Merge remote-tracking branch 'upstream/master'

Author: Thomas Noe

.travis.yml

@@ -14,7 +14,7 @@ env:
 
 matrix:
   allow_failures:
-    - env: TEST=bandit 
+    - env: TEST=bandit
     - env: TEST=sourceclear
     - env: TEST=pep8
 
@@ -32,17 +32,17 @@ script:
     case "$TEST" in
       smoke-test)
         travis_fold start "smoke-test"
-        bash ./scripts/travis-smoke-test.sh || exit 1
+        bash entrypoint_scripts/test/travis-smoke-test.sh || exit 1
         travis_fold end "smoke-test"
         ;;
       unit-test)
         travis_fold start "unit-test"
-        bash ./scripts/travis-unit-test.sh || exit 1
+        bash entrypoint_scripts/test/travis-unit-test.sh || exit 1
         travis_fold end "unit-test"
         ;;
       integration-test)
         travis_fold start "integration-test"
-        bash ./scripts/travis-integration-test.sh || exit 1
+        bash entrypoint_scripts/test/travis-integration-test.sh || exit 1
         travis_fold end "integration-test"
         ;;
       sourceclear)
@@ -52,7 +52,7 @@ script:
       bandit)
         # install bandit
         pip install bandit
-  
+
         ## Run Bandit python static code
         bandit -r * -x venv,tests,ansible
         ;;
@@ -72,10 +72,9 @@ script:
 
 after_success:
   #Push to docker repo
-  - docker tag $REPO $REPO:$TAG
-  - docker tag $REPO $REPO:travis-$TRAVIS_BUILD_NUMBER
   - |
-    if [ "$TRAVIS_BRANCH" == "master" ] && [ "$TEST" == "integration-test" ] && [ "$DOCKER_USER" != "" ] && [  "$DOCKER_PASS" != "" ]; then
+    if [ "$TRAVIS_TAG" != "" ] && [ "$DOCKER_USER" != "" ] && [  "$DOCKER_PASS" != "" ]; then
+      docker tag $REPO $REPO:$TRAVIS_TAG
       docker login -u "$DOCKER_USER" -p "$DOCKER_PASS";
       docker push $REPO ;
     fi

Dockerfile

@@ -1,28 +1,36 @@
 FROM ubuntu:16.04
 MAINTAINER Matt Tesauro <[email protected]>
 
-# Create a single Docker running DefectDojo and all dependencies
+# # # Create a single Docker image running DefectDojo and all dependencies
 
-ADD . /opt/django-DefectDojo
+# Update and install basic requirements;
+# Install mysql-server already at this place, since we want to avoid
+# interactivity when creating a Docker image;
+# Also: create the application user;
+RUN apt-get update \
+    && apt-get install -y sudo git expect wget \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y mysql-server \
+    && adduser --disabled-password --gecos "DefectDojo" dojo
 
-RUN apt update \
-    && DEBIAN_FRONTEND=noninteractive apt install -y mysql-server sudo git expect wget \
-    && usermod -d /var/lib/mysql/ mysql \
-    && service mysql start \
-    && cd /opt \
-    && export AUTO_DOCKER=yes \
-    && /opt/django-DefectDojo/setup.bash \
-    && cd /tmp \
-    && wget https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz \
-    && tar xvfJ wkhtmltox-0.12.4_linux-generic-amd64.tar.xz \
-    && sudo chown root:root wkhtmltox/bin/wkhtmltopdf \
-    && sudo cp wkhtmltox/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf \
-    && service mysql stop
+# Give the app user sudo permissions and switch executing user
+ADD ./docker/etc/dojo_sudo /etc/sudoers.d/
+USER dojo:dojo
 
+# Add the application files and start the setup
+ADD --chown=dojo:dojo . /opt/django-DefectDojo
 WORKDIR /opt/django-DefectDojo
+# Add the -y option to avoid interactive prompts
+RUN ./setup.bash -y
 
