From 28e426a90e7d9fa26c0843f62b5afb88450b9532 Mon Sep 17 00:00:00 2001 From: Monica Pastor Date: Mon, 2 Jan 2023 16:04:38 +0100 Subject: [PATCH 01/26] bug: fix #74 and semgrep issues --- Dockerfile | 3 +++ app/templates/app.html | 2 +- app/templates/export.html | 20 ++++++++++---------- app/templates/finding.html | 6 +++--- app/templates/findings.html | 12 ++++++------ app/templates/home.html | 2 +- app/templates/patterns.html | 4 ++-- app/templates/scan.html | 28 ++++++++++++++-------------- 8 files changed, 40 insertions(+), 37 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5e8b9e8..b1bbf8a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,6 +12,9 @@ RUN apt-get update && \ apt-get clean && \ update-ca-certificates -f +# Avoid issue in libqt5gui5 #73 +RUN strip --remove-section=.note.ABI-tag /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 + # Get JADX Tool ENV JADX_VERSION 1.4.5 diff --git a/app/templates/app.html b/app/templates/app.html index 0a26c2e..857fce1 100755 --- a/app/templates/app.html +++ b/app/templates/app.html @@ -63,7 +63,7 @@
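Review bot: The new `RUN strip --remove-section=.note.ABI-tag …/libQt5Core.so.5` line rewrites a dpkg-managed shared object in place, so the installed library no longer matches its package and any later `apt-get install`/upgrade touching that package silently reinstalls the unstripped file and brings #73 back. The comment names only the symptom; record the cause and the retirement condition so the workaround is not forgotten, e.g. `# Workaround for #73: drop the kernel-version ABI note so the loader accepts libQt5Core on older hosts; remove once the base image/Qt is updated` (the ABI-note/kernel-check explanation is my inference from the section name, worth confirming against the issue). The hard-coded x86_64 path will also fail the build on any other architecture, so guard it with `[ -f <path> ] && strip …` if multi-arch builds are expected.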
Scans
{% else %} {% fa5_icon 'shield-alt' color='green' %} {{ scan_data.antivirus.malicious }} {% endif %} {% endif %} - {{ scan.findings }} + {{ scan.findings }} {% for severity, number in scan_data.findings.items %} diff --git a/app/templates/export.html b/app/templates/export.html index d0a81f7..a5cba16 100644 --- a/app/templates/export.html +++ b/app/templates/export.html @@ -506,17 +506,17 @@
Findings
{% for finding in findings_ordered|lookup:id %} - + - - + + - + {% if settings.DEFECTDOJO_ENABLED %} {% endif %} @@ -563,9 +563,9 @@
Security Best Practices
{% for finding in best_practices %} {% if finding.type.id == practice.id %} - - - + + + @@ -601,7 +601,7 @@
Files
{% if file.type == 'html' %} {% else %} - + {% endif %} @@ -632,7 +632,7 @@
Strings
- + {% endfor %} diff --git a/app/templates/finding.html b/app/templates/finding.html index 6d431c2..3c0f6f9 100755 --- a/app/templates/finding.html +++ b/app/templates/finding.html @@ -15,11 +15,11 @@ - + - + @@ -55,6 +55,6 @@
{{ finding.id }}{{ finding.id }} {{ finding.get_severity_display }}{{ finding.path }}{{ finding.line_number }}{{ finding.path }}{{ finding.line_number }} {{ finding.line }} {{ finding.get_status_display }}{{ finding.cwe.cwe }} {{ finding.cwe.cwe }} {% if finding.defectdojo_id > 0 %} - {{ finding.defectdojo_id }} {% else %} N/A{% endif %} + {{ finding.defectdojo_id }} {% else %} N/A{% endif %}
{{ finding.id }}{{ finding.path }}{{ finding.line_number }}{{ finding.id }}{{ finding.path }}{{ finding.line_number }} {{ finding.line }}
{{ file.name }}{{ file.name }} {{ file.name }} {{ file.type }}
{{ string.id }} {{ string.type }} {{ string.value }} {{ string.finding.id }}{{ string.finding.id }}
CWE{{ finding.cwe.cwe }} {{ finding.cwe.cwe }}
OWASP TOP 10 Mobile RiskM{{ pattern.default_risk.risk }} M{{ pattern.default_risk.risk }}
Finding
{% if settings.DEFECTDOJO_ENABLED and finding.defectdojo_id > 0 %} -DefectDojo{% fa5_icon 'external-link-alt' %} {% endif %} +DefectDojo{% fa5_icon 'external-link-alt' %} {% endif %} Edit {% endblock %} \ No newline at end of file diff --git a/app/templates/findings.html b/app/templates/findings.html index b6faef9..1640e5d 100755 --- a/app/templates/findings.html +++ b/app/templates/findings.html @@ -57,19 +57,19 @@ {% for finding in findings %} - {{ finding.id }} + {{ finding.id }} {{ finding.name }} {{ finding.get_severity_display }} - {{ finding.path }} - {{ finding.line_number }} + {{ finding.path }} + {{ finding.line_number }} {{ finding.line }} {{ finding.get_status_display }} - {{ finding.cwe.cwe }} - M{{ pattern.default_risk.risk }} + {{ finding.cwe.cwe }} + M{{ pattern.default_risk.risk }} {% if settings.DEFECTDOJO_ENABLED %} {% if finding.defectdojo_id > 0 %} - {{ finding.defectdojo_id }} {% else %} 'N/A'{% endif %} + {{ finding.defectdojo_id }} {% else %} 'N/A'{% endif %} {% endif %} diff --git a/app/templates/home.html b/app/templates/home.html index 1733edb..5fee322 100755 --- a/app/templates/home.html +++ b/app/templates/home.html @@ -67,7 +67,7 @@
Apps
{% else %} {% fa5_icon 'shield-alt' color='green' %} {{ scan_data.antivirus.malicious }} {% endif %} {% endif %} - {{ scan.findings }} + {{ scan.findings }} {% for severity, number in scan_data.findings.items %} diff --git a/app/templates/patterns.html b/app/templates/patterns.html index cfd82b1..169a29a 100755 --- a/app/templates/patterns.html +++ b/app/templates/patterns.html @@ -50,8 +50,8 @@ {% endif %} - - + + {% endfor %} diff --git a/app/templates/scan.html b/app/templates/scan.html index f241f54..bb89e16 100644 --- a/app/templates/scan.html +++ b/app/templates/scan.html @@ -161,7 +161,7 @@
Security info
No {% fa5_icon 'exclamation-circle' color='red' %}{{ pattern.default_cwe.cwe }} M{{ pattern.default_risk.risk }} {{ pattern.default_cwe.cwe }} M{{ pattern.default_risk.risk }}
- + @@ -361,7 +361,7 @@
Certificates
Virus Total Scan
{% if antivirus_scan.link %} - VT Link {% fa5_icon 'external-link-alt' %} {% endif %} + VT Link {% fa5_icon 'external-link-alt' %} {% endif %}
Number of findings{{ scan.findings }}{{ scan.findings }}
By Severity
@@ -532,7 +532,7 @@
Virus Total Scan
Findings
- New Finding + New Finding

Number of findings: {{ scan.findings }}

@@ -614,18 +614,18 @@
Findings
{% for finding in findings_ordered|lookup:id %}
- + - - + + - - + + {% if settings.DEFECTDOJO_ENABLED %} {% endif %} @@ -673,9 +673,9 @@
Security Best Practices
{% for finding in best_practices %} {% if finding.type.id == practice.id %} - - - + + + @@ -711,7 +711,7 @@
Files
{% if file.type == 'html' %} {% else %} - + {% endif %} @@ -742,7 +742,7 @@
Strings
- + {% endfor %} From b1b609c04c926da1a189cdfd8db3574480aaa3b9 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Thu, 2 Feb 2023 21:49:59 +0000 Subject: [PATCH 02/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-3266406 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 06b2c4b..4266687 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -django==3.2.16 +django==3.2.17 psycopg2-binary==2.9.1 django-bootstrap4==3.0.1 django-widget-tweaks==1.4.8 From 4820f6fe649f5e04453ea56276222b2109f53fc1 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 11 Feb 2023 20:59:59 +0000 Subject: [PATCH 03/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-IPYTHON-3318382 --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 4266687..cd55338 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,4 +15,5 @@ Celery==5.2.2 django-filter==2.4.0 sqlalchemy==1.4.23 django-extensions==3.1.3 -setuptools==65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file +setuptools==65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability +ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file From 508ed111f751420e55e62c4fd4e2923904d4b101 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 14 Feb 2023 23:29:47 +0000 Subject: [PATCH 04/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-3319450 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
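Review bot: `ipython>=8.10.0` is a floating lower bound added to a file where every other entry is `==`-pinned, so the resolved version changes from build to build and the Dockerfile's digest-pinned base image no longer yields a reproducible Python layer. Since the goal is to close SNYK-PYTHON-IPYTHON-3318382, pin the version that was actually tested, e.g. `ipython==8.10.0 # transitive; pinned for SNYK-PYTHON-IPYTHON-3318382`, and bump it deliberately. If ipython is only pulled in by django-extensions for the dev shell, it may not belong in the production image at all, which is worth checking.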
diff --git a/requirements.txt b/requirements.txt index 4266687..49819f6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -django==3.2.17 +django==3.2.18 psycopg2-binary==2.9.1 django-bootstrap4==3.0.1 django-widget-tweaks==1.4.8 From d62b6ec470d7d1f57b76d7523e4402da8813a513 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sun, 19 Feb 2023 21:20:24 +0000 Subject: [PATCH 05/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970 --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 4309116..2238a3b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,4 +16,5 @@ django-filter==2.4.0 sqlalchemy==1.4.23 django-extensions==3.1.3 setuptools==65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability -ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file +ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability +numpy>=1.22.2 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file From c7da64befa0af29219f0b20a7dca6745da25b9f2 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sun, 19 Feb 2023 22:47:31 +0000 Subject: [PATCH 06/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970 From 71eb6d5489c3c3c7a27892c61dc777545fe8c50d Mon Sep 17 00:00:00 2001 From: Monica Pastor Date: Tue, 25 Apr 2023 20:21:18 +0200 Subject: [PATCH 07/26] #88 Bug upgrade jadx --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile b/Dockerfile index b1bbf8a..7d063e9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN apt-get update && \ RUN strip --remove-section=.note.ABI-tag /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 # Get JADX Tool -ENV JADX_VERSION 1.4.5 +ENV JADX_VERSION 1.4.7 RUN \ wget "https://github.com/skylot/jadx/releases/download/v$JADX_VERSION/jadx-$JADX_VERSION.zip" && \ From 474af3ba41f383eb6ba9096aa11537ce472d87d3 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 5 May 2023 03:12:33 +0000 Subject: [PATCH 08/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-5496950 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2238a3b..37e033c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -django==3.2.18 +django==3.2.19 psycopg2-binary==2.9.1 django-bootstrap4==3.0.1 django-widget-tweaks==1.4.8 From 3eb3480cdc013e4ca5c04abbe0221862fd9f2ab5 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 23 May 2023 17:33:51 +0000 Subject: [PATCH 09/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 37e033c..0148e16 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,7 +5,7 @@ django-widget-tweaks==1.4.8 django-fontawesome-5==1.0.18 django-getenv==1.3.2 androguard==3.4.0a1 -requests==2.27.1 +requests==2.31.0 pdfkit==0.6.1 uwsgi==2.0.19.1 Pygments==2.10.0 From 1bed76a8f4baa1cc44be9d56fb9bf67a94538784 Mon Sep 17 00:00:00 2001 
From: snyk-bot Date: Sun, 2 Jul 2023 16:04:56 +0000 Subject: [PATCH 10/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PYGMENTS-5750273 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0148e16..5e4b4f8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ androguard==3.4.0a1 requests==2.31.0 pdfkit==0.6.1 uwsgi==2.0.19.1 -Pygments==2.10.0 +Pygments==2.15.0 djangorestframework==3.12.4 drf-yasg==1.20.0 Celery==5.2.2 From 4a61f36707040ca26c1cf5dcd0a0144efed25370 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Mon, 3 Jul 2023 16:05:23 +0000 Subject: [PATCH 11/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-5750790 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0148e16..7abcd12 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -django==3.2.19 +django==3.2.20 psycopg2-binary==2.9.1 django-bootstrap4==3.0.1 django-widget-tweaks==1.4.8 From bbd49fc5d9f29bdae3aeac0df3b7dc11f41600f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Aug 2023 20:14:54 +0000 Subject: [PATCH 12/26] build(deps): bump uwsgi from 2.0.19.1 to 2.0.22 Bumps [uwsgi](https://github.com/unbit/uwsgi-docs) from 2.0.19.1 to 2.0.22. - [Commits](https://github.com/unbit/uwsgi-docs/commits) --- updated-dependencies: - dependency-name: uwsgi dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 8f8f342..1c29ed8 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -7,7 +7,7 @@ django-getenv==1.3.2 androguard==3.4.0a1 requests==2.31.0 pdfkit==0.6.1 -uwsgi==2.0.19.1 +uwsgi==2.0.22 Pygments==2.15.0 djangorestframework==3.12.4 drf-yasg==1.20.0 From 3f77987789c1e233ded5a351cd44e93792ba68b4 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 26 Sep 2023 16:43:07 +0000 Subject: [PATCH 13/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878 --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 1c29ed8..2196662 100644 --- a/requirements.txt +++ b/requirements.txt @@ -17,4 +17,5 @@ sqlalchemy==1.4.23 django-extensions==3.1.3 setuptools==65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability -numpy>=1.22.2 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file +numpy>=1.22.2 # not directly required, pinned by Snyk to avoid a vulnerability +pillow>=10.0.1 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file From e7f3d6959a1f8cd024850e1ef3f713e24c7117de Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Thu, 28 Sep 2023 08:35:58 +0000 Subject: [PATCH 14/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878 From 9d7145d5d91aacc721d7f81d39c594b540892268 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Thu, 5 Oct 2023 15:52:29 +0000 Subject: [PATCH 15/26] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-5932095 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.txt b/requirements.txt index 2196662..0f3b28e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -django==3.2.20 +django==3.2.22 psycopg2-binary==2.9.1 django-bootstrap4==3.0.1 django-widget-tweaks==1.4.8 From 93b187e498fac9e9f73af17a6da941af69593a31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=B3nica=20Pastor?= Date: Thu, 7 Dec 2023 21:50:06 +0100 Subject: [PATCH 16/26] bug: fix #103 server error --- Dockerfile | 3 --- requirements.txt | 12 ++++++------ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7d063e9..d3d2514 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,9 +12,6 @@ RUN apt-get update && \ apt-get clean && \ update-ca-certificates -f -# Avoid issue in libqt5gui5 #73 -RUN strip --remove-section=.note.ABI-tag /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 - # Get JADX Tool ENV JADX_VERSION 1.4.7 diff --git a/requirements.txt b/requirements.txt index 0f3b28e..ea59269 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ -django==3.2.22 -psycopg2-binary==2.9.1 +django==3.2.23 +psycopg2==2.9.3 django-bootstrap4==3.0.1 django-widget-tweaks==1.4.8 django-fontawesome-5==1.0.18 @@ -15,7 +15,7 @@ Celery==5.2.2 django-filter==2.4.0 sqlalchemy==1.4.23 django-extensions==3.1.3 -setuptools==65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability -ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability -numpy>=1.22.2 # not directly required, pinned by Snyk to avoid a vulnerability -pillow>=10.0.1 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file +setuptools==65.5.1 +ipython>=8.10.0 +numpy>=1.22.2 +pillow>=10.0.1 \ No newline at end of file From 26bf5df4da47ab9fb8ed9235f99c093d3008a373 Mon Sep 17 00:00:00 2001 
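Review bot: Switching `psycopg2-binary==2.9.1` to the source package `psycopg2==2.9.3` means pip now compiles against libpq at image build time, and nothing in this commit's Dockerfile hunk adds `libpq-dev` or a compiler; unless they are already installed outside the visible hunk, the build will fail with a missing `pg_config`. The hunk also drops the `# not directly required, pinned by Snyk to avoid a vulnerability` comments from the four transitive pins, which leaves `setuptools`/`ipython`/`numpy`/`pillow` looking like stray direct dependencies that a later cleanup could remove and reopen the advisories. Keep a short rationale on each, e.g. `pillow>=10.0.1  # transitive; pinned for SNYK-PYTHON-PILLOW-5918878`.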
From: =?UTF-8?q?M=C3=B3nica=20Pastor?= Date: Sat, 16 Dec 2023 18:58:06 +0100 Subject: [PATCH 17/26] chore: add rabbitmq logs file to avoid permission issues --- .gitignore | 2 +- rabbitmq/logs/.gitkeep | 0 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 rabbitmq/logs/.gitkeep diff --git a/.gitignore b/.gitignore index 2bb372a..b2083b0 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,7 @@ .env .vscode app/logs/* -rabbitmq/logs/* +rabbitmq/logs/*.log nginx/logs/* app/media/* *.sqlite3 diff --git a/rabbitmq/logs/.gitkeep b/rabbitmq/logs/.gitkeep new file mode 100644 index 0000000..e69de29 From 73962e1e279d6ce5cf0a899f6600d3ab289ddb3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=B3nica=20Pastor?= Date: Sat, 9 Mar 2024 18:20:25 +0100 Subject: [PATCH 18/26] chore: upgrade to django 4 and bump dependencies/containers --- .env.example | 1 + .github/workflows/anchore-analysis.yml | 28 -------- .github/workflows/semgrep.yml | 21 ++---- .github/workflows/shiftleft-analysis.yml | 26 -------- .github/workflows/trivy-analysis.yml | 30 --------- Dockerfile | 6 +- app/config/settings.py | 4 +- app/config/urls.py | 10 ++- docker-compose.prod.yaml | 6 +- docker-compose.yaml | 6 +- requirements.txt | 85 +++++++++++++++++++----- 11 files changed, 89 insertions(+), 134 deletions(-) delete mode 100644 .github/workflows/anchore-analysis.yml delete mode 100644 .github/workflows/shiftleft-analysis.yml delete mode 100644 .github/workflows/trivy-analysis.yml diff --git a/.env.example b/.env.example index c7bf02c..8d10c16 100644 --- a/.env.example +++ b/.env.example @@ -1,6 +1,7 @@ SECRET_KEY='akj)aa@2rp+$duf_m$)4!@cc#()h@q(ag0f=h8#1@dlpdouni5' DEBUG=0 DJANGO_ALLOWED_HOSTS=['web','app','localhost','127.0.0.1'] +CSRF_TRUSTED_ORIGINS=['http://localhost','http://localhost:8888','http://127.0.0.1:8888'] ENV=PROD SQL_ENGINE=django.db.backends.postgresql SQL_DATABASE=postgres 
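Review bot: Narrowing `rabbitmq/logs/*` to `rabbitmq/logs/*.log` means anything RabbitMQ writes there that is not literally `*.log` (rotated files such as `rabbit@host.log.1` or `.log.gz`, `erl_crash.dump`, upgrade logs) is no longer ignored and can end up committed, and broker logs carry node names, hostnames and client connection details. If the only goal is to keep the directory present for the bind mount, keep the wildcard and whitelist the placeholder instead: `rabbitmq/logs/*` followed by `!rabbitmq/logs/.gitkeep`.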
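Review bot: The added `CSRF_TRUSTED_ORIGINS` lists only `http://` origins, but the production compose file in this same commit serves nginx on 443, so a browser POST via `https://<host>` carries an `Origin` that is not trusted and Django 4 rejects it with a 403; the example should include the https origin the deployment actually uses, e.g. `CSRF_TRUSTED_ORIGINS=['https://localhost','http://localhost:8888','http://127.0.0.1:8888']`. Separately, the context line above still ships a concrete `SECRET_KEY`, and both compose files load `./.env.example` directly via `env_file`, so anyone who runs the stack without creating a real `.env` signs sessions with a key that is public in the repository. A placeholder such as `SECRET_KEY=CHANGE_ME` plus a startup check that refuses it would make that failure loud instead of silent.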
diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml deleted file mode 100644 index c17e637..0000000 --- a/.github/workflows/anchore-analysis.yml +++ /dev/null @@ -1,28 +0,0 @@ -# This workflow checks out code, builds an image, performs a container image -# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security -# code scanning feature. For more information on the Anchore scan action usage -# and parameters, see https://github.com/anchore/scan-action. For more -# information on Anchore's container image scanning tool Grype, see -# https://github.com/anchore/grype -name: Anchore Container Scan -on: push -jobs: - Anchore-Build-Scan: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v2 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag mpast/mobile_audit:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@main - id: scan - with: - image: "mpast/mobile_audit:latest" - acs-report-enable: true - - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: ${{ steps.scan.outputs.sarif }} - - name: Inspect action SARIF report - run: cat ${{ steps.scan.outputs.sarif }} diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index f68aa09..77954d2 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -2,33 +2,26 @@ name: Semgrep on: pull_request_target: {} + workflow_dispatch: {} push: - branches: ["main"] - # Schedule the CI job (this method uses cron syntax): - schedule: - - cron: '0 0 1 * *' # Sets Semgrep to scan every month - + branches: ["master", "main"] jobs: semgrep: - name: Scan + name: semgrep/ci runs-on: ubuntu-latest container: - image: returntocorp/semgrep + image: semgrep/semgrep - # Skip any PR created by dependabot to avoid permission issues: if: (github.actor != 'dependabot[bot]') - steps: - # Fetch project source with GitHub Actions Checkout. - uses: actions/checkout@v3 - # Run the "semgrep ci" command on the command line of the docker image. - - run: semgrep ci --sarif --output=semgrep.sarif + - run: semgrep ci --sarif > semgrep.sarif env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - # Upload the results to Github Advanced Security + - name: Upload SARIF file for GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif - if: always() + if: always() \ No newline at end of file diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml deleted file mode 100644 index a95371c..0000000 --- a/.github/workflows/shiftleft-analysis.yml +++ /dev/null 
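Review bot: The hunk deletes the monthly `schedule:` trigger, and the same commit removes the Anchore, ShiftLeft and Trivy workflows, so Semgrep is now the only scanner left and it runs only when code is pushed; a new rule or advisory against unchanged code will not surface until someone happens to push. Keep a periodic run, e.g. `schedule: - cron: '0 0 1 * *'` (weekly would be better), alongside the push and PR triggers. The container is referenced as an unpinned `image: semgrep/semgrep` and the upload step as `upload-sarif@v2` by mutable tag, while the rest of this commit pins images by digest; pinning `semgrep/semgrep` to a release tag or digest keeps the scanner's supply chain consistent with the app's. Minor: `semgrep ci --sarif > semgrep.sarif` relies on nothing else being written to stdout, whereas the previous `--output=semgrep.sarif` form did not.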
@@ -1,26 +0,0 @@ -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -# This section configures the trigger for the workflow. Feel free to customize depending on your convention -on: push - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@master - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - - name: Upload report - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: reports diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml deleted file mode 100644 index c24aa47..0000000 --- a/.github/workflows/trivy-analysis.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: build -on: - push: - branches: [ main ] - pull_request: -jobs: - build: - name: Build - runs-on: "ubuntu-18.04" - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Build an image from Dockerfile - run: | - docker build -t mpast/mobile_audit:latest . - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'mpast/mobile_audit:latest' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: 'trivy-results.sarif' diff --git a/Dockerfile b/Dockerfile index d3d2514..a1d754c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,14 +1,10 @@ -FROM python:3.9.16-buster@sha256:5e28891402c02291f65c6652a8abddedcb5af15933e923c07c2670f836243833 +FROM python:3.10-bullseye@sha256:02c7cb92b8f23908de6457f7800c93b84ed8c6e7201da7935443d4c5eca7b381 # Update and package installation RUN apt-get update && \ apt-get clean && \ apt-get install -y ca-certificates-java --no-install-recommends && \ - apt-get clean - -RUN apt-get update && \ apt-get install -y openjdk-11-jdk p11-kit wkhtmltopdf libqt5gui5 && \ - apt-get install -y && \ apt-get clean && \ update-ca-certificates -f diff --git a/app/config/settings.py b/app/config/settings.py index 896f4d1..e056e0c 100755 --- a/app/config/settings.py +++ b/app/config/settings.py @@ -1,5 +1,4 @@ import os -import logging from getenv import env BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) @@ -65,6 +64,7 @@ DEBUG = int(env("DEBUG", 0)) ALLOWED_HOSTS = tuple(env("DJANGO_ALLOWED_HOSTS", ['web','app','localhost','127.0.0.1'])) +CSRF_TRUSTED_ORIGINS=tuple(env("CSRF_TRUSTED_ORIGINS", ['http://web','http://app','http://localhost','http://127.0.0.1'])) # Database # https://docs.djangoproject.com/en/3.0/ref/settings/#databases @@ -140,8 +140,6 @@ LANGUAGE_CODE = 'en-us' -TIME_ZONE = 'UTC' - USE_I18N = True USE_L10N = True diff --git a/app/config/urls.py b/app/config/urls.py index 64d5091..1e46002 100755 --- a/app/config/urls.py +++ b/app/config/urls.py @@ -1,10 +1,8 @@ from django.contrib import admin -from django.urls import path, include +from django.urls import path, include, re_path from app import views, api -from django.conf.urls import url from rest_framework import routers from rest_framework.authtoken.views import obtain_auth_token -from rest_framework import permissions from drf_yasg.views import get_schema_view from drf_yasg import openapi from app.worker.tasks import scan_state 
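Review bot: The merged `apt-get install -y openjdk-11-jdk p11-kit wkhtmltopdf libqt5gui5` still runs without `--no-install-recommends` (only the ca-certificates-java line has it) and the layer never removes `/var/lib/apt/lists/*`, so the image carries the full JDK plus recommended packages and stale apt indexes. If jadx is the only Java consumer, `openjdk-11-jre-headless` appears sufficient and is noticeably smaller; append `--no-install-recommends` to that install and `rm -rf /var/lib/apt/lists/*` after the final `apt-get clean`. The `apt-get clean` that now runs before the first install does nothing useful there and reads as a leftover from the merge. The RUN command's remainder is outside the hunk.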
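Review bot: Removing `TIME_ZONE = 'UTC'` does not leave the project on UTC, because Django's global default for `TIME_ZONE` is `'America/Chicago'`, so every datetime rendered in reports, exports and logs will silently shift unless the setting is defined elsewhere in the file, which this hunk does not show. Restore the explicit line: `TIME_ZONE = 'UTC'`. The new `CSRF_TRUSTED_ORIGINS` default lists only `http://` schemes; since the production compose in this commit exposes nginx on 443, an `https://` origin (or the env override) is required for POSTs to pass Django 4's origin check, which deserves a comment next to the line, e.g. `# Must include the scheme+host browsers actually use (https in prod), or POSTs fail with 403`. The `https://docs.djangoproject.com/en/3.0/` reference in the context line is now stale for Django 4.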
@@ -58,8 +56,8 @@ path('api/v1/auth-token/', obtain_auth_token, name='api_token_auth'), path('api/v1/', include(router.urls)), path('scan_state/', scan_state, name="scan_state"), - url(r'^swagger(?P\.json|\.yaml)$', schema_view.without_ui(cache_timeout=0), name='schema-json'), - url(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'), - url(r'^redoc/$', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'), + re_path(r'^swagger(?P\.json|\.yaml)$', schema_view.without_ui(cache_timeout=0), name='schema-json'), + re_path(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'), + re_path(r'^redoc/$', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'), ] \ No newline at end of file diff --git a/docker-compose.prod.yaml b/docker-compose.prod.yaml index dcfd377..cb9bf5a 100644 --- a/docker-compose.prod.yaml +++ b/docker-compose.prod.yaml @@ -1,7 +1,7 @@ version: '3.8' services: db: - image: postgres:15.1-alpine@sha256:07c3361c9e8e1d734dfc51e239327b11d25196347be630fbdc556ca41f219184 + image: postgres:16-bullseye@sha256:7174d2a352ad138906e3dc4a28a5d11b5a158180e9bff80beed8c8cc346f874c env_file: - ./.env.example environment: @@ -28,7 +28,7 @@ services: - db restart: on-failure nginx: - image: nginx:1.23.3-alpine@sha256:dd8a054d7ef030e94a6449783605d6c306c1f69c10c2fa06b66a030e0d1db793 + image: nginx:stable-bullseye@sha256:ee187e563496b690edaab157f89db924cd35fab42631309f4d62957baecf7d6c ports: - "443:443" volumes: @@ -40,7 +40,7 @@ services: - web restart: on-failure rabbitmq: - image: rabbitmq:3.11.5-management-alpine@sha256:826a39d68330e7c380f527d0ac31e87999ade0afa6747e688c9d56989319a2c2 + image: rabbitmq:3.13.0-management@sha256:ba406c7daaef53b59c92a13db37a27d0425579a40c59266d10022a40a8ba7242 env_file: - ./.env.example environment: diff --git a/docker-compose.yaml b/docker-compose.yaml index feaaa0c..7d49fcb 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -1,7 +1,7 @@ version: '3.8' services: db: - image: postgres:15.1-alpine@sha256:07c3361c9e8e1d734dfc51e239327b11d25196347be630fbdc556ca41f219184 + image: postgres:16-bullseye@sha256:7174d2a352ad138906e3dc4a28a5d11b5a158180e9bff80beed8c8cc346f874c env_file: - ./.env.example environment: @@ -28,7 +28,7 @@ services: - db restart: on-failure nginx: - image: nginx:1.23.3-alpine@sha256:dd8a054d7ef030e94a6449783605d6c306c1f69c10c2fa06b66a030e0d1db793 + image: nginx:stable-bullseye@sha256:ee187e563496b690edaab157f89db924cd35fab42631309f4d62957baecf7d6c ports: - "8888:8888" volumes: @@ -39,7 +39,7 @@ services: - web restart: on-failure rabbitmq: - image: rabbitmq:3.11.5-management-alpine@sha256:826a39d68330e7c380f527d0ac31e87999ade0afa6747e688c9d56989319a2c2 + image: rabbitmq:3.13.0-management@sha256:ba406c7daaef53b59c92a13db37a27d0425579a40c59266d10022a40a8ba7242 env_file: - ./.env.example environment: diff --git a/requirements.txt b/requirements.txt index ea59269..a95e205 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,21 +1,74 @@
-django==3.2.23
-psycopg2==2.9.3
+amqp==5.2.0
+androguard==3.4.0a1
+asgiref==3.7.2
+asn1crypto==1.5.1
+asttokens==2.4.1
+beautifulsoup4==4.12.3
+billiard==3.6.4.0
+celery==5.2.2
+certifi==2024.2.2
+charset-normalizer==3.3.2
+click==8.1.7
+click-didyoumean==0.3.0
+click-plugins==1.1.1
+click-repl==0.3.0
+colorama==0.4.6
+contourpy==1.2.0
+coreapi==2.3.3
+coreschema==0.0.4
+cycler==0.12.1
+decorator==5.1.1
+Django==4.1.0
 django-bootstrap4==3.0.1
-django-widget-tweaks==1.4.8
+django-extensions==3.1.3
+django-filter==2.4.0
 django-fontawesome-5==1.0.18
 django-getenv==1.3.2
-androguard==3.4.0a1
-requests==2.31.0
-pdfkit==0.6.1
-uwsgi==2.0.22
-Pygments==2.15.0
+django-widget-tweaks==1.4.8
 djangorestframework==3.12.4
 drf-yasg==1.20.0
-Celery==5.2.2
-django-filter==2.4.0
-sqlalchemy==1.4.23
-django-extensions==3.1.3
-setuptools==65.5.1
-ipython>=8.10.0
-numpy>=1.22.2
-pillow>=10.0.1
\ No newline at end of file
+executing==2.0.1
+fonttools==4.49.0
+idna==3.6
+inflection==0.5.1
+ipython==8.22.2
+itypes==1.2.0
+jedi==0.19.1
+Jinja2==3.1.3
+kiwisolver==1.4.5
+kombu==5.3.5
+lxml==5.1.0
+MarkupSafe==2.1.5
+matplotlib==3.8.3
+matplotlib-inline==0.1.6
+networkx==3.2.1
+numpy==1.26.4
+packaging==23.2
+parso==0.8.3
+pdfkit==0.6.1
+pexpect==4.9.0
+pillow==10.2.0
+prompt-toolkit==3.0.43
+psycopg2-binary==2.9.9
+psycopg2==2.9.9
+ptyprocess==0.7.0
+pure-eval==0.2.2
+pydot==2.0.0
+Pygments==2.15.0
+pyparsing==3.1.2
+python-dateutil==2.9.0.post0
+pytz==2024.1
+requests==2.31.0
+ruamel.yaml==0.18.6
+ruamel.yaml.clib==0.2.8
+six==1.16.0
+soupsieve==2.5
+SQLAlchemy==1.4.23
+sqlparse==0.4.4
+stack-data==0.6.3
+traitlets==5.14.1
+uritemplate==4.1.1
+urllib3==2.2.1
+uWSGI==2.0.22
+vine==5.1.0
+wcwidth==0.2.13
\ No newline at end of file
From 77e1b14ebe86f8395802a152bfb8207ec0f41202 Mon Sep 17 00:00:00 2001
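Review bot: `Django==4.1.0` on the new side pins the very first release of a series that received a string of security patch releases after it (a later commit in this series already has to move it to `4.1.13`), and 4.1 is past end of extended support, so a regenerated pin set should start from the latest 4.1.x or the 4.2 LTS rather than `.0`. Both `psycopg2==2.9.9` and `psycopg2-binary==2.9.9` are pinned; only one driver is needed, and psycopg's own docs advise against the `-binary` wheel in production, so drop `psycopg2-binary==2.9.9`. The rewrite also silently drops `setuptools==65.5.1`, which presumably was a vulnerability floor; keep it unless the reason is known to be gone. Finally, interactive tooling such as `ipython==8.22.2`, `jedi`, `parso`, `pexpect` and `django-extensions` now ships in the runtime image; a separate `requirements-dev.txt` would keep it out of production.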
From: =?UTF-8?q?M=C3=B3nica=20Pastor?=
Date: Sat, 9 Mar 2024 18:29:51 +0100
Subject: [PATCH 19/26] chore: upgrade dependencies to avoid vulnerabilities
---
 requirements.txt | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index a95e205..19afafb 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,7 +18,7 @@ coreapi==2.3.3
 coreschema==0.0.4
 cycler==0.12.1
 decorator==5.1.1
-Django==4.1.0
+Django==4.1.6
 django-bootstrap4==3.0.1
 django-extensions==3.1.3
 django-filter==2.4.0
@@ -71,4 +71,5 @@ uritemplate==4.1.1
 urllib3==2.2.1
 uWSGI==2.0.22
 vine==5.1.0
-wcwidth==0.2.13
\ No newline at end of file
+wcwidth==0.2.13
+setuptools==65.5.1
\ No newline at end of file
From 1ed8259e1e3dae8a12f9def631d5f3ed349c9f3d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 9 Mar 2024 17:33:59 +0000
Subject: [PATCH 20/26] build(deps): bump django from 4.1.6 to 4.1.13
Bumps [django](https://github.com/django/django) from 4.1.6 to 4.1.13.
- [Commits](https://github.com/django/django/compare/4.1.6...4.1.13)
---
updated-dependencies:
- dependency-name: django
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 19afafb..e4b2166 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,7 +18,7 @@ coreapi==2.3.3
 coreschema==0.0.4
 cycler==0.12.1
 decorator==5.1.1
-Django==4.1.6
+Django==4.1.13
 django-bootstrap4==3.0.1
 django-extensions==3.1.3
 django-filter==2.4.0
From 5d80194ac0e24c449b8d693ccda425e92cc70a03 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 3 Apr 2024 16:43:58 +0000
Subject: [PATCH 21/26] build(deps): bump pillow from 10.2.0 to 10.3.0
Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](https://github.com/python-pillow/Pillow/compare/10.2.0...10.3.0)
---
updated-dependencies:
- dependency-name: pillow
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index e4b2166..74a169b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -47,7 +47,7 @@ packaging==23.2
 parso==0.8.3
 pdfkit==0.6.1
 pexpect==4.9.0
-pillow==10.2.0
+pillow==10.3.0
 prompt-toolkit==3.0.43
 psycopg2-binary==2.9.9
 psycopg2==2.9.9
From de174a51c49c4e8efd4a69950b48aa8a364a5f1d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 12 Apr 2024 04:52:42 +0000
Subject: [PATCH 22/26] build(deps): bump idna from 3.6 to 3.7
Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7)
---
updated-dependencies:
- dependency-name: idna
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index e4b2166..0a40cdc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,7 +29,7 @@ djangorestframework==3.12.4
 drf-yasg==1.20.0
 executing==2.0.1
 fonttools==4.49.0
-idna==3.6
+idna==3.7
 inflection==0.5.1
 ipython==8.22.2
 itypes==1.2.0
From 99230536c9d83fc1f5e35dfb8ce922eae41bdb96 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Wed, 17 Apr 2024 04:31:18 +0000
Subject: [PATCH 23/26] fix: requirements.txt to reduce vulnerabilities
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index e4b2166..e150c88 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -64,7 +64,7 @@ ruamel.yaml.clib==0.2.8
 six==1.16.0
 soupsieve==2.5
 SQLAlchemy==1.4.23
-sqlparse==0.4.4
+sqlparse==0.5.0
 stack-data==0.6.3
 traitlets==5.14.1
 uritemplate==4.1.1
From 771d93b747d1d3458cc63572601cee2335ff5d13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=B3nica=20Pastor?=
Date: Wed, 17 Apr 2024 13:26:16 +0200
Subject: [PATCH 24/26] Update semgrep.yml
---
 .github/workflows/semgrep.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 77954d2..54c0b69 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -5,6 +5,9 @@ on:
 workflow_dispatch: {}
 push:
 branches: ["master", "main"]
+ schedule:
+ - cron: '30 15 */15 * *' # Sets Semgrep to scan every 15 days.
+
 jobs:
 semgrep:
 name: semgrep/ci
@@ -15,7 +18,7 @@ jobs:
 if: (github.actor != 'dependabot[bot]')
 steps:
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - run: semgrep ci --sarif > semgrep.sarif
 env:
 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
@@ -24,4 +27,8 @@ jobs:
 uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: semgrep.sarif
- if: always()
\ No newline at end of file
+ if: always()
+
+
+
+
From a792bd228a4d8a1c6e1b58777557feadeef79ea0 Mon Sep 17 00:00:00 2001
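Review bot: `actions/checkout@v4` and `github/codeql-action/upload-sarif@v2` on the new side are referenced by mutable major-version tags; for a workflow that handles `SEMGREP_APP_TOKEN` and writes to code scanning, pinning each action to a full commit SHA with the tag in a trailing comment (`- uses: actions/checkout@<sha> # v4`) is the usual hardening, and the checkout bump here is the natural place to do it. The job's `permissions:` block is outside the hunk, so confirm it limits the `GITHUB_TOKEN` to `contents: read` and `security-events: write` (what upload-sarif needs) rather than the default grant. The four blank `+` lines appended after `if: always()` in the last hunk are noise and should be dropped.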
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 6 May 2024 21:20:10 +0000
Subject: [PATCH 25/26] build(deps): bump jinja2 from 3.1.3 to 3.1.4
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4)
---
updated-dependencies:
- dependency-name: jinja2
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 576a17f..876d725 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -34,7 +34,7 @@ inflection==0.5.1
 ipython==8.22.2
 itypes==1.2.0
 jedi==0.19.1
-Jinja2==3.1.3
+Jinja2==3.1.4
 kiwisolver==1.4.5
 kombu==5.3.5
 lxml==5.1.0
From f66564dfe03bdd0acf23b92609f624134d9c6e29 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 May 2024 05:34:18 +0000
Subject: [PATCH 26/26]
---
updated-dependencies:
- dependency-name: requests
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 576a17f..4f43445 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -58,7 +58,7 @@ Pygments==2.15.0
 pyparsing==3.1.2
 python-dateutil==2.9.0.post0
 pytz==2024.1
-requests==2.31.0
+requests==2.32.0
 ruamel.yaml==0.18.6
 ruamel.yaml.clib==0.2.8
 six==1.16.0
{{ finding.id }}{{ finding.id }} {{ finding.get_severity_display }}{{ finding.path }}{{ finding.line_number }}{{ finding.path }}{{ finding.line_number }} {{ finding.line }} {{ finding.get_status_display }}{{ finding.cwe.cwe }} M{{ pattern.default_risk.risk }} {{ finding.cwe.cwe }} M{{ pattern.default_risk.risk }} {% if finding.defectdojo_id > 0 %} - {{ finding.defectdojo_id }} {% else %} N/A{% endif %} + {{ finding.defectdojo_id }} {% else %} N/A{% endif %}
{{ finding.id }}{{ finding.path }}{{ finding.line_number }}{{ finding.id }}{{ finding.path }}{{ finding.line_number }} {{ finding.line }}
{{ file.name }}{{ file.name }} {{ file.name }} {{ file.type }}
{{ string.id }} {{ string.type }} {{ string.value }} {{ string.finding.id }}{{ string.finding.id }}