From 51f8dd02f187cb9d9b2d26eb2e14b5d2ad893a19 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 07:13:29 +0000 Subject: [PATCH 01/39] New --- .github/ci-pipeline.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/ci-pipeline.yml diff --git a/.github/ci-pipeline.yml b/.github/ci-pipeline.yml new file mode 100644 index 00000000..4792b801 --- /dev/null +++ b/.github/ci-pipeline.yml @@ -0,0 +1,23 @@ + + name: Python package + +on: [push] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Set up Python + # This is the version of the action for setting up Python, not the Python version. + uses: actions/setup-python@v5 + with: + # Semantic version range syntax or exact version of a Python version + python-version: '3.x' + # Optional - x64 or x86 architecture, defaults to x64 + architecture: 'x64' + # You can test your matrix by printing the current Python version + - name: Display Python version + run: python -c "import sys; print(sys.version)" From f5610d0fcc9f2d13bb098ad0704b586ce74bde70 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 07:16:29 +0000 Subject: [PATCH 02/39] Add CI pipeline --- .github/ci-pipeline.yml | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/.github/ci-pipeline.yml b/.github/ci-pipeline.yml index 4792b801..774dd3eb 100644 --- a/.github/ci-pipeline.yml +++ b/.github/ci-pipeline.yml 
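Review bot: The new workflow declares no `permissions:` block, so every job runs with whatever default `GITHUB_TOKEN` grants the repository is configured with, although the steps here only need to read the checkout; add `permissions:` with `contents: read` at the top level next to `name:`. Both actions are referenced by mutable major tags (`actions/checkout@v4`, `actions/setup-python@v5`), which is workable but pinning to a full commit SHA with the tag in a trailing comment gives a reproducible supply chain. The leading blank `+` line and the indented `  name: Python package` key look accidental and would make `name` sit inside a stray indented scalar rather than at the top level.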
@@ -1,23 +1,27 @@ - - name: Python package +name: Python test and build on: [push] jobs: - build: - + test: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v4 - name: Set up Python - # This is the version of the action for setting up Python, not the Python version. - uses: actions/setup-python@v5 + uses: actions/setup-python@v4 with: - # Semantic version range syntax or exact version of a Python version python-version: '3.x' - # Optional - x64 or x86 architecture, defaults to x64 - architecture: 'x64' - # You can test your matrix by printing the current Python version - - name: Display Python version - run: python -c "import sys; print(sys.version)" + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + - name: Test with pytest + run: | + pip install pytest pytest-cov + pytest api_tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html + - name: Archive code coverage results + uses: actions/upload-artifact@v4 + id: artifact-upload-step + with: + name: test-results + path: junit/test-results.xml From 0b5ce0638ceed5ea373f01bc17e5b4fadac1182d Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 07:27:54 +0000 Subject: [PATCH 03/39] Add CI pipeline --- .github/{ => workflows}/ci-pipeline.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{ => workflows}/ci-pipeline.yml (100%) diff --git a/.github/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml similarity index 100% rename from .github/ci-pipeline.yml rename to .github/workflows/ci-pipeline.yml From 9daba6b2caabbb47a0adcfc92966b4c339d0e063 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 08:05:47 +0000 Subject: [PATCH 04/39] ci --- .github/workflows/ci-pipeline.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 774dd3eb..6aae52e3 100644 
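Review bot: `uses: actions/setup-python@v4` replaces the `@v5` the file already had, a downgrade with no reason given in the commit; keep `actions/setup-python@v5` unless v4 is required for something specific. `pytest api_tests.py ... --cov=com` measures coverage of a package named `com`, which does not appear anywhere visible in this series (patch 12's diffstat shows `api_views`, `models` and `app.py`), so the coverage report will presumably be empty — verify the intended package name. The `pip install` lines pull unpinned `pytest pytest-cov` and whatever `requirements.txt` resolves to at run time; a constraints or hash-pinned file keeps the test environment reproducible. The step named `Archive code coverage results` uploads only `junit/test-results.xml`, not the XML/HTML coverage output the pytest command generates.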
--- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -3,6 +3,7 @@ name: Python test and build on: [push] jobs: + test: runs-on: ubuntu-latest steps: @@ -25,3 +26,23 @@ jobs: with: name: test-results path: junit/test-results.xml + build: +needs: test +permissions: + id-token: write +runs-on: ubuntu-latest +steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest From 52823e0d05b2e18fe0778a580a2791dbcccdb2ab Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 08:15:25 +0000 Subject: [PATCH 05/39] ci --- .github/workflows/ci-pipeline.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 6aae52e3..d6a8f931 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -1,10 +1,7 @@ name: Python test and build - on: [push] - jobs: - - test: +test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -26,12 +23,12 @@ jobs: with: name: test-results path: junit/test-results.xml - build: -needs: test -permissions: +build: + needs: test + permissions: id-token: write -runs-on: ubuntu-latest -steps: + runs-on: ubuntu-latest + steps: - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -45,4 +42,5 @@ steps: uses: docker/build-push-action@v5 with: push: true - tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + From f9e44f5de988eda602f940d145c4fe642022489e Mon Sep 17 00:00:00 2001 
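Review bot: In the new `build` job (`@@ -25,3 +26,23 @@`), `permissions: id-token: write` requests an OIDC token that no step uses — the registry login is `docker/login-action@v3` with a static `DOCKERHUB_TOKEN` — and since a job-level `permissions:` block sets every unlisted scope to `none`, the block should at least be `contents: read` plus `id-token: write` only if an OIDC-capable login is adopted. Combined with the workflow's `on: [push]`, `push: true` and `tags: ...:latest` mean a push to any branch overwrites the `latest` tag that the deployment later consumes; tag with `${{ github.sha }}` in addition and gate the push with `if: github.ref == 'refs/heads/main'`. The added `needs:`, `permissions:`, `runs-on:` and `steps:` keys sit at column 0 while `build:` is indented under `jobs:`, so they do not nest under the job as written; later patches in this series re-indent them. The job has no `actions/checkout` step, so `docker/build-push-action` falls back to its Git context, which is presumably intended.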
From: margaritasentuna Date: Tue, 29 Oct 2024 09:20:17 +0000 Subject: [PATCH 06/39] Ci pipeline --- .github/workflows/ci-pipeline.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index d6a8f931..d3b5b8bb 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -1,7 +1,9 @@ name: Python test and build + on: [push] + jobs: -test: + test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -23,12 +25,12 @@ test: with: name: test-results path: junit/test-results.xml -build: - needs: test - permissions: + build: +needs: test +permissions: id-token: write - runs-on: ubuntu-latest - steps: +runs-on: ubuntu-latest +steps: - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -42,5 +44,4 @@ build: uses: docker/build-push-action@v5 with: push: true - tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest - + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest \ No newline at end of file From a2effc6a44041ae16616fc2d1dddc28474fd957d Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 09:23:53 +0000 Subject: [PATCH 07/39] Ci Pipeline --- .github/workflows/ci-pipeline.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index d3b5b8bb..92ee4cbb 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
@@ -25,23 +25,23 @@ jobs: with: name: test-results path: junit/test-results.xml - build: -needs: test -permissions: + build: + needs: test + permissions: id-token: write -runs-on: ubuntu-latest -steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: + runs-on: ubuntu-latest + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build and push - uses: docker/build-push-action@v5 - with: + - name: Build and push + uses: docker/build-push-action@v5 + with: push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest \ No newline at end of file From 3be6f1bea68855999a147a04bfd25d5d4ed9cd2e Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 09:26:53 +0000 Subject: [PATCH 08/39] CI Pipeline --- .github/workflows/ci-pipeline.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 92ee4cbb..867b4825 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
@@ -32,16 +32,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v5 with: push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest \ No newline at end of file From 87489352b1d652d57117e92e55d3ed1c0950e44c Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 09:29:31 +0000 Subject: [PATCH 09/39] Ci pipeline --- .github/workflows/ci-pipeline.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 867b4825..19e3d1b9 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -28,7 +28,7 @@ jobs: build: needs: test permissions: - id-token: write + id-token: write runs-on: ubuntu-latest steps: - name: Set up QEMU @@ -37,11 +37,11 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push uses: docker/build-push-action@v5 - with: - push: true - tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest \ No newline at end of file + with: + push: true + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest \ No newline at end of file From 3cde0fed38cf9f591d2193a6d337e8bdebafecb9 Mon Sep 17 00:00:00 2001 
From: margaritasentuna Date: Tue, 29 Oct 2024 10:25:23 +0000 Subject: [PATCH 10/39] CD - Pipeline --- .github/workflows/cd-pipeline.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/cd-pipeline.yml diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml new file mode 100644 index 00000000..1925fa26 --- /dev/null +++ b/.github/workflows/cd-pipeline.yml @@ -0,0 +1,21 @@ +name: Deploy + +on: workflow_dispatch + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy Container App + uses: azure/container-apps-deploy-action@v1 + with: + imageToDeploy: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + containerAppName: devops-app + containerAppEnvironment: devops-app-env + resourceGroup: devsecops-lab + location: australiaeast + targetPort: 5000 \ No newline at end of file From f9a83148000890af572017664868bfc8e3f92ba9 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Tue, 29 Oct 2024 10:37:47 +0000 Subject: [PATCH 11/39] CI pipeline p2 --- .github/workflows/cd-pipeline.yml | 28 +++++++++++++++++++++++++++- .github/workflows/ci-pipeline.yml | 27 ++++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 1925fa26..3f763c3e 100644 --- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml 
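Review bot: `imageToDeploy: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest` deploys a mutable tag, so a `workflow_dispatch` run picks up whatever was last pushed to `latest` rather than a specific tested build; deploy an immutable reference (the image digest, or a `:${{ github.sha }}` tag produced by the CI workflow) and pass it in as a `workflow_dispatch` input. `azure/login@v1` with `creds: ${{ secrets.AZURE_CREDENTIALS }}` relies on a long-lived service-principal secret stored in GitHub; the action also supports OIDC federated login via `client-id`, `tenant-id` and `subscription-id` together with `permissions: id-token: write`, which removes the stored secret entirely. The job declares no `permissions:` block, so it inherits the repository default for `GITHUB_TOKEN`; `contents: read` (plus `id-token: write` if OIDC is adopted) is all it needs. The file also ends without a trailing newline.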
@@ -18,4 +18,30 @@ jobs: containerAppEnvironment: devops-app-env resourceGroup: devsecops-lab location: australiaeast - targetPort: 5000 \ No newline at end of file + targetPort: 5000 + submit_results: + needs: [deploy] + if: true + runs-on: ubuntu-latest + steps: + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Azure CLI script + id: token-gen + uses: azure/CLI@v1 + with: + azcliversion: 2.63.0 + inlineScript: | + ACCESS_TOKEN=$(az account get-access-token | jq -r .accessToken) + echo "azureAccessToken=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT" + - name: Upload reports + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} + run: | + export FQDN=$(az containerapp show -n devops-app -g devsecops-lab --query properties.configuration.ingress.fqdn -o tsv) + echo "FQDN: $FQDN" + WEEK1_APP=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "https://$FQDN" https://devsecops-ver.azurewebsites.net/api/week1-app) + echo "Week1 app upload: $WEEK1_APP" \ No newline at end of file diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 19e3d1b9..979f1672 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
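Review bot: The `token-gen` step writes the Azure access token into `$GITHUB_OUTPUT` without registering it as a secret, and step outputs are not masked by default, so the token can appear in plain text wherever `steps.token-gen.outputs.azureAccessToken` is logged or echoed; add `echo "::add-mask::$ACCESS_TOKEN"` immediately before the `echo "azureAccessToken=..."` line. The same pattern is added to `.github/workflows/ci-pipeline.yml` in this patch's second hunk (`@@ -44,4 +44,29 @@`) and needs the same fix. `az account get-access-token` without `--resource` or `--scope` presumably mints a management-plane token for the whole logged-in principal, and the `Upload reports` step forwards it as a bearer token to `devsecops-ver.azurewebsites.net`; that is evidently the lab's verification protocol, but the principal's role assignments should be the minimum the verifier needs. `if: true` on `submit_results` is a no-op and can be dropped.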
@@ -44,4 +44,29 @@ jobs: uses: docker/build-push-action@v5 with: push: true - tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest \ No newline at end of file + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + submit_results: + needs: [build] + if: true + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Azure CLI script + id: token-gen + uses: azure/CLI@v1 + with: + azcliversion: 2.63.0 + inlineScript: | + ACCESS_TOKEN=$(az account get-access-token | jq -r .accessToken) + echo "azureAccessToken=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT" + - name: Upload reports + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} + run: | + WEEK1_CONTAINER=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$DOCKERHUB_USERNAME/devops-labs" https://devsecops-ver.azurewebsites.net/api/week1-container) + echo "Week1 container upload: $WEEK1_CONTAINER" \ No newline at end of file From 2d71699833c5794a3b6fb63c7920e1b2bffdf3c0 Mon Sep 17 00:00:00 2001 
From: margaritasentuna Date: Sat, 2 Nov 2024 08:42:22 +0000 Subject: [PATCH 12/39] Week 2 --- .github/workflows/cd-pipeline.yml | 4 ++-- __pycache__/app.cpython-312.pyc | Bin 0 -> 562 bytes __pycache__/config.cpython-312.pyc | Bin 0 -> 1169 bytes .../__pycache__/__init__.cpython-312.pyc | Bin 0 -> 149 bytes api_views/__pycache__/books.cpython-312.pyc | Bin 0 -> 4438 bytes .../__pycache__/json_schemas.cpython-312.pyc | Bin 0 -> 653 bytes api_views/__pycache__/main.cpython-312.pyc | Bin 0 -> 1268 bytes api_views/__pycache__/users.cpython-312.pyc | Bin 0 -> 10271 bytes api_views/users.py | 2 +- app.py | 3 ++- database/database.db | Bin 24576 -> 24576 bytes enumerate.py | 22 ++++++++++++++++++ models/__pycache__/__init__.cpython-312.pyc | Bin 0 -> 146 bytes .../__pycache__/books_model.cpython-312.pyc | Bin 0 -> 2153 bytes models/__pycache__/user_model.cpython-312.pyc | Bin 0 -> 7280 bytes 15 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 __pycache__/app.cpython-312.pyc create mode 100644 __pycache__/config.cpython-312.pyc create mode 100644 api_views/__pycache__/__init__.cpython-312.pyc create mode 100644 api_views/__pycache__/books.cpython-312.pyc create mode 100644 api_views/__pycache__/json_schemas.cpython-312.pyc create mode 100644 api_views/__pycache__/main.cpython-312.pyc create mode 100644 api_views/__pycache__/users.cpython-312.pyc create mode 100644 enumerate.py create mode 100644 models/__pycache__/__init__.cpython-312.pyc create mode 100644 models/__pycache__/books_model.cpython-312.pyc create mode 100644 models/__pycache__/user_model.cpython-312.pyc diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 3f763c3e..9b727ad1 100644 --- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml 
@@ -43,5 +43,5 @@ jobs: run: | export FQDN=$(az containerapp show -n devops-app -g devsecops-lab --query properties.configuration.ingress.fqdn -o tsv) echo "FQDN: $FQDN" - WEEK1_APP=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "https://$FQDN" https://devsecops-ver.azurewebsites.net/api/week1-app) - echo "Week1 app upload: $WEEK1_APP" \ No newline at end of file + WEEK2_SUBMIT=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "https://$FQDN" https://devsecops-ver.azurewebsites.net/api/week2-submit) + echo "Week2 submit: $WEEK2_SUBMIT" \ No newline at end of file diff --git a/__pycache__/app.cpython-312.pyc b/__pycache__/app.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..c7e01ba377d861071586b8b8e95ddfc5b8507e88 GIT binary patch literal 562 zcmaJ+&ubG=5T5sAH@nFei(*B+8Z}^>>O~?&P^k7dxShjg%y6x`1Wp@)uPx0jT z)ZV=IsKkQ@{|hf-K;)?>Pr0S^)|2lUi-O=cyqRwXzHjDzSXiinM)0lPyGH?jnC1-j zZ*uZplUE=>kO*SZA;fSR(GGQi0y6#Rj&mmaQw0-ztX&PpWL`Vge-)On|54aj5tZGW z0NIk(lAXo5)8AP*!WGrGwK1Dd2@L6wHoU268$>ySew6q@nm$%lLoo}sBAl9=)VV_L zVp4=L7BUJ4I9)SS$M@qPOniT@vbyps!tw&ZW`ildE%QS0RAz;;1a9?v4OiJ+nLH1B znK?jFnJX41g|d5CU@}nLELB!u{Ec-I#OV8qW&Pw0oM;K0)|=Zh#%5Ov%+sKY&Gv)M z_2qROJjL#lG;iwTSJL6BvldIykMMqWNvq5Ua-q|V5kkJh)vw^rI4Atr1E*HD$~yR|)UfC`m9<=w{AD3>tK0onpO`PSCHFJP_<=!WD`3qkhJ$kwE WV&gD867Q~k=67cd_?7IUUi1^-w1|2D literal 0 HcmV?d00001 
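Review bot: Beyond this one-line endpoint swap, the same patch commits ten `__pycache__/*.cpython-312.pyc` files and a modified binary `database/database.db` (see the diffstat at the top of the patch); compiled bytecode is a build artifact that should not be versioned, and a live SQLite file cannot be reviewed for what it now contains (records, test accounts, credentials). Add `__pycache__/` and `*.pyc` to `.gitignore` and drop the bytecode from the commit, and either regenerate the database at build/test time or document what the `database.db` change carries. The new `WEEK2_SUBMIT` line still embeds `$AZURE_ACCESS_TOKEN` in a bearer header, so the `::add-mask::` guard on the token-generating step matters for this hunk too.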
diff --git a/__pycache__/config.cpython-312.pyc b/__pycache__/config.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..247491eb6d2b5ec3d60c650787f8d3df365be0c6 GIT binary patch literal 1169 zcmb_a&rcIk5PsXA+jfBpByIQ=j7DuDZ45$Gs7Yx{TPZZQ^}t@%W#5Bt-R>^C1#M6D zqHqFFz=8VgiWBH#@eP7+++A=0nQ? zo}e3ThgJmgZX;@c^F8g6;Ujy#_c{t~t!`zUq+Q5`>%7MP3pa$SY;1x-9TT^ehkvlzSmt zWEWT!1zL_DE@&RTXEGd*&dxKDP&PCb%0!u0>BO`))RxJnL*W@_HWf)sC&Hm@A~l!M zYziwvsen~Q!|7<2nTgKpBCtH}4WqIJ#1wN1VquxO5<2QH6$D?mW|CCR!AYWs-eH}Z zdr@Fj%vcs!V>iW&_tor%^ij6+?!@nd3;o2G4+1%Rh-b<`Q_3jIa!e4ih!OggP5rQKk66!{5BH=aRwY`!2KQEKL?!+mv`;y zMsPj2?X8YYpSWTbve9>MulvZe?>QRSANZWBkH>4{@#>4$$3C{!$5w&o^ijM*ex%-0 zbexD1F`ZKVYq5>gdTM)W vH?|YoP3|Q3ymjA1%{NgEW{wB4RbD)yq>7^f$U1P>fO~W38yHsl@iKn^uuKRD literal 0 HcmV?d00001 diff --git a/api_views/__pycache__/__init__.cpython-312.pyc b/api_views/__pycache__/__init__.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..6335db878fd45c1f800fb7a51ca5f921d8606ae3 GIT binary patch literal 149 zcmX@j%ge<81VL>I=^*+sh(HIQS%4zb87dhx8U0o=6fpsLpFwJVndoQa=cei>=cl9= z7bGU9>U%ndxahj1mIbFK`xg}JCl+MJmu04w7wgBzXXa&=#K-FuRQ}?y$<0qG%}KQ@ WVg(w)2*kx8#z$sGM#ds$APWEmR3cFT literal 0 HcmV?d00001 
diff --git a/api_views/__pycache__/books.cpython-312.pyc b/api_views/__pycache__/books.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..7c73eb41025ae7d387932429814138a2819565eb GIT binary patch literal 4438 zcmd^CU2GHC6`nuGj_qVZCXj4QV6YdEX^1z_66&R}Km;X4p@pPNtgftyXF|pq|Mbo{ zkgU_9s;a^hth6d1A+bnEfJmiC?E_N#(5DKiFEbrW&Q626QrQRISm2@JsrOv_+6hXx zY}G#XNIv(>x%Zwq_uS+2o%wTHTadwY_E+)+v5jH=4iA*Ly72NBSh&upjLI5J3P#Rg zb6kpJLFNrUC!_=-3x@AEHLcHR$@x?MTp$(5wWeBg!Bmi}XfZ;$a4Jk>ztNU!Pqh;{ zV2HVnR0oz@f61gasX@#;)ez>A8pgb9j*YiH1BXWAtS4H987-flRSaEKtOCL+PMyS@ z-4ho)f7UGI^{F{8a8@&mg}kYGex&`hq?wi{z#LvEjGG#46OI)MGceAUjC_WzpBM%> zJ&%7cJ2AtjXUohymQ)V-IVR4J&dVRmQPWbak{M0P(J4hYqWy9-re)nc(1MW+k+DnRi0_msKZ}w1wnLtYtF5DEY8JPBe^# z>x|Vnt;$-UCzKVa)EpnyMV)b-ID?pSr_kh62h-T7TRl60l_FP~lsb=yKW zg2S#m6}*?6>Ql_uo+?Z87cZbhPqM(YG8V*xP!?>wL1o4YP}Re_C6=*7slhrMvsmQtlCm$XBpIOLEs2k_+MC~awFQRU*(sChxI!;$Ebn-WS7-NEoZk- zsX1ofY06Y8vrDbi*KCApn`0xIoVAr|-`X};W;TpckiKy#MC1Oo@8-+=#_?0b)RM}r zkDt{?z5RDS{EPWEYPrm1w^3WoajBi&)q-HjRG*DfsX1nMHf1W61!^7Vn@qJE?%qvj znL)~=W49b}CN*K_=h;`%1XR=aro11)&n9 zE!{G-2b?E>9__&Ap6`O{B_B1Arl@nWc1brabBEVrY8hOza8ZLrUVH5^ohjrkEpK^# z*q_!_&u^A88C>n_W~LQWp47Cwtf;D{4#YWZh@gY#ub1v;kFmY@76g^W3qYBKBYHvL zW@cK;DPEusYMLivGo*y3Yg5RNcaf@(pb~igY3#IyOpnKg5Wu+S!yt#|yw)k*u&|4h zbDnQXN2XP)%bczvsP5Qr>@*Ir$KzLcEtx_tr(39%SWrv3q8V?2noSThjR98i1cbo~ z#bAX1vGn|T?IOg^Ylj)Y*fWz^En}HbN@YT%#Cu^l1zt=}f)3+ZDEj8d_{K=BuSzjT zin-Fx%cq}nyl<9W4Rlrm5hoD2ae66H2_#>&FyY9pq1#7p9;rqKoXEiapSzJGZs>!{ z!z=!dYr~GeXI1R3^z`2!b9?qJAGeQSFuu~-b7Rj|_aCRM7F1x#i?Qx|#t~ukHJ(YLI3oEhR z_lE8az2e#K{>76|!|hi`u8dqAy)t@Zs1lB?)}E{3J}2B)32*be)Yma?sPg)hR^p`;C zwF&>_U-zEqXa3ax&PhMNuJdUi>Rp^?YZ29IAnHb4LKgD#4Qkd0TGKG*adq^9gd^0f zENd{2SA``Xt)m$8C{li-T^2M*gwSoPoyu>E*cPNJp)y1LU-DBa+f8SiBdxv*T$w{> zFgo-!=ct6Wy;N?FSlhtRrgkHAQ3JR51>S1L0g4o%jWD9jQ-9Ug^$}fTp;6h@2KuU@ zH&(yfc*|S%JGgsjAn@15O8DkCQx-P7o3=*B@PBnT@%B*!?HPg$LeShG$U6ir9fJNO z&JrZ60~&&>^n8Vjc?^Tl2F!~D2J;0=o+^~`>JI%=T%OT(*bYrgTq1}=U<)Nc`yQ|+ 
z9>KqiU>5F~>H*^3SW1K^7LYKxMfcpupJfC1i^(50`% z6F|+$xf+P<+Bi|M7 z1@8p!A9m&BqvQ6-Pb%FX*&QD}?cQFIziof#ge#wXEZHCGmF}$Fk$t-M<;z{<#Rsa= zAxApoN{1JR*Ex58><^hg?)iOztQxIKV~#ZDN=Y8m^vUNq%JHV0R!q1rSYTG9Vf6PApXr%HT*gl-)W&b@$omi+j!{r~@-$Np(qCQ{?|m;1>djL@%Uvl{JX za`j0iUlB!AqnK$oBAJl{QSwcrtra>&K`K_i1#=@;AMzZkWHSUJ;n6$g} zkm;sxNj*I}fjF0~e42sOMb6nc@rg7h0{A!@fi$v6h_jSa*@jWXhCbm$buG<|ry1~^ zfsh7=4->|L`j|Iw<9ZYRXC1Zmu{4j;^nIAKeAtwNm_yE+PvTt_UivNRaY&fRfrm}` zP{hZoq_l@=!p1j_+(|~G9Kv}=D_t+5G@O@M7{8+{#YNZq!Eri*AWkWWEQ%p`@%-(< zqXRg71M#a&1X0GqQwC=uI1%Z1NfVE=>9z56l+wu%o^e-!G&RK!6)K`>+U2Hq*}q-9 zE4{so)#~gNgVKIbcUrFg+eG%0x@YX*5_#1Yvij@tx=mcYGLUnpI4o}sYOB*%TD$TZ zt?)gUD)wh+zt(-=(eYf~nZVfKn-D1CV9{$7KQ^#|hi$C|cts4Fd DIr6>G literal 0 HcmV?d00001 diff --git a/api_views/__pycache__/main.cpython-312.pyc b/api_views/__pycache__/main.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..d9f0a8696e197d4bb368503a0c329e58fddc5baf GIT binary patch literal 1268 zcmZWoO=}cM7_RE+?#voyjX2S)2e%l!jOfg=;K8s6fq({?M06F&WvJ<@nN+O)psFTu z5@&aWpg%!Ri`NkSAHrT%3@A+mK`-81<0&WK>U1Y=whm7}Rqtoj`}E(H$}t4%<|EQO zT|(%C-4x5o$?mT}o*;%8mMFxF7+da0=Y^B8k}QSpq6^&JK#Lyp0R4eqANynz)NxwA z$#oJ(nghq@0o;|ojDkFU_VECrKHB{Y;0ZF>p@n68dSq?od;Gnh&2VIW=jRuuj7 ziim`1vrfAYJFRRhn@(C$`IEK{zi-lVvDJ2HgzWv&T#7^93}Oa;G~ms-ncrtG&hnL8 zJXlC{lP03QBKWFqhEzn2WRQ**y+bWkg)H{T^ksk%+Hw8I*B@TrXj#&F*xFdwam#Pq zQ?J}p+wRoc>h!3!bNuwv$}|1XrK{V=uZ^y~9X~l**o9yeSSZ%PnD4>~ND4D&85hRG zuPLO5wsPwl7+J|84Cr9gFd&zC&;26<8k?sTi2Lu1?#zTY=7?G1^5SWgj(D zmzn^U>qwmho_e5d5vZSl|7dMj07mGu<4kh=zIX3UPrd4?ZN2)scmH3{nH=Ev>wj4C zCmyxF`e-D^}VcadLjh1O5LzRZ)ZF$!OyebnN?)g!6wRrv(EO) pzky$0@+;~r*sWId6u{>a#`qmN^AY|04pqOnKCbRgc(|HHegl17JfHvo literal 0 HcmV?d00001 
diff --git a/api_views/__pycache__/users.cpython-312.pyc b/api_views/__pycache__/users.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..41a92807c41f621feb037ad10dcf9fb09a8839d6 GIT binary patch literal 10271 zcmeHNTWlLwdY&PNB1KXfN|Z%Pl&sM$Hf4*FZ<|>0O}6Z;6etg1D`MKE(Ud-L{)Wfc9bNVL*AJpe|~l^_yb*A@#oW z{|`Ac6hp^uifvzd0RHF9xnKY9JOAN7RaH4Da7X`?o9J$%sDHx`-B}8O$A1Zd>l9D% zbetN^`}8PHzAd8`@GWs`f*EBJwox06>DG9~Us*_qiQ5y7QAeV3v@+owbtYV+E)s8x zyAxHTRU}*yuTHR|EQIYpr$#-z17rPW#cniv5Drg-_ac^^Nk{p(&rM5n< z?R+>IZ(Gl`B?L(dPY4*5vb4>9LP7P`gft;x?cCE1Jr^buLQiCphfakfLeKvGk%8_3 z;o`6mIW#5pgr}n87o)-@sb?CxCWWSEv^qf)C&lqX#p4%*_!Pu=pgK4FB<$c7YSGob zV9mHTE$|svpThJ#hFB_sLU%R@kP!_);5sE6qvdHCjF`WX%Jb=zDgH37KsCK zgUN|>B zA=X2#qOoYUd~_p3!*diFiaKIS*h2_Ge&OP%G|+4{JpPL~?Fiq@)Vz>g*9uTmX?5;nX{gc_blUe)fCDwP-dUN2z zgC886U#m84QvI73BFez=EPFz6oOr|pSVM`68PjVfq^X$8{L(|baRhH$^o593>8Yk~v`nXI=^rX78P6MW zF+6J}E=|d(M2P#eu+eBruG8bhHM})VU8KbJH0b&Uh!(9pGiym&c-ySS+$NApV=DL+ z1>a75%WcP}g&CNolfLJdxLv7l!&zF!qefiJuZK)O7BItlC~eFVjN*q&H|u3gU!Oa` zCnxXX-8U_>R=Gt_ms|BvtW6J@e%h+93SY%n-)8kuz+p0L2_#PxZq!+FHx7Rr>IMGuy#nq z&WP{%+SG}EA4m@zN@AbXgmvgmbTrKlWx!~4JaO<5eHMm!CwWzLrIoE-V>wxMS zx-xLj#V%WXm0|jUyFTY`$+%l?xwE0&S@)iASnmz{t!){9&!V^Gmi?}G?P3#mZSVc2 z*15e)zQC=qg)RWgFWt(q@yt)pF1Cf{FJ;?B)!+ z`4L6Kc$d6^Y*X)o_w&GK0kvuS9Z5Mjp7oyn%6;|^%T~HL;sLN2RX*y=Wl3CH4pj5=&kmfVv^bo|Bfel^x z&02Vdx1}w7#Z4=yc>_#j0~lhcMoL_fnz!=~6RbeZb9z?sFpOu*j~vg-Fdkn~Z&2Y9 z$2;|&^Cc|<&>tyV!u9MD;_4sYKgj|umhYqcSuM^`GZa7@qmSml32o-;81n(phJaGy zjP|RFSEn4b0YNBJD_?EYuws_6hG88H*&;9$u@fSKY|6I+%;J+169P~0#VW4HOsKOp zCxX~G0kIOmO7$ErpeYxX2v3fHwg=@6d|Bk=3j#L*IGE&gJ{(H<5ZsXda{Q!_FG3J5 z)nX(-Nu$>N$wGy#VhHNdhu2-{;Z4X%Qd#QI*Ikr8+ zw$G2{y0>S#x8I4W-TM``U1bMz?BNW1SY?l1WdPXb4&>@OGIbrdM%B9Bg@Mlxes=I~ zUH@W3bFQH$)6lcPd|vfgmD;f5>frsx_Qk;F#no%SwKLB_nr~d}JwQfx&c8O}UpwCj z7nD29Z>oM>b=MED*plToD_hR1+=LR1FH_WIdeHKOqWrI0;G^bs%e_?%dZrN8}?-mkLYENtK13Y)R;0cll7$( zPiomp9iflW%XX^1@jHM=z;G9radA0UZ^qRNKxaEc!;K1naenx3PJeP*^>4kiN!foo 
z%Z`2J82iJrg@#$qXHdHPRsZha?op2NSys5~5S~iCusXlo{mNdB`bTyf$ltmBC_6Fc z3$FP!+WN(IZeP3g_sukff8X8&a)oh*feHW$smGT=T!;IHSYHV;1`A&5Oc>%Vco%{D zhlRHiuvzuPW)JfgF-*-c?G)Sxpxi0y&sP`Nux&`Axrf-MMm??CpCtS*&rE|>%_hMu zSk9Bk8eS+l2w=2wkz;WIC@CC2+};viy>wc}66Jt46XcYj0uDjqS{7R zt!!Fs=*Ts6Wg5EXH>t4o=uE@LcL$dpRK5SI^Pas1Hg=Bf%&?ueVk)~qacsEHuKsSh zhQ@+{UkpB#98lZO>o!q;%WPda$CyCo_%C3#Uzl{z&m|pnS<+$93K^QsyK*4{iDuR8!sV$bu$_n3 z;3SH#!zLnTjnwfs)}HR|-Wu*s^>>e+S$n!WGqP77DIA zU8v#hjqA7020QYG5M+o!OWqKImJtZ!NzfR)xj+182&Os<13PRCERQS1w8DYG0Pgfs zDAn}_HUJ$xv+nd*X#C7h^K;jku}kYthd@Hxn`S$L4Q1(^cX|q~72~90-AF;GnFsno z@J6%e;YrFfyArlXh@K0(ZxIDB#0X(AazR9^SbngG9wOXiC~+$aJlrPh3)=G$$nZ1< z?G%LPX|_aIhFXy6X*MuT2$v=76PPQ|```)WZ7ei zzLH^IQQ5w$3~;=qy87$;ukBy-M3+2XgGioG>$+7> z=&{YRs`u*NZ!0Lzs>SADuDLtY+&w>`HveRfdEdF@slD#J=FE9oGoIG0r~UrwHTOH# zethtwgNv=5A2)u~2lmcWzTVjdh?RszKXwhlfn8mb= zhn~2Yf%19`uo!&PDsgEFtok~ODPwri5r5X2wt^w#IsE~4;no|F@ePN#n8APa80ZU{ z&q|!$7EL8*%A$(Fx4@>qVs?MTxbZdP#m4==G-iCIK%NBFe>?@mJ?EXme8#ITnGdrD zlOwVEcuQw5=o!+g`oWelDMnM|#ZNo}&5K7-7)JO!x)KvfJ0uj|0EgfWa38(_=5d-B zPaMYxCh;L17#+IZLL4C_4~FAl2T6cQWdIN}SX+c_ctH}6qabDo6UlHyHSpps<31Sfw#3_s=b_fKfQtJa-z$5(~L_7RGYIocQHF-Ehf8#^hL`bDOPLl4G`H$bzC;lH5ht`H_gdaFOb_b-IlCI z5Dd0&z(hV3`l;~BTB4d5C}%KbF#=yi z{2c_O{{R65`H!K0p2vI_@#XLreM_wO{egn<^rTuB%CbGcVi#LNpb7|Ubv&1~?o+wf zzVs?5qFG-|@x*iuaae6Sq6{Bb!cx{ND{h&nh+w050%u?|2+bP1B;#Xi@_ck6uk~@R zw0h$oS0Q}NEnI{oc;StQr8o2cYa&>J2C@A6Y)t~J+Hom_x5;r5&YStH@XwbbYc_Hw z5vdIMUkZ6yCC2IeZoq2`0gC)0A=r{WlPk_s$2O>UIxg%GV~~KFP8tOPFNie#HC6dF zRr59F{CBEliR$NFgU&p@j)Hg%&1UK!-5%Uu58a$bXUlBhB^37X>+>@! SBP;^ijlu_7!N;tOY(4-aK~{hO delta 267 zcmZoTz}Rqrae}m3LG5_{I~cw@^=7DtKy&B<}bixYBKqtzlf-*39~vAD}%BnV^V&8 zc1UJPPO7CjNJhlcoJoa|l|j**6E0&4lHfPx0@}{Ze~E$r6aOXtM?fQw@ayq2DI=^*+sh(HIQS%4zb87dhx8U0o=6fpsLpFwJV8R}=`=cei>=cl9= z7bGU9>U%ndxahj1mIbFK`xg}J=K>{iiuL2;GxIV_;^XxSDt~d<00m2PQtgUZfhI5l RaWRPTk(rT^v4|PS0sw_vAqxNi literal 0 HcmV?d00001 
diff --git a/models/__pycache__/books_model.cpython-312.pyc b/models/__pycache__/books_model.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..17e358930ea4baf13fb05f1ca39d698d29270c35 GIT binary patch literal 2153 zcmbtVO-vg{6rR~1|KXqDgiu0CU4+!GN})=S2n2|dq9izqD?xgQrD|)u6SHLPb!OL% z)*_V;s3KJ=Kx$>9w1S+11ya&e>8ZK*LJMl$l_EuIFS(_mJv67jS^wZv@d*9SjQS93%HAX>MWi4FYbcH57&D#IxHKQ<9i7*Nv=|pL z;?M=82=ho037+-W1MSZn@C`QNZp$UPpE6a#Hm6L3^i!fGOjXYqGinxW-+7%9HI=zU ztR&l5AFi6R_c3N^5fsM?igOB%^Bf|=tOKaNxjMt@0m&$w!fo>VDZT2nvwrC1h|E%i z4amUJI7QraH6nTcM=TZES5&+ps!b)%+ZB##x;)kt}bjTLY>H2kBoCaxJkvO|0OVxCOTJm*b*?~mP z)YVLqk~GPfPYZDLJnV7hGU|;Su|1ibrX{8|B4HW;U*3~52sQdt#TGsU4ayvxP9(3( zSv{MB>JuX=)V|IpMg+Stdwn2^Xb#UI8MNw{|R`|r35O$nX`3HyHV@ZX42 zND^ZC))7Yh+xx_f=H0y!#>Hr!lg7%N!-Flbl`^Jn5XE50MCehF3>GC>+61d=I+R6V z2f%9WUK_Z7=H8j@?voD(w+4O~`hIBZokx?~p^Mv|iOl@a=b_U>db+76x z`a|s#yB!HJ*XFBIMOM5{<(Ph+sB$wBftC`Dv890wI;w*J00cA-Y=jiW`B9u?sN!n>K2*;i5=}GqOGt|5-2-ri_n+UviXFj(Fj||l;Lb9 zBanhN0l(~A>3rB><)t;otRaCYpg(%wdk`&0AH>SBo!*gOLZfTrUkXL=O*vZteJQpT(8dSBOa z>5T23fF4c}YIE?CxTZ|1W>QW4%f96_F=h9|!ADs|>FZ2HK-hl6gddw^nwT@XLVIAT zjGTfx*W97X5v-)fI*55xInr6UT=9k%!iycZJC;rqhnI)f2e!;z?|9){rS;fSxY)7W zQ5q_pSRGm!TAR8%_ORzs+ivTHLbTG>wKQ40x_q@{mFTLqVyz#(`{|ar+cs8+Jqfli zOfRap)e^VrTk+kCuIG1phIfLe3m1NCX)n3fZ|=4X7RH~PKDUQ>@r~y`EKcC(E-YTc z&s@kA{*%Mv*dAZksvuaYW0J>q!E1L-O;y|zKy}Xl E3*G0*tN;K2 literal 0 HcmV?d00001 
diff --git a/models/__pycache__/user_model.cpython-312.pyc b/models/__pycache__/user_model.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..3cc6a977031a925c38f5f1216a4b98c71a348925 GIT binary patch literal 7280 zcmd5hTW}lKb$4HQ5yVm?XaIc3kVu&VtxzUSDT->!7D>>OBQdc^KZMkULF^I)ga>_h zA&M;Na59<>)v-rnn+)Z#9W!60Mw+oS;~A-6)yVx&Cm#huI$$@{WIA;}^v8&5CslrW z&MvS3DWrAMPN!GG*?Z1?pL<^S@aMI)4g%%OU-)Bhh=lwLBBde}D_egBl_eq(iAj=> z@nu2`;B1mjaUqUD8kgi#LP$tiLY9;@WYuYW(w4G^>?udcq2ofbCglt{^|~cln{tI* zdfl27Q+1&_hOp#SBH1ny$u0|ty`_zmzt=gV9;%;a0*;4>32PFnQnTx|XeONwuo{nuCPb3)^D>O&`!kty@U_!OT7q9pC#v!VHCkSk z5K9r+YG;uZGQs1AScwU7ERp$y&cwa$aOYyQJESBvdcC05-^ONxVp|7l(!#r8=NKBkcm{fwuaJHZR}}6}S&@ zcLm-AxKC=l$e6P=1Lc{D9xZ@-D)826Z=gxz-%w<#30Z*3Cm>k7WR{sFVW=5pmIJIP zT!hTBfE9%TFdnd?_7O5ot}(*_UbEri=}1b}1UVInCpFt-L{X+-E1+UhDxMAq8n4L7 zaoPk+&=v&E2wDLsxG_JLCodkH$fV?h(TpT3laZ)=@Z|B)!EX)9=SSq|_a>EtDQHM4 z2XVEqUhkTm)@OE2w&I_J1qF3O$-2RO&Q&y5tnQ_K{(z?~&iOu#x!@e0uMNReqpvnn!pB1r** zz{wXTH7*`eHBQNnX^xTLz?tA^_`AWgns8#I=g?vFOOa$OL*wd1Do~@@B+zFy4%%kP zs?l_2O0y#ds-Z@x4OY>(#FVO8xR|VJ_TYu6Jc-^i!0SS% zS#`aNOPX~uGM&ssB#n_3yjIjrLl}1%bB4iOO@!6VIXOM^jIMM~(RIzf0)ywtChN2} ze(ia-;Mt$|>@Ro@<~;{jJ>6fNDD)2Hdx!2HUwi9M*LvT{d*0c2s?)k>_iwDc$F=b4 zV+V12mX0nSU9asWEF)*V`J+Vj}TyIq@vuXX(vM%4Kp z5ysxQ-r)Z5#P2pas6Nq6!jJmB{mtZFv%UWX?p{07|2%hZAA|Mh1%TVEffdf6Ys(i; zX$u`vP2H#_|Ffhl{|UU99i^J&CTe$d0#srud_5OqC0-KZjPCV|MtzP+zw&>-mly-_ zLXiV=3}~j!2fNj^!?ZWmv=1}}g2l6B+OC%SRnbW3=a@6JihZA*c7S%lcZyN#OFYtb zkDXEU;_0rLwv*}e5MoMx zT~(@g3OFc=7(Il$vq)eTiaJZbjpQQ;zJqOzL1Qg*@gSucs_iPSF^bx#lju?CuAj%$ zQi^___5o1vzRLP+toO7&KSe))WB(oi=rdnqZ+sv&Y&5lg*7;HAa_9^1?Uq|Dh3>(8 z_h6y>M85mP{g&14H*?atT$1LZ$|fN{WL{_CGs3=&pZA%w_!(nk>|;Wju)ew zG`ZH4x?){#Xu5i6@mS8e=eHYTeL>ux7x$x@_x)4DOFE%FFSaA$I~xs0ezzfdpSA&= zaF8GM*Y!7$dkqZ(9`4@$dW0`K0e)G-4AgU9IvK3j3jnv-1LPn6wt4|T=u|Z}s2&$c z%qJk90d|-^2V)J;0kukZ&nJ{jdd99BRjmFAwl@L*H{bm1XMG>_-R!-6^w!b5>sZcq 
z%y90e6NYYP@bWGof7te5(>x5?QGjYX@p2O!h1ZXAjjtBd(bLeC?mU|V4-}T9YFb<((Tl()P3n66aSFNMPr3%Di8l%>6|TX9J{<5<7KAb%3lI?sWQGW zEljz4qG&bClyXEfNG?OP6ocP89zy0SXF@gIQD#ZWGB2_p_;?sK2lg+@GJ0)_P&A0( zU(u**0z~?B8eDNQNxusO2=?$|D{sFRJaZV@!{~~YnR=Z`+i1seL;%1%`TD>MpTBnP zwa6c>P^5Bp8CHtcNYWq*bUxjvm3bl;}^rh2vO(SQo=Mxj5zcLKf%KIP_^vM-)BeK$i?Q|_v% zROwxrFeBU2-0Uwd5X$plz_uL!6wVEqI73P4@u+UBL%W(OGH&JfhPoMHz;uHcJ(7gthVoIhw_n zE{#vBnr&QGqZ8olb>-7VNwbf~ldADL7RKXLQ3HZLt>(Zzg?0TjdU6y)c zF`&)ayqi|ix(85;fj;Jluk|y>M~;H`K;C=c=0whWVAcC_!5hqbgR9R%-RMSp^6bks-lX&BM zLnyrgW6UfcHg}>rN*k({D@#B^a%Y(}-({dx|Mlo95?qo{1`-$n%dqaO9!ju=W*>t* z;AmV;$}?_wp@9(i$1~J#QsMpPKqRbUAI)X-3B$Weg}hC`ZWww_Q7Oe;8L1foM<^7J zi|;-~fj1X;0ZGCKSt=D*1D0w&6cRu3lrCgOS~3H96ji}1gYXTCA&IqAj>Q!eYF!)+ zkFkyRHjGgI3;@`@2G6qh=83z(-0N?yHN3T8+i-h6u`joM>{@kqEZ8@icCS2t$DZ#z zo;x#7;hF+h0*G4V=}USN0Asv7K39b zDK#jM*`r#T2a>TC$@&NMx54~&$x)sk6s%@g6VSwWgVlztVE2p*Q-s~GAnXDK7&4lB zjOHGrxyNkQbA&T4J&kA*N8ti6rlJ(UHKMbns1JHBP#V)OpcFxEqm9E5dV3(9)<$DF-?bu42LyG7;}@^B-Wi_@E?(6 zv86T~Rxy!lpoT%P3}lkoR9ds11QQa2Ofd@y7|VzX{w=n{DrnaJOa`8rX`Llh_l+1U z&?Evsg8c|El-8Vz3V#ZTret*@BT@8Addz7AQX`1Ii9kkxOr+-#%psUXum=IA7Y#lm zv(cg{r$ECml680U{ONUj{X+d^-zDFb9?Z+E^xom`53bo?pYI2Mvp_FTUz)z^yITL5 z?<3#xiy!a4$pd@E;QWc|t^3x*Bhcn-T*tQ@+tZ_WA2eDI&0-mA~7w13`lt>f-^=haf^c*B&3AKM=gx-@*@i)WEgOy*vtsWip@|nX@iVO94z&83O;ip-)0Mpe#8nw zOOXb(O_x3+C%B6=sDby!RX8DN%xF{%Mk9Lz4YUXOttSFp%6rL3GCCorrn@pUWn8wN z3(yS_29kR8VNrMny>M{YPF3;ty*lhWN1_^tBnP^C36UK37ZcHOw{ z?IQ5R_L3pd$LNR96K%ZG3jh*o4D%}@{)#vrkd9xI&OGV-HEDi8+8&UW2jtnu{JRVj SWEOfZAGvho--wRr=lxHKw&~RX literal 0 HcmV?d00001 From 70d31dc988c3711468ddf138b0199927b72b343e Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 04:11:18 +0000 Subject: [PATCH 13/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 979f1672..d7a472b2 100644 --- a/.github/workflows/ci-pipeline.yml 
+++ b/.github/workflows/ci-pipeline.yml @@ -25,6 +25,20 @@ jobs: with: name: test-results path: junit/test-results.xml + sonarqube: + needs: test + if: true + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + # Disabling shallow clones is recommended for improving the relevancy of reporting + fetch-depth: 0 + - name: SonarQube Scan + uses: sonarsource/sonarqube-scan-action@master + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_URL }} build: needs: test permissions: From 3f22192ee6e58b6bc4f6846f6f54b18b8c1f03b5 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 04:13:44 +0000 Subject: [PATCH 14/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index d7a472b2..13288b14 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -40,7 +40,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_URL }} build: - needs: test + needs: sonarqube permissions: id-token: write runs-on: ubuntu-latest From 661af139dec5ce1044e83bb58678c1047b84d3d1 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 04:23:12 +0000 Subject: [PATCH 15/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 13288b14..b0e13e88 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
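Review bot: `uses: sonarsource/sonarqube-scan-action@master` pins the scanner to a moving branch, so whoever can push to that branch can run arbitrary code in this job with `SONAR_TOKEN`, `SONAR_HOST_URL` and the job's `GITHUB_TOKEN` in scope; reference a release tag or, better, a full commit SHA with the version in a trailing comment. The job also uses `actions/checkout@v3` while the rest of the file is on `@v4`; use `actions/checkout@v4` with the same `fetch-depth: 0`. `if: true` is a no-op and can be removed. The job declares no `permissions:`, so it inherits the repository default; `contents: read` is enough for a scan.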
@@ -39,6 +39,18 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_URL }} + - name: Download SonarQube report + run: | + sleep 30 + URL="${{ secrets.SONAR_URL }}/api/qualitygates/project_status?p=1&projectKey=devsecops-app&branch=main" + echo "Report URL $URL" + curl -u ${{ secrets.SONAR_TOKEN }}: "$URL" -o sonarqube-report.json + - name: Upload SonarQube report + id: artifact-sonarqube + uses: actions/upload-artifact@v4 + with: + name: sonarqube-report + path: sonarqube-report.json build: needs: sonarqube permissions: From 6167ad942502b68bd81c1f3c10efcd3bfe62a44b Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 04:39:10 +0000 Subject: [PATCH 16/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 45 ++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index b0e13e88..e9e6a6c3 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -27,7 +27,7 @@ jobs: path: junit/test-results.xml sonarqube: needs: test - if: true + if: false runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
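Review bot: In the Download SonarQube report step the token is spliced into the shell script through `${{ secrets.SONAR_TOKEN }}`, so it is substituted into the script text before bash runs and then sits in `curl`'s argument vector; pass it through the step's `env:` as the preceding scan step does, then call `curl -fsS -u "$SONAR_TOKEN:" "$URL" -o sonarqube-report.json`. The `sleep 30` is a race with the server-side analysis: if background processing has not finished, the quality-gate status fetched here belongs to an earlier analysis. Polling the analysis status, or setting `sonar.qualitygate.wait=true` on the scanner so the scan step itself blocks until the gate is computed, would be deterministic, and `--fail` keeps an HTTP error page from being saved as the report.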
@@ -51,6 +51,49 @@ jobs: with: name: sonarqube-report path: sonarqube-report.json + dast: + needs: [test, sonarqube] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - + name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - + name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:dast-test + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Deploy DAST Container App + uses: azure/container-apps-deploy-action@v1 + with: + imageToDeploy: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:dast-test + containerAppName: devops-test-app + containerAppEnvironment: devops-app-env + resourceGroup: devsecops-lab + location: australiaeast + targetPort: 5000 + - name: Get deployed DAST app url + run: | + export FQDN=$(az containerapp show -n devops-test-app -g devsecops-lab --query properties.configuration.ingress.fqdn -o tsv) + echo "TEST_APP_URL=https://$FQDN" >> $GITHUB_ENV + echo "TEST_APP_URL=https://$FQDN" + curl https://$FQDN/ui + sed -i "s,http://localhost:5000,https://$FQDN,g" $GITHUB_WORKSPACE/openapi_specs/openapi3.ym build: needs: sonarqube permissions: From f873191c0bebe3daeec578a2339a58c6f00a001c Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 04:41:49 +0000 Subject: [PATCH 17/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index e9e6a6c3..1713a87b 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
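Review bot: The dast job deploys `devops-test-app` to an externally reachable ingress (the next step curls its public FQDN) and never removes it, so every push leaves a copy of the application running on the internet after the scan. Add a final step that runs regardless of outcome: `- name: Tear down DAST app`, `if: always()`, `run: az containerapp delete -n devops-test-app -g devsecops-lab --yes`. The readiness probe `curl https://$FQDN/ui` also discards its result; `curl -fsS --retry 5 --retry-connrefused "https://$FQDN/ui"` would make the job wait for the app instead of proceeding against a target that is not up yet.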
@@ -52,7 +52,7 @@ jobs: name: sonarqube-report path: sonarqube-report.json dast: - needs: [test, sonarqube] + needs: test runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From ade04d323a473f3f6227d14be4083c4cb7f42c5e Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 04:51:51 +0000 Subject: [PATCH 18/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 1713a87b..c9d467e2 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -93,7 +93,7 @@ jobs: echo "TEST_APP_URL=https://$FQDN" >> $GITHUB_ENV echo "TEST_APP_URL=https://$FQDN" curl https://$FQDN/ui - sed -i "s,http://localhost:5000,https://$FQDN,g" $GITHUB_WORKSPACE/openapi_specs/openapi3.ym + sed -i "s,http://localhost:5000,https://$FQDN,g" $GITHUB_WORKSPACE/openapi_specs/openapi3.yml build: needs: sonarqube permissions: From 5b620ebd0d31fd2a69750b56dbf9e490039b4371 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 06:39:28 +0000 Subject: [PATCH 19/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index c9d467e2..5c38daac 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
@@ -94,6 +94,24 @@ jobs: echo "TEST_APP_URL=https://$FQDN" curl https://$FQDN/ui sed -i "s,http://localhost:5000,https://$FQDN,g" $GITHUB_WORKSPACE/openapi_specs/openapi3.yml + - name: ZAP Scan + uses: zaproxy/action-api-scan@v0.6.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + format: openapi + target: /zap/wrk/openapi_specs/openapi3.yml + rules_file_name: .zap/rules.tsv + cmd_options: '-a -c /zap/wrk/.zap/rules.tsv' + fail_action: false + allow_issue_writing: false + + - name: Upload ZAP report + id: artifact-zap + uses: actions/upload-artifact@v4 + with: + name: zap-report + path: report_json.json build: needs: sonarqube permissions: From 511bd6612cad0fd1fea17db3ca757a2d4e74c6f4 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 06:56:34 +0000 Subject: [PATCH 20/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 5c38daac..feb0cf95 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -27,7 +27,7 @@ jobs: path: junit/test-results.xml sonarqube: needs: test - if: false + if: true runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -137,7 +137,6 @@ jobs: if: true runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} 
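Review bot: The Upload ZAP report step only warns if `report_json.json` is missing, because `actions/upload-artifact@v4` defaults `if-no-files-found` to `warn`; combined with `fail_action: false` on the scan, a run where ZAP never reached the target produces no report and the job still goes green. Add `if-no-files-found: error` under that step's `with:` so a missing report fails here rather than surfacing later as a failed download. As far as the action's inputs indicate, `token: ${{ secrets.GITHUB_TOKEN }}` is only used for issue creation, which `allow_issue_writing: false` disables, so it can be dropped to keep the repository token out of the scan step.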
@@ -146,14 +145,26 @@ jobs: id: token-gen uses: azure/CLI@v1 with: - azcliversion: 2.63.0 + azcliversion: latest inlineScript: | ACCESS_TOKEN=$(az account get-access-token | jq -r .accessToken) echo "azureAccessToken=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT" + - uses: actions/download-artifact@v4 + with: + name: sonarqube-report + path: ${{github.workspace}} + - uses: actions/download-artifact@v4 + with: + name: zap-report + path: ${{github.workspace}} - name: Upload reports env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} run: | WEEK1_CONTAINER=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$DOCKERHUB_USERNAME/devops-labs" https://devsecops-ver.azurewebsites.net/api/week1-container) - echo "Week1 container upload: $WEEK1_CONTAINER" \ No newline at end of file + echo "Week1 container upload: $WEEK1_CONTAINER" + SONAR_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/sonarqube-report.json https://devsecops-ver.azurewebsites.net/api/week3-sonar-report) + echo "Sonar upload: $SONAR_RESPONSE" + ZAP_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/report_json.json https://devsecops-ver.azurewebsites.net/api/week3-zap-report) + echo "Zap upload: $ZAP_RESPONSE" \ No newline at end of file From d2dd5365eac2d29cd5b0e46b7f23cb96fa8e0400 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 07:00:49 +0000 Subject: [PATCH 21/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index feb0cf95..c5e77450 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
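Review bot: The Upload reports step in submit_results (the job starts before this hunk) posts each report with plain `curl -X POST` and only echoes the body, so an HTTP 401 or 500 from the verification service is printed and the job still passes; add `--fail` (or `--fail-with-body`) to each call. `azcliversion: latest` trades the previous pin for a floating CLI version, which makes the token-generation step non-reproducible; a pinned known-good version is preferable. The access token written to `$GITHUB_OUTPUT` is not masked automatically — `echo "::add-mask::$ACCESS_TOKEN"` before the output line keeps it out of logs if any later step prints it.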
@@ -113,7 +113,7 @@ jobs: name: zap-report path: report_json.json build: - needs: sonarqube + needs: [sonarqube,dast] permissions: id-token: write runs-on: ubuntu-latest From 9aebbb4348745958667a22062eff90ef26bd6b82 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 07:41:08 +0000 Subject: [PATCH 22/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index c5e77450..0df4266a 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -25,9 +25,27 @@ jobs: with: name: test-results path: junit/test-results.xml + image-scan: + needs: [test] + if: true + runs-on: ubuntu-latest + steps: + - name: Scan image + uses: anchore/scan-action@v3 + id: image-scan + with: + image: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + fail-build: false + output-format: json + - name: Upload Image report + id: upload-image-report + uses: actions/upload-artifact@v4 + with: + name: image-report + path: ${{ steps.image-scan.outputs.json }} sonarqube: needs: test - if: true + if: false runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -53,6 +71,7 @@ jobs: path: sonarqube-report.json dast: needs: test + if: false runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From cec207223fb2563eff03aa439799756ddffbc8c5 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 07:45:42 +0000 Subject: [PATCH 23/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 70 +++++++++++++++---------------- 1 file changed, 33 insertions(+), 37 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 0df4266a..92a88630 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
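Review bot: The new image-scan job scans `${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest` pulled from Docker Hub, and since its only dependency is `test`, that is whatever a previous run pushed under that tag, not the image produced from this commit, so any gate built on this report judges stale code. Scanning an image built in this run — for example tagging the build with `${{ github.sha }}` and scanning that tag — ties the finding to the change under review. `if: true` on the job is a no-op.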
@@ -45,7 +45,7 @@ jobs: path: ${{ steps.image-scan.outputs.json }} sonarqube: needs: test - if: false + if: true runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -71,7 +71,7 @@ jobs: path: sonarqube-report.json dast: needs: test - if: false + if: true runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 
@@ -151,39 +151,35 @@ jobs: with: push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest - submit_results: - needs: [build] - if: true - runs-on: ubuntu-latest - steps: - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + submit_reports: + needs: [test, sonarqube, dast, build] + if: true + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@v4 + with: + name: sonarqube-report + path: ${{github.workspace}} + - uses: actions/download-artifact@v4 + with: + name: zap-report + path: ${{github.workspace}} + - uses: actions/download-artifact@v4 + with: + name: image-report + path: ${{github.workspace}} + - name: Upload reports + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} + run: | + WEEK1_CONTAINER=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$DOCKERHUB_USERNAME/devops-labs" https://devsecops-ver.azurewebsites.net/api/week1-container) + echo "Week1 container upload: $WEEK1_CONTAINER" - - name: Azure CLI script - id: token-gen - uses: azure/CLI@v1 - with: - azcliversion: latest - inlineScript: | - ACCESS_TOKEN=$(az account get-access-token | jq -r .accessToken) - echo "azureAccessToken=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT" - - uses: actions/download-artifact@v4 - with: - name: sonarqube-report - path: ${{github.workspace}} - - uses: actions/download-artifact@v4 - with: - name: zap-report - path: ${{github.workspace}} - - name: Upload reports - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} - run: | - WEEK1_CONTAINER=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$DOCKERHUB_USERNAME/devops-labs" https://devsecops-ver.azurewebsites.net/api/week1-container) - echo "Week1 container upload: $WEEK1_CONTAINER" - SONAR_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary 
@$GITHUB_WORKSPACE/sonarqube-report.json https://devsecops-ver.azurewebsites.net/api/week3-sonar-report) - echo "Sonar upload: $SONAR_RESPONSE" - ZAP_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/report_json.json https://devsecops-ver.azurewebsites.net/api/week3-zap-report) - echo "Zap upload: $ZAP_RESPONSE" \ No newline at end of file + SONAR_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/sonarqube-report.json https://devsecops-ver.azurewebsites.net/api/week3-sonar-report) + echo "Sonar upload: $SONAR_RESPONSE" + ZAP_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/report_json.json https://devsecops-ver.azurewebsites.net/api/week3-zap-report) + echo "Zap upload: $ZAP_RESPONSE" + + IMAGE_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/results.json https://devsecops-ver.azurewebsites.net/api/week4-image-report) + echo "Image report upload: $IMAGE_RESPONSE" \ No newline at end of file From 6f414026765b12f54c2716711cea234e2e75337b Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 07:59:11 +0000 Subject: [PATCH 24/39] CI-pipeline --- .github/workflows/ci-pipeline.yml | 52 +++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 92a88630..2b04f37c 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -133,6 +133,7 @@ jobs: path: report_json.json build: needs: [sonarqube,dast] + if: false permissions: id-token: write runs-on: ubuntu-latest @@ -152,7 +153,7 @@ jobs: push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest submit_reports: - needs: [test, sonarqube, dast, build] + needs: [test, sonarqube, dast] if: true runs-on: ubuntu-latest steps: 
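Review bot: The rewritten submit_reports job reads `AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }}`, but the `azure/login` and `token-gen` steps this hunk removes were the only source of that output, so the expression evaluates to an empty string and every upload is sent with `Authorization: Bearer ` and no credential. Either keep the login and CLI steps in this job (with `permissions: id-token: write`) or obtain the token in a step the job actually runs. The same dangling reference is re-introduced in the submit_reports job added by patch 36 (the hunk at `@@ -213,4 +213,40 @@`). The image upload also reads `results.json` by fixed name while the artifact was uploaded from `${{ steps.image-scan.outputs.json }}`; the names may agree, but the path should come from one place.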
@@ -182,4 +183,51 @@ jobs: echo "Zap upload: $ZAP_RESPONSE" IMAGE_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/results.json https://devsecops-ver.azurewebsites.net/api/week4-image-report) - echo "Image report upload: $IMAGE_RESPONSE" \ No newline at end of file + echo "Image report upload: $IMAGE_RESPONSE" + security_gate: + needs: [sonarqube, dast, image-scan] + if: true + runs-on: ubuntu-latest + steps: + - name: Download sonarqube-report + uses: actions/download-artifact@v4 + with: + name: sonarqube-report + path: ${{github.workspace}} + - name: Download zap-report + uses: actions/download-artifact@v4 + with: + name: zap-report + path: ${{github.workspace}} + - name: Download image-report + uses: actions/download-artifact@v4 + with: + name: image-report + path: ${{github.workspace}} + - name: Read reports + run: | + IMAGE_RESULT_HIGH=$(cat results.json | jq '.matches[] | select(.vulnerability.severity=="High") | .vulnerability.id' | wc -l) + if [ $IMAGE_RESULT_HIGH -gt 0 ]; then + echo "Image scan has high severity vulnerabilities" + exit 1 + else + echo "Image scan passed" + fi + + SONAR_RESULT=$(cat sonarqube-report.json | jq -r '.projectStatus.status') + if [ $SONAR_RESULT != "OK" ]; then + echo "Sonar scan has issues" + exit 1 + else + echo "Sonar scan passed" + fi + + ZAP_RESULT_HIGH=$(cat report_json.json | jq -r '.site[].alerts[] | select(.riskdesc | startswith("High")) | .name' | wc -l) + if [ $ZAP_RESULT_HIGH -gt 0 ]; then + echo "Zap scan has high severity vulnerabilities" + exit 1 + else + echo "Zap scan passed" + fi + + echo "All security gates passed" \ No newline at end of file From 7aa1db0281643c3dc54b028935fb2336647a8f6e Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 08:01:58 +0000 Subject: [PATCH 25/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
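Review bot: The Read reports script in security_gate counts only `severity=="High"` matches in `results.json`, so Critical findings (Grype reports `Critical` above `High`) pass the image gate; use `select(.vulnerability.severity=="High" or .vulnerability.severity=="Critical")`. The script also runs without `set -euo pipefail`: if a downloaded report is missing, `cat` fails, `jq` reads nothing, `wc -l` prints 0 and both the image and ZAP checks report "passed", while an empty `$SONAR_RESULT` turns `[ $SONAR_RESULT != "OK" ]` into a shell syntax error. Start the script with `set -euo pipefail` and quote `"$SONAR_RESULT"`.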
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 2b04f37c..a38eb146 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -132,7 +132,7 @@ jobs: name: zap-report path: report_json.json build: - needs: [sonarqube,dast] + needs: [security_gate] if: false permissions: id-token: write @@ -153,7 +153,7 @@ jobs: push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest submit_reports: - needs: [test, sonarqube, dast] + needs: [sonarqube, dast, image-scan] if: true runs-on: ubuntu-latest steps: From be58556507cea78568180aefd286f3e95efc2777 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 08:17:55 +0000 Subject: [PATCH 26/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index a38eb146..c703b3bc 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -132,8 +132,8 @@ jobs: name: zap-report path: report_json.json build: - needs: [security_gate] - if: false + needs: [] + if: true permissions: id-token: write runs-on: ubuntu-latest @@ -150,6 +150,8 @@ jobs: - name: Build and push uses: docker/build-push-action@v5 with: + sbom: true + provenance: true push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest submit_reports: From a62e7db26b3c5b8d23372ee1b903226bfb92f12c Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 08:53:09 +0000 Subject: [PATCH 27/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index c703b3bc..e8e56499 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
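Review bot: Setting `needs: []` with `if: true` on the build job (first hunk of patch 26) means the image is built and pushed to `:latest` as soon as the workflow starts, independently of `security_gate`; the gate then judges a copy of the image that is already public. The previous `needs: [security_gate]` was the only thing ordering the push after the gate, and `if: false` was the part that needed changing. Patch 27 replaces the list with the four scan jobs and patch 28 leaves `# needs: [security_gate]` commented out, so the ordering is never restored in this series. `sbom: true` and `provenance: true` are a good addition, but they only describe what is pushed, which is why the push should wait for the gate.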
@@ -34,7 +34,7 @@ jobs: uses: anchore/scan-action@v3 id: image-scan with: - image: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + image: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs fail-build: false output-format: json - name: Upload Image report @@ -132,7 +132,7 @@ jobs: name: zap-report path: report_json.json build: - needs: [] + needs: [test,dast,sonarqube,image-scan] if: true permissions: id-token: write From 3ccdc3dc8bfd3eeef8da58b2b8bbda5227576e85 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 09:28:44 +0000 Subject: [PATCH 28/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 89 ++++++++++++------------------- 1 file changed, 35 insertions(+), 54 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index e8e56499..d530a83d 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
@@ -132,60 +132,41 @@ jobs: name: zap-report path: report_json.json build: - needs: [test,dast,sonarqube,image-scan] - if: true - permissions: - id-token: write - runs-on: ubuntu-latest - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build and push - uses: docker/build-push-action@v5 - with: - sbom: true - provenance: true - push: true - tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest - submit_reports: - needs: [sonarqube, dast, image-scan] - if: true - runs-on: ubuntu-latest - steps: - - uses: actions/download-artifact@v4 - with: - name: sonarqube-report - path: ${{github.workspace}} - - uses: actions/download-artifact@v4 - with: - name: zap-report - path: ${{github.workspace}} - - uses: actions/download-artifact@v4 - with: - name: image-report - path: ${{github.workspace}} - - name: Upload reports - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} - run: | - WEEK1_CONTAINER=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$DOCKERHUB_USERNAME/devops-labs" https://devsecops-ver.azurewebsites.net/api/week1-container) - echo "Week1 container upload: $WEEK1_CONTAINER" - - SONAR_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/sonarqube-report.json https://devsecops-ver.azurewebsites.net/api/week3-sonar-report) - echo "Sonar upload: $SONAR_RESPONSE" - ZAP_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/report_json.json https://devsecops-ver.azurewebsites.net/api/week3-zap-report) - echo "Zap upload: $ZAP_RESPONSE" - - IMAGE_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" 
--data-binary @$GITHUB_WORKSPACE/results.json https://devsecops-ver.azurewebsites.net/api/week4-image-report) - echo "Image report upload: $IMAGE_RESPONSE" + # needs: [security_gate] + if: true + permissions: + id-token: write + runs-on: ubuntu-latest + steps: + - + name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - + name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - + name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + sbom: true + provenance: true + tags: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.4.0 + + - name: Sign the images with GitHub OIDC Token + env: + IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs + run: | + cosign sign --yes ${IMAGE} security_gate: needs: [sonarqube, dast, image-scan] if: true From 1b167be2eb28b09d60ff8a2f1cbd4a406b34f695 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:14:56 +0000 Subject: [PATCH 29/39] cd-pipeline --- .github/workflows/cd-pipeline.yml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 9b727ad1..312e1252 100644 --- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml 
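Review bot: The Sign step signs `${IMAGE}`, a tag reference, so cosign resolves the tag at signing time and what gets signed is whatever the registry returns for it, not necessarily the manifest this job just pushed; cosign itself warns about tag references. Give the push step `id: build` and sign the digest it reports: `IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs@${{ steps.build.outputs.digest }}`. Signing by digest still lets a consumer verify the `:latest` tag, since verification resolves the tag to its digest before looking up signatures. The commented-out `# needs: [security_gate]` leaves the job with no dependencies, so the push and signature happen before the gate runs.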
@@ -6,19 +6,16 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Install Cosign + uses: sigstore/cosign-installer@v3.4.0 - - name: Deploy Container App - uses: azure/container-apps-deploy-action@v1 - with: - imageToDeploy: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest - containerAppName: devops-app - containerAppEnvironment: devops-app-env - resourceGroup: devsecops-lab - location: australiaeast - targetPort: 5000 + - name: Verify image signature + env: + IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs + GITHUB_ISSUER: https://token.actions.githubusercontent.com + CERT_IDENTITY_REGEXP: https://github.com/.*/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml.* + run: | + cosign verify $IMAGE --certificate-identity-regexp $CERT_IDENTITY_REGEXP --certificate-oidc-issuer $GITHUB_ISSUER submit_results: needs: [deploy] if: true From 91437ebca6d1847afd5c5b04a60e4082ee711377 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:23:26 +0000 Subject: [PATCH 30/39] cd-pipeline --- .github/workflows/cd-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 312e1252..2d2a9eae 100644 --- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml @@ -11,7 +11,7 @@ jobs: - name: Verify image signature env: - IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs + IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest GITHUB_ISSUER: https://token.actions.githubusercontent.com CERT_IDENTITY_REGEXP: https://github.com/.*/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml.* run: | From 3042bac08a94afaa60e2336fa12c78658073720e Mon Sep 17 00:00:00 2001 
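Review bot: After this hunk the `deploy` job in cd-pipeline.yml consists of installing cosign and running `cosign verify`; the Azure login and `container-apps-deploy-action` steps were removed rather than moved after the verification, so nothing in the job is gated by the signature check unless a deploy step exists outside the hunk. The intended shape is verify first, then deploy the same reference, which also means the two steps should share one image value — here `IMAGE` is `…/devops-labs` with no tag. `$IMAGE`, `$CERT_IDENTITY_REGEXP` and `$GITHUB_ISSUER` should be double-quoted on the `run:` line as a matter of shell hygiene.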
From: margaritasentuna Date: Sun, 3 Nov 2024 10:28:14 +0000 Subject: [PATCH 31/39] cd-pipeline --- .github/workflows/cd-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 2d2a9eae..afd3c5d8 100644 --- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml @@ -13,7 +13,7 @@ jobs: env: IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest GITHUB_ISSUER: https://token.actions.githubusercontent.com - CERT_IDENTITY_REGEXP: https://github.com/.*/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml.* + CERT_IDENTITY_REGEXP: https://github.com/.*/margaritasentuna/IATD-DevSecOps/.github/workflows/cd-pipeline.yml.* run: | cosign verify $IMAGE --certificate-identity-regexp $CERT_IDENTITY_REGEXP --certificate-oidc-issuer $GITHUB_ISSUER submit_results: From e8ad67d5d75263a97b6c071933e8aa62744613bf Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:31:16 +0000 Subject: [PATCH 32/39] cd-pipeline --- .github/workflows/ci-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index d530a83d..bcf8aed7 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -164,7 +164,7 @@ jobs: - name: Sign the images with GitHub OIDC Token env: - IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs + IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest run: | cosign sign --yes ${IMAGE} security_gate: From 1d3301fcb3b84dff1166545e7f8d8c539f57597e Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:33:51 +0000 Subject: [PATCH 33/39] ci-pipeline --- .github/workflows/cd-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index afd3c5d8..00f8b2ea 100644 
--- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml @@ -13,7 +13,7 @@ jobs: env: IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest GITHUB_ISSUER: https://token.actions.githubusercontent.com - CERT_IDENTITY_REGEXP: https://github.com/.*/margaritasentuna/IATD-DevSecOps/.github/workflows/cd-pipeline.yml.* + CERT_IDENTITY_REGEXP: https://github.com/.https://github.com/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml.* run: | cosign verify $IMAGE --certificate-identity-regexp $CERT_IDENTITY_REGEXP --certificate-oidc-issuer $GITHUB_ISSUER submit_results: From 5f6d892cfb488f9690587816fb45b5b303284e8e Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:36:27 +0000 Subject: [PATCH 34/39] ci-pipeline --- .github/workflows/cd-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 00f8b2ea..256428cd 100644 --- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml @@ -13,7 +13,7 @@ jobs: env: IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest GITHUB_ISSUER: https://token.actions.githubusercontent.com - CERT_IDENTITY_REGEXP: https://github.com/.https://github.com/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml.* + CERT_IDENTITY_REGEXP: https://github.com/.https://github.com/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml run: | cosign verify $IMAGE --certificate-identity-regexp $CERT_IDENTITY_REGEXP --certificate-oidc-issuer $GITHUB_ISSUER submit_results: From 85022c088c78716641715ca6a2da9d03af8d4ed4 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:36:56 +0000 Subject: [PATCH 35/39] ci-pipeline --- .github/workflows/cd-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd-pipeline.yml b/.github/workflows/cd-pipeline.yml index 256428cd..23be84de 100644 
--- a/.github/workflows/cd-pipeline.yml +++ b/.github/workflows/cd-pipeline.yml @@ -13,7 +13,7 @@ jobs: env: IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest GITHUB_ISSUER: https://token.actions.githubusercontent.com - CERT_IDENTITY_REGEXP: https://github.com/.https://github.com/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml + CERT_IDENTITY_REGEXP: https://github.com/margaritasentuna/IATD-DevSecOps/.github/workflows/ci-pipeline.yml run: | cosign verify $IMAGE --certificate-identity-regexp $CERT_IDENTITY_REGEXP --certificate-oidc-issuer $GITHUB_ISSUER submit_results: From ab652ea1da5484c8b6292f3d471d6f62469dc2a0 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 10:42:06 +0000 Subject: [PATCH 36/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 38 ++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index bcf8aed7..abb38f4c 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
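Review bot: The final `CERT_IDENTITY_REGEXP` value is an unanchored regular expression with unescaped dots and no ref component, so it accepts any certificate whose identity merely contains that path, including a signature produced by a ci-pipeline.yml run on any branch if the ci workflow runs on branch pushes. Anchor it and pin the ref that is allowed to sign, `CERT_IDENTITY_REGEXP: '^https://github\.com/margaritasentuna/IATD-DevSecOps/\.github/workflows/ci-pipeline\.yml@refs/heads/main$'`, or switch to `--certificate-identity` with the exact identity string.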
@@ -213,4 +213,40 @@ jobs: echo "Zap scan passed" fi - echo "All security gates passed" \ No newline at end of file + echo "All security gates passed" + submit_reports: + needs: [sonarqube, dast, image-scan] + if: true + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@v4 + with: + name: sonarqube-report + path: ${{github.workspace}} + - uses: actions/download-artifact@v4 + with: + name: zap-report + path: ${{github.workspace}} + - uses: actions/download-artifact@v4 + with: + name: image-report + path: ${{github.workspace}} + - name: Upload reports + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }} + IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs + run: | + WEEK1_CONTAINER=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$DOCKERHUB_USERNAME/devops-labs" https://devsecops-ver.azurewebsites.net/api/week1-container) + echo "Week1 container upload: $WEEK1_CONTAINER" + + SONAR_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/sonarqube-report.json https://devsecops-ver.azurewebsites.net/api/week3-sonar-report) + echo "Sonar upload: $SONAR_RESPONSE" + ZAP_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/report_json.json https://devsecops-ver.azurewebsites.net/api/week3-zap-report) + echo "Zap upload: $ZAP_RESPONSE" + + IMAGE_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/results.json https://devsecops-ver.azurewebsites.net/api/week4-image-report) + echo "Image report upload: $IMAGE_RESPONSE" + + WEEK5_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$IMAGE" https://devsecops-ver.azurewebsites.net/api/week5-report) + echo "Week5 report upload: $WEEK5_RESPONSE" \ No newline at end of file From a1a44be7c53c78c0769a08c6fbf96e54b05df42e Mon Sep 17 00:00:00 2001 
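Review bot: The re-added submit_reports job's Week5 upload reports `$IMAGE` as the signed image, but `needs: [sonarqube, dast, image-scan]` does not include `build`, the job that pushes and signs that image, so the report can be submitted before (or without) a signature existing; add `build` to `needs`. `IMAGE` here is `…/devops-labs` without the `:latest` tag the signing step uses, so the two values should be kept in one place.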
From: margaritasentuna Date: Sun, 3 Nov 2024 03:49:03 -0800 Subject: [PATCH 37/39] Add files via upload --- ci-pipeline.json | 1613 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1613 insertions(+) create mode 100644 ci-pipeline.json diff --git a/ci-pipeline.json b/ci-pipeline.json new file mode 100644 index 00000000..b0f3ffc8 --- /dev/null +++ b/ci-pipeline.json 
@@ -0,0 +1,1613 @@ +{ + "version": "2.2.0", + "summary": { + "title": "CI/CD pipeline", + "owner": "Margarita", + "description": "CI/CD pipeline for DecSecOps labs", + "id": 0 + }, + "detail": { + "contributors": [], + "diagrams": [ + { + "id": 0, + "title": "New STRIDE diagram", + "diagramType": "STRIDE", + "placeholder": "New STRIDE diagram description", + "thumbnail": "./public/content/images/thumbnail.stride.jpg", + "version": "2.2.0", + "cells": [ + { + "position": { + "x": 490, + "y": -10 + }, + "size": { + "width": 480, + "height": 350 + }, + "shape": "trust-boundary-box", + "attrs": { + "headerText": { + "text": "Pipeline\nexecuter" + } + }, + "id": "471baaa7-98c3-48b3-8c52-f5501d751a6a", + "zIndex": -1, + "data": { + "type": "tm.BoundaryBox", + "name": "Pipeline\nexecuter", + "description": "", + "isTrustBoundary": true, + "hasOpenThreats": false + } + }, + { + "position": { + "x": 455.99999999999955, + "y": 359.0000000000017 + }, + "size": { + "width": 550, + "height": 180 + }, + "shape": "trust-boundary-box", + "attrs": { + "headerText": { + "text": "Internal instance" + } + }, + "id": "5191de26-4c16-4dce-83c5-3e90969e9ca4", + "zIndex": -1, + "data": { + "type": "tm.BoundaryBox", + "name": "Internal instance", + "description": "", + "isTrustBoundary": true, + "hasOpenThreats": false + } + }, + { + "position": { + "x": 336, + "y": 70 + }, + "size": { + "width": 140, + "height": 210 + }, + "shape": "trust-boundary-box", + "attrs": { + "headerText": { + "text": "SVC" + } + }, + "id": "2488df8a-4a61-4027-be12-223c6b4088f5", + "zIndex": -1, + "data": { + "type": "tm.BoundaryBox", + "name": "SVC", + "description": "", + "isTrustBoundary": true, + "hasOpenThreats": false + } + }, + { + "position": { + "x": 343.75, + "y": -150 + }, + "size": { + "width": 112.5, + "height": 60 + }, + "attrs": { + "text": { + "text": "Administrator" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": 
"actor", + "id": "009a82ff-ef75-44f6-bd0a-798ab1875b34", + "zIndex": 1, + "data": { + "type": "tm.Actor", + "name": "Administrator", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "providesAuthentication": false, + "threats": [] + } + }, + { + "position": { + "x": 380, + "y": -10 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Manage" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "749aa17c-b569-42a2-8a1f-c671cd3112bd", + "zIndex": 2, + "data": { + "type": "tm.Process", + "name": "Manage", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "86e6331f-e1c9-42d8-8c26-ccc174fed7ea", + "source": { + "x": 365, + "y": -90 + }, + "target": { + "cell": "749aa17c-b569-42a2-8a1f-c671cd3112bd" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + 
"reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "922a4d17-f925-4ede-834c-4ef91ac554dd", + "source": { + "x": 163, + "y": 130 + }, + "target": { + "cell": "9dbee868-0b6e-4311-b371-a7b7ba1ade90" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "a497c943-cf0b-4e8a-8d9e-476d8a4b841c", + "source": { + "x": 550, + "y": 130 + }, + "target": { + "cell": "ad6ddc79-3b28-4d1f-9452-d1f2164df7ed" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "04b9007a-915c-43f4-8cd8-d338caa3c4c6", + "source": { + "x": 550, + "y": 130 + }, + "target": { + "cell": "8f677b76-7f71-4340-aae6-afe0f2ee3db0" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + 
"type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "ed18bc87-2706-4c71-a989-c027e227243c", + "source": { + "cell": "ad6ddc79-3b28-4d1f-9452-d1f2164df7ed" + }, + "target": { + "cell": "8e6a2823-71f4-4b01-ad52-29760fcb6f5c" + }, + "vertices": [ + { + "x": 680, + "y": 63 + } + ] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "88f3ecb6-22c5-4990-8a70-dea9aa118073", + "source": { + "x": 650, + "y": 69 + }, + "target": { + "cell": "c4f1e3e3-78ca-4d11-b3f9-a3382b49e441" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "1e7211ff-130f-441e-8a1a-02cb9cc38937", + "source": { + "x": 760, + "y": 70 + }, + "target": { + "cell": "8d392677-5a45-451e-a696-569ed38caeb1" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, 
+ "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "bc8982ab-6adb-4a07-98e3-f587b43b8a61", + "source": { + "x": 670, + "y": 200 + }, + "target": { + "cell": "68fe9fd1-b6a6-40a5-a3a0-c67831d8d448" + }, + "vertices": [ + { + "x": 730, + "y": 300 + } + ] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "d0554eeb-d2fa-4a4e-bde7-606b6235e595", + "source": { + "x": 939, + "y": 160 + }, + "target": { + "cell": "acfc06aa-1ea1-4f07-97c5-14bde75bceee" + }, + "vertices": [ + { + "x": 1010, + "y": 160 + } + ] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "04062f6f-67a2-4184-a3f4-4d261ab42d02", + "source": { + "x": 970, + "y": 270 
+ }, + "target": { + "cell": "acfc06aa-1ea1-4f07-97c5-14bde75bceee" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "80e9538d-444e-4f0d-b2a8-e8f867e2bd1e", + "source": { + "cell": "68fe9fd1-b6a6-40a5-a3a0-c67831d8d448" + }, + "target": { + "cell": "0181fcee-4b21-4cff-ba97-bd942439b801" + } + }, + { + "shape": "trust-boundary-curve", + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Boundary", + "name": "", + "description": "", + "isTrustBoundary": true, + "hasOpenThreats": false + }, + "id": "6c975775-adbb-4426-8942-c22673b4e43e", + "source": { + "x": 1150, + "y": 40 + }, + "target": { + "x": 1200, + "y": 350 + }, + "vertices": [ + { + "x": 1030, + "y": 100 + }, + { + "x": 1000, + "y": 190 + }, + { + "x": 1040, + "y": 320 + }, + { + "x": 1080, + "y": 320 + } + ] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "dbace5dd-f0b7-4a9d-a112-d1d53ab1c3fd", + "source": { + "cell": "1ab80526-c535-471e-86c6-29a23d0b7383" + }, + "target": { + 
"cell": "c4f1e3e3-78ca-4d11-b3f9-a3382b49e441" + } + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "ba637350-d995-4ed2-9dfa-c296e934fd23", + "source": { + "cell": "19f1e896-db39-4ccd-904b-84b82cdbd9af" + }, + "target": { + "cell": "ed0483e6-5d54-4ba5-9932-58423f8d5b08" + }, + "vertices": [ + { + "x": 380, + "y": 190 + } + ] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "b0d9180e-329a-42e6-be32-0dde673869e3", + "source": { + "x": 282, + "y": 130 + }, + "target": { + "cell": "19f1e896-db39-4ccd-904b-84b82cdbd9af" + }, + "vertices": [] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + 
"isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "877f3972-ea35-42dc-b81a-36d8d2303578", + "source": { + "cell": "19f1e896-db39-4ccd-904b-84b82cdbd9af" + }, + "target": { + "cell": "7398b252-d81b-4342-b4de-e1292b3b4ede" + }, + "vertices": [ + { + "x": 460, + "y": 130 + } + ] + }, + { + "shape": "trust-boundary-curve", + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Boundary", + "name": "", + "description": "", + "isTrustBoundary": true, + "hasOpenThreats": false + }, + "id": "b6556c44-80b5-4d16-a7d5-d19ec9777e0b", + "source": { + "x": -70, + "y": 40 + }, + "target": { + "x": -30, + "y": 360 + }, + "vertices": [ + { + "x": 320, + "y": 100 + }, + { + "x": 140, + "y": 260 + }, + { + "x": 110, + "y": 280 + } + ] + }, + { + "shape": "flow", + "attrs": { + "line": { + "stroke": "#333333", + "targetMarker": { + "name": "block" + }, + "sourceMarker": { + "name": "" + }, + "strokeDasharray": null + } + }, + "width": 200, + "height": 100, + "zIndex": 10, + "connector": "smooth", + "data": { + "type": "tm.Flow", + "name": "Data Flow", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isBidirectional": false, + "isEncrypted": false, + "isPublicNetwork": false, + "protocol": "", + "threats": [] + }, + "id": "2f4ff6dc-ce20-4b14-a3d3-18580cd2784a", + "source": { + "x": 590, + "y": 250 + }, + "target": { + "cell": "7398b252-d81b-4342-b4de-e1292b3b4ede" + } + }, + { + "position": { + "x": 50, + "y": 100 + }, + "size": { + "width": 112.5, + "height": 60 + }, + "attrs": { + "text": { + "text": "Developer" + }, + "body": { + "stroke": "red", + "strokeWidth": 2.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "actor", + "id": "0abcb0ab-16e1-4fff-a1f9-eaa733e6e6be", + "zIndex": 11, + "data": { + "type": "tm.Actor", + "name": "Developer", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + 
"hasOpenThreats": true, + "providesAuthentication": false, + "threats": [ + { + "id": "0eb51378-1c9c-49fc-a933-c7ad8f28e7b4", + "title": "Developer commits secret to Git", + "status": "Open", + "severity": "Medium", + "type": "Spoofing", + "description": "A Developer commits secrets to version control either accidentally or on purpose. An Angry employee with read access to the repository find the secrets and proceeds to use them to steal end-user data", + "mitigation": "Vault\n\nAdhere to the principal of \"Need to Know\" and ensure that production secrets are not shared with individuals who don't have a need to know\n\n", + "modelType": "STRIDE", + "new": false, + "number": 1, + "score": "" + } + ] + } + }, + { + "position": { + "x": 222, + "y": 100 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Git push" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "9dbee868-0b6e-4311-b371-a7b7ba1ade90", + "zIndex": 12, + "data": { + "type": "tm.Process", + "name": "Git push", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "position": { + "x": 370, + "y": 100 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Process\n Code\n Push" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "19f1e896-db39-4ccd-904b-84b82cdbd9af", + "zIndex": 13, + "data": { + "type": "tm.Process", + "name": "Process\n Code\n Push", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": 
"", + "threats": [] + } + }, + { + "position": { + "x": 500, + "y": 100 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Ci \npipeline" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "7398b252-d81b-4342-b4de-e1292b3b4ede", + "zIndex": 14, + "data": { + "type": "tm.Process", + "name": "Ci \npipeline", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "position": { + "x": 610, + "y": 160 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Build" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "8f677b76-7f71-4340-aae6-afe0f2ee3db0", + "zIndex": 15, + "data": { + "type": "tm.Process", + "name": "Build", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "position": { + "x": 590, + "y": 40 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Test" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "ad6ddc79-3b28-4d1f-9452-d1f2164df7ed", + "zIndex": 16, + "data": { + "type": "tm.Process", + "name": "Test", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "position": { + "x": 700, + "y": 40 + }, + 
"size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Image\n Scan" + }, + "body": { + "stroke": "red", + "strokeWidth": 2.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "8e6a2823-71f4-4b01-ad52-29760fcb6f5c", + "zIndex": 17, + "data": { + "type": "tm.Process", + "name": "Image\n Scan", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": true, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [ + { + "id": "d476f90d-6065-4c80-9823-c0d3f680c13d", + "title": "Supply Chain Risks", + "status": "Open", + "severity": "Medium", + "type": "Spoofing", + "description": "Compromised third-party images or repositories can introduce vulnerabilities.\n\n", + "mitigation": "Only pull images from trusted sources and verified repositories (e.g., Docker Hub, private registries).\nUse signing mechanisms (e.g., Docker Content Trust) to ensure image integrity and authenticity.\nRegularly monitor for vulnerabilities in third-party images and dependencies.", + "modelType": "STRIDE", + "new": false, + "number": 7, + "score": "" + } + ] + } + }, + { + "position": { + "x": 440, + "y": 390 + }, + "size": { + "width": 180, + "height": 90 + }, + "attrs": { + "text": { + "text": "SonarCube\n code\n analysis" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "c4f1e3e3-78ca-4d11-b3f9-a3382b49e441", + "zIndex": 18, + "data": { + "type": "tm.Process", + "name": "SonarCube\n code\n analysis", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "position": { + "x": 775, + "y": 270 + }, + "size": { + "width": 60, + "height": 60 + }, 
+ "attrs": { + "text": { + "text": "DAST" + }, + "body": { + "stroke": "red", + "strokeWidth": 2.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "68fe9fd1-b6a6-40a5-a3a0-c67831d8d448", + "zIndex": 19, + "data": { + "type": "tm.Process", + "name": "DAST", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": true, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [ + { + "id": "252e144f-6cbd-4561-9adc-6409eceb74bf", + "title": "False Positives/Negatives", + "status": "Open", + "severity": "Medium", + "type": "Repudiation", + "description": " Inaccurate results can lead to misprioritization of vulnerabilities.", + "mitigation": "Use multiple DAST tools to cross-verify findings and reduce false positives.\nImplement a manual review process for high-risk areas to confirm vulnerabilities.\nRegularly tune and configure DAST tools for the specific application context.", + "modelType": "STRIDE", + "new": false, + "number": 4, + "score": "" + }, + { + "id": "c7e538f4-400b-43bd-a5e4-8bb0790c4ccd", + "title": "Insufficient Remediation Processes", + "status": "Open", + "severity": "Medium", + "type": "Repudiation", + "description": "Identified vulnerabilities may not be remediated in a timely manner.\n", + "mitigation": "Establish a clear workflow for handling identified vulnerabilities, including prioritization criteria.\nUse automated ticketing systems to track remediation progress.\nConduct regular meetings to review findings and follow up on remediation efforts.", + "modelType": "STRIDE", + "new": false, + "number": 5, + "score": "" + } + ] + } + }, + { + "position": { + "x": 890, + "y": 135 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Security \nGate" + }, + "body": { + "stroke": "red", + "strokeWidth": 2.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": 
"process", + "id": "8d392677-5a45-451e-a696-569ed38caeb1", + "zIndex": 20, + "data": { + "type": "tm.Process", + "name": "Security \nGate", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": true, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [ + { + "id": "20dc165b-07dc-4210-b449-8871cdaedaff", + "title": "New STRIDE threat", + "status": "Open", + "severity": "Medium", + "type": "Spoofing", + "description": "Provide a description for this threat", + "mitigation": "Provide remediation for this threat or a reason if status is N/A", + "modelType": "STRIDE", + "new": true, + "number": 0, + "score": "" + } + ] + } + }, + { + "position": { + "x": 1060, + "y": 170 + }, + "size": { + "width": 120, + "height": 60 + }, + "attrs": { + "text": { + "text": "DockerHub \nrepository \ncontainer" + }, + "topLine": { + "strokeWidth": 1.5, + "strokeDasharray": null + }, + "bottomLine": { + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "store", + "id": "acfc06aa-1ea1-4f07-97c5-14bde75bceee", + "zIndex": 21, + "data": { + "type": "tm.Store", + "name": "DockerHub \nrepository \ncontainer", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isALog": false, + "isEncrypted": false, + "isSigned": false, + "storesCredentials": false, + "storesInventory": false, + "threats": [] + } + }, + { + "position": { + "x": 910, + "y": 250 + }, + "size": { + "width": 60, + "height": 60 + }, + "attrs": { + "text": { + "text": "Deploy" + }, + "body": { + "stroke": "#333333", + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "0181fcee-4b21-4cff-ba97-bd942439b801", + "zIndex": 22, + "data": { + "type": "tm.Process", + "name": "Deploy", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + 
"handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [] + } + }, + { + "position": { + "x": 715, + "y": 420 + }, + "size": { + "width": 120, + "height": 60 + }, + "attrs": { + "text": { + "text": "Sonarcube Database" + }, + "topLine": { + "strokeWidth": 1.5, + "strokeDasharray": null + }, + "bottomLine": { + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "store", + "id": "1ab80526-c535-471e-86c6-29a23d0b7383", + "zIndex": 23, + "data": { + "type": "tm.Store", + "name": "Sonarcube Database", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isALog": false, + "isEncrypted": false, + "isSigned": false, + "storesCredentials": false, + "storesInventory": false, + "threats": [] + } + }, + { + "position": { + "x": 340, + "y": 200 + }, + "size": { + "width": 120, + "height": 60 + }, + "attrs": { + "text": { + "text": "GIT repository" + }, + "topLine": { + "strokeWidth": 1.5, + "strokeDasharray": null + }, + "bottomLine": { + "strokeWidth": 1.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "store", + "id": "ed0483e6-5d54-4ba5-9932-58423f8d5b08", + "zIndex": 24, + "data": { + "type": "tm.Store", + "name": "GIT repository", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": false, + "isALog": false, + "isEncrypted": false, + "isSigned": false, + "storesCredentials": false, + "storesInventory": false, + "threats": [] + } + }, + { + "position": { + "x": -89, + "y": 250 + }, + "size": { + "width": 112.5, + "height": 60 + }, + "attrs": { + "text": { + "text": "Developer\n Local \nenvironment" + } + }, + "visible": true, + "shape": "td-text-block", + "id": "66637595-4244-4ab1-bb8e-3e3f416b3d3c", + "zIndex": 25, + "data": { + "type": "tm.Text", + "name": "Developer\n Local \nenvironment", + "hasOpenThreats": false + } + }, + { + "position": { + "x": 1180, + "y": 
250 + }, + "size": { + "width": 112.5, + "height": 60 + }, + "attrs": { + "text": { + "text": "Registry\nBoundary" + } + }, + "visible": true, + "shape": "td-text-block", + "id": "3000b74a-7bd2-40e4-8a49-1cabf6564823", + "zIndex": 26, + "data": { + "type": "tm.Text", + "name": "Registry\nBoundary", + "hasOpenThreats": false + } + }, + { + "position": { + "x": 510, + "y": 220 + }, + "size": { + "width": 110, + "height": 110 + }, + "attrs": { + "text": { + "text": "Fetch \nDependencies" + }, + "body": { + "stroke": "red", + "strokeWidth": 2.5, + "strokeDasharray": null + } + }, + "visible": true, + "shape": "process", + "id": "c03ba96e-c555-4c26-928a-9fb2dbc05b1d", + "zIndex": 27, + "data": { + "type": "tm.Process", + "name": "Fetch \nDependencies", + "description": "", + "outOfScope": false, + "reasonOutOfScope": "", + "hasOpenThreats": true, + "handlesCardPayment": false, + "handlesGoodsOrServices": false, + "isWebApplication": false, + "privilegeLevel": "", + "threats": [ + { + "id": "eebe005c-1b17-43b7-b120-183be6e361f2", + "title": "A Dependency fetch to the app is compromised", + "status": "Open", + "severity": "Medium", + "type": "Spoofing", + "description": "An popular opensource dependency used by the application gets compromised by an attacker. 
The attacker implants bitcoin mining software into the dependency so that consuming applications will mine bitcoin for the attacker", + "mitigation": "Ensure automated dependency analysis is being performed on application dependencies to detect dependencies known to have been compromised\nEnsure lock files are being used so that builds repeatedly use the same version of a dependency until it is explicitly upgraded\nEnable and use threat detection such as GuardDuty to detect anomolies in patterns of service operation", + "modelType": "STRIDE", + "new": false, + "number": 3, + "score": "" + } + ] + } + } + ], + "description": "CI pipeline for DevSecOps lab" + } + ], + "diagramTop": 1, + "reviewer": "", + "threatTop": 8 + } +} \ No newline at end of file From f7ff283d11de1976b3475bbcdb91afc8f841059c Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 22:56:01 +1100 Subject: [PATCH 38/39] Rename ci-pipeline.json to threat-model/ci-pipeline.json --- ci-pipeline.json => threat-model/ci-pipeline.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename ci-pipeline.json => threat-model/ci-pipeline.json (99%) diff --git a/ci-pipeline.json b/threat-model/ci-pipeline.json similarity index 99% rename from ci-pipeline.json rename to threat-model/ci-pipeline.json index b0f3ffc8..230df471 100644 --- a/ci-pipeline.json +++ b/threat-model/ci-pipeline.json @@ -1610,4 +1610,4 @@ "reviewer": "", "threatTop": 8 } -} \ No newline at end of file +} From ab224fa5b119d4418f319225b6fa316f23d6e379 Mon Sep 17 00:00:00 2001 From: margaritasentuna Date: Sun, 3 Nov 2024 12:08:02 +0000 Subject: [PATCH 39/39] ci-pipeline --- .github/workflows/ci-pipeline.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index abb38f4c..96525c10 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
@@ -249,4 +249,6 @@ jobs:
 echo "Image report upload: $IMAGE_RESPONSE"
 WEEK5_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "$IMAGE" https://devsecops-ver.azurewebsites.net/api/week5-report)
- echo "Week5 report upload: $WEEK5_RESPONSE"
\ No newline at end of file
+ echo "Week5 report upload: $WEEK5_RESPONSE"
+ MODEL_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/threat-model/ci-pipeline.json https://devsecops-ver.azurewebsites.net/api/week6-report)
+ echo "Model report upload: $MODEL_RESPONSE"
\ No newline at end of file
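Review bot: The new `week6-report` curl reads `@$GITHUB_WORKSPACE/threat-model/ci-pipeline.json`, but the `submit_reports` job as introduced in PATCH 36 only runs `actions/download-artifact` steps and never checks out the repository, so unless a checkout step was added to this job in an intermediate revision (the job header is outside this hunk) the file is not on the runner; curl then prints `Couldn't read data from file` as a warning, still sends an empty POST, and the step reports success. Add `- uses: actions/checkout@v4` ahead of the upload step, or publish the model as an artifact from the job that validates it and download it the way the other three reports are. As with the other uploads in this step, `--fail-with-body` on the curl would turn a rejected or empty submission into a failing step.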