Merge pull request #8948 from DefectDojo/master-into-bugfix/2.28.0-2.…

…29.0-dev Release: Merge back 2.28.0 into bugfix from: master-into-bugfix/2.28.0-2.29.0-dev
DefectDojo · Nov 7, 2023 · d841a9f · d841a9f
2 parents 9817c94 + ab43cef
commit d841a9f
Show file tree

Hide file tree

Showing 87 changed files with 18,211 additions and 166 deletions.
diff --git a/.github/scripts/git_protect.py b/.github/scripts/git_protect.py
@@ -0,0 +1,103 @@
+import argparse
+import logging
+import re
+import subprocess
+from pathlib import Path
+
+log = logging.getLogger(__name__)
+
+
+def gitignore_to_regex(pattern) -> str:
+    # Replace .gitignore-style patterns with regex equivalents
+    pattern = pattern.replace("*", ".*")  # *      -> .*
+    pattern = pattern.replace("?", ".")  # ?      -> .
+    pattern = pattern.replace("[!", "[^")  # [!abc] -> [^abc]
+
+    # If the pattern ends with '/', it matches directories
+    if pattern.endswith("/"):
+        pattern = f"{pattern}.*"
+
+    return rf"^{pattern}"
+
+
+def get_protected_files(file_name: str) -> list[str]:
+    # Check to see if the .gitprotect file exists
+    config_path = Path(file_name)
+    if not config_path.exists():
+        log.error(f"ERROR: Could not find .gitprotect at {config_path.absolute()}")
+        exit(1)
+
+    # Open the file and read in file paths
+    with open(file_name, "r") as file:
+        return [gitignore_to_regex(line.strip()) for line in file]
+
+
+def get_changed_files(base_ref: str, head_ref: str) -> list[str]:
+    result = subprocess.run(
+        [
+            "git",
+            "diff",
+            "--name-only",
+            base_ref,
+            head_ref,
+        ],
+        capture_output=True,
+        text=True,
+    )
+    return result.stdout.splitlines()
+
+
+def check_changes_against_protect_list(
+    changed_files: list[str], protected_files: list[str], comment_only: bool
+):
+    violations = set()
+
+    # If any modified file is one in the protect list, add the files to the violations list
+    for protected_file in protected_files:
+        pattern = re.compile(protected_file)
+        files_with_pattern = [f for f in changed_files if pattern.search(f)]
+        violations.update(files_with_pattern)
+
+    violations_list = "\n".join(violations)
+    if violations:
+        log.error(
+            f"The following files are protected and cannot be modified:\n{violations_list}"
+        )
+        if comment_only:
+            exit_code = 0
+        else:
+            exit_code = 1
+        exit(exit_code)
+    else:
+        log.debug("No changes to protected files were detected.")
+
+
+def main(args):
+    changed_files = get_changed_files(
+        args.base_ref,
+        args.head_ref,
+    )
+    protected_files = get_protected_files(".gitprotect")
+    check_changes_against_protect_list(
+        protected_files=protected_files,
+        changed_files=changed_files,
+        comment_only=args.comment_only
+    )
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="A utility function to check if protected files have been modified."
+    )
+    parser.add_argument(
+        "base_ref", help="The git SHA for the most recent merged commit."
+    )
+    parser.add_argument("head_ref", help="The git SHA for the incoming commit")
+    parser.add_argument(
+        "--comment-only",
+        action="store_true",
+        help="Sets git-protect to not exit with an error code",
+    )
+
+    args = parser.parse_args()
+    main(args)
diff --git a/.github/workflows/cancel-outdated-workflow-runs.yml b/.github/workflows/cancel-outdated-workflow-runs.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@0.11.0
+      - uses: styfle/cancel-workflow-action@0.12.0
         with:
           workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml'
           access_token: ${{ github.token }}
diff --git a/.github/workflows/check-protected-files.yml b/.github/workflows/check-protected-files.yml
@@ -0,0 +1,45 @@
+name: Check For Modifications to Protected Files
+
+on:
+  pull_request_target:
+
+jobs:
+  check-if-protected-files-are-modified:
+    permissions: write-all
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Check for file changes using git-protect
+        run: |
+          python .github/scripts/git_protect.py ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} --comment-only &> output.txt
+
+      - name: Post a comment back to the PR if protected files have changed
+        if: ${{ always() }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const fs = require('fs');
+
+            fs.readFile('output.txt', 'utf8', (err, data) => {
+                if (err) {
+                    console.error('Error reading the file:', err);
+                    return;
+                }
+                github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: data
+              })
+            });
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -21,7 +21,7 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '16.x'
 

