Add repository_url and access_token fields to Project model, serializers, views, and frontend. Implement daily task to update project dependencies using OWASP Dependency-Checker.

Author: kreinern

backend/analyzer/manager/project_manager.py

@@ -1,10 +1,14 @@
 import logging
+import os
+import subprocess
+import tempfile
 from secrets import token_urlsafe
 
 from django.db import DatabaseError
 
 from analyzer.manager.cve_manager import CVEObjectManager
 from analyzer.models import Project, Report, Dependency
+from analyzer.parser.parser_manager import ParserManager
 from analyzer.parser.types import ParseResult
 from utilities.helperclass import hash_key
 
@@ -138,3 +142,47 @@ def _update_dependencies(self, data: dict[str, ParseResult]):
       logger.warning(
         f"An error occurred while trying to create reports. Following exception occurred: {str(de)}."
         f"Project id: {self.project.project_id}.")
+
+  def run_dependency_checker(self):
+    """
+    Clones the repository, runs the OWASP Dependency-Checker, and updates the project with the results.
+    """
+    if not self.project.repository_url:
+        logger.error(f"No repository URL configured for project {self.project.project_id}.")
+        return
+
+    with tempfile.TemporaryDirectory() as temp_dir:
+        repo_path = os.path.join(temp_dir, "repo")
+
+        # Clone the repository
+        clone_cmd = ["git", "clone", self.project.repository_url, repo_path]
+        if self.project.access_token:
+            clone_cmd[1] = self.project.repository_url.replace("https://", f"https://{self.project.access_token}@")
+
+        try:
+            subprocess.run(clone_cmd, check=True)
+            logger.info(f"Repository cloned successfully for project {self.project.project_id}.")
+        except subprocess.CalledProcessError as e:
+            logger.error(f"Failed to clone repository: {e}")
+            return
+
+        # Run OWASP Dependency-Checker
+        output_file = os.path.join(temp_dir, "dependency-check-report.json")
+        try:
+            subprocess.run([
+                "dependency-check", "--project", self.project.project_name,
+                "--out", temp_dir, "--format", "JSON", "--scan", repo_path
+            ], check=True)
+            logger.info(f"Dependency-Checker executed successfully for project {self.project.project_id}.")
+        except subprocess.CalledProcessError as e:
+            logger.error(f"Failed to run Dependency-Checker: {e}")
+            return
+
+        # Parse the results
+        try:
+            parser = ParserManager(output_file)
+            parsed_data = parser.parse()
+            self.update_project(parsed_data)
+            logger.info(f"Project {self.project.project_id} updated successfully with new dependency data.")
+        except Exception as e:
+            logger.error(f"Failed to parse Dependency-Checker results: {e}")

backend/analyzer/models.py

@@ -1,6 +1,8 @@
 import logging
 
 from django.db import models
+from django.core.mail import send_mail
+from django.utils.timezone import now
 
 from utilities import constants
 
@@ -19,6 +21,8 @@ class Meta:
                                             choices=constants.Threshold.choices,
                                             default=constants.Threshold.MEDIUM.name)
     api_key_hash = models.CharField(null=True, max_length=100)
+    repository_url = models.URLField(max_length=2048, blank=True, null=True)
+    access_token = models.CharField(max_length=255, blank=True, null=True)
 
     @property
     def dependency_count(self):
@@ -93,6 +97,35 @@ def vulnerabilities_count(self, status_types: list[str]) -> dict:
             counted_vul.update({severity: counted})
         return counted_vul
 
