diff --git a/.env.example b/.env.example index c7bf02c..8d10c16 100644 --- a/.env.example +++ b/.env.example @@ -1,6 +1,7 @@ SECRET_KEY='akj)aa@2rp+$duf_m$)4!@cc#()h@q(ag0f=h8#1@dlpdouni5' DEBUG=0 DJANGO_ALLOWED_HOSTS=['web','app','localhost','127.0.0.1'] +CSRF_TRUSTED_ORIGINS=['http://localhost','http://localhost:8888','http://127.0.0.1:8888'] ENV=PROD SQL_ENGINE=django.db.backends.postgresql SQL_DATABASE=postgres diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml deleted file mode 100644 index c17e637..0000000 --- a/.github/workflows/anchore-analysis.yml +++ /dev/null @@ -1,28 +0,0 @@ -# This workflow checks out code, builds an image, performs a container image -# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security -# code scanning feature. For more information on the Anchore scan action usage -# and parameters, see https://github.com/anchore/scan-action. For more -# information on Anchore's container image scanning tool Grype, see -# https://github.com/anchore/grype -name: Anchore Container Scan -on: push -jobs: - Anchore-Build-Scan: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v2 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag mpast/mobile_audit:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@main - id: scan - with: - image: "mpast/mobile_audit:latest" - acs-report-enable: true - - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: ${{ steps.scan.outputs.sarif }} - - name: Inspect action SARIF report - run: cat ${{ steps.scan.outputs.sarif }} diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index f68aa09..77954d2 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
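Review bot: The added `CSRF_TRUSTED_ORIGINS` line lists only `http://` origins, but docker-compose.prod.yaml in this same commit loads this file via `env_file` and publishes nginx on 443; Django 4.x compares the scheme as well as the host, so HTTPS form posts in that deployment will fail the CSRF check until an `https://` origin is added. Because both compose files consume `.env.example` directly, the literal `SECRET_KEY` on the first context line and this origin list are live configuration rather than a template — pointing `env_file` at an uncommitted `.env` would keep the example inert. A short comment above the new line, `# Django >= 4.0: entries need the scheme; add https://<host> when served behind TLS`, would make the requirement visible to whoever edits it.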
@@ -2,33 +2,26 @@ name: Semgrep on: pull_request_target: {} + workflow_dispatch: {} push: - branches: ["main"] - # Schedule the CI job (this method uses cron syntax): - schedule: - - cron: '0 0 1 * *' # Sets Semgrep to scan every month - + branches: ["master", "main"] jobs: semgrep: - name: Scan + name: semgrep/ci runs-on: ubuntu-latest container: - image: returntocorp/semgrep + image: semgrep/semgrep - # Skip any PR created by dependabot to avoid permission issues: if: (github.actor != 'dependabot[bot]') - steps: - # Fetch project source with GitHub Actions Checkout. - uses: actions/checkout@v3 - # Run the "semgrep ci" command on the command line of the docker image. - - run: semgrep ci --sarif --output=semgrep.sarif + - run: semgrep ci --sarif > semgrep.sarif env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - # Upload the results to Github Advanced Security + - name: Upload SARIF file for GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif - if: always() + if: always() \ No newline at end of file diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml deleted file mode 100644 index a95371c..0000000 --- a/.github/workflows/shiftleft-analysis.yml +++ /dev/null 
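Review bot: The new `image: semgrep/semgrep` is an untagged, floating reference, while the same commit pins every Dockerfile and compose image by sha256 digest; pinning the scanner image the same way, e.g. `image: semgrep/semgrep:<version>@sha256:<digest>`, keeps the scan reproducible and limits what an upstream image change can do inside a job that holds `SEMGREP_APP_TOKEN`. The job keeps running on `pull_request_target`, which grants secrets to the workflow; that is only safe while the checkout step continues to use the base ref, so a comment above `- uses: actions/checkout@v3` such as `# pull_request_target exposes secrets: do not check out the PR head ref in this job` would guard against a later well-meant change. The final `if: always()` line lacks a trailing newline.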
@@ -1,26 +0,0 @@ -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -# This section configures the trigger for the workflow. Feel free to customize depending on your convention -on: push - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@master - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - - name: Upload report - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: reports diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml deleted file mode 100644 index c24aa47..0000000 --- a/.github/workflows/trivy-analysis.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: build -on: - push: - branches: [ main ] - pull_request: -jobs: - build: - name: Build - runs-on: "ubuntu-18.04" - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Build an image from Dockerfile - run: | - docker build -t mpast/mobile_audit:latest . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'mpast/mobile_audit:latest' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: 'trivy-results.sarif' diff --git a/Dockerfile b/Dockerfile index d3d2514..a1d754c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,14 +1,10 @@
-FROM python:3.9.16-buster@sha256:5e28891402c02291f65c6652a8abddedcb5af15933e923c07c2670f836243833
+FROM python:3.10-bullseye@sha256:02c7cb92b8f23908de6457f7800c93b84ed8c6e7201da7935443d4c5eca7b381
# Update and package installation
RUN apt-get update && \
apt-get clean && \
apt-get install -y ca-certificates-java --no-install-recommends && \
- apt-get clean
-
-RUN apt-get update && \
apt-get install -y openjdk-11-jdk p11-kit wkhtmltopdf libqt5gui5 && \
- apt-get install -y && \
apt-get clean && \
update-ca-certificates -f
diff --git a/app/config/settings.py b/app/config/settings.py
index 896f4d1..e056e0c 100755
--- a/app/config/settings.py
+++ b/app/config/settings.py
@@ -1,5 +1,4 @@
import os
-import logging
from getenv import env
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -65,6 +64,7 @@
DEBUG = int(env("DEBUG", 0))
ALLOWED_HOSTS = tuple(env("DJANGO_ALLOWED_HOSTS", ['web','app','localhost','127.0.0.1']))
+CSRF_TRUSTED_ORIGINS=tuple(env("CSRF_TRUSTED_ORIGINS", ['http://web','http://app','http://localhost','http://127.0.0.1']))
# Database
# https://docs.djangoproject.com/en/3.0/ref/settings/#databases
@@ -140,8 +140,6 @@
LANGUAGE_CODE = 'en-us'
-TIME_ZONE = 'UTC'
-
USE_I18N = True
USE_L10N = True
diff --git a/app/config/urls.py b/app/config/urls.py
index 64d5091..1e46002 100755
--- a/app/config/urls.py
+++ b/app/config/urls.py
@@ -1,10 +1,8 @@
from django.contrib import admin
-from django.urls import path, include
+from django.urls import path, include, re_path
from app import views, api
-from django.conf.urls import url
from rest_framework import routers
from rest_framework.authtoken.views import obtain_auth_token
-from rest_framework import permissions
from drf_yasg.views import get_schema_view
from drf_yasg import openapi
from app.worker.tasks import scan_state
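Review bot: The merged `RUN` chain still finishes with `apt-get clean` only, so the package index files fetched by `apt-get update` remain in the layer; appending `rm -rf /var/lib/apt/lists/*` after `update-ca-certificates -f` shrinks the image and avoids a stale index being reused later. The second install line (`openjdk-11-jdk p11-kit wkhtmltopdf libqt5gui5`) also pulls recommended packages, unlike the first one, which passes `--no-install-recommends`; unless the application actually needs the compiler tooling, `openjdk-11-jre-headless` with `--no-install-recommends` would reduce the runtime image's surface — I cannot tell from this hunk whether `javac` is invoked.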
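Review bot: The added `CSRF_TRUSTED_ORIGINS=tuple(...)` defaults to `http://` origins only, and the production compose file in this commit serves nginx on 443; since Django 4.0 the CSRF origin check compares scheme and host, so HTTPS POSTs will be rejected unless the environment supplies an `https://` entry. Either include the https forms of the same hosts in the default list or document the requirement on the line above, e.g. `# Django >= 4.0: origins must carry the scheme; set CSRF_TRUSTED_ORIGINS to https://<host> for TLS deployments`. The spacing also differs from the neighbouring `ALLOWED_HOSTS = tuple(...)` line; `CSRF_TRUSTED_ORIGINS = tuple(env("CSRF_TRUSTED_ORIGINS", [...]))` would match.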
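Review bot: Dropping `TIME_ZONE = 'UTC'` makes the project fall back to Django's built-in default of `'America/Chicago'`, which silently changes how naive datetimes and template-rendered times are interpreted; if the intent was only to trim settings, keeping the explicit `TIME_ZONE = 'UTC'` is the safer choice. Whether `USE_TZ` is set is not visible in this hunk; if it is not, the change affects the values stored in the database as well.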
@@ -58,8 +56,8 @@ path('api/v1/auth-token/', obtain_auth_token, name='api_token_auth'), path('api/v1/', include(router.urls)), path('scan_state/', scan_state, name="scan_state"), - url(r'^swagger(?P\.json|\.yaml)$', schema_view.without_ui(cache_timeout=0), name='schema-json'), - url(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'), - url(r'^redoc/$', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'), + re_path(r'^swagger(?P\.json|\.yaml)$', schema_view.without_ui(cache_timeout=0), name='schema-json'), + re_path(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'), + re_path(r'^redoc/$', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'), ] \ No newline at end of file diff --git a/docker-compose.prod.yaml b/docker-compose.prod.yaml index dcfd377..cb9bf5a 100644 --- a/docker-compose.prod.yaml +++ b/docker-compose.prod.yaml @@ -1,7 +1,7 @@ version: '3.8' services: db: - image: postgres:15.1-alpine@sha256:07c3361c9e8e1d734dfc51e239327b11d25196347be630fbdc556ca41f219184 + image: postgres:16-bullseye@sha256:7174d2a352ad138906e3dc4a28a5d11b5a158180e9bff80beed8c8cc346f874c env_file: - ./.env.example environment: @@ -28,7 +28,7 @@ services: - db restart: on-failure nginx: - image: nginx:1.23.3-alpine@sha256:dd8a054d7ef030e94a6449783605d6c306c1f69c10c2fa06b66a030e0d1db793 + image: nginx:stable-bullseye@sha256:ee187e563496b690edaab157f89db924cd35fab42631309f4d62957baecf7d6c ports: - "443:443" volumes: @@ -40,7 +40,7 @@ services: - web restart: on-failure rabbitmq: - image: rabbitmq:3.11.5-management-alpine@sha256:826a39d68330e7c380f527d0ac31e87999ade0afa6747e688c9d56989319a2c2 + image: rabbitmq:3.13.0-management@sha256:ba406c7daaef53b59c92a13db37a27d0425579a40c59266d10022a40a8ba7242 env_file: - ./.env.example environment: diff --git a/docker-compose.yaml b/docker-compose.yaml index feaaa0c..7d49fcb 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
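Review bot: The pattern on the first new `re_path` line, `r'^swagger(?P\.json|\.yaml)$'`, opens a named group with `(?P` but carries no group name; if the file really reads this way (rather than the name having been stripped in rendering), `re_path` raises `re.error` when urls.py is imported and the whole site fails to start. The drf-yasg form places the name `format` in angle brackets directly after `?P`, and the view relies on that keyword argument to pick json versus yaml. The removed `url(...)` lines show the same text, so the migration carried the issue over rather than introducing it; worth confirming against the file on disk.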
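Review bot: The new `postgres:16-bullseye@sha256:…` and `nginx:stable-bullseye@sha256:…` references keep a digest, so they remain reproducible, but the tags are now floating ones whose meaning drifts away from the pinned digest; keeping an exact version tag next to the digest, as the removed lines did, makes the pinned release readable and lets update tooling flag it as stale. The same applies to the three hunks of docker-compose.yaml below. The `env_file: - ./.env.example` context line in the db and rabbitmq services means the committed example file, including its literal `SECRET_KEY`, is the production environment; a gitignored `.env` would be the safer target.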
@@ -1,7 +1,7 @@ version: '3.8' services: db: - image: postgres:15.1-alpine@sha256:07c3361c9e8e1d734dfc51e239327b11d25196347be630fbdc556ca41f219184 + image: postgres:16-bullseye@sha256:7174d2a352ad138906e3dc4a28a5d11b5a158180e9bff80beed8c8cc346f874c env_file: - ./.env.example environment: @@ -28,7 +28,7 @@ services: - db restart: on-failure nginx: - image: nginx:1.23.3-alpine@sha256:dd8a054d7ef030e94a6449783605d6c306c1f69c10c2fa06b66a030e0d1db793 + image: nginx:stable-bullseye@sha256:ee187e563496b690edaab157f89db924cd35fab42631309f4d62957baecf7d6c ports: - "8888:8888" volumes: @@ -39,7 +39,7 @@ services: - web restart: on-failure rabbitmq: - image: rabbitmq:3.11.5-management-alpine@sha256:826a39d68330e7c380f527d0ac31e87999ade0afa6747e688c9d56989319a2c2 + image: rabbitmq:3.13.0-management@sha256:ba406c7daaef53b59c92a13db37a27d0425579a40c59266d10022a40a8ba7242 env_file: - ./.env.example environment: diff --git a/requirements.txt b/requirements.txt index ea59269..19afafb 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,21 +1,75 @@
-django==3.2.23
-psycopg2==2.9.3
+amqp==5.2.0
+androguard==3.4.0a1
+asgiref==3.7.2
+asn1crypto==1.5.1
+asttokens==2.4.1
+beautifulsoup4==4.12.3
+billiard==3.6.4.0
+celery==5.2.2
+certifi==2024.2.2
+charset-normalizer==3.3.2
+click==8.1.7
+click-didyoumean==0.3.0
+click-plugins==1.1.1
+click-repl==0.3.0
+colorama==0.4.6
+contourpy==1.2.0
+coreapi==2.3.3
+coreschema==0.0.4
+cycler==0.12.1
+decorator==5.1.1
+Django==4.1.6
django-bootstrap4==3.0.1
-django-widget-tweaks==1.4.8
+django-extensions==3.1.3
+django-filter==2.4.0
django-fontawesome-5==1.0.18
django-getenv==1.3.2
-androguard==3.4.0a1
-requests==2.31.0
-pdfkit==0.6.1
-uwsgi==2.0.22
-Pygments==2.15.0
+django-widget-tweaks==1.4.8
djangorestframework==3.12.4
drf-yasg==1.20.0
-Celery==5.2.2
-django-filter==2.4.0
-sqlalchemy==1.4.23
-django-extensions==3.1.3
-setuptools==65.5.1
-ipython>=8.10.0
-numpy>=1.22.2
-pillow>=10.0.1
\ No newline at end of file
+executing==2.0.1
+fonttools==4.49.0
+idna==3.6
+inflection==0.5.1
+ipython==8.22.2
+itypes==1.2.0
+jedi==0.19.1
+Jinja2==3.1.3
+kiwisolver==1.4.5
+kombu==5.3.5
+lxml==5.1.0
+MarkupSafe==2.1.5
+matplotlib==3.8.3
+matplotlib-inline==0.1.6
+networkx==3.2.1
+numpy==1.26.4
+packaging==23.2
+parso==0.8.3
+pdfkit==0.6.1
+pexpect==4.9.0
+pillow==10.2.0
+prompt-toolkit==3.0.43
+psycopg2-binary==2.9.9
+psycopg2==2.9.9
+ptyprocess==0.7.0
+pure-eval==0.2.2
+pydot==2.0.0
+Pygments==2.15.0
+pyparsing==3.1.2
+python-dateutil==2.9.0.post0
+pytz==2024.1
+requests==2.31.0
+ruamel.yaml==0.18.6
+ruamel.yaml.clib==0.2.8
+six==1.16.0
+soupsieve==2.5
+SQLAlchemy==1.4.23
+sqlparse==0.4.4
+stack-data==0.6.3
+traitlets==5.14.1
+uritemplate==4.1.1
+urllib3==2.2.1
+uWSGI==2.0.22
+vine==5.1.0
+wcwidth==0.2.13
+setuptools==65.5.1
\ No newline at end of file
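Review bot: `Django==4.1.6` pins an early patch release of a series that reached end of extended support in December 2023, while the rest of this file is refreshed to early-2024 versions; move it to a supported series (4.2 LTS) or at least the final 4.1 patch so security releases are still picked up. `psycopg2==2.9.9` and `psycopg2-binary==2.9.9` are both listed; they provide the same `psycopg2` package from different builds, so keep only one (`psycopg2-binary` for the container image, or `psycopg2` with the libpq build dependencies in the Dockerfile). The file still ends without a newline on the last `setuptools==65.5.1` line.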