Merge branch 'main' into 222-product-scans

tdruez · tdruez · commit eca657262d8e · 2025-03-11T18:54:25.000+04:00
diff --git a/Dockerfile b/Dockerfile
@@ -12,17 +12,23 @@ LABEL org.opencontainers.image.source="https://github.com/aboutcode-org/dejacode
 LABEL org.opencontainers.image.description="DejaCode"
 LABEL org.opencontainers.image.licenses="AGPL-3.0-only"
 
-ENV APP_NAME dejacode
-ENV APP_USER app
-ENV APP_DIR /opt/$APP_NAME
-ENV VENV_LOCATION /opt/$APP_NAME/.venv
+# Set default values for APP_UID and APP_GID at build-time
+ARG APP_UID=1000
+ARG APP_GID=1000
+
+ENV APP_NAME=dejacode
+ENV APP_USER=app
+ENV APP_UID=${APP_UID}
+ENV APP_GID=${APP_GID}
+ENV APP_DIR=/opt/$APP_NAME
+ENV VENV_LOCATION=/opt/$APP_NAME/.venv
 
 # Force Python unbuffered stdout and stderr (they are flushed to terminal immediately)
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 # Do not write Python .pyc files
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # Add the app dir in the Python path for entry points availability
-ENV PYTHONPATH $PYTHONPATH:$APP_DIR
+ENV PYTHONPATH=$PYTHONPATH:$APP_DIR
 
 # OS requirements
 RUN apt-get update \
@@ -36,9 +42,9 @@ RUN apt-get update \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# Create the APP_USER group, user, and directory with proper permissions
-RUN addgroup --system $APP_USER \
- && adduser --system --group --home=$APP_DIR $APP_USER \
+# Create the APP_USER group, user, and directory with specific UID and GID
+RUN groupadd --gid $APP_GID --system $APP_USER \
+ && useradd --uid $APP_UID --gid $APP_GID --home-dir $APP_DIR --system --create-home $APP_USER \
  && chown $APP_USER:$APP_USER $APP_DIR \
  && mkdir -p /var/$APP_NAME \
  && chown $APP_USER:$APP_USER /var/$APP_NAME
@@ -53,7 +59,7 @@ RUN mkdir -p /var/$APP_NAME/static/ /var/$APP_NAME/media/
 # Create the virtualenv
 RUN python -m venv $VENV_LOCATION
 # Enable the virtualenv, similar effect as "source activate"
-ENV PATH $VENV_LOCATION/bin:$PATH
+ENV PATH=$VENV_LOCATION/bin:$PATH
 
 # Install the dependencies before the codebase COPY for proper Docker layer caching
 COPY --chown=$APP_USER:$APP_USER setup.cfg setup.py $APP_DIR/
diff --git a/dejacode/static/css/dejacode_bootstrap.css b/dejacode/static/css/dejacode_bootstrap.css
@@ -693,6 +693,19 @@ a[data-category-pk]:focus,
 body.signup-form {
   background-color: var(--bs-djc-blue-bg);
 }
+body.signup-form .nav-link {
+  color: white;
+}
+body.signup-form .nav-link.active {
+  color: white;
+  background-color: var(--bs-djc-blue-bg);
+}
+body.signup-form .nav-item.show .nav-link,
+body.signup-form .nav-link.active {
+  border-top-width: 1px;
+  border-top-color: initial;
+  border-bottom-color: var(--bs-djc-blue-bg);
+}
 body.signup-form label {
   display: none;
 }
diff --git a/dje/registration.py b/dje/registration.py
@@ -165,14 +165,14 @@ def helper(self):
                 ),
                 Div(
                     Field("updates_email_notification"),
-                    css_class="alert alert-primary px-2",
+                    css_class="alert alert-primary px-2 py-2",
                 ),
                 "hcaptcha",
                 tos,
                 Div(
                     StrictSubmit(
                         "submit",
-                        _("Create your account"),
+                        _("Create account"),
                         css_class="btn btn-warning",
                     ),
                     css_class="d-grid",
diff --git a/dje/templates/django_registration/registration_form.html b/dje/templates/django_registration/registration_form.html
@@ -9,38 +9,72 @@
 
