Merge pull request #2522 from MaibornWolff/dev

chore: merge to main for release 1.27.0

.github/workflows/build_push_dev.yml

@@ -28,7 +28,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -62,7 +62,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile

.github/workflows/build_push_release.yml

@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -74,7 +74,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -115,7 +115,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 20
       -

.github/workflows/check_backend.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python 3.12
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12
 

.github/workflows/check_frontend.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 20
 

.github/workflows/check_licenses_dev.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - 
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 20
       - 

.github/workflows/generate_sboms.yml

@@ -16,7 +16,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 20
       -

.github/workflows/publish_docs.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - chore/documentation_check_security_gate
+      - chore/documentation_sbom
 
 permissions: read-all
 
@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.x
       - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0

.github/workflows/scan_sca_current.yml

@@ -15,7 +15,7 @@ jobs:
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.26.0'
+          ref: 'v1.27.0'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: results.sarif

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.26.0"
+__version__ = "1.27.0"
 
 import pymysql
 

backend/application/access_control/services/oidc_authentication.py

@@ -179,7 +179,14 @@ def _get_groups_from_token(self, payload: dict) -> list:
             return []
 
         groups = payload.get(os.environ["OIDC_GROUPS"])
-        if not groups or not isinstance(groups, list):
+
+        if not groups:
+            return []
+
+        if isinstance(groups, str):
+            groups = [groups]
+
+        if not isinstance(groups, list):
             return []
 
         return sorted(groups)

backend/application/access_control/services/roles_permissions.py

@@ -29,6 +29,7 @@ class Permissions(IntEnum):
     Product_Delete = 1103
     Product_Create = 1104
     Product_Import_Observations = 1105
+    Product_Scan_OSV = 1106
 
     Product_Member_View = 1201
     Product_Member_Edit = 1202
@@ -206,6 +207,7 @@ def get_roles_with_permissions():
             Permissions.Product_Group_View,
             Permissions.Product_View,
             Permissions.Product_Import_Observations,
+            Permissions.Product_Scan_OSV,
             Permissions.Product_Member_View,
             Permissions.Product_Authorization_Group_Member_View,
             Permissions.Product_Rule_View,
@@ -225,6 +227,7 @@ def get_roles_with_permissions():
             Permissions.Product_View,
             Permissions.Product_Edit,
             Permissions.Product_Import_Observations,
+            Permissions.Product_Scan_OSV,
             Permissions.Product_Member_View,
             Permissions.Product_Member_Edit,
             Permissions.Product_Member_Delete,
@@ -268,6 +271,7 @@ def get_roles_with_permissions():
             Permissions.Product_Edit,
             Permissions.Product_Delete,
             Permissions.Product_Import_Observations,
+            Permissions.Product_Scan_OSV,
             Permissions.Product_Member_View,
             Permissions.Product_Member_Edit,
             Permissions.Product_Member_Delete,

backend/application/commons/services/functions.py

@@ -39,3 +39,8 @@ def clip_fields(application: str, model: str, my_object) -> None:
                             field.name,
                             value[: max_length - 9] + "\n```\n\n...",
                         )
+
+
+def get_comma_separated_as_list(comma_separated_string: str) -> list[str]:
+    return_list = comma_separated_string.split(",") if comma_separated_string else []
+    return [x.strip() for x in return_list]

backend/application/core/api/filters.py

@@ -1,13 +1,13 @@
 from datetime import timedelta
 
+from django.db.models import Q
 from django.utils import timezone
 from django_filters import (
     BooleanFilter,
     CharFilter,
     ChoiceFilter,
     FilterSet,
     ModelChoiceFilter,
-    NumberFilter,
     OrderingFilter,
 )
 