+    def check_for_new_cves(self):
+        """
+        Check for new CVEs above the blocking level and notify maintainers.
+        """
+        blocking_levels = constants.BaseSeverity.names[:constants.BaseSeverity.names.index(self.deployment_threshold) + 1]
+        new_cves = Report.objects.filter(
+            dependency__project=self,
+            dependency__in_use=True,
+            cve_object__base_severity__in=blocking_levels,
+            update_date__gte=now().date()
+        )
+
+        if new_cves.exists():
+            # Notify maintainers
+            maintainers = self.get_maintainers_emails()
+            send_mail(
+                subject=f"New CVEs detected for project {self.project_name}",
+                message=f"New CVEs have been detected that exceed the blocking level for project {self.project_name}. Please review them.",
+                from_email="[email protected]",
+                recipient_list=maintainers,
+            )
+
+    def get_maintainers_emails(self):
+        """
+        Retrieve the email addresses of the maintainers for this project.
+        """
+        # Assuming a Many-to-Many relationship with User model
+        return [user.email for user in self.user_set.all()]
+
 
 class CVEObject(models.Model):
     class Meta:

backend/analyzer/tasks.py

@@ -0,0 +1,26 @@
+from celery import shared_task
+from celery.schedules import crontab
+from .models import Project
+from analyzer.manager.project_manager import ProjectManager
+from analyzer.celery import app
+
+@shared_task
+def check_projects_for_new_cves():
+    """
+    Celery task to check all projects for new CVEs and notify maintainers if necessary.
+    If a project has a repository URL and access token, it will clone the repository,
+    run the dependency-checker, and update the project data.
+    """
+    for project in Project.objects.all():
+        if project.repository_url and project.access_token:
+            project_manager = ProjectManager(project)
+            project_manager.run_dependency_checker()
+        project.check_for_new_cves()
+
+# Schedule the task to run daily
+app.conf.beat_schedule = {
+    'check-projects-daily': {
+        'task': 'analyzer.tasks.check_projects_for_new_cves',
+        'schedule': crontab(hour=0, minute=0),  # Runs daily at midnight
+    },
+}

backend/requirements.txt

@@ -12,3 +12,5 @@ coverage==7.6.4
 gunicorn==23.0.0
 cyclonedx-python-lib==8.2.1
 whitenoise==6.7.0
+celery[redis]==5.3.0
+django-celery-beat==2.8.0

backend/securecheckplus/settings.py

@@ -159,6 +159,10 @@ def get_env_variable_or_shutdown_gracefully(var_name):
     "rest_framework",
 ]
 
+INSTALLED_APPS += [
+    "django_celery_beat",
+]
+
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
@@ -300,3 +304,9 @@ def format(self, record):
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False
 SESSION_SAVE_EVERY_REQUEST = True
 SESSION_COOKIE_AGE = 60 * 60 * 24 * 30  # 30 days
+
+# Celery Configuration
+CELERY_BROKER_URL = os.environ.get("CELERY_BROKER_URL", "redis://localhost:6379/0")
+CELERY_ACCEPT_CONTENT = ["json"]
+CELERY_TASK_SERIALIZER = "json"
+CELERY_RESULT_BACKEND = os.environ.get("CELERY_RESULT_BACKEND", "redis://localhost:6379/0")

backend/webserver/serializer/project_serializer.py

@@ -7,9 +7,15 @@
 
 
 class ProjectBasicSerializer(serializers.ModelSerializer):
+    repositoryUrl = serializers.URLField(source="repository_url", allow_blank=True, required=False)
+    accessToken = serializers.CharField(source="access_token", allow_blank=True, required=False)
+
     class Meta:
         model = Project
-        fields = ["projectId", "projectName", "updated", "deploymentThreshold"]
+        fields = [
+            "projectId", "projectName", "updated", "deploymentThreshold",
+            "repositoryUrl", "accessToken"
+        ]
 
     projectId = serializers.CharField(source="project_id", read_only=True)
     projectName = serializers.CharField(source="project_name", allow_blank=True)
@@ -20,9 +26,12 @@ class Meta:
 class ProjectDetailSerializer(ProjectBasicSerializer):
     class Meta:
         model = Project
-        fields = ["projectId", "projectName", "updated", "deploymentThreshold",
-                  "resolvedReportCount", "solutionDistribution", "statusDistribution", "dependencyCount",
-                  "notEvaluated", "evaluated"]
+        fields = [
+            "projectId", "projectName", "updated", "deploymentThreshold",
+            "repositoryUrl", "accessToken",
+            "resolvedReportCount", "solutionDistribution", "statusDistribution", "dependencyCount",
+            "notEvaluated", "evaluated"
+        ]
 
     resolvedReportCount = serializers.ReadOnlyField(source="resolved_report_count")
     solutionDistribution = serializers.ReadOnlyField(source="solution_distribution")

backend/webserver/views/project_views.py

@@ -130,10 +130,9 @@ def put(self, request, project_id: str):
     try:
       project = Project.objects.get(project_id__iexact=project_id)
 
