Merge branch 'main' of github.com:l3montree-dev/flawfix

Author: seb-kw

.github/workflows/devguard-scanner.yaml

@@ -6,6 +6,12 @@ on:
   workflow_dispatch:
   push:
 
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+  packages: write
+
 
 jobs:
   golangci:
@@ -57,7 +63,7 @@ jobs:
       fail-on-cvss: high
       web-ui: https://main.devguard.org
       should-deploy:  ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
-      continue-on-open-code-risk: false
+      continue-on-open-code-risk: true
     secrets:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}       
       build-args: "--context=. --dockerfile=Dockerfile --build-arg GITHUB_REF_NAME=$GITHUB_REF_NAME"       
@@ -129,4 +135,4 @@ jobs:
       api-url: https://api.main.devguard.org
       artifact-name: "scanner"
     secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
+      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

.github/workflows/postgresql.yaml

@@ -5,6 +5,10 @@ on:
     tags:
     - '*'
 
+permissions:
+  contents: read
+  packages: write
+
 # There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
 jobs:
   # Docker image build job

.github/workflows/vulndb.yaml

@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: '0 */6 * * *' # every hour
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   POSTGRES_DB: devguard
   POSTGRES_USER: devguard

README.md

@@ -105,7 +105,7 @@ DevGuard uses [golang-migrate](https://github.com/golang-migrate/migrate) for da
 ### How Database Migrations Work
 
 1. **Automatic Migration**: By default, migrations run automatically when the application starts
-2. **Environment Control**: Set `AUTO_MIGRATE=false` to disable automatic migrations
+2. **Environment Control**: Set `DISABLE_AUTOMIGRATE=true` to disable automatic migrations
 3. **Embedded Migrations**: Migration files are embedded in the binary for easy deployment
 4. **Idempotent**: Migrations can be run multiple times safely
 

cmd/devguard-cli/commands/vulndb.go

@@ -1,13 +1,17 @@
 package commands
 
 import (
+	"errors"
 	"log/slog"
+	"os"
 	"regexp"
 	"strings"
 	"time"
 
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/core/vulndb"
+	"github.com/l3montree-dev/devguard/internal/database"
+	"github.com/l3montree-dev/devguard/internal/database/models"
 	"github.com/l3montree-dev/devguard/internal/database/repositories"
 	"github.com/spf13/cobra"
 )
@@ -51,19 +55,41 @@ func isValidCVE(cveID string) bool {
 	return r.MatchString(cveID)
 }
 
+func migrateDB(db core.DB) {
+	// Run database migrations using the existing database connection
+	disableAutoMigrate := os.Getenv("DISABLE_AUTOMIGRATE")
+	if disableAutoMigrate != "true" {
+		slog.Info("running database migrations...")
+		if err := database.RunMigrationsWithDB(db); err != nil {
+			slog.Error("failed to run database migrations", "error", err)
+			panic(errors.New("Failed to run database migrations"))
+		}
+
+		// Run hash migrations if needed (when algorithm version changes)
+		if err := models.RunHashMigrationsIfNeeded(db); err != nil {
+			slog.Error("failed to run hash migrations", "error", err)
+			panic(errors.New("Failed to run hash migrations"))
+		}
+	} else {
+		slog.Info("automatic migrations disabled via DISABLE_AUTOMIGRATE=true")
+	}
+}
+
 func newImportCVECommand() *cobra.Command {
 	importCmd := &cobra.Command{
 		Use:   "import-cve",
 		Short: "Will import the vulnerability database",
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			core.LoadConfig() // nolint
-			database, err := core.DatabaseFactory()
+			db, err := core.DatabaseFactory()
 			if err != nil {
 				slog.Error("could not connect to database", "err", err)
 				return
 			}
 
+			migrateDB(db)
+
 			cveID := args[0]
 			cveID = strings.TrimSpace(strings.ToUpper(cveID))
 			// check if first argument is valid cve
@@ -72,9 +98,9 @@ func newImportCVECommand() *cobra.Command {
 				return
 			}
 
-			cveRepository := repositories.NewCVERepository(database)
+			cveRepository := repositories.NewCVERepository(db)
 			nvdService := vulndb.NewNVDService(cveRepository)
-			osvService := vulndb.NewOSVService(repositories.NewAffectedComponentRepository(database))
+			osvService := vulndb.NewOSVService(repositories.NewAffectedComponentRepository(db))
 
 			cve, err := nvdService.ImportCVE(cveID)
 
@@ -155,27 +181,29 @@ func newSyncCommand() *cobra.Command {
 
 			core.LoadConfig() // nolint
 
-			database, err := core.DatabaseFactory()
+			db, err := core.DatabaseFactory()
 			if err != nil {
 				slog.Error("could not connect to database", "err", err)
 				return
 			}
 
