Merge pull request #2452 from MaibornWolff/dev

chore: merge to main for release 1.26.0

.github/workflows/build_push_dev.yml

@@ -5,15 +5,15 @@ on: workflow_dispatch
 permissions: read-all
 
 jobs:
-  docker:
+  docker_backend_dev:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
@@ -28,7 +28,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -38,9 +38,31 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=dev
+
+  docker_frontend_dev:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set current date as env variable
+        run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -50,6 +72,14 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=dev
+
+  sca_dev:
+    runs-on: ubuntu-latest
+    needs: [docker_backend_dev, docker_frontend_dev]
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - 
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main

.github/workflows/build_push_release.yml

@@ -11,7 +11,7 @@ on:
 permissions: read-all
 
 jobs:
-  docker:
+  docker_backend_release:
     runs-on: ubuntu-latest
     steps:
       -
@@ -21,7 +21,7 @@ jobs:
           ref: 'v${{ github.event.inputs.release }}'
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -48,9 +48,33 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=${{ github.event.inputs.release }}
+
+  docker_frontend_release:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set current date as env variable
+        run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -62,6 +86,16 @@ jobs:
             CREATED=${{ env.CREATED }}
             REVISION=${{ github.sha }}
             VERSION=${{ github.event.inputs.release }}
+
+  vulnerability_scans_release:
+    runs-on: ubuntu-latest
+    needs: [docker_backend_release, docker_frontend_release]
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
       - 
         name: Run vulnerability scanners for images
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
@@ -74,3 +108,106 @@ jobs:
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
+
+  generate_sboms:
+    runs-on: ubuntu-latest
+    needs: [docker_backend_release, docker_frontend_release]
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 20
+      -
+        name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
+      - 
+        name: Install programs
+        env:
+          CDXGEN_VERSION: 10.9.4
+          SBOM_UTILITY_VERSION: 0.16.0
+          CYCLONE_DX_CLI_VERSION: 0.25.1
+        run: |
+          npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
+          cd /usr/local/bin
+          wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf -
+          wget --no-verbose https://github.com/CycloneDX/cyclonedx-cli/releases/download/v"$CYCLONE_DX_CLI_VERSION"/cyclonedx-linux-x64
+          cp cyclonedx-linux-x64 /usr/local/bin/cyclonedx
+          chmod +x /usr/local/bin/cyclonedx
+      - 
+        name: Generate SBOM for backend application
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+          FETCH_LICENSE: 1
+        working-directory: ./sbom
+        run: |
+          mv ../backend/poetry_requirements.txt ../backend/poetry_requirements.sic
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json
+          cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_backend_application.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json
+          sbom-utility validate --input-file sbom_backend_application_"$VERSION".json
+          rm sbom_backend_application.json
+          mv ../backend/poetry_requirements.sic ../backend/poetry_requirements.txt
+      - 
+        name: Generate SBOM for frontend application
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json
+          cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_frontend_application.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json
+          sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json
+          rm sbom_frontend_application.json
+      - 
+        name: Generate SBOM for backend container
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json
+          cdxgen maibornwolff/secobserve-backend:$VERSION --type container --exclude-type python --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_backend_container.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_backend_container.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json
+          sbom-utility validate --input-file sbom_backend_container_"$VERSION".json
+          rm sbom_backend_container.json
+      - 
+        name: Generate SBOM for frontend container
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json
+          cdxgen maibornwolff/secobserve-frontend:$VERSION --type container --exclude-type npm --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_frontend_container.json
+          sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_frontend_container.json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json
+          sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json
+          rm sbom_frontend_container.json
+      - 
+        name: Merge SBOMs
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_complete.json
+          cyclonedx merge --hierarchical --name "SecObserve" --version "$VERSION" --input-files sbom_backend_application_"$VERSION".json sbom_frontend_application_"$VERSION".json sbom_backend_container_"$VERSION".json sbom_frontend_container_"$VERSION".json --output-format json \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json
+          sbom-utility validate --input-file sbom_"$VERSION".json
+      - 
+        name: Commit SBOMs
+        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+        with:
+          skip_fetch: true
+          create_branch: true
+          commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}"
+          branch: "chore/sboms_release_${{ github.event.inputs.release }}"
+          file_pattern: "sbom/sbom*.json"

.github/workflows/check_backend.yml

@@ -9,10 +9,8 @@ env:
   POETRY_NO_INTERACTION: 1
 
 jobs:
-  check_backend:
-
+  code_quality:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python 3.12
@@ -57,6 +55,10 @@ jobs:
         run: |
           lint-imports --no-cache
 
+  unittests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Unittests
         run: |
           docker build -f docker/backend/unittests/django/Dockerfile -t secobserve_backend_unittests:latest .

.github/workflows/check_frontend.yml

@@ -5,36 +5,38 @@ on: [push, pull_request]
 permissions: read-all
 
 jobs:
-  check_frontend:
-
+  code_quality:
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
-      with:
-        node-version: 20
-
-    - name: Install dependencies
-      working-directory: ./frontend
-      run: |
-        npm ci
-
-    - name: Prettier
-      working-directory: ./frontend
-      run: |
-        npx prettier -c src
-
-    - name: ESLint
-      working-directory: ./frontend
-      run: |
-        npx eslint src
-
-    - name: End-to-end tests
-      working-directory: .
-      run: |
-        cd end_to_end_tests
-        npm install
-        cd ..
-        docker compose -f docker-compose-playwright.yml build
-        docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 20
+
+      - name: Install dependencies
+        working-directory: ./frontend
+        run: |
+          npm ci
+
+      - name: Prettier
+        working-directory: ./frontend
+        run: |
+          npx prettier -c src
+
+      - name: ESLint
+        working-directory: ./frontend
+        run: |
+          npx eslint src
+
+  end_to_end_tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: End-to-end tests
+        working-directory: .
+        run: |
+          cd end_to_end_tests
+          npm install
+          cd ..
+          docker compose -f docker-compose-playwright.yml build
+          docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright

.github/workflows/check_licenses_dev.yml

@@ -10,8 +10,6 @@ permissions: read-all
 jobs:
   scan_licenses:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
       - 
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0

.github/workflows/generate_sboms.yml

@@ -105,7 +105,7 @@ jobs:
           sbom-utility validate --input-file sbom_"$VERSION".json
       - 
         name: Commit SBOMs
-        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5
+        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
         with:
           skip_fetch: true
           create_branch: true

.github/workflows/scan_sca_current.yml

@@ -15,7 +15,7 @@ jobs:
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.25.0'
+          ref: 'v1.26.0'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main

.github/workflows/scorecard.yml

@@ -59,14 +59,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: results.sarif