Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/check_vulnerabilities.yml

@@ -18,3 +18,35 @@ jobs:
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
+
+  check_code_sonarqube_backend:
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0  
+      - 
+        name: Run SonarQube scan for backend
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          projectBaseDir: backend
+
+  check_code_sonarqube_frontend:
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0  
+      - 
+        name: Run SonarQube scan for frontend
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_FRONTEND }}
+        with:
+          projectBaseDir: frontend

backend/application/commons/api/views.py

@@ -112,6 +112,9 @@ def patch(self, request: Request, pk: int = None) -> Response:  # pylint: disabl
         if not request_serializer.is_valid():
             raise ValidationError(request_serializer.errors)
 
+        if request_serializer.validated_data.get("feature_automatic_osv_scanning"):
+            request_serializer.validated_data["feature_license_management"] = True
+
         settings = Settings.load()
         request_serializer.update(settings, request_serializer.validated_data)
 

backend/config/settings/base.py

@@ -5,6 +5,7 @@
 from pathlib import Path
 
 import environ
+from csp.constants import NONE, SELF
 
 from application.__init__ import __version__
 
@@ -267,11 +268,15 @@ def whitenoise_security_headers(headers: dict, path: str, url: str) -> None:
 # https://docs.djangoproject.com/en/dev/ref/settings/#x-frame-options
 X_FRAME_OPTIONS = "DENY"
 # https://django-csp.readthedocs.io/en/latest/configuration.html
-CSP_SCRIPT_SRC = ("'self'",)
-CSP_OBJECT_SRC = ("'none'",)
-CSP_BASE_URI = ("'none'",)
-CSP_FRAME_ANCESTORS = ("'self'",)
-CSP_FORM_ACTION = ("'self'",)
+CONTENT_SECURITY_POLICY = {
+    "DIRECTIVES": {
+        "script-src": [SELF],
+        "object-src": [NONE],
+        "frame-ancestors": [SELF],
+        "form-action": [SELF],
+        "base-uri": [NONE],
+    },
+}
 # https://docs.djangoproject.com/en/dev/ref/middleware/#http-strict-transport-security
 SECURE_HSTS_SECONDS = 31536000
 SECURE_HSTS_PRELOAD = True

backend/poetry.lock

@@ -12,10 +12,10 @@ python = ">= 3.10, < 3.13"
 # Django
 # ------------------------------------------------------------------------------
 gunicorn = "23.0.0"  # https://github.com/benoitc/gunicorn
-django = "5.1.7"  # https://www.djangoproject.com/
+django = "5.1.8"  # https://www.djangoproject.com/
 django-environ = "0.12.0"  # https://github.com/joke2k/django-environ
 django-filter = "25.1"  # https://github.com/carltongibson/django-filter 
-django-csp = "3.8"  # https://github.com/mozilla/django-csp
+django-csp = "4.0"  # https://github.com/mozilla/django-csp
 django-picklefield = "3.3"  # https://github.com/gintas/django-picklefield 
 django-encrypted-model-fields = "0.6.5"  # https://gitlab.com/lansharkconsulting/django/django-encrypted-model-fields
 argon2-cffi = "23.1.0"  # https://github.com/hynek/argon2_cffi

backend/pyproject.toml

@@ -0,0 +1,17 @@
+sonar.projectKey=maibornwolff-gmbh_SecObserve_backend
+sonar.organization=maibornwolff-gmbh
+
+
+# This is the name and version displayed in the SonarCloud UI.
+sonar.projectName=SecObserve Backend
+#sonar.projectVersion=1.0
+
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8
+
+sonar.python.version=3.12
+sonar.exclusions=**/unittests/**,**/migrations/**

backend/sonar-project.properties

@@ -10,7 +10,7 @@ networks:
 services:
 
   traefik:
-    image: "traefik:v3.3.4"
+    image: "traefik:v3.3.5"
     container_name: "prod_traefik"
     command:
       - "--log.level=INFO"

docker-compose-prod-mysql.yml

@@ -10,7 +10,7 @@ networks:
 services:
 
   traefik:
-    image: "traefik:v3.3.4"
+    image: "traefik:v3.3.5"
     container_name: "prod_traefik"
     command:
       - "--log.level=INFO"

docker-compose-prod-postgres.yml

@@ -9,6 +9,6 @@
   "author": "",
   "devDependencies": {
     "@playwright/test": "1.51.1",
-    "@types/node": "22.13.14"
+    "@types/node": "22.14.0"
   }
 }