Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           sarif_file: results.sarif

backend/application/core/api/filters.py

@@ -9,6 +9,7 @@
     ChoiceFilter,
     FilterSet,
     ModelChoiceFilter,
+    MultipleChoiceFilter,
     NumberFilter,
     OrderingFilter,
 )
@@ -27,7 +28,7 @@
     Product_Member,
     Service,
 )
-from application.core.types import Status
+from application.core.types import Severity, Status
 from application.licenses.models import License_Component
 
 
@@ -217,6 +218,10 @@ class Meta:
 
 class ObservationFilter(FilterSet):
     title = CharFilter(field_name="title", lookup_expr="icontains")
+    current_severity = MultipleChoiceFilter(field_name="current_severity", choices=Severity.SEVERITY_CHOICES)
+    current_status = MultipleChoiceFilter(field_name="current_status", choices=Status.STATUS_CHOICES)
+    branch_name = CharFilter(field_name="branch__name", lookup_expr="icontains")
+    origin_service_name = CharFilter(field_name="origin_service__name", lookup_expr="icontains")
     origin_component_name_version = CharFilter(field_name="origin_component_name_version", lookup_expr="icontains")
     origin_docker_image_name_tag_short = CharFilter(
         field_name="origin_docker_image_name_tag_short", lookup_expr="icontains"
@@ -248,6 +253,7 @@ class ObservationFilter(FilterSet):
             ("title", "title"),
             (("numerical_severity", "id"), "current_severity"),
             ("current_status", "current_status"),
+            ("current_priority", "current_priority"),
             ("origin_component_name_version", "origin_component_name_version"),
             (
                 "origin_docker_image_name_tag_short",
@@ -345,6 +351,7 @@ class ObservationLogFilter(FilterSet):
     )
     branch_name = CharFilter(field_name="observation__branch__name", lookup_expr="icontains")
     branch = ModelChoiceFilter(field_name="observation__branch", queryset=Branch.objects.all())
+    origin_service_name = CharFilter(field_name="observation__origin_service__name", lookup_expr="icontains")
     origin_service = ModelChoiceFilter(field_name="observation__origin_service", queryset=Service.objects.all())
     origin_component_name_version = CharFilter(
         field_name="observation__origin_component_name_version", lookup_expr="icontains"
@@ -399,6 +406,7 @@ class ObservationLogFilter(FilterSet):
             ),
             ("severity", "severity"),
             ("status", "status"),
+            ("priority", "priority"),
             ("comment", "comment"),
             ("created", "created"),
             ("assessment_status", "assessment_status"),
@@ -514,6 +522,8 @@ class ComponentFilter(FilterSet):
         field_name="product__product_group",
         queryset=Product.objects.filter(is_product_group=True),
     )
+    branch_name = CharFilter(field_name="branch__name", lookup_expr="icontains")
+    origin_service_name = CharFilter(field_name="origin_service__name", lookup_expr="icontains")
 
     ordering = ExtendedOrderingFilter(
         # tuple-mapping retains order

backend/application/core/api/serializers_product.py

@@ -103,12 +103,12 @@ def validate(self, attrs: dict) -> dict:
 
 
 class ProductGroupSerializer(ProductCoreSerializer):
-    open_critical_observation_count = IntegerField(read_only=True)
-    open_high_observation_count = IntegerField(read_only=True)
-    open_medium_observation_count = IntegerField(read_only=True)
-    open_low_observation_count = IntegerField(read_only=True)
-    open_none_observation_count = IntegerField(read_only=True)
-    open_unknown_observation_count = IntegerField(read_only=True)
+    active_critical_observation_count = IntegerField(read_only=True)
+    active_high_observation_count = IntegerField(read_only=True)
+    active_medium_observation_count = IntegerField(read_only=True)
+    active_low_observation_count = IntegerField(read_only=True)
+    active_none_observation_count = IntegerField(read_only=True)
+    active_unknown_observation_count = IntegerField(read_only=True)
     forbidden_licenses_count = IntegerField(read_only=True)
     review_required_licenses_count = IntegerField(read_only=True)
     unknown_licenses_count = IntegerField(read_only=True)
@@ -135,12 +135,12 @@ class Meta:
             "description",
             "products_count",
             "permissions",
-            "open_critical_observation_count",
-            "open_high_observation_count",
-            "open_medium_observation_count",
-            "open_low_observation_count",
-            "open_none_observation_count",
-            "open_unknown_observation_count",
+            "active_critical_observation_count",
+            "active_high_observation_count",
+            "active_medium_observation_count",
+            "active_low_observation_count",
+            "active_none_observation_count",
+            "active_unknown_observation_count",
             "repository_branch_housekeeping_active",
             "repository_branch_housekeeping_keep_inactive_days",
             "repository_branch_housekeeping_exempt_branches",
@@ -189,12 +189,12 @@ class Meta:
 