diff --git a/.github/workflows/plantuml.yml b/.github/workflows/plantuml.yml
@@ -33,7 +33,7 @@ jobs:
         with:
           args: -v -tpng ${{ steps.getfile.outputs.files }}
       - name: Push Local Changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "PlantUML_bot"
           commit_user_email: "[email protected]"

diff --git a/.github/workflows/release-1-create-pr.yml b/.github/workflows/release-1-create-pr.yml
@@ -75,7 +75,7 @@ jobs:
           grep -H version helm/defectdojo/Chart.yaml
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

diff --git a/.github/workflows/release-3-master-into-dev.yml b/.github/workflows/release-3-master-into-dev.yml
@@ -57,7 +57,7 @@ jobs:
           grep version components/package.json
       
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"
@@ -123,7 +123,7 @@ jobs:
           grep version components/package.json
       
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -19,7 +19,7 @@ jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5.24.0
+      - uses: release-drafter/release-drafter@v5.25.0
         with:
           version: ${{github.event.inputs.version}}  
         env:

diff --git a/.github/workflows/test-helm-chart.yml b/.github/workflows/test-helm-chart.yml
@@ -35,7 +35,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.1
 
       - name: Determine target branch
         id: ct-branch-target

diff --git a/.gitprotect b/.gitprotect
@@ -0,0 +1,54 @@
+dojo/announcement/
+dojo/api_v2/
+dojo/authorization/
+dojo/db_migrations/
+dojo/endpoint/
+dojo/engagement/
+dojo/finding/
+dojo/finding_group/
+dojo/group/
+dojo/importers/
+dojo/jira_link/
+dojo/metrics/
+dojo/note_type/
+dojo/notes/
+dojo/product/
+dojo/product_type/
+dojo/reports/
+dojo/risk_acceptance/
+dojo/rules/
+dojo/search/
+dojo/templates/
+dojo/templatetags/
+dojo/test/
+dojo/tool_config/
+dojo/tool_product/
+dojo/tool_type/
+dojo/user/
+
+dojo/apps.py
+dojo/celery.py
+dojo/context_processors.py
+dojo/decorators.py
+dojo/filters.py
+dojo/forms.py
+dojo/middleware.py
+dojo/models.py
+dojo/okta.py
+dojo/pipeline.py
+dojo/remote_user.py
+dojo/tasks.py
+dojo/urls.py
+dojo/utils.py
+dojo/views.py
+dojo/wsgi.py
+
+
+docker/environments/
+docker/extra_settings/
+docker/entrypoint-celery-beat.sh
+docker/entrypoint-celery-worker.sh
+docker/entrypoint-initializer.sh
+docker/entrypoint-nginx.sh
+docker/entrypoint-uwsgi.sh
+docker/wait-for-it.sh
diff --git a/Dockerfile.nginx-alpine b/Dockerfile.nginx-alpine
@@ -140,7 +140,7 @@ COPY manage.py ./
 COPY dojo/ ./dojo/
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.25.2-alpine@sha256:16164a43b5faec40adb521e98272edc528e74f31c1352719132b8f7e53418d70
+FROM nginx:1.25.3-alpine@sha256:db353d0f0c479c91bd15e01fc68ed0f33d9c4c52f3415e63332c3d0bf7a4bb77
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

diff --git a/Dockerfile.nginx-debian b/Dockerfile.nginx-debian
@@ -75,7 +75,7 @@ COPY dojo/ ./dojo/
 
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.25.2-alpine@sha256:16164a43b5faec40adb521e98272edc528e74f31c1352719132b8f7e53418d70
+FROM nginx:1.25.3-alpine@sha256:db353d0f0c479c91bd15e01fc68ed0f33d9c4c52f3415e63332c3d0bf7a4bb77
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

diff --git a/README.md b/README.md
@@ -41,7 +41,10 @@ Try out the demo server at [demo.defectdojo.org](https://demo.defectdojo.org)
 
 Log in with `admin / 1Defectdojo@demo#appsec`. Please note that the demo is publicly accessible and regularly reset. Do not put sensitive data in the demo.
 
