Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/build_push_dev.yml

@@ -36,8 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        id: build-and-push-backend
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -52,8 +51,7 @@ jobs:
         run: cosign sign -y oci.stackable.tech/stackable/secobserve-backend@${{ steps.build-and-push-backend.outputs.digest }}
       -
         name: Build and push frontend
-        id: build-and-push-frontend
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile

.github/workflows/build_push_release.yml

@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -50,7 +50,7 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       -
         name: Build and push frontend
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile

.github/workflows/publish_docs.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.x
-      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           key: ${{ github.ref }}
           path: .cache

.github/workflows/scan_sca_current.yml

@@ -15,7 +15,7 @@ jobs:
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.22.2'
+          ref: 'v1.23.0'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@5476f0de11c46875081d9767ec166c1e030e9ef0 # main

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: results.sarif

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.22.4"
+__version__ = "1.23.0"
 
 import pymysql
 

backend/application/access_control/api/serializers.py

@@ -1,9 +1,8 @@
 from typing import Optional
 
-from django.core.validators import MinValueValidator
+from django.core.validators import MaxValueValidator, MinValueValidator
 from rest_framework.serializers import (
     CharField,
-    ChoiceField,
     IntegerField,
     ModelSerializer,
     Serializer,
@@ -21,7 +20,7 @@
     get_authorization_group_member,
 )
 from application.access_control.services.authorization import get_user_permissions
-from application.access_control.services.roles_permissions import Permissions, Roles
+from application.access_control.services.roles_permissions import Permissions
 from application.commons.services.global_request import get_current_user
 from application.core.models import Product_Authorization_Group_Member, Product_Member
 
@@ -283,7 +282,7 @@ class AuthenticationResponseSerializer(Serializer):
 
 class ProductApiTokenSerializer(Serializer):
     id = IntegerField(validators=[MinValueValidator(0)])
-    role = ChoiceField(choices=Roles)
+    role = IntegerField(validators=[MinValueValidator(1), MaxValueValidator(5)])
 
 
 class ApiTokenSerializer(ModelSerializer):

backend/application/core/api/filters.py

@@ -339,17 +339,58 @@ class ObservationLogFilter(FilterSet):
     origin_component_name_version = CharFilter(
         field_name="observation__origin_component_name_version", lookup_expr="icontains"
     )
+    origin_docker_image_name_tag_short = CharFilter(
+        field_name="observation__origin_docker_image_name_tag_short",
+        lookup_expr="icontains",
+    )
+    origin_endpoint_hostname = CharFilter(
+        field_name="observation__origin_endpoint_hostname", lookup_expr="icontains"
+    )
+    origin_source_file = CharFilter(
+        field_name="observation__origin_source_file", lookup_expr="icontains"
+    )
+    origin_cloud_qualified_resource = CharFilter(
+        field_name="observation__origin_cloud_qualified_resource",
+        lookup_expr="icontains",
+    )
+    origin_kubernetes_qualified_resource = CharFilter(
+        field_name="observation__origin_kubernetes_qualified_resource",
+        lookup_expr="icontains",
+    )
 
     ordering = OrderingFilter(
         # tuple-mapping retains order
         fields=(
             ("id", "id"),
             ("user__full_name", "user_full_name"),
-            ("observation__product__name", "product_name"),
-            ("observation__branch__name", "branch_name"),
-            ("observation__origin_component_name_version", "origin_component_name_version"),
-            ("product__product_group__name", "product.product_group_name"),
-            ("observation__title", "observation"),
+            ("observation__product__name", "observation_data.product_data.name"),
+            (
+                "observation__product__product_group__name",
+                "observation_data.product_data.product_group_name",
+            ),
+            ("observation__branch__name", "observation_data.branch_name"),
+            ("observation__title", "observation_data.title"),
+            (
+                "observation__origin_component_name_version",
+                "observation_data.origin_component_name_version",
+            ),
+            (
+                "observation__origin_docker_image_name_tag_short",
+                "observation_data.origin_docker_image_name_tag_short",
+            ),
+            (
+                "observation__origin_endpoint_hostname",
+                "observation_data.origin_endpoint_hostname",
+            ),
+            ("observation__origin_source_file", "observation_data.origin_source_file"),
+            (
+                "observation__origin_cloud_qualified_resource",
+                "observation_data.origin_cloud_qualified_resource",
+            ),
+            (
+                "observation__origin_kubernetes_qualified_resource",
+                "observation_data.origin_kubernetes_qualified_resource",
+            ),
             ("severity", "severity"),
             ("status", "status"),
             ("comment", "comment"),

backend/application/core/api/serializers_observation.py

@@ -301,6 +301,7 @@ def update(self, instance: Observation, validated_data: dict):
         actual_status = instance.current_status
         actual_vex_justification = instance.current_vex_justification
         actual_vex_remediations = instance.current_vex_remediations
+        actual_risk_acceptance_expiry_date = instance.risk_acceptance_expiry_date
 
         instance.origin_component_name = ""
         instance.origin_component_version = ""
@@ -317,36 +318,52 @@ def update(self, instance: Observation, validated_data: dict):
 
         observation: Observation = super().update(instance, validated_data)
 
-        if actual_severity != observation.current_severity:
-            actual_severity = observation.current_severity
-        else:
-            actual_severity = ""
+        log_severity = (
+            observation.current_severity
+            if actual_severity != observation.current_severity
+            else ""
+        )
 
