From d6106b967041b0d21fa9b848956ce958df3bab26 Mon Sep 17 00:00:00 2001
From: Marin Esnault
Date: Wed, 11 Nov 2020 12:48:39 +0100
Subject: [PATCH 1/7] add configuration of the postgreSQL username in environment variables

---
 docker/database.yml | 2 +-
 setup/env.example | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/docker/database.yml b/docker/database.yml
index b5a319899..fac41783d 100644
--- a/docker/database.yml
+++ b/docker/database.yml
@@ -5,7 +5,7 @@ default: &default
   adapter: postgresql
   encoding: unicode
   pool: 25
-  username: postgres
+  username: <%= ENV["POSTGRES_USERNAME"] %>
   password: <%= ENV["POSTGRES_PASSWORD"] %>
   host: <%= ENV["POSTGRES_HOST"] %>

diff --git a/setup/env.example b/setup/env.example
index bf6195e53..5c16d57e1 100644
--- a/setup/env.example
+++ b/setup/env.example
@@ -1,4 +1,5 @@
 POSTGRES_HOST=postgres
+POSTGRES_USERNAME=postgres
 REDIS_HOST=redis
 ELASTICSEARCH_HOST=elasticsearch

From 943580949069915b50b180536df024ae896517f7 Mon Sep 17 00:00:00 2001
From: Marin Esnault
Date: Tue, 24 Nov 2020 12:31:36 +0100
Subject: [PATCH 2/7] Update CHANGELOG.md

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 30a73a448..1d2919752 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 # Changelog Fab-manager
-
+- Add configuration of the postgreSQL username in environment variables
 - Fix a bug: unable to build homepage custom stylesheet
 ## v4.6.3 2020 October 28

From 5486c6fa6628180181892c587633a52035572e61 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 25 Nov 2020 09:35:22 +0100
Subject: [PATCH 3/7] updated documentation about POSTGRES_USERNAME

---
 doc/environment.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/environment.md b/doc/environment.md
index f11250f34..8cd8b8895 100644
--- a/doc/environment.md
+++ b/doc/environment.md
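Review bot: In the docker/database.yml hunk, `username: <%= ENV["POSTGRES_USERNAME"] %>` renders as an empty value when the variable is not set, which YAML reads as null, so a deployment that has not yet added POSTGRES_USERNAME silently loses the previous `postgres` default instead of getting it back; the changelog's own [TODO DEPLOY] entry shows this is expected to bite existing installs. A fallback keeps the old behaviour for them while still allowing an override: `username: <%= ENV.fetch("POSTGRES_USERNAME", "postgres") %>`. The neighbouring password and host lines have the same shape but are unchanged here; whether an empty value is acceptable there is a separate question. The `default:` anchor this hunk belongs to starts above the hunk.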
@@ -26,11 +26,11 @@ If you run the application in production with docker, the settings are localized
 DNS name or IP address of the server hosting the PostgreSQL database of the application (see [PostgreSQL](../README.md#postgresql)). This value is only used when deploying in production, otherwise this is configured in [config/database.yml](../config/database.yml.default). When using docker-compose, you should provide the name of the service in your [docker-compose.yml](../docker/docker-compose.yml) file (`postgres` by default).
-
+
-    POSTGRES_PASSWORD
+    POSTGRES_USERNAME, POSTGRES_PASSWORD
-Password for the PostgreSQL user, as specified in `database.yml` (default: `postgres`).
+Username and password for the connection to the PostgreSQL database.
 This value is only used when deploying in production, otherwise this is configured in [config/database.yml](../config/database.yml.default). When using docker-compose, the default configuration (with `postgres` user) does not uses any password as it is confined in the docker container.

From 450972c46984d41e367d8ca44596d950601d88f9 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 25 Nov 2020 09:38:27 +0100
Subject: [PATCH 4/7] updated changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1d2919752..faa78492a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog Fab-manager
+
+## Next release
+
 - Add configuration of the postgreSQL username in environment variables
 - Fix a bug: unable to build homepage custom stylesheet
+- [TODO DEPLOY] add `POSTGRES_USERNAME=postgres` to the environment variables (see [doc/environment.md](doc/environment.md#POSTGRES_USERNAME) for configuration details)
 ## v4.6.3 2020 October 28

From e79514c947417148d49b97063d217265032ae56a Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 25 Nov 2020 10:39:51 +0100
Subject: [PATCH 5/7] Setup Brakeman security scanner

---
 .github/workflows/brakeman-analysis.yml | 44 +++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/brakeman-analysis.yml

diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
new file mode 100644
index 000000000..113c533cb
--- /dev/null
+++ b/.github/workflows/brakeman-analysis.yml
@@ -0,0 +1,44 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [ dev ]
+  pull_request:
+    branches: [ dev ]
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Customize the ruby version depending on your needs
+      - name: Setup Ruby
+        uses: actions/setup-ruby@v1
+        with:
+          ruby-version: '2.6.5'
+
+      - name: Setup Brakeman
+        env:
+          BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+        run: |
+          gem install brakeman --version $BRAKEMAN_VERSION
+
+      # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+      - name: Scan
+        continue-on-error: true
+        run: |
+          brakeman -f sarif -o output.sarif.json .
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: output.sarif.json

From f71fe8437bd7473dda125ffdbe30868820af9eb4 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 25 Nov 2020 10:42:28 +0100
Subject: [PATCH 6/7] Using ruby 2.6

---
 .github/workflows/brakeman-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
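Review bot: The three `uses:` references in the new workflow (`actions/checkout@v2`, `actions/setup-ruby@v1`, `github/codeql-action/upload-sarif@v1`) resolve mutable tags, so this job, which checks out the repository and uploads security-scan results, will run whatever those tags point to at some future date; pinning each action to a full-length commit SHA with the version kept in a trailing comment makes the job reproducible and makes action updates reviewable like any other dependency bump. `actions/setup-ruby` has since been deprecated in favour of `ruby/setup-ruby`, so that line is worth revisiting when pinning. `continue-on-error: true` on the Scan step is what lets findings surface as code-scanning alerts instead of a red build, but it also means a Brakeman crash is only noticed when the Upload SARIF step fails on a missing file; a one-line comment above it, e.g. `# findings are reported through the SARIF upload, not as a failed job`, would make that trade-off explicit for the next reader.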
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index 113c533cb..7ba7ae58f 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -23,7 +23,7 @@ jobs:
       - name: Setup Ruby
         uses: actions/setup-ruby@v1
         with:
-          ruby-version: '2.6.5'
+          ruby-version: '2.6'
       - name: Setup Brakeman
         env:

From ecd24d92f8546e2aeebe0fd0e6f13eb7cb6d8713 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 25 Nov 2020 11:39:53 +0100
Subject: [PATCH 7/7] updated ruby version to 2.6.6

---
 .ruby-version | 2 +-
 CHANGELOG.md | 2 ++
 Dockerfile | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.ruby-version b/.ruby-version
index d7edb5686..f6ab44e9b 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-ruby-2.6.5
+ruby-2.6.6
diff --git a/CHANGELOG.md b/CHANGELOG.md
index faa78492a..fa50ac39b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,10 @@
 ## Next release
+- Updated ruby version to 2.6.6
 - Add configuration of the postgreSQL username in environment variables
 - Fix a bug: unable to build homepage custom stylesheet
+- Fix some security issues: [CVE-2020-10663](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663) and [CVE-2020-10933](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933)
 - [TODO DEPLOY] add `POSTGRES_USERNAME=postgres` to the environment variables (see [doc/environment.md](doc/environment.md#POSTGRES_USERNAME) for configuration details)
 ## v4.6.3 2020 October 28
diff --git a/Dockerfile b/Dockerfile
index 116661ca0..bf24df5e8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
-FROM ruby:2.6.5-alpine
-MAINTAINER peng@sleede.com
+FROM ruby:2.6.6-alpine
+MAINTAINER contact@fab-manager.com
 # Install upgrade system packages
 RUN apk update && apk upgrade && \
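Review bot: In the Dockerfile hunk, `MAINTAINER contact@fab-manager.com` rewrites a line that uses a deprecated instruction; the current form is a label, `LABEL maintainer="contact@fab-manager.com"`, which is visible through `docker inspect` like any other metadata. The new base image reference `ruby:2.6.6-alpine` is a mutable tag, so two builds of the same commit can pull different image contents; if reproducible builds matter for this image, pin the tag with an `@sha256:` digest (taken from the registry at pin time) and bump it deliberately alongside the changelog's security entries. The remainder of the Dockerfile, including the RUN chain that starts on the last context line, is outside the hunk.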