Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/build_push_dev.yml

@@ -9,18 +9,18 @@ permissions:
   id-token: write
 
 jobs:
-  docker:
+  docker_backend_dev:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       -
         name: Login to Stackable Harbor
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -37,7 +37,7 @@ jobs:
       -
         name: Build and push backend
         id: build-and-push-backend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -47,13 +47,35 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=dev
+
+  docker_frontend_dev:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set current date as env variable
+        run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Sign the published backend image
         run: cosign sign -y oci.stackable.tech/stackable/secobserve-backend@${{ steps.build-and-push-backend.outputs.digest }}
       -
         name: Build and push frontend
         id: build-and-push-frontend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile

.github/workflows/build_push_release.yml

@@ -11,7 +11,7 @@ on:
 permissions: read-all
 
 jobs:
-  docker:
+  docker_backend_release:
     runs-on: ubuntu-latest
     steps:
       -
@@ -21,10 +21,10 @@ jobs:
           ref: 'v${{ github.event.inputs.release }}'
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       -
         name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -48,9 +48,33 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=${{ github.event.inputs.release }}
+
+  docker_frontend_release:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set current date as env variable
+        run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -62,15 +86,128 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=${{ github.event.inputs.release }}
+
+  vulnerability_scans_release:
+    runs-on: ubuntu-latest
+    needs: [docker_backend_release, docker_frontend_release]
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@5476f0de11c46875081d9767ec166c1e030e9ef0 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@5476f0de11c46875081d9767ec166c1e030e9ef0 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
+
+  generate_sboms:
+    runs-on: ubuntu-latest
+    needs: [docker_backend_release, docker_frontend_release]
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 20
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
+      - 
+        name: Install programs
+        env:
+          CDXGEN_VERSION: 10.9.4
+          SBOM_UTILITY_VERSION: 0.16.0
+          CYCLONE_DX_CLI_VERSION: 0.25.1
+        run: |
+          npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
+          cd /usr/local/bin
+          wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf -
+          wget --no-verbose https://github.com/CycloneDX/cyclonedx-cli/releases/download/v"$CYCLONE_DX_CLI_VERSION"/cyclonedx-linux-x64
+          cp cyclonedx-linux-x64 /usr/local/bin/cyclonedx
+          chmod +x /usr/local/bin/cyclonedx
+      - 
+        name: Generate SBOM for backend application
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+          FETCH_LICENSE: 1
+        working-directory: ./sbom
+        run: |
+          mv ../backend/poetry_requirements.txt ../backend/poetry_requirements.sic
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json
+          cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_backend_application.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json
+          sbom-utility validate --input-file sbom_backend_application_"$VERSION".json
+          rm sbom_backend_application.json
+          mv ../backend/poetry_requirements.sic ../backend/poetry_requirements.txt
+      - 
+        name: Generate SBOM for frontend application
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json
+          cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_frontend_application.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json
+          sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json
+          rm sbom_frontend_application.json
+      - 
+        name: Generate SBOM for backend container
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json
+          cdxgen maibornwolff/secobserve-backend:$VERSION --type container --exclude-type python --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_backend_container.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_backend_container.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json
+          sbom-utility validate --input-file sbom_backend_container_"$VERSION".json
+          rm sbom_backend_container.json
+      - 
+        name: Generate SBOM for frontend container
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json
+          cdxgen maibornwolff/secobserve-frontend:$VERSION --type container --exclude-type npm --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_frontend_container.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_frontend_container.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json
+          sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json
+          rm sbom_frontend_container.json
+      - 
+        name: Merge SBOMs
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_complete.json
+          cyclonedx merge --hierarchical --name "SecObserve" --version "$VERSION" --input-files sbom_backend_application_"$VERSION".json sbom_frontend_application_"$VERSION".json sbom_backend_container_"$VERSION".json sbom_frontend_container_"$VERSION".json --output-format json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json
+          sbom-utility validate --input-file sbom_"$VERSION".json
+      - 
+        name: Commit SBOMs
+        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+        with:
+          skip_fetch: true
+          create_branch: true
+          commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}"
+          branch: "chore/sboms_release_${{ github.event.inputs.release }}"
+          file_pattern: "sbom/sbom*.json"

.github/workflows/check_backend.yml

@@ -9,10 +9,8 @@ env:
   POETRY_NO_INTERACTION: 1
 
 jobs:
-  check_backend:
-
+  code_quality:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python 3.12
@@ -57,6 +55,10 @@ jobs:
         run: |
           lint-imports --no-cache
 
+  unittests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Unittests
         run: |
           docker build -f docker/backend/unittests/django/Dockerfile -t secobserve_backend_unittests:latest .

.github/workflows/check_frontend.yml

@@ -5,36 +5,38 @@ on: [push, pull_request]
 permissions: read-all
 
 jobs:
-  check_frontend:
-
+  code_quality:
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
-      with:
-        node-version: 20
-
-    - name: Install dependencies
-      working-directory: ./frontend
-      run: |
-        npm ci
-
-    - name: Prettier
-      working-directory: ./frontend
-      run: |
-        npx prettier -c src
-
-    - name: ESLint
-      working-directory: ./frontend
-      run: |
-        npx eslint src
-
-    - name: End-to-end tests
-      working-directory: .
-      run: |
-        cd end_to_end_tests
-        npm install
-        cd ..
-        docker compose -f docker-compose-playwright.yml build
-        docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 20
+
+      - name: Install dependencies
+        working-directory: ./frontend
+        run: |
+          npm ci
+
+      - name: Prettier
+        working-directory: ./frontend
+        run: |
+          npx prettier -c src
+
+      - name: ESLint
+        working-directory: ./frontend
+        run: |
+          npx eslint src
+
+  end_to_end_tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: End-to-end tests
+        working-directory: .
+        run: |
+          cd end_to_end_tests
+          npm install
+          cd ..
+          docker compose -f docker-compose-playwright.yml build
+          docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright

.github/workflows/check_licenses_dev.yml

@@ -10,8 +10,6 @@ permissions: read-all
 jobs:
   scan_licenses:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
       - 
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -37,7 +35,7 @@ jobs:
           cdxgen ./frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
       -
         name: Import backend SBOM
-        uses: MaibornWolff/secobserve_actions_templates/actions/importer@5476f0de11c46875081d9767ec166c1e030e9ef0 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/importer@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_product_name: 'SecObserve'
           so_file_name: 'sbom_backend_application.json'
@@ -47,7 +45,7 @@ jobs:
           so_api_token: ${{ secrets.SO_API_TOKEN }}
       -
         name: Import frontend SBOM
-        uses: MaibornWolff/secobserve_actions_templates/actions/importer@5476f0de11c46875081d9767ec166c1e030e9ef0 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/importer@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_product_name: 'SecObserve'
           so_file_name: 'sbom_frontend_application.json'

.github/workflows/check_vulnerabilities.yml

@@ -14,7 +14,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@5476f0de11c46875081d9767ec166c1e030e9ef0 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}