mpast · mpast · May 21, 2024 · Jan 2, 2023 · Jan 2, 2023 · Feb 2, 2023
diff --git a/.env.example b/.env.example
@@ -1,6 +1,7 @@
 SECRET_KEY='akj)aa@2rp+$duf_m$)4!@cc#()h@q(ag0f=h8#1@dlpdouni5'
 DEBUG=0
 DJANGO_ALLOWED_HOSTS=['web','app','localhost','127.0.0.1']
+CSRF_TRUSTED_ORIGINS=['http://localhost','http://localhost:8888','http://127.0.0.1:8888']
 ENV=PROD
 SQL_ENGINE=django.db.backends.postgresql
 SQL_DATABASE=postgres

diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -2,33 +2,33 @@ name: Semgrep
 
 on:
   pull_request_target: {}
+  workflow_dispatch: {}
   push:
-    branches: ["main"]
-  # Schedule the CI job (this method uses cron syntax):
+    branches: ["master", "main"]
   schedule:
-    - cron: '0 0 1 * *' # Sets Semgrep to scan every month
+    - cron: '30 15 */15 * *' # Sets Semgrep to scan every 15 days.
 
 jobs:
   semgrep:
-    name: Scan
+    name: semgrep/ci 
     runs-on: ubuntu-latest
 
     container:
-      image: returntocorp/semgrep
+      image: semgrep/semgrep
 
-    # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
-
     steps:
-      # Fetch project source with GitHub Actions Checkout.
-      - uses: actions/checkout@v3
-      # Run the "semgrep ci" command on the command line of the docker image.
-      - run: semgrep ci --sarif --output=semgrep.sarif
+      - uses: actions/checkout@v4
+      - run: semgrep ci --sarif > semgrep.sarif
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-      # Upload the results to Github Advanced Security
+
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: semgrep.sarif
         if: always()
+
+
+
+
diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
diff --git a/.gitignore b/.gitignore
@@ -2,7 +2,7 @@
 .env
 .vscode
 app/logs/*
-rabbitmq/logs/*
+rabbitmq/logs/*.log
 nginx/logs/*
 app/media/*
 *.sqlite3

diff --git a/Dockerfile b/Dockerfile
@@ -1,19 +1,15 @@
-FROM python:3.9.16-buster@sha256:5e28891402c02291f65c6652a8abddedcb5af15933e923c07c2670f836243833
+FROM python:3.10-bullseye@sha256:02c7cb92b8f23908de6457f7800c93b84ed8c6e7201da7935443d4c5eca7b381
 
 # Update and package installation
 RUN apt-get update && \
 	apt-get clean && \
 	apt-get install -y ca-certificates-java --no-install-recommends && \
-	apt-get clean
-
-RUN apt-get update && \
 	apt-get install -y openjdk-11-jdk p11-kit wkhtmltopdf libqt5gui5 && \
-	apt-get install -y  && \
 	apt-get clean && \
 	update-ca-certificates -f
 
 # Get JADX Tool
-ENV JADX_VERSION 1.4.5
+ENV JADX_VERSION 1.4.7
 
 RUN \
     wget "https://github.com/skylot/jadx/releases/download/v$JADX_VERSION/jadx-$JADX_VERSION.zip" && \

diff --git a/app/config/settings.py b/app/config/settings.py
@@ -1,5 +1,4 @@
 import os
-import logging
 from getenv import env
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -65,6 +64,7 @@
 DEBUG = int(env("DEBUG", 0))
 
 ALLOWED_HOSTS = tuple(env("DJANGO_ALLOWED_HOSTS", ['web','app','localhost','127.0.0.1']))
+CSRF_TRUSTED_ORIGINS=tuple(env("CSRF_TRUSTED_ORIGINS", ['http://web','http://app','http://localhost','http://127.0.0.1']))
 
 # Database
 # https://docs.djangoproject.com/en/3.0/ref/settings/#databases
@@ -140,8 +140,6 @@
 
 LANGUAGE_CODE = 'en-us'
 
