stackabletech
diff --git a/‎.github/workflows/build_push_dev.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/build_push_dev.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/build_push_release.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/build_push_release.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/application/access_control/api/serializers.py
Lines changed: 5 additions & 0 deletions b/‎backend/application/access_control/api/serializers.py
Lines changed: 5 additions & 0 deletions
diff --git a/‎backend/application/access_control/api/views.py
Lines changed: 3 additions & 2 deletions b/‎backend/application/access_control/api/views.py
Lines changed: 3 additions & 2 deletions
diff --git a/‎backend/application/core/api/serializers_observation.py
Lines changed: 6 additions & 2 deletions b/‎backend/application/core/api/serializers_observation.py
Lines changed: 6 additions & 2 deletions
diff --git a/‎backend/application/core/api/serializers_product.py
Lines changed: 25 additions & 18 deletions b/‎backend/application/core/api/serializers_product.py
Lines changed: 25 additions & 18 deletions
diff --git a/‎backend/application/core/migrations/0063_observation_origin_source_file_link.py
Lines changed: 18 additions & 0 deletions b/‎backend/application/core/migrations/0063_observation_origin_source_file_link.py
Lines changed: 18 additions & 0 deletions
diff --git a/‎backend/application/core/models.py
Lines changed: 2 additions & 0 deletions b/‎backend/application/core/models.py
Lines changed: 2 additions & 0 deletions
diff --git a/‎backend/application/core/services/observation.py
Lines changed: 4 additions & 0 deletions b/‎backend/application/core/services/observation.py
Lines changed: 4 additions & 0 deletions
diff --git a/‎backend/application/import_observations/parsers/gitleaks/__init__.py b/‎backend/application/import_observations/parsers/gitleaks/__init__.py
diff --git a/‎backend/application/import_observations/parsers/gitleaks/parser.py
Lines changed: 89 additions & 0 deletions b/‎backend/application/import_observations/parsers/gitleaks/parser.py
Lines changed: 89 additions & 0 deletions
diff --git a/‎backend/application/licenses/api/serializers.py
Lines changed: 20 additions & 0 deletions b/‎backend/application/licenses/api/serializers.py
Lines changed: 20 additions & 0 deletions
@@ -37,7 +37,7 @@ jobs:
       -
         name: Build and push backend
         id: build-and-push-backend
-        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -78,7 +78,7 @@ jobs:
       -
         name: Build and push frontend
         id: build-and-push-frontend
-        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
 
@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -74,7 +74,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push frontend
-        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
 
@@ -37,7 +37,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
 
@@ -232,6 +232,11 @@ def validate(self, attrs: dict) -> dict:
             raise ValidationError("Authorization group and user cannot be changed")
 
         if self.instance is None:
+            if data_authorization_group is None:
+                raise ValidationError("Authorization group is required")
+            if data_user is None:
+                raise ValidationError("User is required")
+
             authorization_group_member = get_authorization_group_member(data_authorization_group, data_user)
             if authorization_group_member:
                 raise ValidationError(
 
@@ -211,8 +211,9 @@ def password_rules(self, request: Request) -> Response:
         class PasswordRules:
             password_rules: str
 
-        password_rules_text = password_validators_help_texts(self._get_password_validators())
-        password_rules = PasswordRules("- " + "\n- ".join(password_rules_text))
+        password_rules_list = password_validators_help_texts(self._get_password_validators())
+        password_rules_list = list(map(lambda s: s.replace("Your password", "The password"), password_rules_list))
+        password_rules = PasswordRules("- " + "\n- ".join(password_rules_list))
         response_serializer = UserPasswortRulesSerializer(password_rules)
         return Response(response_serializer.data, status=status.HTTP_200_OK)
 
 
@@ -100,7 +100,7 @@ class ObservationSerializer(ModelSerializer):
 
     class Meta:
         model = Observation
-        exclude = ["numerical_severity", "issue_tracker_jira_initial_status"]
+        exclude = ["numerical_severity", "issue_tracker_jira_initial_status", "origin_source_file_link"]
 
     def to_representation(self, instance: Observation) -> dict:
         response = super().to_representation(instance)
@@ -174,6 +174,7 @@ class Meta:
             "numerical_severity",
             "issue_tracker_jira_initial_status",
             "origin_component_dependencies",
+            "origin_source_file_link",
         ]
 
     def get_branch_name(self, observation: Observation) -> str:
@@ -208,6 +209,9 @@ def get_cve_found_in(self, observation: Observation) -> list[dict[str, str]]:
 def _get_origin_source_file_url(observation: Observation) -> Optional[str]:
     origin_source_file_url = None
 
