Dependency-Track: new software

cc594e0f · Jérome Perrin · 191036b8 · cc594e0f · cc594e0f · cc594e0f
Commit cc594e0f authored Jun 28, 2024 by Jérome Perrin
11 changed files
--- a/software/dependency-track/README.md
+++ b/software/dependency-track/README.md
+# OWASP Dependency Track
+
+https://dependencytrack.org/
+
+Can be used to ingest SBOM of slapos software release produced with [nxdbom](https://lab.nexedi.com/nexedi/nxd-bom)
--- a/software/dependency-track/buildout.hash.cfg
+++ b/software/dependency-track/buildout.hash.cfg
+[instance-profile]
+filename = instance.cfg.in
+md5sum = 5545f52ea36d5116523c5569999915ae
--- a/software/dependency-track/instance-dependency-track-input-schema.json
+++ b/software/dependency-track/instance-dependency-track-input-schema.json
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {}
+}
--- a/software/dependency-track/instance-dependency-track-output-schema.json
+++ b/software/dependency-track/instance-dependency-track-output-schema.json
+{
+  "$schema": "https://json-schema.org/draft-04/schema#",
+  "type": "object",
+  "properties": {
+    "url": {
+      "title": "URL",
+      "description": "URL to access Dependency-Track.",
+      "type": "string",
+      "format": "uri"
+    }
+  }
+}
--- a/software/dependency-track/instance.cfg.in
+++ b/software/dependency-track/instance.cfg.in
+[buildout]
+parts =
+  publish-connection-parameter
+
+extends = ${monitor2-template:output}
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+offline = true
+
+
+[dependency-track-instance]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:service}/$${:_buildout_section_name_}
+command-line =
+  ${java:location}/bin/java
+  -jar ${dependency-track-bundled.jar:location}/dependency-track-bundled.jar
+  -host $${:ip}
+  -port $${:port}
+environment =
+  ALPINE_DATABASE_MODE=external
+  ALPINE_DATABASE_URL=jdbc:postgresql://$${postgresql:ipv4}:$${postgresql:port}/$${postgresql:dbname}
+  ALPINE_DATABASE_DRIVER=org.postgresql.Driver
+  ALPINE_DATABASE_USERNAME=$${postgresql:superuser}
+  ALPINE_DATABASE_PASSWORD=$${postgresql:password}
+  HOME=$${directory:srv-dependency-track}
+hash-existing-files =
+  $${buildout:directory}/software_release/buildout.cfg
+
+ip = $${instance-parameter:ipv4-random}
+port = 18080
+promises =
+  $${dependency-track-promise:name}
+
+[dependency-track-frontend-certificate]
+recipe = plone.recipe.command
+command =
+  if [ ! -e $${:cert-file} ]
+  then
+    ${openssl-output:openssl} req -x509 -nodes -sha256 -days 3650 \
+      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
+      -newkey rsa -keyout $${:cert-file} \
+      -out $${:cert-file}
+  fi
+update-command = $${:command}
+cert-file = $${directory:var}/$${:_buildout_section_name_}.pem
+common-name = $${dependency-track-frontend-config:ip}
+location =
+  $${:cert-file}
+
+[dependency-track-frontend-config]
+recipe = slapos.recipe.template:jinja2
+url = ${stack-haproxy-default-backend-config:target}
+output = $${directory:etc}/$${:_buildout_section_name_}
+context =
+  key pidfile :pidfile
+  key content :content
+content =
+  listen app
+  log global
+  bind $${:ip}:$${:port} ssl crt $${dependency-track-frontend-certificate:cert-file} alpn h2,http/1.1
+  server app $${dependency-track-instance:ip}:$${dependency-track-instance:port}
+
+pidfile = $${directory:run}/$${:_buildout_section_name_}.pid
+ip = $${instance-parameter:ipv6-random}
+port = 8443
+
+[dependency-track-frontend]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:services}/$${:_buildout_section_name_}
+command-line =
+  ${haproxy:location}/sbin/haproxy -f $${dependency-track-frontend-config:output}
+
+url = https://[$${dependency-track-frontend-config:ip}]:$${dependency-track-frontend-config:port}
+
+[dependency-track-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = $${:_buildout_section_name_}.py
+config-url= $${dependency-track-frontend:url}/
+
+[postgresql-password]
+recipe = slapos.cookbook:generate.password
+
+[postgresql]
+recipe = slapos.cookbook:postgres
+bin = ${postgresql:location}/bin
+services = $${directory:service}
+dbname  = dependency-track_db
+superuser = dependency-track-psql
+password = $${postgresql-password:passwd}
+pgdata-directory = $${directory:srv}/postgresql
+
+ipv4 = $${instance-parameter:ipv4-random}
+# disable listening on ipv6
+ipv6 =
+port = 5432
+
+promises = $${postgresql-promise:name}
+
+
+[postgresql-psql]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:bin}/$${:_buildout_section_name_}
+command-line =
+    $${postgresql:bin}/psql
+        -h $${postgresql:pgdata-directory}
+        -U $${postgresql:superuser}
+        -d $${postgresql:dbname}
+
+[postgresql-promise]
+<= monitor-promise-base
+promise = check_command_execute
+name = promise-postgresql.py
+config-command = $${postgresql-psql:wrapper-path} -c '\q'
+
+[postgresql-backup-crontab-entry]
+recipe = slapos.cookbook:cron.d
+name = $${:_buildout_section_name_}
+cron-entries = $${cron:cron-entries}
+time = daily
+command = $${postgresql-backup:wrapper-path}
+
+[postgresql-backup]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:bin}/$${:_buildout_section_name_}
+# XXX there's a recipe for backup in slapos cookbook, but it does not create
+# the backup file in an atomic way, which is not acceptable here, because we
+# don't want to risk pulling a partial file. To prevent this, we create a
+# temp file and move it when finished.