-## Quick Start
+## Quick Start for Compose V2
+From July 2023 Compose V1 [stopped receiving updates](https://docs.docker.com/compose/reference/).
+
+Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using `docker compose`, instead of `docker-compose`.
 
 ```sh
 git clone https://github.com/DefectDojo/django-DefectDojo
@@ -52,9 +55,23 @@ cd django-DefectDojo
 ./dc-up.sh postgres-redis
 # obtain admin credentials. the initializer can take up to 3 minutes to run
 # use docker-compose logs -f initializer to track progress
-docker-compose logs initializer | grep "Admin password:"
+docker compose logs initializer | grep "Admin password:"
+```
+## For Docker Compose V1
+You can run Compose V1 by editing the below files to add the hyphen (-) between `docker compose`. 
+```sh
+     dc-build.sh
+     dc-down.sh
+     dc-stop.sh
+     dc-unittest.sh
+     dc-up-d.sh
+     dc-up.sh
+     docker/docker-compose-check.sh
+     docker/entrypoint-initializer.sh
+     docker/setEnv.sh
 ```
 
+
 Navigate to <http://localhost:8080>.
 
 

diff --git a/components/package.json b/components/package.json
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.28.0-dev",
+  "version": "2.29.0-dev",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

diff --git a/components/yarn.lock b/components/yarn.lock
@@ -253,9 +253,9 @@ core-util-is@~1.0.0:
   integrity sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==
 
 crypto-js@^4.0.0:
-  version "4.1.1"
-  resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.1.1.tgz#9e485bcf03521041bd85844786b83fb7619736cf"
-  integrity sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw==
+  version "4.2.0"
+  resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.2.0.tgz#4d931639ecdfd12ff80e8186dba6af2c2e856631"
+  integrity sha512-KALDyEYgpY+Rlob/iriUtjV6d5Eq+Y191A5g4UqLAi8CyGP9N1+FdVbkc1SxKc2r4YAYqG8JzO2KGL+AizD70Q==
 
 d@1, d@^1.0.1:
   version "1.0.1"

diff --git a/dc-build.sh b/dc-build.sh
@@ -12,4 +12,6 @@ fi
 
 # Building images for all configurations
 # The docker build doesn't supply any environment variables to the Dockerfile, so we can use any profile.
-docker-compose --profile mysql-rabbitmq --profile postgres-redis --env-file ./docker/environments/postgres-redis.env build $1
+
+# Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
+docker compose --profile mysql-rabbitmq --profile postgres-redis --env-file ./docker/environments/postgres-redis.env build $1
diff --git a/dc-down.sh b/dc-down.sh
@@ -12,4 +12,6 @@ fi
 
 # Stopping containers for all configurations
 # The environment must be provided but it doesn't make a difference which one
-docker-compose --profile mysql-rabbitmq --profile postgres-redis --env-file ./docker/environments/postgres-redis.env down $1
+
+# Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
+docker compose --profile mysql-rabbitmq --profile postgres-redis --env-file ./docker/environments/postgres-redis.env down $1
diff --git a/dc-stop.sh b/dc-stop.sh
@@ -12,4 +12,6 @@ fi
 
 # Stopping containers for all configurations
 # The environment must be provided but it doesn't make a difference which one
-docker-compose --profile mysql-rabbitmq --profile postgres-redis --env-file ./docker/environments/postgres-redis.env stop $1
+
+# Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
+docker compose --profile mysql-rabbitmq --profile postgres-redis --env-file ./docker/environments/postgres-redis.env stop $1
diff --git a/dc-unittest.sh b/dc-unittest.sh
@@ -73,4 +73,6 @@ then
 fi
 
 echo "Running docker compose unit tests with profile $PROFILE and test case $TEST_CASE ..."
-docker-compose --profile $PROFILE --env-file ./docker/environments/$PROFILE.env exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb"
+
+# Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
+docker compose --profile $PROFILE --env-file ./docker/environments/$PROFILE.env exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb"
diff --git a/dc-up-d.sh b/dc-up-d.sh
@@ -27,4 +27,6 @@ else
 fi
 
 echo "Starting docker compose with profile $PROFILE in the background ..."
-docker-compose --profile $PROFILE --env-file ./docker/environments/$PROFILE.env up --no-deps -d
+
+# Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
+docker compose --profile $PROFILE --env-file ./docker/environments/$PROFILE.env up --no-deps -d