Merge branch 'dev' into ruff_A002

.github/workflows/k8s-tests.yml

@@ -85,6 +85,7 @@ jobs:
                ./helm/defectdojo \
                --set django.ingress.enabled=true \
                --set imagePullPolicy=Never \
+               --set initializer.keepSeconds="-1" \
                ${{ env[matrix.databases] }} \
                ${{ env[matrix.brokers] }} \
                --set createSecret=true \
@@ -124,10 +125,15 @@ jobs:
              RETRY=0
              while :
                do
+               DJANGO_IP=$(kubectl get svc defectdojo-django -o jsonpath='{.spec.clusterIP}')
                OUT=$(kubectl run  curl --quiet=true --image=curlimages/curl:7.73.0 \
                   --overrides='{ "apiVersion": "v1" }' \
-                  --restart=Never -i --rm -- -s -m 20 -I --header "Host: $DD_HOSTNAME" http://`kubectl get service defectdojo-django -o json \
-                 |  jq -r '.spec.clusterIP'`/login?next=/)
+                  --restart=Never -i --rm -- \
+                    --silent \
+                    --max-time 20 \
+                    --head \
+                    --header "Host: $DD_HOSTNAME" \
+                    http://$DJANGO_IP/login?next=/)
                echo $OUT
                CR=`echo $OUT | egrep "^HTTP" | cut -d' ' -f2`
                echo $CR
@@ -148,6 +154,26 @@ jobs:
                 break
                fi
              done
+             ADMIN_PASS=$(kubectl get secret/defectdojo -o jsonpath='{.data.DD_ADMIN_PASSWORD}' | base64 -d)
+             echo "Simple API check"
+             DJANGO_IP=$(kubectl get svc defectdojo-django -o jsonpath='{.spec.clusterIP}')
+             CR=$(kubectl run  curl --quiet=true --image=curlimages/curl:7.73.0 \
+               --overrides='{ "apiVersion": "v1" }' \
+               --restart=Never -i --rm -- \
+                 --silent \
+                 --max-time 20 \
+                 --header "Host: $DD_HOSTNAME" \
+                 --data-raw "username=admin&password=$ADMIN_PASS" \
+                 --output /dev/null \
+                 --write-out "%{http_code}\n" \
+                 http://$DJANGO_IP/api/v2/api-token-auth/)
+             echo $CR
+             if [[ $CR -ne 200 ]]; then
+              echo "ERROR: login is not possible; got HTTP code $CR"
+              exit 1
+             else
+              echo "Result received"
+             fi
              echo "Final Check of components"
              errors=`kubectl get pods | grep Error | awk '{print  $1}'`
              if [[ ! -z  $errors ]]; then

.github/workflows/update-sample-data.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
       # Checkout the repository
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.ref_name || 'dev'}}
 
@@ -43,7 +43,7 @@ jobs:
           git push --set-upstream origin $(git rev-parse --abbrev-ref HEAD)
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "Update sample data"

Dockerfile.django-alpine

@@ -5,7 +5,7 @@
 # Dockerfile.nginx to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.11.9-alpine3.20@sha256:df44c0c0761ddbd6388f4549cab42d24d64d257c2a960ad5b276bb7dab9639c7 AS base
+FROM python:3.11.9-alpine3.20@sha256:f9ce6fe33d9a5499e35c976df16d24ae80f6ef0a28be5433140236c2ca482686 AS base
 FROM base AS build
 WORKDIR /app
 RUN \
@@ -31,7 +31,7 @@ COPY requirements.txt ./
 # https://github.com/unbit/uwsgi/issues/1318#issuecomment-542238096
 RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
 
-FROM base AS django-alpine
+FROM base AS django
 WORKDIR /app
 ARG uid=1001
 ARG gid=1337
@@ -135,5 +135,5 @@ ENV \
   DD_UWSGI_NUM_OF_THREADS="2"
 ENTRYPOINT ["/entrypoint-uwsgi.sh"]
 
-FROM django-alpine AS django-unittests
+FROM django AS django-unittests
 COPY unittests/ ./unittests/

Dockerfile.django-debian

@@ -5,7 +5,7 @@
 # Dockerfile.nginx to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS base
+FROM python:3.11.9-slim-bookworm@sha256:6ed5bff4d7d377e2a27d9285553b8c21cfccc4f00881de1b24c9bc8d90016e82 AS base
 FROM base AS build
 WORKDIR /app
 RUN \

Dockerfile.integration-tests-debian

@@ -2,6 +2,7 @@
 # code: language=Dockerfile
 
 FROM openapitools/openapi-generator-cli:v7.11.0@sha256:a9e7091ac8808c6835cf8ec88252bca603f1f889ef1456b63d8add5781feeca7 AS openapitools
+# currently only supports x64, no arm yet due to chrome and selenium dependencies
 FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS build
 WORKDIR /app
 RUN \