+command-line =
+    sh -c "$${postgresql:bin}/pg_dump \
+      -h $${postgresql:pgdata-directory} \
+      -U $${postgresql:superuser} \
+      --format=custom \
+      -f $${:backup-file}.tmp \
+      $${postgresql:dbname} \
+    && mv $${:backup-file}.tmp $${:backup-file}"
+backup-file = $${directory:srv-backup}/backup.pg_dump
+
+[postgresql-restore-backup]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:bin}/$${:_buildout_section_name_}
+command-line =
+  sh -e -c "\
+    echo 'This will replace current database with latest backup. Hit Ctrl+C to cancel';
+    sleep 10;
+    $${postgresql:bin}/dropdb \
+        -h $${postgresql:pgdata-directory} \
+        -U $${postgresql:superuser} \
+        --if-exists \
+        $${postgresql:dbname};
+    $${postgresql:bin}/createdb \
+        -h $${postgresql:pgdata-directory} \
+        -U $${postgresql:superuser} \
+        $${postgresql:dbname};
+    $${postgresql:bin}/pg_restore \
+        --exit-on-error \
+        -h $${postgresql:pgdata-directory} \
+        -U $${postgresql:superuser} \
+        -d $${postgresql:dbname} \
+        $${postgresql-backup:backup-file}"
+
+[cron]
+recipe = slapos.cookbook:cron
+dcrond-binary = ${dcron-output:crond}
+cron-entries = $${directory:etc-cron.d}
+crontabs = $${directory:var-crontabs}
+cronstamps = $${directory:var-cronstamps}
+catcher = $${cron-simplelogger:wrapper}
+binary = $${directory:bin}/crond
+
+[cron-service]
+recipe = slapos.cookbook:wrapper
+command-line = $${cron:binary}
+wrapper-path = $${directory:services}/crond
+hash-existing-files = $${buildout:directory}/software_release/buildout.cfg
+
+[cron-simplelogger]
+recipe = slapos.cookbook:simplelogger
+wrapper = $${directory:bin}/cron_simplelogger
+log = $${directory:log}/cron.log
+
+
+[rapidcdn-frontend]
+<= slap-connection
+recipe = slapos.cookbook:requestoptional
+name = Dependency Track Frontend
+# XXX We have hardcoded SR URL here.
+software-url = http://git.erp5.org/gitweb/slapos.git/blob_plain/HEAD:/software/apache-frontend/software.cfg
+shared = true
+config-url = $${dependency-track-frontend:url}
+return = domain secure_access
+
+[rapidcdn-frontend-available-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = $${:_buildout_section_name_}.py
+config-url = $${rapidcdn-frontend:connection-secure_access}
+
+[instance-parameter]
+recipe = slapos.cookbook:slapconfiguration
+computer = $${slap-connection:computer-id}
+partition = $${slap-connection:partition-id}
+url = $${slap-connection:server-url}
+key = $${slap-connection:key-file}
+cert = $${slap-connection:cert-file}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+etc = $${buildout:directory}/etc
+etc-cron.d = $${:etc}/cron.d
+var = $${buildout:directory}/var
+var-crontabs = $${:var}/crontabs
+var-cronstamps = $${:var}/cronstamps
+var-cron-entries = $${:var}/cron-entries
+srv = $${buildout:directory}/srv
+bin = $${buildout:directory}/bin
+tmp = $${buildout:directory}/tmp
+run = $${buildout:directory}/run
+service = $${:etc}/service
+srv-dependency-track = $${:srv}/dependency-track
+srv-backup = $${:srv}/backup
+
+[publish-connection-parameter]
+recipe = slapos.cookbook:publish
+url = $${rapidcdn-frontend-available-promise:config-url}
+backup-crontab = $${postgresql-backup-crontab-entry:name}
+restore-backup-script = $${postgresql-restore-backup:wrapper-path}
--- a/software/dependency-track/software.cfg
+++ b/software/dependency-track/software.cfg
+[buildout]
+extends =
+    ../../component/defaults.cfg
+    ../../component/java/buildout.cfg
+    ../../component/postgresql/buildout.cfg
+    ../../component/dcron/buildout.cfg
+    ../../stack/haproxy/default-backend.cfg
+    ../../stack/slapos.cfg
+    buildout.hash.cfg
+    ../../stack/monitor/buildout.cfg
+
+parts =
+  slapos-cookbook
+  instance-profile
+
+[java]
+<= java-re-temurin-21
+
+[dependency-track-bundled.jar]
+recipe = slapos.recipe.build:download