-TIME_ZONE = 'UTC'
-
 USE_I18N = True
 
 USE_L10N = True

diff --git a/app/config/urls.py b/app/config/urls.py
@@ -1,10 +1,8 @@
 from django.contrib import admin
-from django.urls import path, include
+from django.urls import path, include, re_path
 from app import views, api
-from django.conf.urls import url
 from rest_framework import routers
 from rest_framework.authtoken.views import obtain_auth_token
-from rest_framework import permissions
 from drf_yasg.views import get_schema_view
 from drf_yasg import openapi
 from app.worker.tasks import scan_state
@@ -58,8 +56,8 @@
     path('api/v1/auth-token/', obtain_auth_token, name='api_token_auth'),
     path('api/v1/', include(router.urls)),
     path('scan_state/<int:id>', scan_state, name="scan_state"),
-    url(r'^swagger(?P<format>\.json|\.yaml)$', schema_view.without_ui(cache_timeout=0), name='schema-json'),
-    url(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'),
-    url(r'^redoc/$', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'),
+    re_path(r'^swagger(?P<format>\.json|\.yaml)$', schema_view.without_ui(cache_timeout=0), name='schema-json'),
+    re_path(r'^swagger/$', schema_view.with_ui('swagger', cache_timeout=0), name='schema-swagger-ui'),
+    re_path(r'^redoc/$', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'),
 
 ]
diff --git a/app/templates/app.html b/app/templates/app.html
@@ -63,7 +63,7 @@ <h5>Scans</h5>
             {% else %}
             <td> {% fa5_icon 'shield-alt' color='green' %} {{ scan_data.antivirus.malicious }}</td>
             {% endif %} {% endif %}
-            <td><a href="{% url 'findings' scan_id=scan.id %}" target="_blank">{{ scan.findings }}</a></td>
+            <td><a href="{% url 'findings' scan_id=scan.id %}" target="_blank" rel="noopener noreferrer">{{ scan.findings }}</a></td>
             <td>
                 <table class="table table-borderless">
                     {% for severity, number in scan_data.findings.items %}

diff --git a/app/templates/export.html b/app/templates/export.html
@@ -506,17 +506,17 @@
                                 <tbody>
                                     {% for finding in findings_ordered|lookup:id %}
                                     <tr>
-                                        <td><a href="{% url 'finding' id=finding.id %}" target="_blank">{{ finding.id }}</a></td>
+                                        <td><a href="{% url 'finding' id=finding.id %}" target="_blank" rel="noopener noreferrer">{{ finding.id }}</a></td>
                                         <td>{{ finding.get_severity_display }}</td>
-                                        <td><a href="{% url 'finding_view_file' id=finding.id %}" target="_blank">{{ finding.path }}</a></td>
-                                        <td><a href="{% url 'finding_view_file' id=finding.id %}#finding" target="_blank">{{ finding.line_number }}</a></td>
+                                        <td><a href="{% url 'finding_view_file' id=finding.id %}" target="_blank" rel="noopener noreferrer">{{ finding.path }}</a></td>
+                                        <td><a href="{% url 'finding_view_file' id=finding.id %}#finding" target="_blank" rel="noopener noreferrer">{{ finding.line_number }}</a></td>
                                         <td>{{ finding.line }}</td>
                                         <td>{{ finding.get_status_display }}</td>
-                                        <td><a href="{{ settings.CWE_URL }}{{ finding.cwe.cwe }}.html" target="_blank">{{ finding.cwe.cwe }} </a></td>
+                                        <td><a href="{{ settings.CWE_URL }}{{ finding.cwe.cwe }}.html" target="_blank" rel="noopener noreferrer">{{ finding.cwe.cwe }} </a></td>
                                         {% if settings.DEFECTDOJO_ENABLED %}
                                         <td>
                                             {% if finding.defectdojo_id > 0 %}
-                                            <a href="{{ settings.DEFECTDOJO_URL }}{{ finding.defectdojo_id }}" target="_blank">{{ finding.defectdojo_id }}</a> {% else %} <span>N/A</span>{% endif %}
+                                            <a href="{{ settings.DEFECTDOJO_URL }}{{ finding.defectdojo_id }}" target="_blank" rel="noopener noreferrer">{{ finding.defectdojo_id }}</a> {% else %} <span>N/A</span>{% endif %}
                                         </td>
                                         {% endif %}
                                     </tr>
@@ -563,9 +563,9 @@
                             <tbody>
                                 {% for finding in best_practices %} {% if finding.type.id == practice.id %}
                                 <tr>
-                                    <td><a href="{% url 'finding' id=finding.id %}" target="_blank">{{ finding.id }}</a></td>
-                                    <td><a href="{% url 'finding_view_file' id=finding.id %}" target="_blank">{{ finding.path }}</a></td>
-                                    <td><a href="{% url 'finding_view_file' id=finding.id %}#finding" target="_blank">{{ finding.line_number }}</a></td>
+                                    <td><a href="{% url 'finding' id=finding.id %}" target="_blank" rel="noopener noreferrer">{{ finding.id }}</a></td>
+                                    <td><a href="{% url 'finding_view_file' id=finding.id %}" target="_blank" rel="noopener noreferrer">{{ finding.path }}</a></td>
+                                    <td><a href="{% url 'finding_view_file' id=finding.id %}#finding" target="_blank" rel="noopener noreferrer">{{ finding.line_number }}</a></td>
                                     <td>{{ finding.line }}
                                     </td>
                                 </tr>
@@ -601,7 +601,7 @@
                     {% if file.type == 'html' %}
                     <td>{{ file.name }}</td>
                     {% else %}
-                    <td><a href="{% url 'view_file' id=file.id %}" target="_blank">{{ file.name }} </a></td>
+                    <td><a href="{% url 'view_file' id=file.id %}" target="_blank" rel="noopener noreferrer">{{ file.name }} </a></td>
                     {% endif %}
                     <td>{{ file.type }} </td>
                 </tr>
@@ -632,7 +632,7 @@
                     <td>{{ string.id }}</td>
                     <td>{{ string.type }} </td>
                     <td>{{ string.value }} </td>
-                    <td><a href="{% url 'finding' id=string.finding.id %}" target="_blank">{{ string.finding.id }}</a></td>
+                    <td><a href="{% url 'finding' id=string.finding.id %}" target="_blank" rel="noopener noreferrer">{{ string.finding.id }}</a></td>
                 </tr>
                 {% endfor %}
             </tbody>