+    if observation.origin_source_file_link:
+        return observation.origin_source_file_link
+
     if observation.product.repository_prefix and observation.origin_source_file:
         if not validators.url(observation.product.repository_prefix):
             return None
@@ -567,7 +571,7 @@ class NestedObservationSerializer(ModelSerializer):
 
     class Meta:
         model = Observation
-        exclude = ["numerical_severity", "issue_tracker_jira_initial_status"]
+        exclude = ["numerical_severity", "issue_tracker_jira_initial_status", "origin_source_file_link"]
 
     def get_scanner_name(self, observation: Observation) -> str:
         return get_scanner_name(observation)
 
@@ -460,21 +460,26 @@ def validate(self, attrs: dict) -> dict:
         data_product: Optional[Product] = attrs.get("product")
         data_user = attrs.get("user")
 
-        if self.instance is not None and (
-            (data_product and data_product != self.instance.product) or (data_user and data_user != self.instance.user)
-        ):
-            raise ValidationError("Product and user cannot be changed")
+        current_user = get_current_user()
 
         if self.instance is None:
+            if data_product is None:
+                raise ValidationError("Product must be set")
+            if data_user is None:
+                raise ValidationError("User must be set")
+
             product_member = get_product_member(data_product, data_user)
             if product_member:
                 raise ValidationError(f"Product member {data_product} / {data_user} already exists")
 
-        current_user = get_current_user()
-        if self.instance is not None:
-            highest_user_role = get_highest_user_role(self.instance.product, current_user)
-        else:
             highest_user_role = get_highest_user_role(data_product, current_user)
+        else:
+            if (data_product and data_product != self.instance.product) or (
+                data_user and data_user != self.instance.user
+            ):
+                raise ValidationError("Product and user cannot be changed")
+
+            highest_user_role = get_highest_user_role(self.instance.product, current_user)
 
         if highest_user_role != Roles.Owner and not (current_user and current_user.is_superuser):
             if attrs.get("role") == Roles.Owner:
@@ -498,26 +503,28 @@ def validate(self, attrs: dict) -> dict:
         data_product: Optional[Product] = attrs.get("product")
         data_authorization_group = attrs.get("authorization_group")
 
-        if self.instance is not None and (
-            (data_product and data_product != self.instance.product)
-            or (data_authorization_group and data_authorization_group != self.instance.authorization_group)
-        ):
-            raise ValidationError("Product and authorization group cannot be changed")
+        current_user = get_current_user()
 
         if self.instance is None:
+            if data_product is None:
+                raise ValidationError("Product must be set")
+            if data_authorization_group is None:
+                raise ValidationError("Authorization group must be set")
+
             product_authorization_group_member = get_product_authorization_group_member(
                 data_product, data_authorization_group
             )
             if product_authorization_group_member:
                 raise ValidationError(
                     f"Product authorization group member {data_product} / {data_authorization_group} already exists"
                 )
-
-        current_user = get_current_user()
-        if self.instance is not None:
-            highest_user_role = get_highest_user_role(self.instance.product, current_user)
-        else:
             highest_user_role = get_highest_user_role(data_product, current_user)
+        else:
+            if (data_product and data_product != self.instance.product) or (
+                data_authorization_group and data_authorization_group != self.instance.authorization_group
+            ):
+                raise ValidationError("Product and authorization group cannot be changed")
+            highest_user_role = get_highest_user_role(self.instance.product, current_user)
 
         if highest_user_role != Roles.Owner and not (current_user and current_user.is_superuser):
             if attrs.get("role") == Roles.Owner:
 
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.1 on 2025-05-26 20:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0062_alter_branch_osv_linux_distribution_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="observation",
+            name="origin_source_file_link",
+            field=models.CharField(blank=True, max_length=2048),
+        ),
+    ]
@@ -461,6 +461,8 @@ class Observation(Model):
     origin_source_line_start = IntegerField(null=True, validators=[MinValueValidator(0), MaxValueValidator(999999)])
     origin_source_line_end = IntegerField(null=True, validators=[MinValueValidator(0), MaxValueValidator(999999)])
 
+    origin_source_file_link = CharField(max_length=2048, blank=True)
+
     origin_cloud_provider = CharField(max_length=255, blank=True)
     origin_cloud_account_subscription_project = CharField(max_length=255, blank=True)
     origin_cloud_resource = CharField(max_length=255, blank=True)
 
@@ -42,6 +42,8 @@ def _get_string_to_hash(observation: Observation) -> str:  # pylint: disable=too
         hash_string += str(observation.origin_source_line_start)
     if observation.origin_source_line_end:
         hash_string += str(observation.origin_source_line_end)
+    if observation.origin_source_file_link:
+        hash_string += observation.origin_source_file_link
 
     if observation.origin_cloud_provider:
         hash_string += observation.origin_cloud_provider
@@ -178,6 +180,8 @@ def normalize_observation_fields(observation: Observation) -> None:
         observation.origin_service_name = ""
     if observation.origin_source_file is None:
         observation.origin_source_file = ""
+    if observation.origin_source_file_link is None:
+        observation.origin_source_file_link = ""
     if observation.scanner is None:
         observation.scanner = ""
     if observation.api_configuration_name is None:
 