 
 class ProductListSerializer(ProductCoreSerializer):
-    open_critical_observation_count = IntegerField(read_only=True)
-    open_high_observation_count = IntegerField(read_only=True)
-    open_medium_observation_count = IntegerField(read_only=True)
-    open_low_observation_count = IntegerField(read_only=True)
-    open_none_observation_count = IntegerField(read_only=True)
-    open_unknown_observation_count = IntegerField(read_only=True)
+    active_critical_observation_count = IntegerField(read_only=True)
+    active_high_observation_count = IntegerField(read_only=True)
+    active_medium_observation_count = IntegerField(read_only=True)
+    active_low_observation_count = IntegerField(read_only=True)
+    active_none_observation_count = IntegerField(read_only=True)
+    active_unknown_observation_count = IntegerField(read_only=True)
     forbidden_licenses_count = IntegerField(read_only=True)
     review_required_licenses_count = IntegerField(read_only=True)
     unknown_licenses_count = IntegerField(read_only=True)
@@ -533,12 +533,12 @@ class ProductApiTokenSerializer(Serializer):
 
 class BranchSerializer(ModelSerializer):
     name_with_product = SerializerMethodField()
-    open_critical_observation_count = IntegerField(read_only=True)
-    open_high_observation_count = IntegerField(read_only=True)
-    open_medium_observation_count = IntegerField(read_only=True)
-    open_low_observation_count = IntegerField(read_only=True)
-    open_none_observation_count = IntegerField(read_only=True)
-    open_unknown_observation_count = IntegerField(read_only=True)
+    active_critical_observation_count = IntegerField(read_only=True)
+    active_high_observation_count = IntegerField(read_only=True)
+    active_medium_observation_count = IntegerField(read_only=True)
+    active_low_observation_count = IntegerField(read_only=True)
+    active_none_observation_count = IntegerField(read_only=True)
+    active_unknown_observation_count = IntegerField(read_only=True)
     forbidden_licenses_count = IntegerField(read_only=True)
     review_required_licenses_count = IntegerField(read_only=True)
     unknown_licenses_count = IntegerField(read_only=True)
@@ -578,12 +578,12 @@ def get_name_with_product(self, obj: Branch) -> str:
 
 class ServiceSerializer(ModelSerializer):
     name_with_product = SerializerMethodField()
-    open_critical_observation_count = IntegerField(read_only=True)
-    open_high_observation_count = IntegerField(read_only=True)
-    open_medium_observation_count = IntegerField(read_only=True)
-    open_low_observation_count = IntegerField(read_only=True)
-    open_none_observation_count = IntegerField(read_only=True)
-    open_unknown_observation_count = IntegerField(read_only=True)
+    active_critical_observation_count = IntegerField(read_only=True)
+    active_high_observation_count = IntegerField(read_only=True)
+    active_medium_observation_count = IntegerField(read_only=True)
+    active_low_observation_count = IntegerField(read_only=True)
+    active_none_observation_count = IntegerField(read_only=True)
+    active_unknown_observation_count = IntegerField(read_only=True)
     forbidden_licenses_count = IntegerField(read_only=True)
     review_required_licenses_count = IntegerField(read_only=True)
     unknown_licenses_count = IntegerField(read_only=True)

backend/application/core/api/views.py

@@ -225,11 +225,12 @@ def get_serializer_class(self) -> type[BaseSerializer[Any]]:
     def export_observations_excel(self, request: Request, pk: int) -> HttpResponse:
         product = self.__get_product(pk)
 
-        status = self.request.query_params.get("status")
-        if status and (status, status) not in Status.STATUS_CHOICES:
-            raise ValidationError(f"Status {status} is not a valid choice")
+        statuses = self.request.query_params.getlist("status")
+        for status in statuses:
+            if status and (status, status) not in Status.STATUS_CHOICES:
+                raise ValidationError(f"Status {status} is not a valid choice")
 
-        workbook = export_observations_excel(product, status)
+        workbook = export_observations_excel(product, statuses)
 
         with NamedTemporaryFile() as tmp:
             workbook.save(tmp.name)  # nosemgrep: python.lang.correctness.tempfile.flush.tempfile-without-flush
@@ -256,14 +257,15 @@ def export_observations_excel(self, request: Request, pk: int) -> HttpResponse:
     def export_observations_csv(self, request: Request, pk: int) -> HttpResponse:
         product = self.__get_product(pk)
 