+			migrateDB(db)
+
 			databasesToSync, _ := cmd.Flags().GetStringArray("databases")
 
-			cveRepository := repositories.NewCVERepository(database)
-			cweRepository := repositories.NewCWERepository(database)
-			affectedCmpRepository := repositories.NewAffectedComponentRepository(database)
+			cveRepository := repositories.NewCVERepository(db)
+			cweRepository := repositories.NewCWERepository(db)
+			affectedCmpRepository := repositories.NewAffectedComponentRepository(db)
 			nvdService := vulndb.NewNVDService(cveRepository)
 			mitreService := vulndb.NewMitreService(cweRepository)
 			epssService := vulndb.NewEPSSService(nvdService, cveRepository)
 			osvService := vulndb.NewOSVService(affectedCmpRepository)
 			// cvelistService := vulndb.NewCVEListService(cveRepository)
 			debianSecurityTracker := vulndb.NewDebianSecurityTracker(affectedCmpRepository)
 
-			expoitDBService := vulndb.NewExploitDBService(nvdService, repositories.NewExploitRepository(database))
+			expoitDBService := vulndb.NewExploitDBService(nvdService, repositories.NewExploitRepository(db))
 
-			githubExploitDBService := vulndb.NewGithubExploitDBService(repositories.NewExploitRepository(database))
+			githubExploitDBService := vulndb.NewGithubExploitDBService(repositories.NewExploitRepository(db))
 
 			if emptyOrContains(databasesToSync, "cwe") {
 				now := time.Now()

cmd/devguard/api/api.go

@@ -20,6 +20,7 @@ import (
 	"os"
 	"sort"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -254,16 +255,20 @@ func neededScope(neededScopes []string) core.MiddlewareFunc {
 }
 
 func externalEntityProviderOrgSyncMiddleware(externalEntityProviderService core.ExternalEntityProviderService) core.MiddlewareFunc {
-	limiter := map[string]time.Time{}
+	limiter := &sync.Map{}
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(ctx core.Context) error {
 
 			key := core.GetSession(ctx).GetUserID()
-			if _, ok := limiter[key]; !ok || time.Now().After(limiter[key]) {
+			now := time.Now()
+
+			if value, ok := limiter.Load(key); !ok || now.After(value.(time.Time)) {
 				slog.Info("syncing external entity provider orgs", "userID", key)
-				limiter[key] = time.Now().Add(15 * time.Minute)
+				limiter.Store(key, now.Add(15*time.Minute))
+				// Create a goroutine-safe context to avoid using the request context
+				safeCtx := core.GoroutineSafeContext(ctx)
 				go func() {
-					if _, err := externalEntityProviderService.SyncOrgs(ctx); err != nil {
+					if _, err := externalEntityProviderService.SyncOrgs(safeCtx); err != nil {
 						slog.Error("could not sync external entity provider orgs", "err", err, "userID", key)
 					}
 				}()
@@ -274,24 +279,32 @@ func externalEntityProviderOrgSyncMiddleware(externalEntityProviderService core.
 }
 
 func externalEntityProviderRefreshMiddleware(externalEntityProviderService core.ExternalEntityProviderService) core.MiddlewareFunc {
-	limiter := map[string]time.Time{}
+	limiter := &sync.Map{}
 
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		// get the current org
 		return func(ctx core.Context) error {
 			org := core.GetOrg(ctx)
 
 			if org.IsExternalEntity() {
-				// check if we are allowed to refresh the external entity provider projects
-				if time.Now().After(limiter[org.GetID().String()+"/"+core.GetSession(ctx).GetUserID()]) {
-					limiter[org.GetID().String()+"/"+core.GetSession(ctx).GetUserID()] = time.Now().Add(15 * time.Minute)
+				key := org.GetID().String() + "/" + core.GetSession(ctx).GetUserID()
+				now := time.Now()
+
+				// Check if we are allowed to refresh the external entity provider projects
+				if value, ok := limiter.Load(key); !ok || now.After(value.(time.Time)) {
+					limiter.Store(key, now.Add(15*time.Minute))
+
+					// Create a goroutine-safe context and capture the values we need
+					safeCtx := core.GoroutineSafeContext(ctx)
+					userID := core.GetSession(ctx).GetUserID()
+					orgID := org.GetID()
 
