stackabletech
diff --git a/‎.github/workflows/build_push_dev.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/build_push_dev.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/build_push_release.yml‎
Lines changed: 16 additions & 13 deletions b/‎.github/workflows/build_push_release.yml‎
Lines changed: 16 additions & 13 deletions
diff --git a/‎.github/workflows/check_backend.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/check_backend.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/check_frontend.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/check_frontend.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/check_licenses_dev.yml‎
Lines changed: 20 additions & 6 deletions b/‎.github/workflows/check_licenses_dev.yml‎
Lines changed: 20 additions & 6 deletions
diff --git a/‎.github/workflows/check_vulnerabilities.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/check_vulnerabilities.yml‎
Lines changed: 6 additions & 4 deletions
@@ -37,7 +37,7 @@ jobs:
       -
         name: Build and push backend
         id: build-and-push-backend
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -78,7 +78,7 @@ jobs:
       -
         name: Build and push frontend
         id: build-and-push-frontend
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
 
@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -74,7 +74,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -98,13 +98,13 @@ jobs:
           ref: 'v${{ github.event.inputs.release }}'
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@2f7b500fde2de2bdea7eef3b6df5503c2476916f # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@32595f58f393dbc99507c7ec574e47c3443808f1 # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@2f7b500fde2de2bdea7eef3b6df5503c2476916f # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@32595f58f393dbc99507c7ec574e47c3443808f1 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
@@ -115,7 +115,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
       -
@@ -126,16 +126,18 @@ jobs:
       - 
         name: Install programs
         env:
-          CDXGEN_VERSION: 10.9.4
-          SBOM_UTILITY_VERSION: 0.16.0
-          CYCLONE_DX_CLI_VERSION: 0.25.1
+          CDXGEN_VERSION: 11.2.3
+          TRIVY_VERSION: 0.61.0
+          SBOM_UTILITY_VERSION: 0.17.0
+          CYCLONE_DX_CLI_VERSION: 0.27.2
         run: |
           npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
           cd /usr/local/bin
           wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf -
           wget --no-verbose https://github.com/CycloneDX/cyclonedx-cli/releases/download/v"$CYCLONE_DX_CLI_VERSION"/cyclonedx-linux-x64
           cp cyclonedx-linux-x64 /usr/local/bin/cyclonedx
           chmod +x /usr/local/bin/cyclonedx
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v"$TRIVY_VERSION"
       - 
         name: Generate SBOM for backend application
         env:
@@ -145,7 +147,7 @@ jobs:
         run: |
           mv ../backend/poetry_requirements.txt ../backend/poetry_requirements.sic
           sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json
-          cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
+          cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json --spec-version 1.6
           sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_backend_application.json \
             | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json
@@ -159,7 +161,7 @@ jobs:
         working-directory: ./sbom
         run: |
           sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json
-          cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
+          cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json --spec-version 1.6
           sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_frontend_application.json \
             | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json
@@ -172,7 +174,7 @@ jobs:
         working-directory: ./sbom
         run: |
           sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json
-          cdxgen maibornwolff/secobserve-backend:$VERSION --type container --exclude-type python --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_backend_container.json
+          trivy image --scanners license --pkg-types os --format cyclonedx --output sbom_backend_container.json maibornwolff/secobserve-backend:$VERSION
           sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_backend_container.json \
             | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json
@@ -185,7 +187,7 @@ jobs:
         working-directory: ./sbom
         run: |
           sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json
-          cdxgen maibornwolff/secobserve-frontend:$VERSION --type container --exclude-type npm --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_frontend_container.json
+          trivy image --scanners license --pkg-types os --format cyclonedx --output sbom_frontend_container.json maibornwolff/secobserve-frontend:$VERSION
           sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_frontend_container.json \
             | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json
@@ -199,12 +201,13 @@ jobs:
         run: |
           sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_complete.json
           cyclonedx merge --hierarchical --name "SecObserve" --version "$VERSION" --input-files sbom_backend_application_"$VERSION".json sbom_frontend_application_"$VERSION".json sbom_backend_container_"$VERSION".json sbom_frontend_container_"$VERSION".json --output-format json \
+            | sbom-utility trim --keys=declarations,definitions --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
             | sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json
           sbom-utility validate --input-file sbom_"$VERSION".json
       - 
         name: Commit SBOMs
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
         with:
           skip_fetch: true
           create_branch: true
 