@@ -0,0 +1,89 @@
+from json import dumps
+from typing import Any, Optional
+
+from application.core.models import Branch, Observation, Product
+from application.core.types import Severity
+from application.import_observations.parsers.base_parser import (
+    BaseFileParser,
+    BaseParser,
+)
+from application.import_observations.types import Parser_Filetype, Parser_Type
+
+
+class GitleaksParser(BaseParser, BaseFileParser):
+    @classmethod
+    def get_name(cls) -> str:
+        return "Gitleaks"
+
+    @classmethod
+    def get_filetype(cls) -> str:
+        return Parser_Filetype.FILETYPE_JSON
+
+    @classmethod
+    def get_type(cls) -> str:
+        return Parser_Type.TYPE_SECRETS
+
+    def check_format(self, data: Any) -> bool:
+        if (
+            isinstance(data, list)  # pylint: disable=too-many-boolean-expressions
+            and len(data) >= 1
+            and isinstance(data[0], dict)
+            and data[0].get("RuleID")
+            and data[0].get("Match")
+            and data[0].get("Secret")
+        ):
+            return True
+        return False
+
+    def get_observations(self, data: list, product: Product, branch: Optional[Branch]) -> tuple[list[Observation], str]:
+        observations = []
+
+        for entry in data:
+            rule_id = entry.get("RuleID")
+            description = entry.get("Description")
+            start_line = entry.get("StartLine")
+            end_line = entry.get("EndLine")
+            match = entry.get("Match")
+            secret = entry.get("Secret")
+            file = entry.get("File")
+            link = entry.get("Link")
+            commit = entry.get("Commit")
+            date = entry.get("Date")
+            message = entry.get("Message")
+
+            if match:
+                if secret:
+                    match = match.replace(secret, "REDACTED")
+                description += f"\n\n**Match:** `{match}`"
+
+            if commit:
+                description += f"\n\n**Commit hash:** {commit}"
+                if date:
+                    description += f"\n\n**Commit date:** {date}"
+                if message:
+                    if message.find("\n") >= 0:
+                        message = message.split("\n")[0] + " ..."
+                    description += f"\n\n**Commit message:** {message}"
+
+            observation = Observation(
+                title=rule_id,
+                parser_severity=Severity.SEVERITY_MEDIUM,
+                description=description,
+                origin_source_file=file,
+                origin_source_line_start=self.get_int_or_none(start_line),
+                origin_source_line_end=self.get_int_or_none(end_line),
+                origin_source_file_link=link,
+            )
+
+            evidence = []
+            evidence.append("Entry")
+            evidence_string = dumps(entry)
+            if secret:
+                evidence_string = evidence_string.replace(secret, "REDACTED")
+            evidence.append(evidence_string)
+
+            observation.unsaved_evidences.append(evidence)
+
+            observations.append(observation)
+
+        return observations, self.get_name()
@@ -274,6 +274,11 @@ def validate(self, attrs: dict) -> dict:
             raise ValidationError("License group and authorization group cannot be changed")
 
         if self.instance is None:
+            if data_license_group is None:
+                raise ValidationError("License group is required")
+            if data_authorization_group is None:
+                raise ValidationError("Authorization group is required")
+
             license_group_authorization_group_member = get_license_group_authorization_group_member(
                 data_license_group, data_authorization_group
             )
@@ -309,6 +314,11 @@ def validate(self, attrs: dict) -> dict:
             raise ValidationError("License group and user cannot be changed")
 
         if self.instance is None:
+            if data_license_group is None:
+                raise ValidationError("License group is required")
+            if data_user is None:
+                raise ValidationError("User is required")
+
             license_group_member = get_license_group_member(data_license_group, data_user)
             if license_group_member:
                 raise ValidationError(f"License group member {data_license_group} / {data_user} already exists")
@@ -516,6 +526,11 @@ def validate(self, attrs: dict) -> dict:
             raise ValidationError("License policy and user cannot be changed")
 
         if self.instance is None:
+            if data_license_policy is None:
+                raise ValidationError("License policy is required")
+            if data_user is None:
+                raise ValidationError("User is required")
+
             license_group_member = get_license_policy_member(data_license_policy, data_user)
             if license_group_member:
                 raise ValidationError(f"License policy member {data_license_policy} / {data_user} already exists")
@@ -546,6 +561,11 @@ def validate(self, attrs: dict) -> dict:
             raise ValidationError("License policy and authorization group cannot be changed")
 
         if self.instance is None:
+            if data_license_policy is None:
+                raise ValidationError("License policy is required")
+            if data_authorization_group is None:
+                raise ValidationError("Authorization group is required")
+
             license_policy_authorization_group_member = get_license_policy_authorization_group_member(
                 data_license_policy, data_authorization_group
             )