 					go func() {
-						err := externalEntityProviderService.RefreshExternalEntityProviderProjects(ctx, org, core.GetSession(ctx).GetUserID())
+						err := externalEntityProviderService.RefreshExternalEntityProviderProjects(safeCtx, org, userID)
 						if err != nil {
-							slog.Error("could not refresh external entity provider projects", "err", err, "orgID", org.GetID(), "userID", core.GetSession(ctx).GetUserID())
+							slog.Error("could not refresh external entity provider projects", "err", err, "orgID", orgID, "userID", userID)
 						} else {
-							slog.Info("refreshed external entity provider projects", "orgID", org.GetID(), "userID", core.GetSession(ctx).GetUserID())
+							slog.Info("refreshed external entity provider projects", "orgID", orgID, "userID", userID)
 						}
 					}()
 				}

cmd/devguard/main.go

@@ -72,8 +72,8 @@ func main() {
 	}
 
 	// Run database migrations using the existing database connection
-	autoMigrate := os.Getenv("AUTO_MIGRATE")
-	if autoMigrate == "" || autoMigrate == "true" {
+	disableAutoMigrate := os.Getenv("DISABLE_AUTOMIGRATE")
+	if disableAutoMigrate != "true" {
 		slog.Info("running database migrations...")
 		if err := database.RunMigrationsWithDB(db); err != nil {
 			slog.Error("failed to run database migrations", "error", err)
@@ -86,7 +86,7 @@ func main() {
 			panic(errors.New("Failed to run hash migrations"))
 		}
 	} else {
-		slog.Info("automatic migrations disabled via AUTO_MIGRATE=false")
+		slog.Info("automatic migrations disabled via DISABLE_AUTOMIGRATE=true")
 	}
 
 	daemon.Start(db)

go.mod

@@ -1,6 +1,6 @@
 module github.com/l3montree-dev/devguard
 
-go 1.24.0
+go 1.24.5
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.9.2

internal/core/common_interfaces.go

@@ -223,8 +223,8 @@ type InvitationRepository interface {
 
 type ExternalEntityProviderService interface {
 	RefreshExternalEntityProviderProjects(ctx Context, org models.Org, user string) error
-	TriggerOrgSync(c echo.Context) error
-	SyncOrgs(c echo.Context) ([]*models.Org, error)
+	TriggerOrgSync(c Context) error
+	SyncOrgs(c Context) ([]*models.Org, error)
 }
 
 type ProjectService interface {

internal/core/context_utils.go

@@ -17,11 +17,13 @@ package core
 import (
 	"context"
 	"fmt"
+	"net/http/httptest"
 	"regexp"
 	"strconv"
 	"strings"
 
 	"github.com/l3montree-dev/devguard/internal/database/models"
+	"github.com/l3montree-dev/devguard/internal/echohttp"
 	"github.com/l3montree-dev/devguard/internal/utils"
 
 	"github.com/ory/client-go"
@@ -592,3 +594,61 @@ func GetBadgeSVG(label string, values []BadgeValues) string {
 
 	return sb.String()
 }
+
+func GoroutineSafeContext(c Context) Context {
+	// create a new context - with only the values
+	ctx := echohttp.E.NewContext(nil, httptest.NewRecorder())
+
+	// copy all values from the original context that might be needed in goroutines
+	if thirdParty, ok := c.Get("thirdPartyIntegration").(IntegrationAggregate); ok {
+		ctx.Set("thirdPartyIntegration", thirdParty)
+	}
+
+	if session, ok := c.Get("session").(AuthSession); ok {
+		ctx.Set("session", session)
+	}
+
+	if org, ok := c.Get("organization").(models.Org); ok {
+		ctx.Set("organization", org)
+	}
+
+	if project, ok := c.Get("project").(models.Project); ok {
+		ctx.Set("project", project)
+	}
+
+	if asset, ok := c.Get("asset").(models.Asset); ok {
+		ctx.Set("asset", asset)
+	}
+
+	if assetVersion, ok := c.Get("assetVersion").(models.AssetVersion); ok {
+		ctx.Set("assetVersion", assetVersion)
+	}
+
+	if rbac, ok := c.Get("rbac").(AccessControl); ok {
+		ctx.Set("rbac", rbac)
+	}
+
+	if authClient, ok := c.Get("authAdminClient").(AdminClient); ok {
+		ctx.Set("authAdminClient", authClient)
+	}
+
+	// Copy string values that might be needed
+	if orgSlug, ok := c.Get("orgSlug").(string); ok {
+		ctx.Set("orgSlug", orgSlug)
+	}
+
+	if projectSlug, ok := c.Get("projectSlug").(string); ok {
+		ctx.Set("projectSlug", projectSlug)
+	}
+
+	if assetSlug, ok := c.Get("assetSlug").(string); ok {
+		ctx.Set("assetSlug", assetSlug)
+	}
+
+	// Copy public request flag
+	if c.Get("publicRequest") != nil {
+		ctx.Set("publicRequest", true)
+	}
+
+	return ctx
+}