@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python 3.12
-        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.12
 
 
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
 
 
@@ -12,44 +12,58 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - 
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
       - 
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - 
         name: Install programs
         env:
-          CDXGEN_VERSION: 10.10.6
+          CDXGEN_VERSION: 11.2.3
         run: |
           npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
       - 
         name: Generate SBOM for backend application
         env:
           FETCH_LICENSE: 1
         run: |
+          mv ./backend/poetry_requirements.txt ./backend/poetry_requirements.sic
           cdxgen ./backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
+          mv ./backend/poetry_requirements.sic ./backend/poetry_requirements.txt
       - 
         name: Generate SBOM for frontend application
         run: |
           cdxgen ./frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
       -
         name: Import backend SBOM
-        uses: MaibornWolff/secobserve_actions_templates/actions/importer@2f7b500fde2de2bdea7eef3b6df5503c2476916f # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/upload_sbom@32595f58f393dbc99507c7ec574e47c3443808f1 # main
         with:
           so_product_name: 'SecObserve'
           so_file_name: 'sbom_backend_application.json'
-          so_parser_name: 'CycloneDX'
           so_branch_name: 'dev'
           so_api_base_url: "https://secobserve-backend.maibornwolff.de"
           so_api_token: ${{ secrets.SO_API_TOKEN }}
       -
         name: Import frontend SBOM
-        uses: MaibornWolff/secobserve_actions_templates/actions/importer@2f7b500fde2de2bdea7eef3b6df5503c2476916f # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/upload_sbom@32595f58f393dbc99507c7ec574e47c3443808f1 # main
         with:
           so_product_name: 'SecObserve'
           so_file_name: 'sbom_frontend_application.json'
-          so_parser_name: 'CycloneDX'
           so_branch_name: 'dev'
           so_api_base_url: "https://secobserve-backend.maibornwolff.de"
           so_api_token: ${{ secrets.SO_API_TOKEN }}
+      - 
+        name: Check licenses for backend application
+        uses: MaibornWolff/purl-patrol@c11a9181b28143386d730aef6e1fed9aef51e2e6 # v1.6.1
+        with:
+          SBOM_PATH: 'sbom_backend_application.json'
+          LICENSE_POLICY_PATH: 'sbom/configuration/license_policy.json'
+          BREAK_ENABLED: false
+      - 
+        name: Check licenses for frontend application
+        uses: MaibornWolff/purl-patrol@c11a9181b28143386d730aef6e1fed9aef51e2e6 # v1.6.1
+        with:
+          SBOM_PATH: 'sbom_frontend_application.json'
+          LICENSE_POLICY_PATH: 'sbom/configuration/license_policy.json'
+          BREAK_ENABLED: false
@@ -6,20 +6,21 @@ permissions: read-all
 
 jobs:
   check_code_vulnerabilities:
-    if: github.event.repository.url == 'https://github.com/MaibornWolff/SecObserve'
+    if: github.repository == 'MaibornWolff/SecObserve'
     runs-on: ubuntu-latest
     steps:
       - 
         name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@2f7b500fde2de2bdea7eef3b6df5503c2476916f # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@32595f58f393dbc99507c7ec574e47c3443808f1 # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
 
   check_code_sonarqube_backend:
+    if: github.repository == 'MaibornWolff/SecObserve'
     runs-on: ubuntu-latest
     steps:
       - 
@@ -29,13 +30,14 @@ jobs:
           fetch-depth: 0  
       - 
         name: Run SonarQube scan for backend
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
           projectBaseDir: backend
 
   check_code_sonarqube_frontend:
+    if: github.repository == 'MaibornWolff/SecObserve'
     runs-on: ubuntu-latest
     steps:
       - 
@@ -45,7 +47,7 @@ jobs:
           fetch-depth: 0  
       - 
         name: Run SonarQube scan for frontend
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_FRONTEND }}
         with: