merged with main

Author: timbastin

.env.example

@@ -18,8 +18,9 @@ FRONTEND_URL=http://localhost:3000
 
 OSI_LICENSES_API=https://opensource.org/api/license/
 
+PDF_GENERATION_API=https://dwt-api.dev-l3montree.cloud/pdf
 # comment to disable error tracking
-ERROR_TRACKING_DSN="https://3c5ae6e686b54ee39057194b6e6f6b8b@error-tracking.devguard.org/1"
+ERROR_TRACKING_DSN="https://<your-error-tracking-dsn>"
 
 # ENVIRONMENT can be dev, stage or prod
 ENVIRONMENT=dev

.github/ISSUE_TEMPLATE/test_report.yaml

@@ -18,9 +18,44 @@ body:
       label: ✅ Functional Test Scenarios
       description: Please test thoroughly and mark each scenario as you complete.
       options:
+        - label: Sign up with email and passkey
+        - label: Sign up with email and password
+        - label: E-mail verification works
+        - label: Login with email and passkey
+        - label: Login with email and password
         - label: User login works with GitHub account
         - label: User login works with GitLab account
         - label: User login works with openCode account
+        - label: Linking GitHub account works
+        - label: Linking GitLab account works
+        - label: Linking openCode account works
+        - label: Create a new organization
+        - label: Switching between light and dark mode works
+        - label: Invite other user to organization with existing account
+        - label: Invite other user to organization without existing account (Sign up during invite)
+        - label: Change members role in organization
+        - label: Remove user from organization
+        - label: Check that owner of organization can never be deleted
+        - label: Create a new group
+        - label: Test permissions for group, subgroup and repo creation (member vs. admin on org level, change to admin on test group level)
+        - label: Test group deletion
+        - label: Test subgroup creation
+        - label: Test subgroup deletion
+        - label: Test repository creation
+        - label: Test repository deletion
+        - label: Test that min org admin can only invite users
+        - label: Test linking org to GitHub
+        - label: Test linking org to GitLab
+        - label: Test linking org to Jira
+        - label: Test linking repo in DevGuard to GitLab
+        - label: Test automated issue creation
+        - label: Test reporting range setting
+        - label: Test auto setup feature
+        - label: Test whole DevSecOps integration flow
+        - label: Test partial scan setup flows
+        - label: Test working with tickets (slash commands, commenting, etc.)
+        - label: Test filter in risk tables
+        - label: Test sbom and vex download
 
   - type: textarea
     id: notes

.github/workflows/devguard-scanner.yaml

@@ -39,6 +39,8 @@ jobs:
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
+      fail-on-risk: high
+      fail-on-cvss: high
     secrets:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
@@ -110,6 +112,8 @@ jobs:
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
+      fail-on-risk: high
+      fail-on-cvss: high
     secrets:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 

.kratos/identity.schema.json

@@ -53,7 +53,7 @@
                 },
                 "confirmedTerms": {
                     "type": "boolean",
-                    "title": "I agree to the terms of use (devguard.org/terms-of-use)",
+                    "title": "I agree to the terms of use ",
                     "description": "You must agree to the terms of use to use this service.",
                     "default": false,
                     "const": true

README.md

@@ -167,3 +167,4 @@ docker run -v "$(PWD):/app" scanner devguard-scanner container-scanning \
   --token="<TOKEN>" \
   --path="/app/image.tar"
 ```
+

charts/devguard/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.9.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.

charts/devguard/templates/devguard/deployment.yaml

@@ -79,6 +79,8 @@ spec:
             value: http://kratos:4434
           - name: GOMEMLIMIT
             value: 1024MiB
+          - name: PDF_GENERATION_API
+            value: https://dwt-api.dev-l3montree.cloud/pdf
         {{- range .Values.oidc.providers }}
             {{- if eq .provider "gitlab" }}
           - name: GITLAB_{{ .id | upper }}_APPID
@@ -136,6 +138,10 @@ spec:
                 key: webhookSecret
                 name: {{ .Values.api.github.existingWebhookSecretSecretName }}
                 optional: true
+          - name: ENVIRONMENT
+            value: {{ .Values.api.errorTracking.environment | quote }}
+          - name: ERROR_TRACKING_DSN
+            value: {{ .Values.api.errorTracking.dsn | quote }}
         {{- end }}
           ports:
             - name: http

charts/devguard/templates/kratos/kratos-config.yaml

@@ -13,7 +13,9 @@ data:
         "properties": {
             "traits": {
                 "required": [
-                    "email"
+                    "email",
+                    "name",
+                    "confirmedTerms"
                 ],
                 "additionalProperties": false,
                 "type": "object",
@@ -55,6 +57,13 @@ data:
                                 "type": "string"
                             }
                         }
+                    },
+                    "confirmedTerms": {
+                        "type": "boolean",
+                        "title": "I agree to the terms of use ",
+                        "description": "You must agree to the terms of use to use this service.",
+                        "default": false,
+                        "const": true
                     }
                 }
             }

charts/devguard/values.yaml

@@ -40,13 +40,13 @@ api:
   podLabels: {}
   podSecurityContext: {}
   # fsGroup: 2000
-  securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+    #readOnlyRootFilesystem: true
+    #runAsNonRoot: true
+    #runAsUser: 1000
 
   autoscaling:
     enabled: false
@@ -59,6 +59,12 @@ api:
   tolerations: []
   affinity: {}
 
+  errorTracking:
+    # https://<your-error-tracking-dsn>
+    dsn: ""
+    # can be dev, stage or prod
+    environment: "dev"
+
   ingress:
     enabled: true
     className: ""
@@ -91,15 +97,7 @@ web:
   imagePullSecrets: []
   podAnnotations: {}
   podLabels: {}
-  podSecurityContext: {}
-  # fsGroup: 2000
-  securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+
   autoscaling:
     enabled: false
     minReplicas: 1

cmd/devguard-cli/commands/daemon.go

@@ -51,7 +51,7 @@ func newTriggerCommand() *cobra.Command {
 		},
 	}
 
-	trigger.Flags().StringArrayP("daemons", "d", []string{"vulndb", "componentProperties", "risk", "tickets", "statistics"}, "List of daemons to trigger")
+	trigger.Flags().StringArrayP("daemons", "d", []string{"vulndb", "componentProperties", "risk", "tickets", "statistics", "deleteOldAssetVersions"}, "List of daemons to trigger")
 
 	return trigger
 }
@@ -76,6 +76,23 @@ func triggerDaemon(db core.DB, daemons []string) error {
 	// thus there is no need to recalculate the risk or anything earlier
 	slog.Info("starting background jobs", "time", time.Now())
 	var start time.Time
+	if emptyOrContains(daemons, "deleteOldAssetVersions") {
+		start = time.Now()
+		// delete old asset versions
+		err := daemon.DeleteOldAssetVersions(db)
+		if err != nil {
+			slog.Error("could not delete old asset versions", "err", err)
+			return nil
+		}
+
+		if err := markMirrored(configService, "vulndb.deleteOldAssetVersions"); err != nil {
+			slog.Error("could not mark assetVersionsDelete as mirrored", "err", err)
+			return nil
+		}
+
+		slog.Info("old asset versions deleted", "duration", time.Since(start))
+	}
+
 	if emptyOrContains(daemons, "depsDev") {
 		start = time.Now()
 		// update deps dev