-        if actual_status != observation.current_status:
-            actual_status = observation.current_status
-        else:
-            actual_status = ""
+        log_status = (
+            observation.current_status
+            if actual_status != observation.current_status
+            else ""
+        )
 
-        if actual_vex_justification != observation.current_vex_justification:
-            actual_vex_justification = observation.current_vex_justification
-        else:
-            actual_vex_justification = ""
+        log_vex_justification = (
+            observation.current_vex_justification
+            if actual_vex_justification != observation.current_vex_justification
+            else ""
+        )
 
         if actual_vex_remediations != observation.current_vex_remediations:
             actual_vex_remediations = observation.current_vex_remediations
         else:
             actual_vex_remediations = ""
 
-        if actual_severity or actual_status:
+        log_risk_acceptance_expiry_date = (
+            observation.risk_acceptance_expiry_date
+            if actual_risk_acceptance_expiry_date
+            != observation.risk_acceptance_expiry_date
+            else None
+        )
+
+        if (
+            log_severity
+            or log_status
+            or log_vex_justification
+            or log_risk_acceptance_expiry_date
+            or actual_vex_remediations
+        ):
             create_observation_log(
                 observation=observation,
-                severity=actual_severity,
-                status=actual_status,
+                severity=log_severity,
+                status=log_status,
                 comment="Observation changed manually",
                 vex_justification=actual_vex_justification,
                 vex_remediations=actual_vex_remediations,
                 assessment_status=Assessment_Status.ASSESSMENT_STATUS_AUTO_APPROVED,
-                risk_acceptance_expiry_date=observation.risk_acceptance_expiry_date,
+                risk_acceptance_expiry_date=log_risk_acceptance_expiry_date,
             )
 
         check_security_gate(observation.product)
@@ -577,10 +594,7 @@ class Meta:
 
 
 class ObservationLogListSerializer(ModelSerializer):
-    observation_title = SerializerMethodField()
-    product_name = SerializerMethodField()
-    branch_name = SerializerMethodField()
-    origin_component_name_version = SerializerMethodField()
+    observation_data = ObservationListSerializer(source="observation")
     user_full_name = SerializerMethodField()
     approval_user_full_name = SerializerMethodField()
 
@@ -590,9 +604,6 @@ def get_user_full_name(self, obj: Observation_Log) -> Optional[str]:
 
         return None
 
-    def get_observation_title(self, obj: Observation_Log) -> str:
-        return obj.observation.title
-
     def get_approval_user_full_name(self, obj: Observation_Log) -> Optional[str]:
         if obj.approval_user:
             return obj.approval_user.full_name
@@ -642,3 +653,7 @@ class PotentialDuplicateSerializer(ModelSerializer):
     class Meta:
         model = Potential_Duplicate
         fields = "__all__"
+
+
+class CountSerializer(Serializer):
+    count = IntegerField()

backend/application/core/api/views.py

@@ -12,7 +12,7 @@
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.status import HTTP_204_NO_CONTENT
+from rest_framework.status import HTTP_200_OK, HTTP_204_NO_CONTENT
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 
 from application.access_control.services.authorization import user_has_permission_or_403
@@ -40,6 +40,7 @@
     UserHasServicePermission,
 )
 from application.core.api.serializers_observation import (
+    CountSerializer,
     EvidenceSerializer,
     ObservationAssessmentSerializer,
     ObservationBulkAssessmentSerializer,
@@ -643,6 +644,18 @@ def bulk_assessment(self, request):
         )
         return Response(status=HTTP_204_NO_CONTENT)
 
+    @extend_schema(
+        methods=["GET"],
+        request=None,
+        responses={HTTP_200_OK: CountSerializer},
+    )
+    @action(detail=False, methods=["get"])
+    def count_reviews(self, request):
+        count = (
+            get_observations().filter(current_status=Status.STATUS_IN_REVIEW).count()
+        )
+        return Response(status=HTTP_200_OK, data={"count": count})
+
 
 class ObservationTitleViewSet(GenericViewSet, ListModelMixin, RetrieveModelMixin):
     serializer_class = ObservationTitleSerializer
@@ -701,11 +714,11 @@ def approval(self, request, pk=None):
         return Response()
 
     @extend_schema(
-        methods=["PATCH"],
+        methods=["POST"],
         request=ObservationLogBulkApprovalSerializer,
         responses={HTTP_204_NO_CONTENT: None},
     )
-    @action(detail=False, methods=["patch"])
+    @action(detail=False, methods=["post"])
     def bulk_approval(self, request):
         request_serializer = ObservationLogBulkApprovalSerializer(data=request.data)
         if not request_serializer.is_valid():
@@ -735,6 +748,22 @@ def bulk_delete(self, request):
         ).delete()
         return Response(status=HTTP_204_NO_CONTENT)
 
+    @extend_schema(
+        methods=["GET"],
+        request=None,
+        responses={HTTP_200_OK: CountSerializer},
+    )
+    @action(detail=False, methods=["get"])
+    def count_approvals(self, request):
+        count = (
+            get_observation_logs()
+            .filter(
+                assessment_status=Assessment_Status.ASSESSMENT_STATUS_NEEDS_APPROVAL
+            )
+            .count()
+        )
+        return Response(status=HTTP_200_OK, data={"count": count})
+
 
 class EvidenceViewSet(GenericViewSet, ListModelMixin, RetrieveModelMixin):
     serializer_class = EvidenceSerializer