From b8f190f4e811bf9493f77674998e59122969e414 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:36:19 +0200 Subject: [PATCH 01/25] chore: Rename container & add hostname --- compose.yaml | 59 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/compose.yaml b/compose.yaml index 1fb7af8f..1f640d12 100644 --- a/compose.yaml +++ b/compose.yaml @@ -3,9 +3,10 @@ ############################################################################### services: - csaf-couchdb: + cms-couchdb: image: couchdb:3.3 - container_name: csaf-couchdb + hostname: couchdb.csaf.internal + container_name: cms-couchdb restart: on-failure env_file: .env environment: @@ -15,10 +16,15 @@ services: - csaf-couchdb-data:/opt/couchdb/data ports: - "${CSAF_COUCHDB_PORT}:5984" + networks: + default: + aliases: + - "couchdb.csaf.internal" - csaf-keycloak-db: + keycloak-db: image: postgres:14 - container_name: csaf-keycloak-db + hostname: keycloak-db.csaf.internal + container_name: keycloak-db volumes: - csaf-keycloak-db-data:/var/lib/postgresql/data env_file: .env @@ -29,17 +35,22 @@ services: restart: on-failure ports: - "${CSAF_KEYCLOAK_DATABASE_PORT}:5432" + networks: + default: + aliases: + - "keycloak-db.csaf.internal" - csaf-keycloak: + keycloak: image: quay.io/keycloak/keycloak:20.0 - container_name: csaf-keycloak + hostname: keycloak.csaf.internal + container_name: keycloak env_file: .env environment: # https://www.keycloak.org/server/all-config KC_HEALTH_ENABLED: "true" KC_METRICS_ENABLED: "true" KC_DB: postgres - KC_DB_URL_HOST: csaf-keycloak-db + KC_DB_URL_HOST: keycloak-db.csaf.internal KC_DB_URL_PORT: 5432 KC_DB_URL_DATABASE: ${CSAF_KEYCLOAK_DATABASE_NAME} KC_DB_USERNAME: ${CSAF_KEYCLOAK_DATABASE_USER} 
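Review bot: The `cms-couchdb` and `keycloak-db` services keep publishing their database ports on every host interface (`"${CSAF_COUCHDB_PORT}:5984"`, `"${CSAF_KEYCLOAK_DATABASE_PORT}:5432"`) although these hunks give Keycloak an internal route to Postgres (`KC_DB_URL_HOST: keycloak-db.csaf.internal`), so the host publication no longer serves any container in this file. Both databases are protected only by the credentials loaded from `.env`; if host-side access is still wanted for development tooling, bind the publications to loopback, e.g. `- "127.0.0.1:${CSAF_KEYCLOAK_DATABASE_PORT}:5432"`, otherwise drop them. The same hunks reappear unchanged in PATCH 05/25.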
@@ -53,31 +64,35 @@ services: ports: - "${CSAF_KEYCLOAK_PORT}:8080" command: ["start-dev"] # https://www.keycloak.org/server/configuration#_starting_keycloak_in_production_mode - + networks: + default: + aliases: + - "keycloak.csaf.internal" + # Run this manually to import the default keycloak config since 'depends_on' is currently broken. - csaf-keycloak-cli: + keycloak-cli: image: adorsys/keycloak-config-cli:latest-20.0.1 - container_name: csaf-keycloak-cli + container_name: keycloak-cli profiles: [ "run_manually" ] env_file: .env environment: - KEYCLOAK_URL: "http://csaf-keycloak:8080/" + KEYCLOAK_URL: "http://keycloak.csaf.internal:8080/" KEYCLOAK_USER: ${CSAF_KEYCLOAK_ADMIN_USER} KEYCLOAK_PASSWORD: ${CSAF_KEYCLOAK_ADMIN_PASSWORD} IMPORT_FILES_LOCATIONS: "/config/csaf-realm.json" volumes: - ./keycloak:/config:z - restart: on-failure - csaf-oauth2-proxy: + oauth2-proxy: image: bitnami/oauth2-proxy:7.4.0 - container_name: csaf-oauth2-proxy + hostname: oauth2.csaf.internal + container_name: oauth2-proxy command: [""] env_file: .env environment: # listening address and proxy target OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180" - OAUTH2_PROXY_UPSTREAMS: "http://host.docker.internal:${CSAF_VALIDATOR_PORT}/api/v1/validate,http://host.docker.internal:${CSAF_VALIDATOR_PORT}/api/v1/tests,http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/" + OAUTH2_PROXY_UPSTREAMS: "http://validator.csaf.internal:${CSAF_VALIDATOR_PORT}/api/v1/validate,http://validator.csaf.internal:${CSAF_VALIDATOR_PORT}/api/v1/tests,http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/" # Security related config OAUTH2_PROXY_COOKIE_SECURE: "false" 
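Review bot: `OAUTH2_PROXY_UPSTREAMS` now addresses the validator as `validator.csaf.internal:${CSAF_VALIDATOR_PORT}`, but `${CSAF_VALIDATOR_PORT}` is the host-published side of the mapping `"$CSAF_VALIDATOR_PORT:8082"` shown later in this patch, whereas a compose network alias resolves to the container itself, where the service listens on 8082. Unless `.env` happens to set the variable to 8082, the two validator upstreams become unreachable; the nginx config added in PATCH 10/25 uses `validator.csaf.internal:8082`, which is the form to use here too, e.g. `http://validator.csaf.internal:8082/api/v1/validate,http://validator.csaf.internal:8082/api/v1/tests,...`. The backend upstream still goes through `host.docker.internal`, so only the validator entries are affected. The identical hunk reappears in PATCH 05/25.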
@@ -91,7 +106,7 @@ services: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "CSAF OIDC Provider" # You need to set your keycloak "Frontend URL", in our case "http://localhost:9000/auth/" # If you don't want to use autodiscovery, you have to set all urls by hand (login-url, oidc-jwks-url, redeem-url, ...) - OAUTH2_PROXY_OIDC_ISSUER_URL: "http://csaf-keycloak:8080/realms/${CSAF_REALM}" + OAUTH2_PROXY_OIDC_ISSUER_URL: "http://keycloak.csaf.internal:8080/realms/${CSAF_REALM}" OAUTH2_PROXY_INSECURE_OIDC_SKIP_ISSUER_VERIFICATION: "true" OAUTH2_PROXY_WHITELIST_DOMAINS: "localhost:4180,localhost:8080" @@ -113,15 +128,23 @@ services: extra_hosts: - "host.docker.internal:host-gateway" restart: on-failure - + networks: + default: + aliases: + - "oauth2.csaf.internal" + csaf-validation-server: build: context: https://github.com/secvisogram/csaf-validator-service.git#main container_name: csaf-validation-server + hostname: validator.csaf.internal env_file: .env ports: - "$CSAF_VALIDATOR_PORT:8082" - + networks: + default: + aliases: + - "validator.csaf.internal" volumes: csaf-couchdb-data: From 1c7e02eb746622d8d5b4258f35185efd4f6718f0 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:40:05 +0200 Subject: [PATCH 02/25] feat: add secvisogram container --- compose.yaml | 16 ++++++++++++++-- docker/secvisogram/Dockerfile | 19 +++++++++++++++++++ .../appspecific/de.bsi.secvisogram.json | 7 +++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 docker/secvisogram/Dockerfile create mode 100644 docker/secvisogram/appspecific/de.bsi.secvisogram.json diff --git a/compose.yaml b/compose.yaml index 1f640d12..d196faf8 100644 --- a/compose.yaml +++ b/compose.yaml 
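Review bot: `OAUTH2_PROXY_OIDC_ISSUER_URL` now points at `http://keycloak.csaf.internal:8080/realms/${CSAF_REALM}`, while the comment two lines above says the realm's frontend URL is `http://localhost:9000/auth/` (and `keycloak/csaf-realm.json`, touched in PATCH 15/25, shows `frontendUrl` as `http://localhost:9000/`); presumably that mismatch is why the unchanged `OAUTH2_PROXY_INSECURE_OIDC_SKIP_ISSUER_VERIFICATION: "true"` is needed, since the `iss` claim of issued tokens would carry the public frontend URL rather than the internal discovery URL. That trade-off is invisible from the diff, so add a comment on the issuer line such as `# discovery runs over the internal network, but tokens carry the public frontend URL as issuer - hence SKIP_ISSUER_VERIFICATION below`, and consider whether one issuer URL that is reachable from the proxy would let the skip flag be dropped. This hunk appears again in PATCH 05/25.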
@@ -133,10 +133,10 @@ services: aliases: - "oauth2.csaf.internal" - csaf-validation-server: + validation-server: build: context: https://github.com/secvisogram/csaf-validator-service.git#main - container_name: csaf-validation-server + container_name: validation-server hostname: validator.csaf.internal env_file: .env ports: @@ -146,6 +146,18 @@ services: aliases: - "validator.csaf.internal" + secvisogram: + build: + context: ./docker/secvisogram + dockerfile: Dockerfile + hostname: secvisogram.csaf.internal + volumes: + - "${PWD}/docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific" + networks: + proxy-internal: + aliases: + - "secvisogram.csaf.internal" + volumes: csaf-couchdb-data: driver: local diff --git a/docker/secvisogram/Dockerfile b/docker/secvisogram/Dockerfile new file mode 100644 index 00000000..4986e530 --- /dev/null +++ b/docker/secvisogram/Dockerfile @@ -0,0 +1,19 @@ +# Build Stage 1 +# This build created a staging docker image +# +FROM node:20-alpine AS build +WORKDIR /usr/src +RUN apk add git; \ + git clone https://github.com/secvisogram/secvisogram.git; \ + cd secvisogram; \ + npm ci; \ + npm run build + +# Build Stage 2 +# This build takes the production build from staging build +# + +FROM nginx:1.23-alpine +COPY --from=build /usr/src/secvisogram/app/dist /usr/share/nginx/html +EXPOSE 80 +VOLUME /usr/share/nginx/html/.well-known/appspecific/ \ No newline at end of file diff --git a/docker/secvisogram/appspecific/de.bsi.secvisogram.json b/docker/secvisogram/appspecific/de.bsi.secvisogram.json new file mode 100644 index 00000000..9cf4bddf --- /dev/null +++ b/docker/secvisogram/appspecific/de.bsi.secvisogram.json @@ -0,0 +1,7 @@ +{ + "loginAvailable": true, + "loginUrl": "/oauth2/sign_in?rd=http%3A%2F%2Flocalhost%3A9000", + "logoutUrl": "/oauth2/sign_out?rd=http%3A%2F%2Flocalhost%3A9000", + "userInfoUrl": "/oauth2/userinfo", + "validatorUrl": "/validate" +} \ No newline at end of file 
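Review bot: The new `secvisogram` service attaches to a network named `proxy-internal` that is not declared under a top-level `networks:` key anywhere in the diff, while every other service uses `default`; compose should reject a reference to an undeclared network, and even if it were declared, the oauth2-proxy and keycloak containers on `default` could not resolve `secvisogram.csaf.internal`. PATCH 03/25 later changes it to `default`, so that fix could simply be folded into this commit. The `${PWD}` prefix on the bind mount is also unnecessary, since compose resolves relative paths against the project directory, and PATCH 10/25 likewise replaces it with `./`.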
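Review bot: The build stage clones `https://github.com/secvisogram/secvisogram.git` at whatever its default branch holds at build time, so the image content is not reproducible and cannot be tied to a reviewed release of the frontend. Pin the checkout to a tag or commit, chain the steps with `&&` so a failed clone fails the build instead of running `npm ci` in the wrong directory, and keep the apk index out of the layer with `apk add --no-cache git`. The stage comment `This build created a staging docker image` would read better as `This stage builds the Secvisogram frontend from a pinned checkout`. The same Dockerfile is added again in PATCH 06/25.
```dockerfile
FROM node:20-alpine AS build
WORKDIR /usr/src
# PINNED_REF_PLACEHOLDER: replace with the tag or commit of the reviewed Secvisogram release
ARG SECVISOGRAM_REF=PINNED_REF_PLACEHOLDER
RUN apk add --no-cache git && \
    git clone https://github.com/secvisogram/secvisogram.git && \
    cd secvisogram && \
    git checkout "${SECVISOGRAM_REF}" && \
    npm ci && \
    npm run build
# … unchanged: stage 2 (nginx image, COPY --from=build, EXPOSE, VOLUME) …
```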
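Review bot: Both `rd=` targets in `de.bsi.secvisogram.json` point at `http://localhost:9000`, which the README in PATCH 11/25 identifies as `CSAF_KEYCLOAK_PORT` (default 9000) rather than the address where Secvisogram is served, and `localhost:9000` is not in the proxy's `OAUTH2_PROXY_WHITELIST_DOMAINS: "localhost:4180,localhost:8080"` from the first patch. oauth2-proxy checks `rd` against that whitelist as its open-redirect protection, so the sign-in and sign-out redirects may be refused; verify this against the running stack. PATCH 15/25 later rewrites these URLs to `http://localhost`, and the whitelist should be kept in step with whichever host:port the redirect finally uses. The same file is added again in PATCH 06/25.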
From b5c75703b3bc87000a280fae574032000545ecf3 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:48:50 +0200 Subject: [PATCH 03/25] fix: dependencies of containers fixed --- compose.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/compose.yaml b/compose.yaml index d196faf8..e4b0f186 100644 --- a/compose.yaml +++ b/compose.yaml @@ -59,7 +59,7 @@ services: KEYCLOAK_ADMIN: ${CSAF_KEYCLOAK_ADMIN_USER} KEYCLOAK_ADMIN_PASSWORD: ${CSAF_KEYCLOAK_ADMIN_PASSWORD} depends_on: - - csaf-keycloak-db + - keycloak-db restart: on-failure ports: - "${CSAF_KEYCLOAK_PORT}:8080" @@ -82,6 +82,8 @@ services: IMPORT_FILES_LOCATIONS: "/config/csaf-realm.json" volumes: - ./keycloak:/config:z + depends_on: + - keycloak oauth2-proxy: image: bitnami/oauth2-proxy:7.4.0 @@ -128,6 +130,8 @@ services: extra_hosts: - "host.docker.internal:host-gateway" restart: on-failure + depends_on: + - keycloak networks: default: aliases: @@ -154,7 +158,7 @@ services: volumes: - "${PWD}/docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific" networks: - proxy-internal: + default: aliases: - "secvisogram.csaf.internal" From f0883eed37958840801b46355249eaf0079abd10 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:05:58 +0200 Subject: [PATCH 04/25] feat: add reverse proxy --- compose.yaml | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/compose.yaml b/compose.yaml index e4b0f186..7cf9a680 100644 --- a/compose.yaml +++ b/compose.yaml @@ -6,7 +6,7 @@ services: cms-couchdb: image: couchdb:3.3 hostname: couchdb.csaf.internal - container_name: cms-couchdb + #container_name: cms-couchdb restart: on-failure env_file: .env environment: 
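Review bot: The new `depends_on: - keycloak` entries for `keycloak-cli` and `oauth2-proxy` use the short form, which only orders container start and does not wait for Keycloak to be ready; the file's own comment `# Run this manually to import the default keycloak config since 'depends_on' is currently broken.` describes exactly that limitation, and `restart: on-failure` on oauth2-proxy is what currently papers over it. Since `KC_HEALTH_ENABLED: "true"` is already set, a `healthcheck` on the `keycloak` service plus the long form `depends_on: { keycloak: { condition: service_healthy } }` would make the ordering real. The Keycloak image appears to ship without curl or wget, so the probe would need another tool — verify what the image provides before writing it. The same hunks reappear in PATCH 07/25.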
@@ -24,7 +24,7 @@ services: keycloak-db: image: postgres:14 hostname: keycloak-db.csaf.internal - container_name: keycloak-db + #container_name: keycloak-db volumes: - csaf-keycloak-db-data:/var/lib/postgresql/data env_file: .env @@ -43,7 +43,7 @@ services: keycloak: image: quay.io/keycloak/keycloak:20.0 hostname: keycloak.csaf.internal - container_name: keycloak + #container_name: keycloak env_file: .env environment: # https://www.keycloak.org/server/all-config @@ -72,7 +72,7 @@ services: # Run this manually to import the default keycloak config since 'depends_on' is currently broken. keycloak-cli: image: adorsys/keycloak-config-cli:latest-20.0.1 - container_name: keycloak-cli + #container_name: keycloak-cli profiles: [ "run_manually" ] env_file: .env environment: @@ -88,7 +88,7 @@ services: oauth2-proxy: image: bitnami/oauth2-proxy:7.4.0 hostname: oauth2.csaf.internal - container_name: oauth2-proxy + #container_name: oauth2-proxy command: [""] env_file: .env environment: @@ -137,10 +137,10 @@ services: aliases: - "oauth2.csaf.internal" - validation-server: + validator: build: context: https://github.com/secvisogram/csaf-validator-service.git#main - container_name: validation-server + #container_name: validator hostname: validator.csaf.internal env_file: .env ports: @@ -161,7 +161,21 @@ services: default: aliases: - "secvisogram.csaf.internal" - + + reverse-proxy: + image: nginx:1.23-alpine + hostname: "reverseproxy.csaf.internal" + restart: on-failure + ports: + - "80:80" + volumes: + - "./docker/reverseproxy/nginx.conf:/etc/nginx/nginx.conf" + depends_on: + - secvisogram + - keycloak + - oauth2-proxy + - validator + volumes: csaf-couchdb-data: driver: local From 6c50cd21e586e88f3a9b32eb2bd06f4c121c47b5 Mon Sep 17 00:00:00 2001 
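Review bot: The new `reverse-proxy` service publishes `"80:80"`, i.e. on every host interface, while the stack behind it runs with `OAUTH2_PROXY_COOKIE_SECURE: "false"` and plain HTTP to Keycloak; for a development setup bind it to loopback, `- "127.0.0.1:80:80"`, so the login flow is not reachable from the LAN. The nginx config bind mount should be read-only, `- "./docker/reverseproxy/nginx.conf:/etc/nginx/nginx.conf:ro"`, since nothing in the container needs to write it. Commenting out the `container_name` lines rather than deleting them leaves dead configuration in the file; git history already keeps the old names. The same hunks reappear in PATCH 08/25.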
From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:36:19 +0200 Subject: [PATCH 05/25] chore: Rename container & add hostname --- compose.yaml | 59 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/compose.yaml b/compose.yaml index 1fb7af8f..1f640d12 100644 --- a/compose.yaml +++ b/compose.yaml @@ -3,9 +3,10 @@ ############################################################################### services: - csaf-couchdb: + cms-couchdb: image: couchdb:3.3 - container_name: csaf-couchdb + hostname: couchdb.csaf.internal + container_name: cms-couchdb restart: on-failure env_file: .env environment: @@ -15,10 +16,15 @@ services: - csaf-couchdb-data:/opt/couchdb/data ports: - "${CSAF_COUCHDB_PORT}:5984" + networks: + default: + aliases: + - "couchdb.csaf.internal" - csaf-keycloak-db: + keycloak-db: image: postgres:14 - container_name: csaf-keycloak-db + hostname: keycloak-db.csaf.internal + container_name: keycloak-db volumes: - csaf-keycloak-db-data:/var/lib/postgresql/data env_file: .env @@ -29,17 +35,22 @@ services: restart: on-failure ports: - "${CSAF_KEYCLOAK_DATABASE_PORT}:5432" + networks: + default: + aliases: + - "keycloak-db.csaf.internal" - csaf-keycloak: + keycloak: image: quay.io/keycloak/keycloak:20.0 - container_name: csaf-keycloak + hostname: keycloak.csaf.internal + container_name: keycloak env_file: .env environment: # https://www.keycloak.org/server/all-config KC_HEALTH_ENABLED: "true" KC_METRICS_ENABLED: "true" KC_DB: postgres - KC_DB_URL_HOST: csaf-keycloak-db + KC_DB_URL_HOST: keycloak-db.csaf.internal KC_DB_URL_PORT: 5432 KC_DB_URL_DATABASE: ${CSAF_KEYCLOAK_DATABASE_NAME} KC_DB_USERNAME: ${CSAF_KEYCLOAK_DATABASE_USER} 
@@ -53,31 +64,35 @@ services: ports: - "${CSAF_KEYCLOAK_PORT}:8080" command: ["start-dev"] # https://www.keycloak.org/server/configuration#_starting_keycloak_in_production_mode - + networks: + default: + aliases: + - "keycloak.csaf.internal" + # Run this manually to import the default keycloak config since 'depends_on' is currently broken. - csaf-keycloak-cli: + keycloak-cli: image: adorsys/keycloak-config-cli:latest-20.0.1 - container_name: csaf-keycloak-cli + container_name: keycloak-cli profiles: [ "run_manually" ] env_file: .env environment: - KEYCLOAK_URL: "http://csaf-keycloak:8080/" + KEYCLOAK_URL: "http://keycloak.csaf.internal:8080/" KEYCLOAK_USER: ${CSAF_KEYCLOAK_ADMIN_USER} KEYCLOAK_PASSWORD: ${CSAF_KEYCLOAK_ADMIN_PASSWORD} IMPORT_FILES_LOCATIONS: "/config/csaf-realm.json" volumes: - ./keycloak:/config:z - restart: on-failure - csaf-oauth2-proxy: + oauth2-proxy: image: bitnami/oauth2-proxy:7.4.0 - container_name: csaf-oauth2-proxy + hostname: oauth2.csaf.internal + container_name: oauth2-proxy command: [""] env_file: .env environment: # listening address and proxy target OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180" - OAUTH2_PROXY_UPSTREAMS: "http://host.docker.internal:${CSAF_VALIDATOR_PORT}/api/v1/validate,http://host.docker.internal:${CSAF_VALIDATOR_PORT}/api/v1/tests,http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/" + OAUTH2_PROXY_UPSTREAMS: "http://validator.csaf.internal:${CSAF_VALIDATOR_PORT}/api/v1/validate,http://validator.csaf.internal:${CSAF_VALIDATOR_PORT}/api/v1/tests,http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/" # Security related config OAUTH2_PROXY_COOKIE_SECURE: "false" 
@@ -91,7 +106,7 @@ services: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "CSAF OIDC Provider" # You need to set your keycloak "Frontend URL", in our case "http://localhost:9000/auth/" # If you don't want to use autodiscovery, you have to set all urls by hand (login-url, oidc-jwks-url, redeem-url, ...) - OAUTH2_PROXY_OIDC_ISSUER_URL: "http://csaf-keycloak:8080/realms/${CSAF_REALM}" + OAUTH2_PROXY_OIDC_ISSUER_URL: "http://keycloak.csaf.internal:8080/realms/${CSAF_REALM}" OAUTH2_PROXY_INSECURE_OIDC_SKIP_ISSUER_VERIFICATION: "true" OAUTH2_PROXY_WHITELIST_DOMAINS: "localhost:4180,localhost:8080" @@ -113,15 +128,23 @@ services: extra_hosts: - "host.docker.internal:host-gateway" restart: on-failure - + networks: + default: + aliases: + - "oauth2.csaf.internal" + csaf-validation-server: build: context: https://github.com/secvisogram/csaf-validator-service.git#main container_name: csaf-validation-server + hostname: validator.csaf.internal env_file: .env ports: - "$CSAF_VALIDATOR_PORT:8082" - + networks: + default: + aliases: + - "validator.csaf.internal" volumes: csaf-couchdb-data: From d87a4065d3882575e8ddfc4b0fcb77012ceee872 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:40:05 +0200 Subject: [PATCH 06/25] feat: add secvisogram container --- compose.yaml | 16 ++++++++++++++-- docker/secvisogram/Dockerfile | 19 +++++++++++++++++++ .../appspecific/de.bsi.secvisogram.json | 7 +++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 docker/secvisogram/Dockerfile create mode 100644 docker/secvisogram/appspecific/de.bsi.secvisogram.json diff --git a/compose.yaml b/compose.yaml index 1f640d12..d196faf8 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -133,10 +133,10 @@ services: aliases: - "oauth2.csaf.internal" - csaf-validation-server: + validation-server: build: context: https://github.com/secvisogram/csaf-validator-service.git#main - container_name: csaf-validation-server + container_name: validation-server hostname: validator.csaf.internal env_file: .env ports: @@ -146,6 +146,18 @@ services: aliases: - "validator.csaf.internal" + secvisogram: + build: + context: ./docker/secvisogram + dockerfile: Dockerfile + hostname: secvisogram.csaf.internal + volumes: + - "${PWD}/docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific" + networks: + proxy-internal: + aliases: + - "secvisogram.csaf.internal" + volumes: csaf-couchdb-data: driver: local diff --git a/docker/secvisogram/Dockerfile b/docker/secvisogram/Dockerfile new file mode 100644 index 00000000..4986e530 --- /dev/null +++ b/docker/secvisogram/Dockerfile @@ -0,0 +1,19 @@ +# Build Stage 1 +# This build created a staging docker image +# +FROM node:20-alpine AS build +WORKDIR /usr/src +RUN apk add git; \ + git clone https://github.com/secvisogram/secvisogram.git; \ + cd secvisogram; \ + npm ci; \ + npm run build + +# Build Stage 2 +# This build takes the production build from staging build +# + +FROM nginx:1.23-alpine +COPY --from=build /usr/src/secvisogram/app/dist /usr/share/nginx/html +EXPOSE 80 +VOLUME /usr/share/nginx/html/.well-known/appspecific/ \ No newline at end of file diff --git a/docker/secvisogram/appspecific/de.bsi.secvisogram.json b/docker/secvisogram/appspecific/de.bsi.secvisogram.json new file mode 100644 index 00000000..9cf4bddf --- /dev/null +++ b/docker/secvisogram/appspecific/de.bsi.secvisogram.json @@ -0,0 +1,7 @@ +{ + "loginAvailable": true, + "loginUrl": "/oauth2/sign_in?rd=http%3A%2F%2Flocalhost%3A9000", + "logoutUrl": "/oauth2/sign_out?rd=http%3A%2F%2Flocalhost%3A9000", + "userInfoUrl": "/oauth2/userinfo", + "validatorUrl": "/validate" +} \ No newline at end of file 
From 5d3c2bb3a00f0b6ba48b232ca421b56dc29950c8 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:48:50 +0200 Subject: [PATCH 07/25] fix: dependencies of containers fixed --- compose.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/compose.yaml b/compose.yaml index d196faf8..e4b0f186 100644 --- a/compose.yaml +++ b/compose.yaml @@ -59,7 +59,7 @@ services: KEYCLOAK_ADMIN: ${CSAF_KEYCLOAK_ADMIN_USER} KEYCLOAK_ADMIN_PASSWORD: ${CSAF_KEYCLOAK_ADMIN_PASSWORD} depends_on: - - csaf-keycloak-db + - keycloak-db restart: on-failure ports: - "${CSAF_KEYCLOAK_PORT}:8080" @@ -82,6 +82,8 @@ services: IMPORT_FILES_LOCATIONS: "/config/csaf-realm.json" volumes: - ./keycloak:/config:z + depends_on: + - keycloak oauth2-proxy: image: bitnami/oauth2-proxy:7.4.0 @@ -128,6 +130,8 @@ services: extra_hosts: - "host.docker.internal:host-gateway" restart: on-failure + depends_on: + - keycloak networks: default: aliases: @@ -154,7 +158,7 @@ services: volumes: - "${PWD}/docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific" networks: - proxy-internal: + default: aliases: - "secvisogram.csaf.internal" From cf5ec726234bf5c7e76b5dacb71243701a777ab0 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:05:58 +0200 Subject: [PATCH 08/25] feat: add reverse proxy --- compose.yaml | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/compose.yaml b/compose.yaml index e4b0f186..7cf9a680 100644 --- a/compose.yaml +++ b/compose.yaml @@ -6,7 +6,7 @@ services: cms-couchdb: image: couchdb:3.3 hostname: couchdb.csaf.internal - container_name: cms-couchdb + #container_name: cms-couchdb restart: on-failure env_file: .env environment: 
@@ -24,7 +24,7 @@ services: keycloak-db: image: postgres:14 hostname: keycloak-db.csaf.internal - container_name: keycloak-db + #container_name: keycloak-db volumes: - csaf-keycloak-db-data:/var/lib/postgresql/data env_file: .env @@ -43,7 +43,7 @@ services: keycloak: image: quay.io/keycloak/keycloak:20.0 hostname: keycloak.csaf.internal - container_name: keycloak + #container_name: keycloak env_file: .env environment: # https://www.keycloak.org/server/all-config @@ -72,7 +72,7 @@ services: # Run this manually to import the default keycloak config since 'depends_on' is currently broken. keycloak-cli: image: adorsys/keycloak-config-cli:latest-20.0.1 - container_name: keycloak-cli + #container_name: keycloak-cli profiles: [ "run_manually" ] env_file: .env environment: @@ -88,7 +88,7 @@ services: oauth2-proxy: image: bitnami/oauth2-proxy:7.4.0 hostname: oauth2.csaf.internal - container_name: oauth2-proxy + #container_name: oauth2-proxy command: [""] env_file: .env environment: @@ -137,10 +137,10 @@ services: aliases: - "oauth2.csaf.internal" - validation-server: + validator: build: context: https://github.com/secvisogram/csaf-validator-service.git#main - container_name: validation-server + #container_name: validator hostname: validator.csaf.internal env_file: .env ports: @@ -161,7 +161,21 @@ services: default: aliases: - "secvisogram.csaf.internal" - + + reverse-proxy: + image: nginx:1.23-alpine + hostname: "reverseproxy.csaf.internal" + restart: on-failure + ports: + - "80:80" + volumes: + - "./docker/reverseproxy/nginx.conf:/etc/nginx/nginx.conf" + depends_on: + - secvisogram + - keycloak + - oauth2-proxy + - validator + volumes: csaf-couchdb-data: driver: local From 00335b0d45f6eca4c85a0b7b7869efc5b16bf958 Mon Sep 17 00:00:00 2001 
From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:20:27 +0200 Subject: [PATCH 09/25] fix: make /about - response valid json --- .../bsi/secvisogram/csaf_cms_backend/rest/MainController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/de/bsi/secvisogram/csaf_cms_backend/rest/MainController.java b/src/main/java/de/bsi/secvisogram/csaf_cms_backend/rest/MainController.java index 9f6e098d..2dc71997 100644 --- a/src/main/java/de/bsi/secvisogram/csaf_cms_backend/rest/MainController.java +++ b/src/main/java/de/bsi/secvisogram/csaf_cms_backend/rest/MainController.java @@ -53,7 +53,7 @@ public class MainController { ) public String about() { LOG.info("about"); - return "{version:\"" + buildProperties.getVersion() + "\"}"; + return "{\"version\":\"" + buildProperties.getVersion() + "\"}"; } } From 16c8af55fda3502b81eb276a3253f0cd9a789d70 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Thu, 15 Aug 2024 14:21:07 +0200 Subject: [PATCH 10/25] feat: add reverse proxy --- compose.yaml | 2 +- docker/reverseproxy/nginx.conf | 62 ++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 docker/reverseproxy/nginx.conf diff --git a/compose.yaml b/compose.yaml index 7cf9a680..50fb7cc1 100644 --- a/compose.yaml +++ b/compose.yaml @@ -156,7 +156,7 @@ services: dockerfile: Dockerfile hostname: secvisogram.csaf.internal volumes: - - "${PWD}/docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific" + - "./docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific" networks: default: aliases: diff --git a/docker/reverseproxy/nginx.conf b/docker/reverseproxy/nginx.conf new file mode 100644 index 00000000..745f022d --- /dev/null +++ b/docker/reverseproxy/nginx.conf 
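Review bot: `about()` still assembles JSON by string concatenation, so the value of `buildProperties.getVersion()` is never escaped; a version string containing `"` or `\` would produce invalid JSON again, which is the class of bug this commit fixes. Spring Boot already carries Jackson for REST responses, so the method could return `Map.of("version", buildProperties.getVersion())` and let the message converter serialize it (return type `Map<String, String>`), or, if the `String` signature must stay, serialize through an `ObjectMapper` injected alongside `buildProperties`: `return objectMapper.writeValueAsString(Map.of("version", buildProperties.getVersion()));`. The annotation closed by the `)` at the top of the hunk starts outside it, so check that it declares `application/json` as the produced type.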
@@ -0,0 +1,62 @@
+worker_processes 1;
+
+events { worker_connections 1024; }
+
+http {
+ sendfile on;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+
+
+ #https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
+ proxy_buffer_size 16k; # should be enough for most PHP websites, or adjust as above
+ proxy_busy_buffers_size 24k; # essentially, proxy_buffer_size + 2 small buffers of 4k
+ proxy_buffers 64 4k; # should be enough for most PHP websites, adjust as above to get an accurate value
+
+ server {
+ listen 80;
+
+ location /realms {
+ proxy_pass http://keycloak.csaf.internal:8080/realms;
+ proxy_redirect off;
+ }
+
+ location /resources{
+ proxy_pass http://keycloak.csaf.internal:8080/resources;
+ proxy_redirect off;
+ }
+
+ location /validate/api/v1/tests {
+ proxy_pass http://validator.csaf.internal:8082/api/v1/tests;
+ proxy_redirect off;
+ }
+
+ location /validate/api/v1/validate {
+ proxy_pass http://validator.csaf.internal:8082/api/v1/validate;
+ proxy_redirect off;
+ }
+
+ location /api/ {
+ proxy_pass http://oauth2.csaf.internal:4180;
+ proxy_redirect off;
+ }
+
+ location /oauth2 {
+ proxy_pass http://oauth2.csaf.internal:4180/oauth2;
+ proxy_redirect off;
+ }
+
+ location /.well-known/appspecific/de.bsi.secvisogram.json {
+ proxy_pass http://secvisogram.csaf.internal/.well-known/appspecific/de.bsi.secvisogram.json;
+ proxy_redirect off;
+ }
+
+ location / {
+ proxy_pass http://secvisogram.csaf.internal/;
+ proxy_redirect off;
+ }
+ }
+}
\ No newline at end of file
From 06216990d0c420bd383f88589facf5ebd748b11c Mon Sep 17 00:00:00 2001
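Review bot: `location /validate/api/v1/tests` and `location /validate/api/v1/validate` proxy straight to `validator.csaf.internal:8082`, so the validator API is served on port 80 without the oauth2-proxy session check that the first patch's `OAUTH2_PROXY_UPSTREAMS` entries for those paths implied, and PATCH 14/25 then removes those entries altogether. If unauthenticated validation is intended for this stack, state that in a comment above the two locations; otherwise send them to `oauth2.csaf.internal:4180` the way `/api/` is. `proxy_set_header X-Forwarded-Host $server_name;` forwards the empty default server name, since no `server_name` directive is set, and no `X-Forwarded-Proto` is forwarded at all; use `proxy_set_header X-Forwarded-Host $host;` and add `proxy_set_header X-Forwarded-Proto $scheme;`, which the upstreams presumably use to build their redirect URLs. `location /resources{` also lacks the space before the brace that the other blocks have.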
From: mfd2007 <58845044+mfd2007@users.noreply.github.com>
Date: Thu, 15 Aug 2024 14:32:25 +0200
Subject: [PATCH 11/25] docs: Update readme start test environment
---
 README.md | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0db5454c..72ff1bb1 100644
--- a/README.md
+++ b/README.md
@@ -87,13 +87,53 @@ If you want different passwords, database names or ports you can change them in that file. Please note that the following setup is for development purposes only and should not be used in production. +```mermaid + C4Component + title Component diagram for CSAF CMS Backend + + Person(user,"User") + Container(reverseproxy, "Reverse-Proxy", "nginx") + + Container_Boundary(c4, "Internal") { + Container(secvisogram, "Secvisogram", "nginx + javascript", "Provides secvisogramm via their web browser.") + + Container_Boundary(c2, "Keycloak") { + Container(keycloak, "Keycloak", "keycloak") + ContainerDb(keycloak-db, "PostGreSQL", "Keycloak-Database") + } + + Container_Boundary(c3, "Oauth") { + Container(oauth, "OAuth2-Proxy", "Authentication for REST-API") + Container(validator, "CSAF validator service", "node") + + Container_Boundary(c1, "Backend") { + Container(backend, "CSAF-CMS-Backend", "Spring Boot") + ContainerDb(backend-db, "CouchDB", "CMS-Backend-Database") + } + } + } + + Rel(user, reverseproxy,"","HTTPS") + Rel(reverseproxy, secvisogram,"/") + Rel(reverseproxy, oauth,"/api/*") + Rel(reverseproxy, keycloak,"/realm/csaf/") + Rel(oauth, validator, "/api/v1/test") + Rel(oauth, validator, "/api/v1/validate") + Rel(oauth, backend, "/api/v1/advisories/*") + Rel(backend, backend-db,"") + Rel(backend, keycloak,"") + Rel(keycloak, keycloak-db,"") + + +``` + - run `docker compose up` - After Keycloak is up, open a second terminal window and run `docker compose up csaf-keycloak-cli` to import a realm with all the users and roles already set up. - To set up our CouchDB server open `http://127.0.0.1:5984/_utils/#/setup` and run the [Single Node Setup](https://docs.couchdb.org/en/stable/setup/single-node.html). This creates databases like **_users** and - stops CouchDB from spamming our logs + stops CouchDB from spamming our logs (Admin credentials from .env) - Open `http://localhost:9000/` and log in with the admin user. 
- The port is defined in .env - CSAF_KEYCLOAK_PORT, default 9000 - On the left side, navigate to "Clients" and select the Secvisogram client. From f2a0e5999ea4375095b835f0f963a2dc4f31bf52 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Fri, 16 Aug 2024 06:50:48 +0200 Subject: [PATCH 12/25] doc: add further information --- README.md | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 72ff1bb1..16b2da1b 100644 --- a/README.md +++ b/README.md 
@@ -132,16 +132,16 @@ only and should not be used in production. `docker compose up csaf-keycloak-cli` to import a realm with all the users and roles already set up. - To set up our CouchDB server open `http://127.0.0.1:5984/_utils/#/setup` - and run the [Single Node Setup](https://docs.couchdb.org/en/stable/setup/single-node.html). This creates databases like **_users** and - stops CouchDB from spamming our logs (Admin credentials from .env) + and run the [Single Node Setup](https://docs.couchdb.org/en/stable/setup/single-node.html). This creates databases like **_users** and stops CouchDB from spamming our logs (Admin credentials from .env) +- Create a database in CouchDB with the name specified in `CSAF_COUCHDB_DBNAME` - Open `http://localhost:9000/` and log in with the admin user. - The port is defined in .env - CSAF_KEYCLOAK_PORT, default 9000 + - Select `CSAF`-Realm - On the left side, navigate to "Clients" and select the Secvisogram client. - Select the **Credentials** tab and copy the Secret. This is our `CSAF_CLIENT_SECRET` environment variable. - [Generate a cookie secret](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#generating-a-cookie-secret) and paste it in `CSAF_COOKIE_SECRET`. -- Create a database in CouchDB with the name specified in `CSAF_COUCHDB_DBNAME` - restart compose - (required for exports) install [pandoc (tested with version 2.18)](https://pandoc.org/installing.html) as well as [weasyprint (tested with version 56.0)](https://weasyprint.org/) and make sure both are in 
@@ -149,10 +149,24 @@ only and should not be used in production. - (optional for exports) define the path to a company logo that should be used in the exports through the environment variable `CSAF_COMPANY_LOGO_PATH`. The path can either be relative to the project root or absolute. See .env.example file for an example. You should now be able to start the spring boot application, navigate to -`localhost:4180/api/v1/about`, log in with one of the users and get a +`http://localhost/api/v1/about`, log in with one of the users and get a response from the server. The port is defined in .env - CSAF_APP_EXTERNAL_PORT, default 4180 +You should now be able to access Secvisogram, navigate to `http://localhost/`. +There are the following default users: +|User |Password |Roles | +|----- |-------- |----- | +|registered |registered |**registered** | +|author |author |registered, editor, **author** | +|editor |editor |registered, **editor** | +|publisher |publisher |registered, editor, **publisher** | +|reviewer |reviewer |registered, **reviewer** | +|auditor |auditor |**auditor** | +|all |all |**auditor, reviewer, publisher, editor, author, registred** | +|none |none | | + + ### build and execute tests ./mvnw clean verify From 8c9a75d30c5d6f01047797d77fa868f48d6b34e4 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Fri, 16 Aug 2024 06:51:16 +0200 Subject: [PATCH 13/25] fix: remove volume definition --- docker/secvisogram/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/secvisogram/Dockerfile b/docker/secvisogram/Dockerfile index 4986e530..5ec08dc4 100644 --- a/docker/secvisogram/Dockerfile +++ b/docker/secvisogram/Dockerfile @@ -16,4 +16,3 @@ RUN apk add git; \ FROM nginx:1.23-alpine COPY --from=build /usr/src/secvisogram/app/dist /usr/share/nginx/html EXPOSE 80 -VOLUME /usr/share/nginx/html/.well-known/appspecific/ \ No newline at end of file From 4660e5e11427d32a8c626edd0c0c5fde88c47f91 Mon Sep 17 00:00:00 2001 
From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Fri, 16 Aug 2024 06:55:09 +0200 Subject: [PATCH 14/25] chore: remove unnecessary urls from oauth-proxy --- compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.yaml b/compose.yaml index 48405b40..c6291914 100644 --- a/compose.yaml +++ b/compose.yaml @@ -94,7 +94,7 @@ services: environment: # listening address and proxy target OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180" - OAUTH2_PROXY_UPSTREAMS: "http://validator.csaf.internal:${CSAF_VALIDATOR_PORT}/api/v1/validate,http://validator.csaf.internal:${CSAF_VALIDATOR_PORT}/api/v1/tests,http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/" + OAUTH2_PROXY_UPSTREAMS: "http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/" # Security related config OAUTH2_PROXY_COOKIE_SECURE: "false" From 466529ccc4b27fd18d41db68351c74e8f3377e5a Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Tue, 20 Aug 2024 12:55:45 +0200 Subject: [PATCH 15/25] fix: logout problems in combination of Proxy and keycloak --- README.md | 11 +++++++++++ .../secvisogram/appspecific/de.bsi.secvisogram.json | 4 ++-- keycloak/csaf-realm.json | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 16b2da1b..726bc6a1 100644 --- a/README.md +++ b/README.md 
@@ -166,6 +166,17 @@ There are the following default users: |all |all |**auditor, reviewer, publisher, editor, author, registred** | |none |none | | +### Login & Logout in combination with Secvisogram + +Some explantion on the logoutUrl configured in `.well-known/appspecific/de.bsi.secvisogram.json` for Secvisogram + +``` +"logoutUrl": "/oauth2/sign_out?rd=http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram", +``` + +`/oauth2/sign_out` is the logout URI from the OAUTH-Proxy. This will invalidate the session on the proxy. Then a redirect to Keycloak (`http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram`) is necessary to log out the session on keyloak. Then there is a redirect back to Secvisogram (`localhost`). + +When changes hostnames this has to adopted. ### build and execute tests diff --git a/docker/secvisogram/appspecific/de.bsi.secvisogram.json b/docker/secvisogram/appspecific/de.bsi.secvisogram.json index 9cf4bddf..27fc7cec 100644 --- a/docker/secvisogram/appspecific/de.bsi.secvisogram.json +++ b/docker/secvisogram/appspecific/de.bsi.secvisogram.json @@ -1,7 +1,7 @@ { "loginAvailable": true, - "loginUrl": "/oauth2/sign_in?rd=http%3A%2F%2Flocalhost%3A9000", - "logoutUrl": "/oauth2/sign_out?rd=http%3A%2F%2Flocalhost%3A9000", + "loginUrl": "/oauth2/sign_in?rd=http%3A%2F%2Flocalhost", + "logoutUrl": "/oauth2/sign_out?rd=http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram", "userInfoUrl": "/oauth2/userinfo", "validatorUrl": "/validate" } \ No newline at end of file diff --git a/keycloak/csaf-realm.json b/keycloak/csaf-realm.json index bc6a106a..cc3161ac 100644 --- a/keycloak/csaf-realm.json +++ b/keycloak/csaf-realm.json 
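Review bot: The new `logoutUrl` embeds the Keycloak logout URL in `rd=` without percent-encoding it, so the `&client_id=secvisogram` part is split off as a parameter of `/oauth2/sign_out` instead of reaching Keycloak, while the `loginUrl` on the line above does encode its `rd` value (`http%3A%2F%2Flocalhost`), leaving the two lines inconsistent. Encoding the whole redirect target once (the inner `post_logout_redirect_uri` value is then double-encoded) keeps `client_id` attached to the Keycloak request: `"logoutUrl": "/oauth2/sign_out?rd=http%3A%2F%2Flocalhost%2Frealms%2Fcsaf%2Fprotocol%2Fopenid-connect%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%253A%252F%252Flocalhost%26client_id%3Dsecvisogram"`. Whether oauth2-proxy accepts this `rd` target depends on its redirect allow-list configuration, which is outside this diff; when the `localhost` hostname changes, as the README section in this commit notes, this value and that configuration have to change together. The file also still ends without a trailing newline.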
@@ -42,7 +42,7 @@ "registrationAllowed": false, "verifyEmail": false, "attributes" : { - "frontendUrl": "http://localhost:9000/" + "frontendUrl": "http://localhost/" }, "roles": { "client": { From 87b6528977a8920d324f591681edd871d2775e2d Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Wed, 21 Aug 2024 10:14:52 +0200 Subject: [PATCH 16/25] Update README.md Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 726bc6a1..b647ad6f 100644 --- a/README.md +++ b/README.md @@ -174,8 +174,7 @@ Some explantion on the logoutUrl configured in `.well-known/appspecific/de.bsi.s "logoutUrl": "/oauth2/sign_out?rd=http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram", ``` -`/oauth2/sign_out` is the logout URI from the OAUTH-Proxy. This will invalidate the session on the proxy. Then a redirect to Keycloak (`http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram`) is necessary to log out the session on keyloak. Then there is a redirect back to Secvisogram (`localhost`). - +`/oauth2/sign_out` is the logout URI from the OAUTH-Proxy. This will invalidate the session on the proxy. Then, a redirect to Keycloak (`http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram`) is necessary to log out from the session on Keyloak. Subsequently, there is a redirect back to Secvisogram (`localhost`). When changes hostnames this has to adopted. ### build and execute tests From 40c9e613cc82bb29977016560ce924bd0611c2a2 Mon Sep 17 00:00:00 2001 
From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Wed, 21 Aug 2024 10:15:04 +0200 Subject: [PATCH 17/25] Update README.md Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b647ad6f..46d7c4a0 100644 --- a/README.md +++ b/README.md @@ -175,7 +175,7 @@ Some explantion on the logoutUrl configured in `.well-known/appspecific/de.bsi.s ``` `/oauth2/sign_out` is the logout URI from the OAUTH-Proxy. This will invalidate the session on the proxy. Then, a redirect to Keycloak (`http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram`) is necessary to log out from the session on Keyloak. Subsequently, there is a redirect back to Secvisogram (`localhost`). -When changes hostnames this has to adopted. +When hostnames are changed, this has to adapted. ### build and execute tests From f2017a17a361bd5228347998345bc6a611bfcad5 Mon Sep 17 00:00:00 2001 From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Wed, 21 Aug 2024 11:34:19 +0200 Subject: [PATCH 18/25] docs: Clarification --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 726bc6a1..557d4579 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,6 @@ only and should not be used in production. You should now be able to start the spring boot application, navigate to `http://localhost/api/v1/about`, log in with one of the users and get a response from the server. -The port is defined in .env - CSAF_APP_EXTERNAL_PORT, default 4180 You should now be able to access Secvisogram, navigate to `http://localhost/`. There are the following default users: From c6a2eecc325b6861d286aa5bfd1720876f1302a3 Mon Sep 17 00:00:00 2001 
From: mfd2007 <58845044+mfd2007@users.noreply.github.com> Date: Wed, 21 Aug 2024 11:49:37 +0200 Subject: [PATCH 19/25] chore: Migrate mustache templates and scripts from secvisogram. --- .../csaf_cms_backend/mustache/Script.mjs | 46 +++++++++++-------- .../csaf_cms_backend/mustache/Template.html | 20 ++++---- 2 files changed, 37 insertions(+), 29 deletions(-) diff --git a/src/main/resources/de/bsi/secvisogram/csaf_cms_backend/mustache/Script.mjs b/src/main/resources/de/bsi/secvisogram/csaf_cms_backend/mustache/Script.mjs index 7bbb753e..52dcb464 100644 --- a/src/main/resources/de/bsi/secvisogram/csaf_cms_backend/mustache/Script.mjs +++ b/src/main/resources/de/bsi/secvisogram/csaf_cms_backend/mustache/Script.mjs @@ -18,7 +18,7 @@ const PRODUCT_STATUS_ROW = ` const REMEDIATION = `
{{details}}
+{{{details}}}
{{#product_ids.length}}{{#url}}{{> url }}{{/url}}
{{#entitlements}} -{{.}}
+{{{.}}}
{{/entitlements}} {{#restart_required}} Restart required: {{category}} -{{details}}
+{{{details}}}
{{/restart_required}}` const THREAT = `{{details}}
+{{{details}}}
{{#product_ids.length}}{{text}}
{{/text}}` +{{#text}}{{{text}}}
{{/text}}` const DOCUMENT_NOTE = ` {{#title}}{{text}}
{{/text}}` +{{#text}}{{{text}}}
{{/text}}` const ACKNOWLEDGEMENT = ` {{#.}} -Namespace: {{namespace}}
{{contact_details}}
-{{issuing_authority}}
+{{{issuing_authority}}}
{{/document.publisher}} {{#document.references.length}} @@ -390,7 +392,7 @@
{{#tlp}}
{{#label}}TLP:{{.}}{{/label}}
- For the TLP version see: {{#url}}{{.}}{{/url}}{{^url}}https://www.first.org/tlp/{{/url}}
+ For the TLP version see: {{#url}}{{.}}{{/url}}{{^url}}https://www.first.org/tlp/{{/url}}
{{/tlp}}
{{text}}
+{{{text}}}
{{/document.distribution}} {{#document.notes_legal_disclaimer}} @@ -413,4 +415,4 @@
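Review bot: The added `{{{text}}}` line after the TLP block replaces a double-mustache `{{text}}`, which turns off Mustache's HTML escaping for a value taken from the CSAF document, so any markup in that field is emitted verbatim into the exported HTML; the same switch to triple braces is made for `details`, the entitlement items (`{{{.}}}`), `{{#text}}{{{text}}}` and `issuing_authority` in the earlier Script.mjs hunks of this patch. If these fields are expected to arrive as already-sanitized HTML from the backend, that contract should be stated once above the template definitions, e.g. `// Triple-mustache fields are pre-sanitized HTML from the backend; all other document fields stay HTML-escaped`; if they are plain text or Markdown, keeping the double-mustache form or sanitizing before rendering is the safer choice for an export that other people open in a browser. The hunk boundaries in this part of the diff are not fully recoverable from the rendering, and the template literals being edited begin and end outside the visible hunk.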