Security improvements (#6890)

* Set write permissions at job level * publish scorecard results * Update scorecard.yml * Update scorecard.yml * Create .sonarcloud.properties * Delete .deepsource.toml * replace badge * pin requests, pyyaml, jc * pin yarn version * pin uv * reduce settings * set test path
2024-08-30 18:33:04 +00:00 · 2024-04-02 07:35:01 +01:00 · 2024-04-02 07:35:01 +01:00 · 4db61df8cd
commit 4db61df8cd
parent 364a9d4fc1
10 changed files with 27 additions and 47 deletions
--- a/.deepsource.toml
+++ b/.deepsource.toml
@ -1,33 +0,0 @@
-version = 1
-exclude_patterns = [
-  "docs/docs/javascripts/**",      # Docs: Helpers
-  "docs/ci/**",                    # Docs: CI
-  "InvenTree/InvenTree/static/**", # Backend: CUI static files
-  "ci/**",                         # Backend: CI
-  "InvenTree/**/migrations/*.py",  # Backend: Migration files
-  "src/frontend/src/locales/**",   # Frontend: Translations
-]
-test_patterns = ["**/test_*.py", "**/test.py", "**/tests.py"]
-
-
-[[analyzers]]
-name = "shell"
-
-[[analyzers]]
-name = "javascript"
-
-[analyzers.meta]
-plugins = ["react"]
-
-[[analyzers]]
-name = "python"
-
-[analyzers.meta]
-runtime_version = "3.x.x"
-
-[[analyzers]]
-name = "docker"
-
-[[analyzers]]
-name = "test-coverage"
-enabled = false
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -76,8 +76,8 @@ jobs:
          python-version: ${{ env.python_version }}
      - name: Version Check
        run: |
-          pip install requests
-          pip install pyyaml
+          pip install requests==2.31.0
+          pip install pyyaml==6.0.1
          python3 ci/version_check.py
          echo "git_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
          echo "git_commit_date=$(git show -s --format=%ci)" >> $GITHUB_ENV
--- a/.github/workflows/qc_checks.yaml
+++ b/.github/workflows/qc_checks.yaml
@ -92,7 +92,7 @@ jobs:
        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # pin@v3.0.1
      - name: Check Version
        run: |
-          pip install requests
+          pip install requests==2.31.0
          python3 ci/version_check.py

  mkdocs:
@ -110,7 +110,7 @@ jobs:
          python-version: ${{ env.python_version }}
      - name: Check Config
        run: |
-          pip install pyyaml
+          pip install pyyaml==6.0.1
          pip install -r docs/requirements.txt
          python docs/ci/check_mkdocs_config.py
      - name: Check Links
@ -156,7 +156,7 @@ jobs:
      - name: Download public schema
        if: needs.paths-filter.outputs.api == 'false'
        run: |
-          pip install requests >/dev/null 2>&1
+          pip install requests==2.31.0 >/dev/null 2>&1
          version="$(python3 ci/version_check.py only_version 2>&1)"
          echo "Version: $version"
          url="https://raw.githubusercontent.com/inventree/schema/main/export/${version}/api.yaml"
@ -175,7 +175,7 @@ jobs:
        id: version
        if: github.ref == 'refs/heads/master' && needs.paths-filter.outputs.api == 'true'
        run: |
-          pip install requests >/dev/null 2>&1
+          pip install requests==2.31.0 >/dev/null 2>&1
          version="$(python3 ci/version_check.py only_version 2>&1)"
          echo "Version: $version"
          echo "version=$version" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -19,7 +19,7 @@ jobs:
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
      - name: Version Check
        run: |
-          pip install requests
+          pip install requests==2.31.0
          python3 ci/version_check.py
      - name: Push to Stable Branch
        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # pin@v0.8.0
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -54,7 +54,7 @@ jobs:
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
-          publish_results: false
+          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@ -10,12 +10,14 @@ env:
  node_version: 18

 permissions:
-  contents: write
+  contents: read

 jobs:
  build:

    runs-on: ubuntu-latest
+    permissions:
+      contents: write

    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.sonarcloud.properties
+++ b/.sonarcloud.properties
@ -0,0 +1,11 @@
+# Path to sources
+sonar.sources=InvenTree,src,docs
+
+# Path to tests
+sonar.tests=**/test*.py
+#sonar.test.exclusions=
+#sonar.test.inclusions=
+
+# Source encoding
+sonar.sourceEncoding=UTF-8
+sonar.python.version=3.9
--- a/6
+++ b/6
@ -102,7 +102,7 @@ RUN ./install_build_packages.sh --no-cache --virtual .build-deps && \
 # Frontend builder image:
 FROM prebuild AS frontend

-RUN apk add --no-cache --update nodejs npm && npm install -g yarn
+RUN apk add --no-cache --update nodejs npm && npm install -g yarn@v1.22.22
 RUN yarn config set network-timeout 600000 -g
 COPY InvenTree ${INVENTREE_HOME}/InvenTree
 COPY src ${INVENTREE_HOME}/src
@ -139,11 +139,11 @@ EXPOSE 5173
 # Install packages required for building python packages
 RUN ./install_build_packages.sh

-RUN pip install uv --no-cache-dir && pip install -r base_requirements.txt --no-cache
+RUN pip install uv==0.1.26 --no-cache-dir && pip install -r base_requirements.txt --no-cache

 # Install nodejs / npm / yarn

-RUN apk add --no-cache --update nodejs npm && npm install -g yarn
+RUN apk add --no-cache --update nodejs npm && npm install -g yarn@v1.22.22
 RUN yarn config set network-timeout 600000 -g

 # The development image requires the source code to be mounted to /home/inventree/
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@
 [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7179/badge)](https://bestpractices.coreinfrastructure.org/projects/7179)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/inventree/InvenTree/badge)](https://securityscorecards.dev/viewer/?uri=github.com/inventree/InvenTree)
 [![Netlify Status](https://api.netlify.com/api/v1/badges/9bbb2101-0a4d-41e7-ad56-b63fb6053094/deploy-status)](https://app.netlify.com/sites/inventree/deploys)
-[![DeepSource](https://app.deepsource.com/gh/inventree/InvenTree.svg/?label=active+issues&show_trend=false&token=trZWqixKLk2t-RXtpSIAslVJ)](https://app.deepsource.com/gh/inventree/InvenTree/)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=inventree_InvenTree&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=inventree_InvenTree)

 [![Coveralls](https://img.shields.io/coveralls/github/inventree/InvenTree)](https://coveralls.io/github/inventree/InvenTree)
 [![Crowdin](https://badges.crowdin.net/inventree/localized.svg)](https://crowdin.com/project/inventree)
--- a/contrib/packager.io/functions.sh
+++ b/contrib/packager.io/functions.sh
@ -90,7 +90,7 @@ function detect_envs() {
    echo "# Using existing config file: ${INVENTREE_CONFIG_FILE}"

    # Install parser
-    pip install jc -q
+    pip install jc==1.25.2 -q

    # Load config
    local CONF=$(cat ${INVENTREE_CONFIG_FILE} | jc --yaml)