-      project_serializer = ProjectBasicSerializer(project, data=request.data,
-                                                  partial=True)
+      project_serializer = ProjectBasicSerializer(project, data=request.data, partial=True)
       if project_serializer.is_valid():
-        project_serializer.save()
+          project_serializer.save()
 
       return Response(data=f"Update of Project: {project_id} successful.")
     except KeyError as ke:
@@ -152,7 +151,7 @@ def post(self, request, project_id):
         raise AlreadyExists(project_id)
       if len(project_id) >= 1 and re.search(r"^[\w-]+$", project_id):
         project = Project.objects.create(project_id=project_id)
-        project_serializer = ProjectBasicSerializer(project, request.data)
+        project_serializer = ProjectBasicSerializer(project, data=request.data)
         if project_serializer.is_valid():
           project_serializer.save()
       else:

frontend/src/components/ProjectSettingsContent.tsx

@@ -29,6 +29,8 @@ const ProjectSettingsContent: React.FunctionComponent<DialogProps> = ({setOpen}:
     const [projectName, setProjectName] = useState<string>("")
     const [threshold, setThreshold] = useState<string>("")
     const [apiKey, setApiKey] = useState("");
+    const [repositoryUrl, setRepositoryUrl] = useState<string>("");
+    const [accessToken, setAccessToken] = useState<string>("");
     const {data: fetchedApiKey, refetch} = useQuery("apiKey", () => getApiKey(projectId), {enabled: false})
     const user = useUserContext();
     const notification = useNotification();
@@ -37,6 +39,8 @@ const ProjectSettingsContent: React.FunctionComponent<DialogProps> = ({setOpen}:
         if (isSuccess) {
             setProjectName(data?.data.projectName);
             setThreshold(data?.data.deploymentThreshold);
+            setRepositoryUrl(data?.data.repositoryUrl || "");
+            setAccessToken(data?.data.accessToken || "");
         }
 
         if (isError) {
@@ -76,7 +80,9 @@ const ProjectSettingsContent: React.FunctionComponent<DialogProps> = ({setOpen}:
     const handleSave = useMutation(() => updateProject(projectId, {
         projectId: projectId,
         projectName: projectName,
-        deploymentThreshold: threshold
+        deploymentThreshold: threshold,
+        repositoryUrl: repositoryUrl,
+        accessToken: accessToken
     }), {
         onSuccess: () => {
             queryClient.invalidateQueries(["projectDetails", projectId]);
@@ -112,6 +118,19 @@ const ProjectSettingsContent: React.FunctionComponent<DialogProps> = ({setOpen}:
                     helperText={projectName.length > 20 ? localization.dialog.projectNameHelperToLong : ""}
                     onChange={(e: ChangeEvent<HTMLTextAreaElement | HTMLInputElement>) => setProjectName(e.target.value)}
                 />
+                <TextField
+                    label={localization.dialog.repositoryUrl}
+                    value={repositoryUrl}
+                    variant="filled"
+                    onChange={(e: ChangeEvent<HTMLTextAreaElement | HTMLInputElement>) => setRepositoryUrl(e.target.value)}
+                />
+                <TextField
+                    label={localization.dialog.accessToken}
+                    value={accessToken}
+                    variant="filled"
+                    type="password"
+                    onChange={(e: ChangeEvent<HTMLTextAreaElement | HTMLInputElement>) => setAccessToken(e.target.value)}
+                />
                 <Stack mt={"2rem"}>
                     <Typography variant={"body1"}>{localization.ProjectPage.deploymentThresholdTitle}</Typography>
                     <DropdownMenu readOnly={false}