-        status = self.request.query_params.get("status")
-        if status and (status, status) not in Status.STATUS_CHOICES:
-            raise ValidationError(f"Status {status} is not a valid choice")
+        statuses = self.request.query_params.getlist("status")
+        for status in statuses:
+            if status and (status, status) not in Status.STATUS_CHOICES:
+                raise ValidationError(f"Status {status} is not a valid choice")
 
         response = HttpResponse(content_type="text/csv")
         response["Content-Disposition"] = "attachment; filename=observations.csv"
 
-        export_observations_csv(response, product, status)
+        export_observations_csv(response, product, statuses)
 
         return response
 
@@ -545,6 +547,7 @@ def get_queryset(self) -> QuerySet[Observation]:
             .select_related("product__product_group")
             .select_related("branch")
             .select_related("parser")
+            .select_related("origin_service")
         )
 
     def filter_queryset(self, queryset: QuerySet) -> QuerySet:

backend/application/core/migrations/0077_drop_component_view.py

@@ -0,0 +1,20 @@
+from django.db import migrations
+
+# The component view has to be created after all other migrations. Otherwise some alterations of
+# observation lead to errors, due to https://www.sqlite.org/lang_altertable.html#caution.
+# It will be created before the first query runs.
+
+DROP_SQL = "DROP VIEW IF EXISTS core_component;"
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0076_alter_product_notification_ms_teams_webhook_and_more"),
+    ]
+
+    operations = [
+        migrations.RunSQL(
+            sql=DROP_SQL,
+            reverse_sql=DROP_SQL,
+        ),
+    ]

backend/application/core/migrations/0078_observation_assessment_priority_and_more.py

@@ -0,0 +1,145 @@
+# Generated by Django 5.2.11 on 2026-02-11 18:54
+
+import django.core.validators
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0077_drop_component_view"),
+        ("import_observations", "0016_api_configuration_migrate_names"),
+        ("rules", "0018_rule_rego_module_rule_type"),
+        ("vex", "0010_cyclonedx_cyclonedx_branch_cyclonedx_vulnerability"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="observation",
+            name="assessment_priority",
+            field=models.IntegerField(
+                null=True,
+                validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(99)],
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="current_priority",
+            field=models.IntegerField(
+                null=True,
+                validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(99)],
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="general_rule_rego",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.PROTECT,
+                related_name="general_rules_rego",
+                to="rules.rule",
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="product_rule_rego",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.PROTECT,
+                related_name="product_rules_rego",
+                to="rules.rule",
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="rule_priority",
+            field=models.IntegerField(
+                null=True,
+                validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(99)],
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="rule_rego_priority",
+            field=models.IntegerField(
+                null=True,
+                validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(99)],
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="rule_rego_severity",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("Unknown", "Unknown"),
+                    ("None", "None"),
+                    ("Low", "Low"),
+                    ("Medium", "Medium"),
+                    ("High", "High"),
+                    ("Critical", "Critical"),
+                ],
+                max_length=12,
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="rule_rego_status",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("Open", "Open"),
+                    ("Resolved", "Resolved"),
+                    ("Duplicate", "Duplicate"),
+                    ("False positive", "False positive"),
+                    ("In review", "In review"),
+                    ("Not affected", "Not affected"),
+                    ("Not security", "Not security"),
+                    ("Risk accepted", "Risk accepted"),
+                ],
+                max_length=16,
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation",
+            name="rule_rego_vex_justification",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("component_not_present", "component_not_present"),
+                    ("vulnerable_code_not_present", "vulnerable_code_not_present"),
+                    (
+                        "vulnerable_code_cannot_be_controlled_by_adversary",
+                        "vulnerable_code_cannot_be_controlled_by_adversary",
+                    ),
+                    ("vulnerable_code_not_in_execute_path", "vulnerable_code_not_in_execute_path"),
+                    ("inline_mitigations_already_exist", "inline_mitigations_already_exist"),
+                    ("code_not_present", "code_not_present"),
+                    ("code_not_reachable", "code_not_reachable"),
+                    ("requires_configuration", "requires_configuration"),
+                    ("requires_dependency", "requires_dependency"),
+                    ("requires_environment", "requires_environment"),
+                    ("protected_by_compiler", "protected_by_compiler"),
+                    ("protected_at_runtime", "protected_at_runtime"),
+                    ("protected_at_perimeter", "protected_at_perimeter"),
+                    ("protected_by_mitigating_control", "protected_by_mitigating_control"),
+                ],
+                max_length=64,
+            ),
+        ),
+        migrations.AddField(
+            model_name="observation_log",
+            name="priority",
+            field=models.IntegerField(
+                null=True,
+                validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(99)],
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="observation",
+            index=models.Index(fields=["current_priority"], name="core_observ_current_ba21e4_idx"),
+        ),
+    ]