 {% block content %}
   <div class="row">
-    <div class="col-sm-6 text-white">
-      <h2 class="mb-3">Explore DejaCode now</h2>
-      <p>
-        A free DejaCode trial account allows you to use DejaCode in a shared public dataspace!
-      </p>
-      <p>When you sign in to the DejaCode public evaluation dataspace with your free trial account, you can:</p>
-      <ul>
-        <li>Explore, create, and modify components, packages, licenses and assign usage policies to them.</li>
-        <li>Create your own test products and generate attribution.</li>
-        <li>Exercise the DejaCode API and DejaCode integrations with open source tools, such as ScanCode.io.</li>
-        <li>Run reports and use workflow requests.</li>
-      </ul>
-      <p>To get started, sign up for a free DejaCode trial account via the form on this page.</p>
-
-      <h2 class="mt-4 mb-3">Securely use your own data</h2>
-      <p>
-        We can set up a private instance for evaluating DejaCode using your own data,
-        with access to all features including:
-      </p>
-      <ul>
-        <li>Import your own data privately and securely, including proprietary and third-party software components and licenses.</li>
-        <li>Design and apply your own usage policies.</li>
-        <li>Create your own workflow requests and reports.</li>
-        <li>Generate FOSS compliance artifacts, including Software Bill of Materials (SBOM) for your products and attribution notices.</li>
+    <div class="col-sm-5 text-white" style="font-size: 1.1rem !important;">
+      <ul class="nav nav-tabs nav-fill" role="tablist">
+        <li class="nav-item" role="presentation">
+          <a class="nav-link active" role="tab" aria-controls="explore-now-tab" aria-current="page" data-bs-toggle="tab" data-bs-target="#explore-now-tab" href="#">Explore now</a>
+        </li>
+        <li class="nav-item" role="presentation">
+          <a class="nav-link" role="tab" aria-controls="about-tab" data-bs-toggle="tab" data-bs-target="#about-tab" href="#">About DejaCode</a>
+        </li>
+        <li class="nav-item" role="presentation">
+          <a class="nav-link" role="tab" aria-controls="private-evaluation-tab" data-bs-toggle="tab" data-bs-target="#private-evaluation-tab" href="#">Private Evaluation</a>
+        </li>
       </ul>
-      <p>Each private evaluation is limited to 30 days with unlimited use of DejaCode and free support.</p>
-      <a class="btn btn-warning" href="https://nexb.com/evaluation/" target="_blank">
-        Request private evaluation
-      </a>
+      <div class="tab-content p-3">
+        <div class="tab-pane fade show active" id="explore-now-tab" role="tabpanel" aria-labelledby="explore-now-tab">
+          <h4 class="text-warning mb-3 mt-2">Get Started with DejaCode for Free</h4>
+          <p>
+            Sign up for a <strong>free DejaCode account</strong> and access a shared public dataspace where you can:
+          </p>
+          <ul class="list-unstyled ms-3">
+            <li class="mb-3">✅ <strong class="text-warning">Explore Packages, Components, and Licenses</strong></li>
+            <li class="mb-3">✅ <strong class="text-warning">Create & Track Products</strong> – Manage your software inventory effortlessly and Generate attribution.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Assign Usage Policies</strong> – Define and apply license policies on your inventory items.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Leverage Powerful Integrations</strong> – Leverage tools like <a class="text-warning text-decoration-underline" href="https://github.com/aboutcode-org/scancode.io" target="_blank">ScanCode.io</a> for seamless code scanning, and <a class="text-warning text-decoration-underline" href="https://github.com/aboutcode-org/vulnerablecode" target="_blank">VulnerableCode</a> for vulnerability management.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Run Reports & Automate Workflows</strong> – Gain insights with built-in reporting and workflow automation.</li>
+          </ul>
+          <p>
+            <strong>Ready to get started?</strong> Sign up now for a <strong>free DejaCode trial</strong> using the form on this page!
+          </p>
+        </div>
+        <div class="tab-pane fade" id="about-tab" role="tabpanel" aria-labelledby="about-tab">
+          <h4 class="text-warning mb-3 mt-2">Automate Enterprise-Wide Continuous Compliance with DejaCode</h4>
+          <p>
+            <strong>Your system of record for SBOMs, backed by open data.</strong>
+          </p>
+          <ul class="list-unstyled ms-3">
+            <li class="mb-3">✅ <strong class="text-warning">Scan & Track Open Source and Third-Party Components</strong> – Identify and manage all open source and third-party software used in your projects.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Enforce Compliance Policies</strong> – Apply usage policies at the license or package level and integrate with ScanCode to ensure compliance.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Capture & Maintain SBOMs</strong> – Generate, store, and manage Software Bill of Materials (SBOMs) while keeping historical data for audits.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Enterprise-Grade Compliance & DevOps Integration</strong> – Leverage advanced compliance features with seamless integration into DevOps and software workflows.</li>
+          </ul>
+        </div>
+        <div class="tab-pane fade" id="private-evaluation-tab" role="tabpanel" aria-labelledby="private-evaluation-tab">
+          <h4 class="text-warning mb-3 mt-2">Private DejaCode Evaluation Instance</h4>
+          <p>
+            We can set up a private instance for evaluating DejaCode using your own data, with access to all features, including:
+          </p>
+          <ul class="list-unstyled ms-3">
+            <li class="mb-3">✅ <strong class="text-warning">Import your own data privately and securely</strong>, including proprietary and third-party software components and licenses.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Design and apply your own usage policies</strong>.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Create your own workflow requests and reports</strong>.</li>
+            <li class="mb-3">✅ <strong class="text-warning">Generate FOSS compliance artifacts</strong>, including Software Bill of Materials (SBOM) for your products and attribution notices.</li>
+          </ul>
+          <p>
+            <strong>Each private evaluation is limited to 30 days</strong> with unlimited use of DejaCode and free support.
+          </p>
+          <div class="d-grid">
+            <a class="btn btn-warning" href="https://nexb.com/evaluation/" target="_blank">
+              Request private evaluation
+            </a>
+          </div>
+        </div>
+      </div>
     </div>
 