-ENTRYPOINT chown -R mysql:mysql /var/lib/mysql /var/run/mysqld \
-    && service mysql start \
-    && su - dojo -c "cd /opt/django-DefectDojo && celery -A dojo worker -l info --concurrency 3 >> /opt/django-DefectDojo/worker.log 2>&1 &" \
-    && su - dojo -c "cd /opt/django-DefectDojo && celery beat -A dojo -l info  >> /opt/django-DefectDojo/beat.log 2>&1 &" \
-    && su - dojo -c "cd /opt/django-DefectDojo && python manage.py runserver 0.0.0.0:8000 >> /opt/django-DefectDojo/dojo.log 2>&1"
+# Install wkhtmltopdf
+RUN wget -O /tmp/wkhtmltox.tar.xz https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz \
+    && tar xvfJ /tmp/wkhtmltox.tar.xz -C /tmp \
+    && sudo chown root:root /tmp/wkhtmltox/bin/wkhtmltopdf \
+    && sudo cp /tmp/wkhtmltox/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
+
+# Start the DB server and rund the app
+ENTRYPOINT sudo chown -R mysql:mysql /var/lib/mysql /var/run/mysqld \
+    && sudo service mysql start \
+    && (celery -A dojo worker -l info --concurrency 3 >> /opt/django-DefectDojo/worker.log 2>&1 &) \
+    && (celery beat -A dojo -l info  >> /opt/django-DefectDojo/beat.log 2>&1 &) \
+    && (python manage.py runserver 0.0.0.0:8000 >> /opt/django-DefectDojo/dojo.log 2>&1)

docker/docker-startup.bash

@@ -1,16 +1,27 @@
 #!/bin/sh
+# This script can be used as an entrypoint to get the Docker image started as
+# follows:
+#
+#   ``docker run -it -p 8000:8000 appsecpipeline/django-defectdojo bash -c "export LOAD_SAMPLE_DATA=True && bash /opt/django-DefectDojo/docker/docker-startup.bash"``
+#
+# Run it at the application root
+#
+
+source entrypoint_scripts/common/dojo-shared-resources.sh
+
+# This function invocation ensures we're running the script at the right place
+verify_cwd
+
 #Set the SQL variables
 SQLUSER=$MYSQL_USER
 SQLPWD=$MYSQL_PASSWORD
 SQLHOST=$DOJO_MYSQL_HOST
 DBNAME=$MYSQL_DATABASE
 
-source /django-DefectDojo/scripts/dojo-shared-functions.bash
-
 ########### Setup and Run Entry #############
 if [ "$1" == "setup" ]; then
     setupdojo
-    chown -R dojo:dojo /django-DefectDojo
+    chown -R dojo:dojo $DOJO_ROOT_DIR
 else
   echo "=============================================================================="
   echo "Starting DefectDojo"
@@ -20,8 +31,7 @@ else
     PORT=8000
   fi
 
-  cd /django-DefectDojo/
-  source venv/bin/activate
+  source $DOJO_VENV_NAME/bin/activate
 
   #Check to see if Dojo has been setup by checking the settings.py file
   if [ ! -f dojo/settings/settings.py ];
@@ -37,28 +47,28 @@ else
     cp dojo/settings/settings.dist.py dojo/settings/settings.py
 
     # Save MySQL details in settings file
-    sed -i  "s/MYSQLUSER/$SQLUSER/g" dojo/settings/settings.py
-    sed -i  "s/MYSQLPWD/$SQLPWD/g" dojo/settings/settings.py
-    sed -i  "s/MYSQLDB/$DBNAME/g" dojo/settings/settings.py
-    sed -i  "s/MYSQLHOST/$DOJO_MYSQL_HOST/g" dojo/settings/settings.py
-    sed -i  "s/MYSQLPORT/$DOJO_MYSQL_PORT/g" dojo/settings/settings.py
-    sed -i  "s#DOJODIR#$PWD/dojo#g" dojo/settings/settings.py
-    sed -i  "s/DOJOSECRET/$SECRET/g" dojo/settings/settings.py
-    sed -i  "s#DOJOURLPREFIX#$DOJO_URL_PREFIX#g" dojo/settings/settings.py
-    sed -i  "s#BOWERDIR#$PWD/components#g" dojo/settings/settings.py
-    sed -i  "s#DOJO_MEDIA_ROOT#$PWD/media/#g" dojo/settings/settings.py
-    sed -i  "s#DOJO_STATIC_ROOT#$PWD/static/#g" dojo/settings/settings.py
+    sed -i "s/MYSQLUSER/$SQLUSER/g" dojo/settings/settings.py
+    sed -i "s/MYSQLPWD/$SQLPWD/g" dojo/settings/settings.py
+    sed -i "s/MYSQLDB/$DBNAME/g" dojo/settings/settings.py
+    sed -i "s/MYSQLHOST/$DOJO_MYSQL_HOST/g" dojo/settings/settings.py
+    sed -i "s/MYSQLPORT/$DOJO_MYSQL_PORT/g" dojo/settings/settings.py
+    sed -i "s#DOJODIR#$PWD/dojo#g" dojo/settings/settings.py
+    sed -i "s/DOJOSECRET/$SECRET/g" dojo/settings/settings.py
+    sed -i "s#DOJOURLPREFIX#$DOJO_URL_PREFIX#g" dojo/settings/settings.py
+    sed -i "s#BOWERDIR#$PWD/components#g" dojo/settings/settings.py
+    sed -i "s#DOJO_MEDIA_ROOT#$PWD/media/#g" dojo/settings/settings.py
+    sed -i "s#DOJO_STATIC_ROOT#$PWD/static/#g" dojo/settings/settings.py
 
