Merge pull request #226 from MaibornWolff/dev

chore: merge to main for release 2024_11_2

actions/check_security_gate/action.yaml

@@ -0,0 +1,23 @@
+name: 'SecObserve Check Security Gate'
+description: 'Checks SecObserve security gate of a product'
+author: 'MaibornWolff'
+
+inputs:
+  so_api_base_url:
+    description: 'Base URL of the SecObserve backend'
+    required: true
+  so_api_token:
+    description: 'API token of the user to be used for the check.'
+    required: true
+  so_product_name:
+    description: 'Name of the product for which the security gate check is being performed.'
+    required: true
+
+runs:
+  using: 'docker'
+  image: 'docker://maibornwolff/secobserve-scanners:latest'
+  entrypoint: 'check_security_gate.sh'
+  env:
+    SO_API_BASE_URL: ${{ inputs.so_api_base_url }}
+    SO_API_TOKEN: ${{ inputs.so_api_token }}
+    SO_PRODUCT_NAME: ${{ inputs.so_product_name }}

dev/actions/check_security_gate/action.yaml

@@ -0,0 +1,23 @@
+name: 'SecObserve Check Security Gate'
+description: 'Checks SecObserve security gate for a product'
+author: 'MaibornWolff'
+
+inputs:
+  so_api_base_url:
+    description: 'Base URL of the SecObserve backend'
+    required: true
+  so_api_token:
+    description: 'API token of the user to be used for the check.'
+    required: true
+  so_product_name:
+    description: 'Name of the product for which the security gate check is being performed.'
+    required: true
+
+runs:
+  using: 'docker'
+  image: 'docker://maibornwolff/secobserve-scanners:dev'
+  entrypoint: 'check_security_gate.sh'
+  env:
+    SO_API_BASE_URL: ${{ inputs.so_api_base_url }}
+    SO_API_TOKEN: ${{ inputs.so_api_token }}
+    SO_PRODUCT_NAME: ${{ inputs.so_product_name }}

dev/templates/check_security_gate.yml

@@ -0,0 +1,8 @@
+.check_security_gate:
+  image:
+    name: maibornwolff/secobserve-scanners:dev
+  stage: post_test
+  variables:
+    GIT_STRATEGY: none
+  script:
+    - check_security_gate.sh

docker/entrypoints/entrypoint_bandit.sh

@@ -12,7 +12,7 @@ else
 fi
 
 export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo Bandit

docker/entrypoints/entrypoint_check_security_gate.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+source check_security_gate.sh

docker/entrypoints/entrypoint_checkov.sh

@@ -12,7 +12,7 @@ else
 fi
 
 export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo Checkov

docker/entrypoints/entrypoint_eslint.sh

@@ -12,7 +12,7 @@ else
 fi
 
 export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo ESLint

docker/entrypoints/entrypoint_gitleaks.sh

@@ -12,7 +12,7 @@ else
 fi
 
 export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo GitLeaks

docker/entrypoints/entrypoint_kics.sh

@@ -16,7 +16,7 @@ if [[ -z "${OUTPUT_PATH}" ]]; then
 fi
 
 export SO_FILE_NAME="${OUTPUT_PATH}"/"${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo KICS

docker/entrypoints/entrypoint_semgrep.sh

@@ -12,7 +12,7 @@ else
 fi
 
 export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo Semgrep

docker/entrypoints/entrypoint_tfsec.sh

@@ -12,7 +12,7 @@ else
 fi
 
 export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="Sarif"
+export SO_PARSER_NAME="SARIF"
 
 echo ----------------------------------------
 echo tfsec

importer/bin/check_security_gate.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+export PYTHONPATH="${PYTHONPATH}:/usr/local/importer"
+python -m importer.check_security_gate

importer/importer/check_security_gate.py

@@ -0,0 +1,33 @@
+from importer.secobserve_api import Api
+from importer.environment import Environment
+from requests.exceptions import HTTPError
+
+
+def check_security_gate():
+    try:
+        environment = Environment()
+        environment.check_environment_common()
+        api = Api()
+        product = api.get_product()
+        if product.get("security_gate_passed") == None:
+            print(f"Product {product.get('name')}: Security gate DISABLED")            
+            exit(0)
+
+        if product.get("security_gate_passed") == True:
+            print(f"Product {product.get('name')}: Security gate PASSED")
+            exit(0)
+
+        print(f"Product {product.get('name')}: Security gate FAILED")            
+        exit(1)
+
+    except Exception as e:
+        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
+        print(f"{e.__class__.__name__}: {str(e)}")
+        if isinstance(e, HTTPError):
+            print(f"Response: {e.response.content.decode('utf-8')}")
+        print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<")
+        exit(1)
+
+
+if __name__ == "__main__":
+    check_security_gate()

importer/importer/file_upload_observations.py

@@ -10,9 +10,11 @@ def file_upload_observations():
         api = Api()
         api.file_upload_observations()
     except Exception as e:
+        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
         print(f"{e.__class__.__name__}: {str(e)}")
         if isinstance(e, HTTPError):
             print(f"Response: {e.response.content.decode('utf-8')}")
+        print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<")
         exit(1)
 
 

importer/importer/secobserve_api.py

@@ -1,5 +1,4 @@
 import requests
-from http import HTTPStatus
 
 from importer.environment import Environment
 
@@ -55,3 +54,25 @@ def file_upload_observations(self):
             response.raise_for_status()
 
             print(response.json())
+
+    def get_product(self) -> dict:
+        response = requests.get(
+            f"{self.environment.api_base_url}/api/products/?name={self.environment.product_name}",
+            headers=self.headers,
+        )
+        response.raise_for_status()
+
+        data = response.json()
+
+        count = data.get("count", None)
+        if count == None:
+            raise ValueError("Count not found in response")
+        if count == 0:
+            raise ValueError(f"Product {self.environment.product_name} not found")
+
+        results = data.get("results", [])
+        for result in results:
+            if result["name"] == self.environment.product_name:
+                return result
+
+        raise ValueError(f"Product {self.environment.product_name} not found")

templates/check_security_gate.yml

@@ -0,0 +1,8 @@
+.check_security_gate:
+  image:
+    name: maibornwolff/secobserve-scanners:latest
+  stage: post_test
+  variables:
+    GIT_STRATEGY: none
+  script:
+    - check_security_gate.sh

vulnerability_scanner/vulnerability_scanner/scan_vulnerabilities.py

@@ -48,7 +48,9 @@ def scan_vulnerabilities():
         if error:
             exit(1)
     except Exception as e:
+        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
         print(f"{e.__class__.__name__}: {str(e)}")
+        print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<")
         exit(1)