Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/build_push_release.yml

@@ -205,7 +205,7 @@ jobs:
             | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json
           sbom-utility validate --input-file sbom_"$VERSION".json
-      - 
+      -
         name: Commit SBOMs
         uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
         with:
@@ -214,3 +214,95 @@ jobs:
           commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}"
           branch: "chore/sboms_release_${{ github.event.inputs.release }}"
           file_pattern: "sbom/sbom*.json"
+      -
+        name: Merge SBOM branch into main and delete branch
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const sbomBranch = `chore/sboms_release_${process.env.VERSION}`;
+            const targetBranch = 'main';
+            
+            console.log(`Merging branch ${sbomBranch} into ${targetBranch}`);
+            
+            try {
+              // Merge the SBOM branch into main
+              await github.rest.repos.merge({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                base: targetBranch,
+                head: sbomBranch,
+                commit_message: `chore: merge SBOM files for release ${process.env.VERSION}`
+              });
+              
+              console.log(`Successfully merged ${sbomBranch} into ${targetBranch}`);
+              
+              // Delete the SBOM branch after successful merge
+              console.log(`Deleting branch ${sbomBranch}`);
+              await github.rest.git.deleteRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: `heads/${sbomBranch}`
+              });
+              
+              console.log(`Successfully deleted branch ${sbomBranch}`);
+            } catch (error) {
+              console.error(`Error during merge or branch deletion: ${error.message}`);
+              core.setFailed(error.message);
+            }
+      -
+        name: Add SBOMs to GitHub Release
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const version = process.env.VERSION;
+            const releaseTag = `v${version}`;
+            
+            console.log(`Adding SBOMs to GitHub release ${releaseTag}`);
+            
+            try {
+              // Get the release by tag
+              const { data: release } = await github.rest.repos.getReleaseByTag({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                tag: releaseTag
+              });
+              
+              // SBOM files to upload
+              const sbomFiles = [
+                `sbom_backend_application_${version}.json`,
+                `sbom_frontend_application_${version}.json`,
+                `sbom_backend_container_${version}.json`,
+                `sbom_frontend_container_${version}.json`,
+                `sbom_${version}.json`
+              ];
+              
+              // Upload each SBOM file to the release
+              for (const file of sbomFiles) {
+                const filePath = path.join('./sbom', file);
+                
+                console.log(`Uploading ${filePath} to release ${releaseTag}`);
+                
+                const fileContent = fs.readFileSync(filePath);
+                
+                await github.rest.repos.uploadReleaseAsset({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  release_id: release.id,
+                  name: file,
+                  data: fileContent
+                });
+                
+                console.log(`Successfully uploaded ${file} to release ${releaseTag}`);
+              }
+            } catch (error) {
+              console.error(`Error adding SBOMs to release: ${error.message}`);
+              core.setFailed(error.message);
+            }

.github/workflows/check_backend.yml

@@ -62,4 +62,34 @@ jobs:
       - name: Unittests
         run: |
           docker build -f docker/backend/unittests/django/Dockerfile -t secobserve_backend_unittests:latest .
-          docker run --rm --env-file docker/backend/unittests/envs/django --env-file docker/backend/unittests/envs/sqlite secobserve_backend_unittests:latest /start
+          docker run --rm \
+            --volume ./backend:/home \
+            --env-file docker/backend/unittests/envs/django \
+            --env-file docker/backend/unittests/envs/sqlite \
+            secobserve_backend_unittests:latest
+      - name: "Upload coverage report"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: coverage-report
+          path: backend/coverage.xml
+          retention-days: 1
+
+  check_code_sonarqube_backend:
+    if: github.repository == 'MaibornWolff/SecObserve'
+    needs: [unittests]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0  
+      - name: Download a single artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: coverage-report
+      - name: Run SonarQube scan for backend
+        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          projectBaseDir: backend

.github/workflows/check_frontend.yml

@@ -40,3 +40,20 @@ jobs:
           cd ..
           docker compose -f docker-compose-playwright.yml build
           docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright
+
+  check_code_sonarqube_frontend:
+    if: github.repository == 'MaibornWolff/SecObserve'
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0  
+      - 
+        name: Run SonarQube scan for frontend
+        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_FRONTEND }}
+        with:
+          projectBaseDir: frontend

.github/workflows/check_licenses_dev.yml

@@ -55,14 +55,14 @@ jobs:
           so_api_token: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Check licenses for backend application
-        uses: MaibornWolff/purl-patrol@c11a9181b28143386d730aef6e1fed9aef51e2e6 # v1.6.1
+        uses: MaibornWolff/purl-patrol@fe0da8d7c02235dfdf3c52ec936873e57e37203d # v1.6.2
         with:
           SBOM_PATH: 'sbom_backend_application.json'
           LICENSE_POLICY_PATH: 'sbom/configuration/license_policy.json'
           BREAK_ENABLED: false
       - 
         name: Check licenses for frontend application
-        uses: MaibornWolff/purl-patrol@c11a9181b28143386d730aef6e1fed9aef51e2e6 # v1.6.1
+        uses: MaibornWolff/purl-patrol@fe0da8d7c02235dfdf3c52ec936873e57e37203d # v1.6.2
         with:
           SBOM_PATH: 'sbom_frontend_application.json'
           LICENSE_POLICY_PATH: 'sbom/configuration/license_policy.json'

.github/workflows/check_vulnerabilities.yml

@@ -18,37 +18,3 @@ jobs:
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
-
-  check_code_sonarqube_backend:
-    if: github.repository == 'MaibornWolff/SecObserve'
-    runs-on: ubuntu-latest
-    steps:
-      - 
-        name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0  
-      - 
-        name: Run SonarQube scan for backend
-        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        with:
-          projectBaseDir: backend
-
-  check_code_sonarqube_frontend:
-    if: github.repository == 'MaibornWolff/SecObserve'
-    runs-on: ubuntu-latest
-    steps:
-      - 
-        name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0  
-      - 
-        name: Run SonarQube scan for frontend
-        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_FRONTEND }}
-        with:
-          projectBaseDir: frontend

.github/workflows/scan_sca_current.yml

@@ -16,7 +16,7 @@ jobs:
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.32.1'
+          ref: 'v1.33.0'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@03881bede1d05a40887bf26d8dfd7a1a37be892d # main

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           sarif_file: results.sarif

.gitignore

@@ -15,3 +15,4 @@ keycloak/h2/keycloakdb.trace.db
 keycloak/h2/keycloakdb.lock.db
 keycloak/h2/keycloakdb.mv.db
 backend/application/import_observations/parsers/trivy_operator_prometheus_file
+coverage.xml

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.32.1"
+__version__ = "1.33.0"
 
 import pymysql
 

backend/application/commons/api/views.py

@@ -1,5 +1,3 @@
-from typing import Union
-
 import environ
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
@@ -71,7 +69,7 @@ def get(self, request: Request) -> Response:
             if env("EMAIL_HOST", default="") or env("EMAIL_PORT", default=""):
                 features.append("feature_email")
 
-        content: dict[str, Union[int, list[str]]] = {
+        content: dict[str, (int | list[str])] = {
             "features": features,
         }