     if [ "$RUN_TIERED" = True ]; then
       echo "Setting dojo settings for tiered docker-compose."
-      sed -i  "s/TEMPLATE_DEBUG = DEBUG/TEMPLATE_DEBUG = False/g" dojo/settings/settings.py
-      sed -i  "s/DEBUG = True/DEBUG = False/g" dojo/settings/settings.py
-      sed -i  "s/ALLOWED_HOSTS = \[]/ALLOWED_HOSTS = ['localhost', '127.0.0.1']/g" dojo/settings/settings.py
+      sed -i "s/TEMPLATE_DEBUG = DEBUG/TEMPLATE_DEBUG = False/g" dojo/settings/settings.py
+      sed -i "s/DEBUG = True/DEBUG = False/g" dojo/settings/settings.py
+      sed -i "s/ALLOWED_HOSTS = \[]/ALLOWED_HOSTS = ['localhost', '127.0.0.1']/g" dojo/settings/settings.py
     else
       echo "Setting dojo settings for SQLLITEDB."
       SQLLITEDB="'NAME': os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'db.sqlite3')"
-      sed -i  "s/django.db.backends.mysql/django.db.backends.sqlite3/g" dojo/settings/settings.py
-      sed -i  "s/'NAME': '$DBNAME'/$SQLLITEDB/g" dojo/settings/settings.py
+      sed -i "s/django.db.backends.mysql/django.db.backends.sqlite3/g" dojo/settings/settings.py
+      sed -i "s/'NAME': '$DBNAME'/$SQLLITEDB/g" dojo/settings/settings.py
     fi
   fi
 
@@ -69,7 +79,7 @@ else
     echo "=============================================================================="
     echo
     #Make sure MySQL is up and running, run the mysql script to check the port and report back
-    bash /django-DefectDojo/docker/wait-for-it.sh $DOJO_MYSQL_HOST:$DOJO_MYSQL_PORT
+    bash $DOCKER_DIR/wait-for-it.sh $DOJO_MYSQL_HOST:$DOJO_MYSQL_PORT
 
     if [ $? -eq 0 ]; then
       echo "Database server is up and running."
@@ -86,7 +96,7 @@ else
       echo "=============================================================================="
       echo
       #Start gunicorn
-      cd /django-DefectDojo/
+      cd $DOJO_ROOT_DIR
       gunicorn --env DJANGO_SETTINGS_MODULE=dojo.settings dojo.wsgi:application --bind 0.0.0.0:$PORT --workers 3 & celery -A dojo worker -l info --concurrency 3
     else
       echo "MySQL server is down or dojo can't access mysql"
@@ -98,7 +108,7 @@ else
     if [ ! -f setupcomplete ];
     then
       createadmin
-      bash /django-DefectDojo/docker/dojo-data.bash load
+      bash $DOCKER_DIR/dojo-data.bash load
       touch setupcomplete
     fi
 
@@ -111,8 +121,8 @@ else
     echo "Starting Python  Server"
     echo "=============================================================================="
     echo
-    cd /django-DefectDojo/
-    source venv/bin/activate
+
+    source $DOJO_VENV_NAME/bin/activate
     pip freeze
     python manage.py runserver 0.0.0.0:$PORT & celery -A dojo worker -l info --concurrency 3
     echo

docker/dojo-base-build-push.bash

@@ -5,10 +5,10 @@ if [ $# > 1 ]
 then
     if [[ "$1" = "load" ]]
     then
-      python /django-DefectDojo/manage.py loaddata /django-DefectDojo/docker/sample_data/initial_dojo_data.json
+      python manage.py loaddata docker/sample_data/initial_dojo_data.json
       echo "Data imported from: sample_data/initial_dojo_data.json"
     elif [[ "$1" = "export" ]]; then
-      python /django-DefectDojo/manage.py dumpdata --exclude auth.user > /django-DefectDojo/docker/sample_data/initial_dojo_data.json
+      python manage.py dumpdata --exclude auth.user > docker/sample_data/initial_dojo_data.json
       echo "Data exported to: sample_data/initial_dojo_data.json"
     fi
 else

docker/dojo-base.docker

@@ -0,0 +1,2 @@
+# User privilege specification
+dojo    ALL=(ALL:ALL)   NOPASSWD: ALL