diff --git a/app/templates/finding.html b/app/templates/finding.html
@@ -15,11 +15,11 @@
     </tr>
     <tr>
         <th>CWE</th>
-        <td><a class="link" href="{{ settings.CWE_URL }}{{finding.cwe.cwe}}.html" target="_blank">{{ finding.cwe.cwe }} </a></td>
+        <td><a class="link" href="{{ settings.CWE_URL }}{{finding.cwe.cwe}}.html" target="_blank" rel="noopener noreferrer">{{ finding.cwe.cwe }} </a></td>
     </tr>
     <tr>
         <th>OWASP TOP 10 Mobile Risk</th>
-        <td><a class="link" href="{{ pattern.default_risk.reference }}" target="_blank">M{{ pattern.default_risk.risk }} </a></td>
+        <td><a class="link" href="{{ pattern.default_risk.reference }}" target="_blank" rel="noopener noreferrer">M{{ pattern.default_risk.risk }} </a></td>
     </tr>
     <tr>
         <th>Finding</th>
@@ -55,6 +55,6 @@
     </tr>
 </table>
 {% if settings.DEFECTDOJO_ENABLED and finding.defectdojo_id > 0 %}
-<a href="{{ settings.DEFECTDOJO_URL }}{{ finding.defectdojo_id }}" target="_blank" class="btn btn-outline-dark">DefectDojo{% fa5_icon 'external-link-alt' %}</a> {% endif %}
+<a href="{{ settings.DEFECTDOJO_URL }}{{ finding.defectdojo_id }}" target="_blank" rel="noopener noreferrer" class="btn btn-outline-dark">DefectDojo{% fa5_icon 'external-link-alt' %}</a> {% endif %}
 
