Merge pull request #228 from iriusrisk/release/1.13.0

release/1.13.0 to main
iriusrisk · Apr 20, 2023 · 983741d · 983741d
2 parents a7f22f2 + 30cbf48
commit 983741d
Show file tree

Hide file tree

Showing 45 changed files with 3,305 additions and 187 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,20 @@
+# This workflow will perform a static code testing with semgrep
+
+name: Static Application Security Testing
+
+on:
+  pull_request: {}
+  push:
+    branches: ["dev", "main"]
+
+jobs:
+  semgrep:
+    name: Run Semgrep scan with owasp-top-ten & cwe-top-25
+    runs-on: ubuntu-latest
+
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
diff --git a/.github/workflows/startleft-unit-integration-fast.yml b/.github/workflows/startleft-unit-integration-fast.yml
@@ -30,10 +30,11 @@ jobs:
       - name: Setup Graphviz
         uses: ts-graphviz/setup-graphviz@v1
 
+      - name: Update pip version to 23.0.1
+        run: python -m pip install --upgrade pip==23.0.1
+
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install .
           pip install -e ".[setup,test]"
 
       - name: Test with pytest

diff --git a/.github/workflows/startleft-unit-integration-full.yml b/.github/workflows/startleft-unit-integration-full.yml
@@ -34,6 +34,9 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Update pip version to 23.0.1
+        run: python -m pip install --upgrade pip==23.0.1
+
       - if: runner.os == 'Windows'
         shell: bash
         run: |
@@ -42,8 +45,6 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install .
           pip install -e ".[setup,test]" 
 
         # This step MUST be after the general installation of StartLeft

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+repos:
+- repo: https://github.com/returntocorp/semgrep
+  rev: 'v1.14.0'
+  hooks:
+    - id: semgrep
+      exclude: "(.)*/tests|tests"
+      args: ['--config', 'p/owasp-top-ten',  '--config', 'p/cwe-top-25', '--config', 'p/gitleaks', '--error', '--skip-unknown-extensions']
+      stages: [commit]
diff --git a/deployment/Dockerfile.application b/deployment/Dockerfile.application
@@ -15,7 +15,9 @@ COPY . .
 
 RUN pip install .
 
+RUN rm -r ../app/*
+
 # Remove git and geos-dev dependencies
 RUN apk del git geos-dev
 
-ENTRYPOINT ["uvicorn", "startleft.startleft.api.fastapi_server:webapp", "--host", "0.0.0.0", "--port", "5000"]
+ENTRYPOINT ["startleft", "server", "--host", "0.0.0.0"]
diff --git a/deployment/Dockerfile.docs b/deployment/Dockerfile.docs
@@ -0,0 +1,8 @@
+FROM squidfunk/mkdocs-material
+
+RUN pip install --upgrade pip
+
+RUN pip install mkdocs-glightbox
+
+COPY /docs ./docs
+COPY mkdocs.yml .
diff --git a/deployment/Dockerfile.documentation b/deployment/Dockerfile.documentation
diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
@@ -1,13 +1,13 @@
 services:
-  docs:
+  startleft-docs:
     build:
       context: ..
-      dockerfile: deployment/Dockerfile.documentation
+      dockerfile: deployment/Dockerfile.docs
     ports:
       - 8000:8000
     container_name: startleft-docs
 
-  application:
+  startleft-app:
     build:
       context: ..
       dockerfile: deployment/Dockerfile.application

diff --git a/docs/Quickstart-Guide-for-Beginners.md b/docs/Quickstart-Guide-for-Beginners.md
@@ -174,16 +174,16 @@ files used for External Threat Model conversions as MTMT (Microsoft Threat Model
 
 #### **OTM** 
 These files may have been generated by StartLeft or handcrafted by any user. To see how to validate 
-an OTM file, we can download an example from the `examples/manual` folder.
+an OTM file, we can download an example from the `examples/otm` folder.
 ```shell
-wget https://raw.githubusercontent.com/iriusrisk/startleft/main/examples/manual/manual.otm
+wget https://raw.githubusercontent.com/iriusrisk/startleft/main/examples/otm/manual_threat_model.otm
 ```
 
 And then validate it by executing:
 ???+ example "OTM example"
 
     ```shell
-    startleft validate --otm-file manual.otm
+    startleft validate --otm-file manual_threat_model.otm
     ```
 
 ???+ warning "Mapping file and otm validation"

diff --git a/docs/development/Create-a-new-StartLeft-Processor.md b/docs/development/Create-a-new-StartLeft-Processor.md
@@ -452,6 +452,34 @@ no code is needed, and you only need to perform the configuration steps below.
         'forbidden_dependencies': ['startleft', 'slp_cft', 'slp_tf', 'slp_visio', 'slp_mtmt']
      }
 ```
+
+### Update the Swagger schema
+1. Open the file `startleft/resources/api/v1/swagger.yaml` where the API is defined.
+2. Add the new MAIS type to the `iac_type` description and to the `IacType` enum:
+```yaml
+# Reduced for simplicity
+components:
+  schemas:
+    Body_iac_api_v1_startleft_iac_post:
+      properties:
+        iac_type:
+          description: 'Type of IaC File: CLOUDFORMATION, TERRAFORM, MAIS'
+```
+```yaml
+# Reduced for simplicity
+components:
+  schemas:
+    IacType:
+       title: IacType
+       enum:
+       - CLOUDFORMATION
+       - TERRAFORM
+       - MAIS
+       type: string
+       description: Type of IaC file
+
+
+```
 
 ### Try it on the REST API
 Launch the REST API as explained in the [Quickstart Guide for Developers](Quickstart-Guide-for-Developers.md)

diff --git a/docs/integration/Quickstart-Guide-for-Integrations.md b/docs/integration/Quickstart-Guide-for-Integrations.md
@@ -59,7 +59,7 @@ git checkout release/1.5.0
 
 Now, we can create the StartLeft image:
 ```shell
-docker build . -f deployment/Dockerfile.application -t startleft
+docker build . -f deployment/Dockerfile.docs.application.application -t startleft
 ```
 
 And, finally, we can run the docker container for the image we have just generated. Notice that you can select the
@@ -100,17 +100,12 @@ For more details about how to use the StartLeft API, you can check the [REST API
 The Dockerfile provided should be enough for the most common integration scenarios, but, of course, it is possible to
 create a custom docker image for StartLeft. For that, you can take the existent 
 [Dockerfile](https://raw.githubusercontent.com/iriusrisk/startleft/main/Dockerfile) available in the root of the StartLeft
-repository as a base. However, you must bear in mind the following considerations:
+repository as a base. However, you must bear in mind that every [official python image from the Docker Hub](https://hub.docker.com/_/python) 
+for versions over 3.6 should work, but:
 
-* Every [official python image from the Docker Hub](https://hub.docker.com/_/python) for versions over 3.6 should work, but:
-    * Depending on the base image, you may need to install additional libraries.
-    * **Debian/Ubuntu based python official images present security vulnerabilities**. This is the reason we decided 
+* Depending on the base image, you may need to install additional libraries.
+* **Debian/Ubuntu based python official images present security vulnerabilities**. This is the reason we decided 
     to use the Alpine based one despite the fact it is significantly slower than others at building time.
-* Although you could set as the entrypoint the `startleft server` command, it is more recommendable to just use the uvicorn 
-  command, that also allows you to select the default deployment port:
-```
-ENTRYPOINT ["uvicorn", "startleft.startleft.api.fastapi_server:webapp", "--host", "0.0.0.0", "--port", "5000"]
-```
 
 ## In batch processes