     <div class="col-sm-5 offset-sm-1">
+      <h1 class="text-white mt-0 mb-2">Create your DejaCode account</h1>
       <div class="card">
         <div class="card-body">
           {% crispy form %}
@@ -53,4 +87,12 @@ <h2 class="mt-4 mb-3">Securely use your own data</h2>
   </div>
 {% endblock %}
 
-{% block footer %}{% endblock %}
+{% block footer %}
+  <footer class="mt-auto">
+    <div class="container">
+      <p class="text-center text-white mb-2">
+        Copyright (c) nexB Inc., AboutCode and others.
+      </p>
+    </div>
+  </footer>
+{% endblock %}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -23,6 +23,31 @@ services:
       - redis_data:/data
     restart: always
 
+  # This service is responsible for ensuring the correct ownership of files
+  # in the shared volumes used by the application (static and media).
+  # It ensures that all files inside the `/var/dejacode/` directory are owned
+  # by the user and group with the UID and GID defined in the environment variables
+  # APP_UID and APP_GID, which default to 1000 if not set.
+  #
+  # The service runs only once (due to "restart: no") and performs a `chown` operation
+  # to change the ownership of the static and media directories, ensuring proper
+  # file access rights for the running application containers.
+  #
+  # Volumes mounted:
+  # - static: Ensures the ownership of static files in the /var/dejacode/static directory
+  # - media: Ensures the ownership of media files in the /var/dejacode/media directory
+  #
+  # Notes: This service can be removed once DejaCode 5.3.0 will be released.
+  chown:
+    image: alpine:latest
+    restart: "no"
+    command: chown -R ${APP_UID:-1000}:${APP_GID:-1000} /var/dejacode/
+    env_file:
+      - docker.env
+    volumes:
+      - static:/var/dejacode/static
+      - media:/var/dejacode/media
+
   web:
     build: .
     command: sh -c "
@@ -46,6 +71,8 @@ services:
         condition: service_started
       clamav:
         condition: service_started
+      chown:
+        condition: service_completed_successfully
 
   worker:
     build: .
@@ -63,6 +90,7 @@ services:
       - redis
       - db
       - web
+      - chown
 
   scheduler:
     build: .
@@ -78,6 +106,7 @@ services:
       - redis
       - db
       - web
+      - chown
 
   nginx:
     image: nginx:alpine
diff --git a/docs/index.rst b/docs/index.rst
@@ -41,6 +41,7 @@ Welcome to the very start of your DejaCode journey!
     reference-vulnerability-management
     reference-1
     reference-2
+    reference-3-cravex
 