 <a class="btn btn-outline-danger" href="{% url 'edit_finding' id=finding.id %}">Edit</a> {% endblock %}
diff --git a/app/templates/findings.html b/app/templates/findings.html
@@ -57,19 +57,19 @@
             {% for finding in findings %}
             <tr>
                 <td><input id="{{ finding.id }}" class="finding" name="{{ finding.id }}" type="checkbox" /></td>
-                <td><a class="btn btn-outline-success btn-round" href="{% url 'finding' id=finding.id %}" target="_blank">{{ finding.id }}</a></td>
+                <td><a class="btn btn-outline-success btn-round" href="{% url 'finding' id=finding.id %}" target="_blank" rel="noopener noreferrer">{{ finding.id }}</a></td>
                 <td>{{ finding.name }}</td>
                 <td>{{ finding.get_severity_display }}</td>
-                <td><a class="link" href="{% url 'finding_view_file' id=finding.id %}" target="_blank">{{ finding.path }}</a></td>
-                <td><a class="link" href="{% url 'finding_view_file' id=finding.id %}#finding" target="_blank">{{ finding.line_number }}</a></td>
+                <td><a class="link" href="{% url 'finding_view_file' id=finding.id %}" target="_blank" rel="noopener noreferrer">{{ finding.path }}</a></td>
+                <td><a class="link" href="{% url 'finding_view_file' id=finding.id %}#finding" target="_blank" rel="noopener noreferrer">{{ finding.line_number }}</a></td>
                 <td>{{ finding.line }}</td>
                 <td>{{ finding.get_status_display }}</td>
-                <td><a class="link" href="{{ settings.CWE_URL }}{{ finding.cwe.cwe }}.html" target="_blank">{{ finding.cwe.cwe }} </a></td>
-                <td><a class="link" href="{{ pattern.default_risk.reference }}" target="_blank">M{{ pattern.default_risk.risk }} </a></td>
+                <td><a class="link" href="{{ settings.CWE_URL }}{{ finding.cwe.cwe }}.html" target="_blank" rel="noopener noreferrer">{{ finding.cwe.cwe }} </a></td>
+                <td><a class="link" href="{{ pattern.default_risk.reference }}" target="_blank" rel="noopener noreferrer">M{{ pattern.default_risk.risk }} </a></td>
                 {% if settings.DEFECTDOJO_ENABLED %}
                 <td>
                     {% if finding.defectdojo_id > 0 %}
-                    <a href="{{ settings.DEFECTDOJO_URL }}{{ finding.defectdojo_id }}" target="_blank">{{ finding.defectdojo_id }}</a> {% else %} <span>'N/A'</span>{% endif %}
+                    <a href="{{ settings.DEFECTDOJO_URL }}{{ finding.defectdojo_id }}" target="_blank" rel="noopener noreferrer">{{ finding.defectdojo_id }}</a> {% else %} <span>'N/A'</span>{% endif %}
                 </td>
                 {% endif %}
             </tr>

diff --git a/app/templates/home.html b/app/templates/home.html
@@ -67,7 +67,7 @@ <h5>Apps</h5>
                             {% else %}
                             <td> {% fa5_icon 'shield-alt' color='green' %} {{ scan_data.antivirus.malicious }}</td>
                             {% endif %} {% endif %}
-                            <td><a href="{% url 'findings' scan_id=scan.id %}" target="_blank">{{ scan.findings }}</a></td>
+                            <td><a href="{% url 'findings' scan_id=scan.id %}" target="_blank" rel="noopener noreferrer">{{ scan.findings }}</a></td>
                             <td>
                                 <table class="table table-borderless">
                                     {% for severity, number in scan_data.findings.items %}

diff --git a/app/templates/patterns.html b/app/templates/patterns.html
@@ -50,8 +50,8 @@
                 <td>No</td>
                 <td>{% fa5_icon 'exclamation-circle' color='red' %}</td>
                 {% endif %}
-                <td><a class="link" href="https://cwe.mitre.org/data/definitions/{{finding.cwe.cwe}}.html" target="_blank">{{ pattern.default_cwe.cwe }} </a></td>
-                <td><a class="link" href="{{ pattern.default_risk.reference }}" target="_blank">M{{ pattern.default_risk.risk }} </a></td>
+                <td><a class="link" href="https://cwe.mitre.org/data/definitions/{{finding.cwe.cwe}}.html" target="_blank" rel="noopener noreferrer">{{ pattern.default_cwe.cwe }} </a></td>
+                <td><a class="link" href="{{ pattern.default_risk.reference }}" target="_blank" rel="noopener noreferrer">M{{ pattern.default_risk.risk }} </a></td>
             </tr>
             {% endfor %}
         </tbody>