+url = https://github.com/DependencyTrack/dependency-track/releases/download/4.11.4/dependency-track-bundled.jar
+md5sum = a1c5e8f216a999b6d497b133c93588a6
+
+[instance-profile]
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/${:filename}
+output = ${buildout:directory}/instance.cfg
--- a/software/dependency-track/software.cfg.json
+++ b/software/dependency-track/software.cfg.json
+{
+  "name": "Dependency-Track",
+  "description": "Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.",
+  "serialisation": "xml",
+  "software-type": {
+    "default": {
+      "title": "Default",
+      "software-type": "default",
+      "description": "Default",
+      "request": "instance-dependency-track-input-schema.json",
+      "response": "instance-dependency-track-output-schema.json",
+      "index": 1
+    }
+  }
+}
--- a/software/dependency-track/test/README.md
+++ b/software/dependency-track/test/README.md
+Tests for DependencyTrack software release
--- a/software/dependency-track/test/setup.py
+++ b/software/dependency-track/test/setup.py
+##############################################################################
+#
+# Copyright (c) 2024 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+from setuptools import setup, find_packages
+
+version = '0.0.1.dev0'
+name = 'slapos.test.dependencytrack'
+with open("README.md") as f:
+  long_description = f.read()
+
+setup(name=name,
+      version=version,
+      description="Test for SlapOS' dependencytrack",
+      long_description=long_description,
+      long_description_content_type='text/markdown',
+      maintainer="Nexedi",
+      maintainer_email="info@nexedi.com",
+      url="https://lab.nexedi.com/nexedi/slapos",
+      packages=find_packages(),
+      install_requires=[
+        'slapos.core',
+        'slapos.cookbook',
+        'slapos.libnetworkcache',
+        'supervisor',
+        'requests'
+        ],
+      zip_safe=True,
+      test_suite='test',
+    )
--- a/software/dependency-track/test/test.py
+++ b/software/dependency-track/test/test.py
+##############################################################################
+#
+# Copyright (c) 2024 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+import os
+import requests
+
+from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
+
+
+setUpModule, InstanceTestCase = makeModuleSetUpAndTestCaseClass(
+    os.path.abspath(
+        os.path.join(os.path.dirname(__file__), '..', 'software.cfg')))
+
+
+class TestDependencyTrack(InstanceTestCase):
+  __partition_reference__ = 'DT'  # postgresql use a socket in data dir
+
+  def test(self):
+    url = self.computer_partition.getConnectionParameterDict()['url']
+    resp = requests.get(url, verify=False)
+    self.assertTrue(resp.text)
+    self.assertTrue(resp.ok)
--- a/software/slapos-sr-testing/software.cfg
+++ b/software/slapos-sr-testing/software.cfg
@@ -47,6 +47,11 @@ setup = ${slapos-repository:location}/software/backupserver/test/
 egg = slapos.test.dufs
 setup = ${slapos-repository:location}/software/dufs/test/

+[slapos.test.dependency-track-setup]
+<= setup-develop-egg
+egg = slapos.test.dependencytrack
+setup = ${slapos-repository:location}/software/dependency-track/test/
+
 [slapos.test.erp5-setup]
 <= setup-develop-egg
 egg = slapos.test.erp5
@@ -355,6 +360,7 @@ eggs +=
  ${slapos.test.caucase-setup:egg}
  ${slapos.test.cloudooo-setup:egg}
  ${slapos.test.dream-setup:egg}
+  ${slapos.test.dependency-track-setup:egg}
  ${slapos.test.dufs-setup:egg}
  ${slapos.test.erp5-setup:egg}
  ${slapos.test.erp5testnode-setup:egg}
@@ -446,6 +452,7 @@ tests =
  caucase ${slapos.test.caucase-setup:setup}
  cloudooo ${slapos.test.cloudooo-setup:setup}
  dream ${slapos.test.dream-setup:setup}
+  dependency-track ${slapos.test.dependency-track-setup:setup}
  dufs ${slapos.test.dufs-setup:setup}
  erp5 ${slapos.test.erp5-setup:setup}
  erp5-py3 ${slapos.test.erp5-setup:setup}