 .. toctree::
    :maxdepth: 1
diff --git a/docs/reference-3-cravex.rst b/docs/reference-3-cravex.rst
@@ -0,0 +1,89 @@
+.. _reference_3_cravex:
+
+========================================
+Reference 3 - CRAVEX support in DejaCode
+========================================
+
+This essay describes DejaCode features that support CRA compliance activities.
+
+The EU's Cyber Resilience Act (CRA) aims to enhance the cybersecurity of products
+with digital elements, ensuring that hardware and software sold in the EU are
+designed with strong security measures, and manufacturers remain responsible for
+cybersecurity throughout the product lifecycle.
+
+A VEX (Vulnerability Exploitability eXchange) document is a standardized format, part
+of the Cybersecurity and Infrastructure Security Agency (CISA) initiative, that provides
+a machine-readable way to share information about the exploitability of vulnerabilities
+in software products, helping organizations prioritize cybersecurity efforts.
+
+Key Objectives of the CRA
+-------------------------
+
+* **Enhanced Cybersecurity**: The CRA aims to improve the cybersecurity of products
+  with digital elements, including both hardware and software.
+* **Manufacturer Responsibility**:  The CRA places responsibility on manufacturers to
+  ensure the cybersecurity of their products throughout the entire lifecycle, from design
+  to end-of-life.
+* **EU-Wide Standardization**: The CRA aims to establish common cybersecurity rules and
+  standards across the EU, facilitating compliance for manufacturers and developers.
+* **Consumer Protection**: The CRA aims to protect consumers and businesses from the
+  risks posed by inadequate cybersecurity measures in digital products.
+* **Transparency**: The CRA aims to improve transparency about the cybersecurity
+  properties of products, enabling users to make informed choices.
+
+Key Provisions of the CRA
+-------------------------
+
+* **Cybersecurity Requirements**: Manufacturers must ensure that products with digital
+  elements meet essential cybersecurity requirements, including risk assessments,
+  security-by-design practices, and vulnerability management.
+* **Vulnerability Reporting**: Manufacturers are required to report any actively
+  exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA)
+  within 24 hours.
+* **Security Updates**: Manufacturers must provide timely and effective security updates
+  to address vulnerabilities.
+* **Documentation and Certification**: Manufacturers must provide adequate documentation
+  and certification to demonstrate compliance with the CRA's requirements.
+* **Enforcement**: The CRA includes provisions for enforcement, including penalties
+  for non-compliance.
+
+Key Cybersecurity Features of DejaCode
+--------------------------------------
+
+* **Create SBOMs for your products**: Use DejaCode to generate SBOMs (Software Bills of
+  Materials) in CycloneDX or SPDX format directly from your Product definitions. This
+  ensures that you identify exactly what is in your product in a machine-readable format
+  since DejaCode uses the Package URL (PURL) industry standard to identify each software
+  item (and its origin) in your product.
+* **Import SBOMs into your products**: Use DejaCode to import SBOMs in CycloneDX or
+  SPDX format that you receive from your suppliers or from code that you have scanned
+  using tools such as ScanCode.io. DejaCode interprets the SBOM details to create packages,
+  enrich the package metadata, and assign them to your product.
+* **Get timely automatic updates from VulnerableCode**: Using the PURL as a reliable and
+  accurate identifier, DejaCode routinely updates your data to identify known
+  vulnerabilities, including a calculated Risk factor, and notifies you of new updates.
+* **Respond to vulnerabilities in your products**: Leverage the Vulnerability Risk factor
+  to prioritize your cybersecurity reviews of the software in your products, as supported
+  by the extensive details that DejaCode has gathered. Enter your status and comments
+  regarding the reachability and exploitability of specific software vulnerabilities in
+  the context of your product usage, as well as any actions that you are taking to address
+  them. Generate VEX documents in a variety of industry-standard formats to communicate
+  those conclusions to your organization, to your customers, and to ENISA.
+* **Track your vulnerability remediations in your products**: As you upgrade or patch
+  the software in your products, track those updates in DejaCode to support accurate,
+  up-to-date SBOM revisions that you can provide to interested parties.
+
+Additional Resources
+--------------------
+
+Official texts and commentary for the Cyber Resilience Act:
+
+* Text: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847
+
+* Commentary: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
+
+Community discussions:
+
+* https://github.com/orcwg/cra-hub/blob/main/faq.md
+
+* https://orcwg.org/