Dockerfile.nginx-alpine

@@ -5,7 +5,10 @@
 # Dockerfile.django-alpine to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.11.9-alpine3.20@sha256:df44c0c0761ddbd6388f4549cab42d24d64d257c2a960ad5b276bb7dab9639c7 AS base
+FROM node:20.18.2-alpine3.20@sha256:40cbd847a2db119ba716f2861b04076bcb575a0051923459271a18ff80944f7f AS node
+
+FROM python:3.11.9-alpine3.20@sha256:f9ce6fe33d9a5499e35c976df16d24ae80f6ef0a28be5433140236c2ca482686 AS base
+
 FROM base AS build
 WORKDIR /app
 RUN \
@@ -31,98 +34,11 @@ COPY requirements.txt ./
 # https://github.com/unbit/uwsgi/issues/1318#issuecomment-542238096
 RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
 
-FROM build AS collectstatic
-
-# Node installation from https://github.com/nodejs/docker-node
-ENV NODE_VERSION=20.11.0
-
-RUN addgroup -g 1000 node \
-    && adduser -u 1000 -G node -s /bin/sh -D node \
-    && apk add --no-cache \
-        libstdc++ \
-    && apk add --no-cache --virtual .build-deps \
-        curl \
-    && ARCH= && alpineArch="$(apk --print-arch)" \
-      && case "${alpineArch##*-}" in \
-        x86_64) \
-          ARCH='x64' \
-          CHECKSUM=$(curl -sSL --compressed "https://unofficial-builds.nodejs.org/download/release/v${NODE_VERSION}/SHASUMS256.txt" | grep "node-v${NODE_VERSION}-linux-x64-musl.tar.xz" | cut -d' ' -f1) \
-          ;; \
-        *) ;; \
-      esac \
-  && if [ -n "${CHECKSUM}" ]; then \
-    set -eu; \
-    curl -fsSLO --compressed "https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz"; \
-    echo "$CHECKSUM  node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" | sha256sum -c - \
-      && tar -xJf "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
-      && ln -s /usr/local/bin/node /usr/local/bin/nodejs; \
-  else \
-    echo "Building from source" \
-    # backup build
-    && apk add --no-cache --virtual .build-deps-full \
-        binutils-gold \
-        g++ \
-        gcc \
-        gnupg \
-        libgcc \
-        linux-headers \
-        make \
-        python3 \
-    # gpg keys listed at https://github.com/nodejs/node#release-keys
-    && for key in \
-      4ED778F539E3634C779C87C6D7062848A1AB005C \
-      141F07595B7B3FFE74309A937405533BE57C7D57 \
-      74F12602B6F1C4E913FAA37AD3A89613643B6201 \
-      61FC681DFB92A079F1685E77973F295594EC4689 \
-      8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
-      C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
-      890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \
-      C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \
-      108F52B48DB57BB0CC439B2997B01419BD92F80A \
-    ; do \
-      gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-      gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
-    done \
-    && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
-    && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
-    && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
-    && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \
-    && tar -xf "node-v$NODE_VERSION.tar.xz" \
-    && cd "node-v$NODE_VERSION" \
-    && ./configure \
-    && make -j$(getconf _NPROCESSORS_ONLN) V= \
-    && make install \
-    && apk del .build-deps-full \
-    && cd .. \
-    && rm -Rf "node-v$NODE_VERSION" \
-    && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \
-  fi \
-  && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \
-  && apk del .build-deps \
-  # smoke tests
-  && node --version \
-  && npm --version
 
-ENV YARN_VERSION=1.22.19
+FROM build AS collectstatic
+RUN apk add nodejs npm
+RUN npm install -g yarn --force
 
-RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \
-  && for key in \
-    6A010C5166006599AA17F08146C2130DFD2497F5 \
-  ; do \
-    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
-  done \
-  && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
-  && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \
-  && gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \
-  && mkdir -p /opt \
-  && tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ \
-  && ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn \
-  && ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg \
-  && rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \
-  && apk del .build-deps-yarn \
-  # smoke test
-  && yarn --version
 
 # installing DefectDojo packages
 RUN pip3 install \

Dockerfile.nginx-debian

@@ -5,7 +5,7 @@
 # Dockerfile.django-debian to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS base
+FROM python:3.11.9-slim-bookworm@sha256:6ed5bff4d7d377e2a27d9285553b8c21cfccc4f00881de1b24c9bc8d90016e82 AS base
 FROM base AS build
 WORKDIR /app
 RUN \
@@ -42,8 +42,8 @@ RUN \
   apt-get -y update && \
   apt-get -y install --no-install-recommends apt-transport-https ca-certificates curl wget gnupg && \
   curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add --no-tty - && \
-  echo 'deb https://deb.nodesource.com/node_20.x bullseye main' > /etc/apt/sources.list.d/nodesource.list && \
-  echo 'deb-src https://deb.nodesource.com/node_20.x bullseye main' >> /etc/apt/sources.list.d/nodesource.list && \
+  echo 'deb https://deb.nodesource.com/node_20.x bookworm main' > /etc/apt/sources.list.d/nodesource.list && \
+  echo 'deb-src https://deb.nodesource.com/node_20.x bookworm main' >> /etc/apt/sources.list.d/nodesource.list && \
   apt-get update -y -o Dir::Etc::sourcelist="sources.list.d/nodesource.list" \
   -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0" && \
   curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \

