Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/check_backend.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python 3.12
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: 3.12
 

.github/workflows/publish_docs.yml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: 3.x
       - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/scan_sca_current.yml

@@ -15,7 +15,7 @@ jobs:
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.29.1'
+          ref: 'v1.29.2'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@2f7b500fde2de2bdea7eef3b6df5503c2476916f # main

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
         with:
           sarif_file: results.sarif

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.29.1"
+__version__ = "1.29.2"
 
 import pymysql
 

backend/application/core/api/filters.py

@@ -13,6 +13,7 @@
     OrderingFilter,
 )
 
+from application.commons.api.extended_ordering_filter import ExtendedOrderingFilter
 from application.commons.types import Age_Choices
 from application.core.models import (
     Branch,
@@ -236,15 +237,15 @@ class ObservationFilter(FilterSet):
     branch_name = CharFilter(field_name="branch__name", lookup_expr="icontains")
     cve_known_exploited = BooleanFilter(field_name="cve_known_exploited", method="get_cve_known_exploited")
 
-    ordering = OrderingFilter(
+    ordering = ExtendedOrderingFilter(
         # tuple-mapping retains order
         fields=(
             ("id", "id"),
             ("product__name", "product_data.name"),
             ("product__product_group__name", "product_data.product_group_name"),
             ("branch__name", "branch_name"),
             ("title", "title"),
-            ("numerical_severity", "current_severity"),
+            (("numerical_severity", "id"), "current_severity"),
             ("current_status", "current_status"),
             ("origin_component_name_version", "origin_component_name_version"),
             (

backend/application/core/migrations/0062_alter_branch_osv_linux_distribution_and_more.py

@@ -0,0 +1,57 @@
+# Generated by Django 5.1.7 on 2025-03-26 16:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0061_observation_cve_found_in_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="branch",
+            name="osv_linux_distribution",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("AlmaLinux", "AlmaLinux"),
+                    ("Alpine", "Alpine"),
+                    ("Chainguard", "Chainguard"),
+                    ("Debian", "Debian"),
+                    ("Mageia", "Mageia"),
+                    ("openSUSE", "openSUSE"),
+                    ("Photon OS", "Photon OS"),
+                    ("Red Hat", "Red Hat"),
+                    ("Rocky Linux", "Rocky Linux"),
+                    ("SUSE", "SUSE"),
+                    ("Ubuntu", "Ubuntu"),
+                    ("Wolfi", "Wolfi"),
+                ],
+                max_length=12,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="product",
+            name="osv_linux_distribution",
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ("AlmaLinux", "AlmaLinux"),
+                    ("Alpine", "Alpine"),
+                    ("Chainguard", "Chainguard"),
+                    ("Debian", "Debian"),
+                    ("Mageia", "Mageia"),
+                    ("openSUSE", "openSUSE"),
+                    ("Photon OS", "Photon OS"),
+                    ("Red Hat", "Red Hat"),
+                    ("Rocky Linux", "Rocky Linux"),
+                    ("SUSE", "SUSE"),
+                    ("Ubuntu", "Ubuntu"),
+                    ("Wolfi", "Wolfi"),
+                ],
+                max_length=12,
+            ),
+        ),
+    ]

backend/application/core/types.py

@@ -158,6 +158,7 @@ class PURL_Type:
 class OSVLinuxDistribution:
     DISTRIBUTION_ALMALINUX = "AlmaLinux"
     DISTRIBUTION_ALPINE = "Alpine"
+    DISTRIBUTION_CHAINGUARD = "Chainguard"
     DISTRIBUTION_DEBIAN = "Debian"
     DISTRIBUTION_MAGEIA = "Mageia"
     DISTRIBUTION_OPENSUSE = "openSUSE"
@@ -166,10 +167,12 @@ class OSVLinuxDistribution:
     DISTRIBUTION_ROCKY_LINUX = "Rocky Linux"
     DISTRIBUTION_SUSE = "SUSE"
     DISTRIBUTION_UBUNTU = "Ubuntu"
+    DISTRIBUTION_WOLFI = "Wolfi"
 
     OSV_LINUX_DISTRIBUTION_CHOICES = [
         (DISTRIBUTION_ALMALINUX, DISTRIBUTION_ALMALINUX),
         (DISTRIBUTION_ALPINE, DISTRIBUTION_ALPINE),
+        (DISTRIBUTION_CHAINGUARD, DISTRIBUTION_CHAINGUARD),
         (DISTRIBUTION_DEBIAN, DISTRIBUTION_DEBIAN),
         (DISTRIBUTION_MAGEIA, DISTRIBUTION_MAGEIA),
         (DISTRIBUTION_OPENSUSE, DISTRIBUTION_OPENSUSE),
@@ -178,4 +181,5 @@ class OSVLinuxDistribution:
         (DISTRIBUTION_ROCKY_LINUX, DISTRIBUTION_ROCKY_LINUX),
         (DISTRIBUTION_SUSE, DISTRIBUTION_SUSE),
         (DISTRIBUTION_UBUNTU, DISTRIBUTION_UBUNTU),
+        (DISTRIBUTION_WOLFI, DISTRIBUTION_WOLFI),
     ]

backend/application/import_observations/parsers/cyclone_dx/parser.py

@@ -192,7 +192,7 @@ def _get_component(self, component_data: dict[str, Any]) -> Optional[Component]:
         if not component_data.get("bom-ref"):
             return None
 
-        cyclonedx_licenses = []
+        cyclonedx_licenses: list[str] = []
         licenses = component_data.get("licenses", [])
         if licenses and licenses[0].get("expression"):
             cyclonedx_licenses.append(licenses[0].get("expression"))
@@ -206,6 +206,14 @@ def _get_component(self, component_data: dict[str, Any]) -> Optional[Component]:
                 if component_license and component_license not in cyclonedx_licenses:
                     cyclonedx_licenses.append(component_license)
 