@@ -24,6 +24,7 @@
     Service,
 )
 from application.core.types import Status
+from application.licenses.models import License_Component
 
 
 class ProductGroupFilter(FilterSet):
@@ -73,7 +74,6 @@ class Meta:
 
 
 class ProductMemberFilter(FilterSet):
-    product = NumberFilter(field_name="product")
     is_product_group = BooleanFilter(field_name="product__is_product_group")
 
     ordering = OrderingFilter(
@@ -91,7 +91,6 @@ class Meta:
 
 
 class ProductAuthorizationGroupMemberFilter(FilterSet):
-    product = NumberFilter(field_name="product")
     is_product_group = BooleanFilter(field_name="product__is_product_group")
 
     ordering = OrderingFilter(
@@ -109,7 +108,71 @@ class Meta:
 
 
 class BranchFilter(FilterSet):
-    product = NumberFilter(field_name="product")
+    for_observations = BooleanFilter(
+        field_name="for_observations",
+        method="get_for_observations",
+    )
+    for_license_components = BooleanFilter(
+        field_name="for_license_components",
+        method="get_for_license_components",
+    )
+
+    def get_for_observations(
+        self, queryset, field_name, value
+    ):  # pylint: disable=unused-argument
+        # field_name is used as a positional argument
+        if value:
+            product_data = self.data.get("product")
+            if product_data:
+                product_id = int(product_data)
+                observation_branches = (
+                    Observation.objects.filter(
+                        product_id=product_id, branch__isnull=False
+                    )
+                    .values("branch_id")
+                    .distinct()
+                )
+                product_default_branches = (
+                    Product.objects.filter(
+                        id=product_id, repository_default_branch__isnull=False
+                    )
+                    .values("repository_default_branch")
+                    .distinct()
+                )
+                return queryset.filter(
+                    Q(id__in=observation_branches) | Q(id__in=product_default_branches)
+                )
+
+        return queryset
+
+    def get_for_license_components(
+        self, queryset, field_name, value
+    ):  # pylint: disable=unused-argument
+        # field_name is used as a positional argument
+        if value:
+            product_data = self.data.get("product")
+            if product_data:
+                product_id = int(product_data)
+                license_component_branches = (
+                    License_Component.objects.filter(
+                        product_id=product_id, branch__isnull=False
+                    )
+                    .values("branch_id")
+                    .distinct()
+                )
+                product_default_branches = (
+                    Product.objects.filter(
+                        id=product_id, repository_default_branch__isnull=False
+                    )
+                    .values("repository_default_branch")
+                    .distinct()
+                )
+                return queryset.filter(
+                    Q(id__in=license_component_branches)
+                    | Q(id__in=product_default_branches)
+                )
+
+        return queryset
 
     ordering = OrderingFilter(
         # tuple-mapping retains order
@@ -169,33 +232,6 @@ class ObservationFilter(FilterSet):
         queryset=Product.objects.filter(is_product_group=True),
     )
 
-    has_pending_assessment = ChoiceFilter(
-        field_name="has_pending_assessment",
-        method="get_has_pending_assessment",
-        choices=[
-            ("true", "true"),
-            ("false", "false"),
-        ],
-    )
-
-    def get_has_pending_assessment(
-        self, queryset, field_name, value
-    ):  # pylint: disable=unused-argument
-        # field_name is used as a positional argument
-
-        if value == "true":
-            return queryset.filter(
-                id__in=Observation_Log.objects.filter(
-                    assessment_status="Needs approval"
-                ).values("observation_id")
-            )
-
-        return queryset.exclude(
-            id__in=Observation_Log.objects.filter(
-                assessment_status="Needs approval"
-            ).values("observation_id")
-        )
-
     ordering = OrderingFilter(
         # tuple-mapping retains order
         fields=(

backend/application/core/api/serializers_helpers.py

@@ -31,10 +31,10 @@ def get_origin_component_name_version(observation: Observation) -> str:
         return ""
 
     origin_component_name_version_with_type = observation.origin_component_name_version
-    if observation.origin_component_purl:
-        purl = PackageURL.from_string(observation.origin_component_purl)
-        if purl.type:
-            origin_component_name_version_with_type += f" ({purl.type})"
+    if observation.origin_component_purl_type:
+        origin_component_name_version_with_type += (
+            f" ({observation.origin_component_purl_type})"
+        )
 
     return origin_component_name_version_with_type