docker-compose.yml

@@ -105,7 +105,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:17.2-alpine@sha256:0bcc5bbbb2aa9c9b4c6505845918c7eb55d783cf5c1f434fac33012579fb149d
+    image: postgres:17.2-alpine@sha256:7e5df973a74872482e320dcbdeb055e178d6f42de0558b083892c50cda833c96
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

docker/entrypoint-celery-beat.sh

@@ -1,13 +1,16 @@
 #!/bin/bash
 
+set -e  # needed to handle "exit" correctly
+
+. /secret-file-loader.sh
 . /reach_database.sh
 
 umask 0002
 
 id
 
 # Allow for bind-mount multiple settings.py overrides
-FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
+FILES=$(ls /app/docker/extra_settings/* 2>/dev/null || true)
 NUM_FILES=$(echo "$FILES" | wc -w)
 if [ "$NUM_FILES" -gt 0 ]; then
     COMMA_LIST=$(echo "$FILES" | tr -s '[:blank:]' ', ')

docker/entrypoint-celery-worker.sh

@@ -3,11 +3,13 @@ umask 0002
 
 id
 
+set -e  # needed to handle "exit" correctly
+
 . /secret-file-loader.sh
 . /reach_database.sh
 
 # Allow for bind-mount multiple settings.py overrides
-FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
+FILES=$(ls /app/docker/extra_settings/* 2>/dev/null || true)
 NUM_FILES=$(echo "$FILES" | wc -w)
 if [ "$NUM_FILES" -gt 0 ]; then
     COMMA_LIST=$(echo "$FILES" | tr -s '[:blank:]' ', ')

docker/entrypoint-initializer.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e  # needed to handle "exit" correctly
+
 . /secret-file-loader.sh
 . /reach_database.sh
 
@@ -40,7 +42,7 @@ fi
 }
 
 # Allow for bind-mount multiple settings.py overrides
-FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
+FILES=$(ls /app/docker/extra_settings/* 2>/dev/null || true)
 NUM_FILES=$(echo "$FILES" | wc -w)
 if [ "$NUM_FILES" -gt 0 ]; then
     COMMA_LIST=$(echo "$FILES" | tr -s '[:blank:]' ', ')
@@ -127,7 +129,7 @@ echo "Migrating"
 python3 manage.py migrate
 
 echo "Admin user: ${DD_ADMIN_USER}"
-ADMIN_EXISTS=$(echo "SELECT * from auth_user;" | python manage.py dbshell | grep "${DD_ADMIN_USER}")
+ADMIN_EXISTS=$(echo "SELECT * from auth_user;" | python manage.py dbshell | grep "${DD_ADMIN_USER}" || true)
 # Abort if the admin user already exists, instead of giving a new fake password that won't work
 if [ -n "$ADMIN_EXISTS" ]
 then

docker/entrypoint-integration-tests.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e  # needed to handle "exit" correctly
+
 . /secret-file-loader.sh
 
 echo "Testing DefectDojo Service"

docker/entrypoint-nginx.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -e  # needed to handle "exit" correctly
+
 umask 0002
 if [ "${GENERATE_TLS_CERTIFICATE}" = true ]; then
   openssl req  \

docker/entrypoint-unit-tests.sh

@@ -3,10 +3,9 @@
 # - Fail if migrations are not created
 # - Exit container after running tests to allow exit code to propagate as test result
 # set -x
-# set -e
+set -e
 # set -v
 
-
 . /secret-file-loader.sh
 . /reach_database.sh
 

docker/entrypoint-uwsgi-dev.sh

@@ -1,7 +1,12 @@
 #!/bin/sh
 
+set -e  # needed to handle "exit" correctly
+
 . /secret-file-loader.sh
+. /reach_database.sh
 
+wait_for_database_to_be_reachable
+echo
 
 cd /app || exit
 

docker/entrypoint-uwsgi.sh

@@ -1,9 +1,12 @@
 #!/bin/sh
 
+set -e  # needed to handle "exit" correctly
+
 . /secret-file-loader.sh
+. /reach_database.sh
 
 # Allow for bind-mount multiple settings.py overrides
-FILES=$(ls /app/docker/extra_settings/* 2>/dev/null)
+FILES=$(ls /app/docker/extra_settings/* 2>/dev/null || true)
 NUM_FILES=$(echo "$FILES" | wc -w)
 if [ "$NUM_FILES" -gt 0 ]; then
     COMMA_LIST=$(echo "$FILES" | tr -s '[:blank:]' ', ')
@@ -15,6 +18,9 @@ if [ "$NUM_FILES" -gt 0 ]; then
     rm -f /app/dojo/settings/README.md
 fi
 
+wait_for_database_to_be_reachable
+echo
+
 umask 0002
 
 # do the check with Django stack