+        if len(cyclonedx_licenses) > 1:
+            cyclonedx_licenses = [license.replace(",", "") for license in cyclonedx_licenses]
+            unsaved_license = "[" + ", ".join(cyclonedx_licenses) + "]"
+        elif cyclonedx_licenses:
+            unsaved_license = cyclonedx_licenses[0]
+        else:
+            unsaved_license = ""
+
         return Component(
             bom_ref=component_data.get("bom-ref", ""),
             name=component_data.get("name", ""),
@@ -214,7 +222,7 @@ def _get_component(self, component_data: dict[str, Any]) -> Optional[Component]:
             purl=component_data.get("purl", ""),
             cpe=component_data.get("cpe", ""),
             json=component_data,
-            unsaved_license=", ".join(cyclonedx_licenses),
+            unsaved_license=unsaved_license,
         )
 
     def _create_observations(  # pylint: disable=too-many-locals

backend/application/import_observations/parsers/osv/parser.py

@@ -7,6 +7,7 @@
 from packageurl import PackageURL
 
 from application.core.models import Branch, Observation, Product
+from application.core.types import OSVLinuxDistribution
 from application.import_observations.parsers.base_parser import BaseParser
 from application.import_observations.services.osv_cache import get_osv_vulnerability
 from application.import_observations.types import ExtendedSemVer, Parser_Type
@@ -242,6 +243,8 @@ def _get_affected(
         if not package_osv_ecosystem and product.osv_linux_distribution:
             package_osv_ecosystem = product.osv_linux_distribution
 
+        package_osv_ecosystem = self._get_linux_package_osv_ecosystem(parsed_purl, package_osv_ecosystem)
+
         for affected_item in osv_vulnerability.get("affected", []):
             package = affected_item.get("package", {})
             affected_ecosystem = package.get("ecosystem")
@@ -251,6 +254,67 @@ def _get_affected(
 
         return affected
 
+    def _get_linux_package_osv_ecosystem(
+        self, parsed_purl: PackageURL, package_osv_ecosystem: Optional[str]
+    ) -> Optional[str]:
+        if not package_osv_ecosystem:
+            package_osv_ecosystem = self._get_linux_package_osv_ecosystem_apk(parsed_purl)
+        if not package_osv_ecosystem:
+            package_osv_ecosystem = self._get_linux_package_osv_ecosystem_deb(parsed_purl)
+        return package_osv_ecosystem
+
+    def _get_linux_package_osv_ecosystem_apk(self, parsed_purl: PackageURL) -> Optional[str]:
+        package_osv_ecosystem = None
+
+        if parsed_purl.qualifiers and isinstance(parsed_purl.qualifiers, dict):
+            package_type = parsed_purl.type
+            if package_type == "apk" and parsed_purl.namespace == "alpine":
+                distro = parsed_purl.qualifiers.get("distro")
+                if distro:
+                    if distro.startswith("alpine-"):
+                        distro = distro[7:]
+                    distro_parts = distro.split(".")
+                    if len(distro_parts) >= 2 and distro_parts[0].isdigit() and distro_parts[1].isdigit():
+                        distro_version = f"{distro_parts[0]}.{distro_parts[1]}"
+                        package_osv_ecosystem = f"{OSVLinuxDistribution.DISTRIBUTION_ALPINE}:v{distro_version}"
+            elif package_type == "apk" and parsed_purl.namespace == "chainguard":
+                package_osv_ecosystem = OSVLinuxDistribution.DISTRIBUTION_CHAINGUARD
+            elif package_type == "apk" and parsed_purl.namespace == "wolfi":
+                package_osv_ecosystem = OSVLinuxDistribution.DISTRIBUTION_WOLFI
+
+        return package_osv_ecosystem
+
+    def _get_linux_package_osv_ecosystem_deb(self, parsed_purl: PackageURL) -> Optional[str]:
+        package_osv_ecosystem = None
+
+        if parsed_purl.qualifiers and isinstance(parsed_purl.qualifiers, dict):
+            package_type = parsed_purl.type
+            if package_type == "deb" and parsed_purl.namespace == "debian":
+                distro = parsed_purl.qualifiers.get("distro")
+                if distro:
+                    if distro.startswith("debian-"):
+                        distro = distro[7:]
+                    distro_parts = distro.split(".")
+                    if len(distro_parts) >= 1 and distro_parts[0].isdigit():
+                        package_osv_ecosystem = f"{OSVLinuxDistribution.DISTRIBUTION_DEBIAN}:{distro_parts[0]}"
+            elif package_type == "deb" and parsed_purl.namespace == "ubuntu":
+                distro = parsed_purl.qualifiers.get("distro")
+                if distro:
+                    if distro.startswith("ubuntu-"):
+                        distro = distro[7:]
+                    distro_parts = distro.split(".")
+                    if len(distro_parts) >= 2:
+                        if distro_parts[0].isdigit() and int(distro_parts[0]) % 2 == 0 and distro_parts[1] == "04":
+                            package_osv_ecosystem = (
+                                f"{OSVLinuxDistribution.DISTRIBUTION_UBUNTU}:{distro_parts[0]}.{distro_parts[1]}:LTS"
+                            )
+                        else:
+                            package_osv_ecosystem = (
+                                f"{OSVLinuxDistribution.DISTRIBUTION_UBUNTU}:{distro_parts[0]}.{distro_parts[1]}"
+                            )
+
+        return package_osv_ecosystem
+
     def _get_package_name(self, parsed_purl: PackageURL) -> str:
         package_name = parsed_purl.name
         package_namespace = parsed_purl.namespace