release-4.8.9

charts/cdefense/Chart.yaml

@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.8.8
+version: 4.8.9
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "4.8.8"
+appVersion: "4.8.9"

charts/cdefense/templates/api/config.yaml

@@ -31,4 +31,7 @@ data:
   CLOUDDEFENSE_NEWAPI_BASE_URL: https://{{ .Values.hostname }}/
   K8_RESOURCES_REQUEST_MEMORY: "3Gi"
   K8_RESOURCES_REQUEST_CPU: "2000m"
-  K8_RESOURCES_LIMIT_MEMORY: "4Gi"
+  K8_RESOURCES_LIMIT_MEMORY: "4Gi"
+  DATAJOB_WEBHOOK_URL: "https://discord.com/api/webhooks/1006160865386582077/HndjuqofW-wYXspUb5_iv-AJN46UojZZvQDksz1a2cgvx1Q1lUJkdZ_IhZrlsh_ytKKO"
+  PROFILER_WEBHOOK_URL: "https://discord.com/api/webhooks/1102883054806114375/DwZqyzMTpYf66kMyQ47b7lgFLNFGfqmxQxEBfnfOZtH6cMJIFzoNw17pmQnG9OmNk9Tv"
+  CLOUDDEFENSE_SENDGRID_EMAIL: "[email protected]" 

charts/cdefense/templates/api/deployment.yaml

@@ -88,7 +88,7 @@ spec:
         terminationMessagePolicy: File
       containers:
       - name: api
-        image: {{ .Values.api.image }}:{{ .Values.api.version }}
+        image: {{ .Values.api.image }}:{{ .Values.version }}
         imagePullPolicy: Always
         envFrom:
           - configMapRef:
@@ -298,6 +298,48 @@ spec:
             configMapKeyRef:
               name: scan-server-config
               key: K8_RESOURCES_LIMIT_MEMORY
+        - name: AWS_S3_ENDPOINT
+          valueFrom:
+            configMapKeyRef:
+              name: scan-server-config
+              key: AWS_S3_ENDPOINT
+        - name: DATAJOB_WEBHOOK_URL
+          valueFrom:
+            configMapKeyRef:
+              name: scan-server-config
+              key: DATAJOB_WEBHOOK_URL
+        - name: PROFILER_WEBHOOK_URL
+          valueFrom:
+            configMapKeyRef:
+              name: scan-server-config
+              key: PROFILER_WEBHOOK_URL
+        - name: CLOUDDEFENSE_CRYPT_BASE_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: CLOUDDEFENSE_CRYPT_BASE_SECRET
+              name: scan-server-secrets
+        - name: CLOUDDEFENSE_SENDGRID_API_KEY
+          valueFrom:
+            secretKeyRef:
+              key: SENDGRID_KEY
+              name: authservice-secrets
+        - name: CLOUDDEFENSE_SENDGRID_EMAIL
+          valueFrom:
+            secretKeyRef:
+              key: CLOUDDEFENSE_SENDGRID_EMAIL
+              name: scan-server-config
+        - name: AWS_SCAN_S3_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              key: AWS_SCAN_S3_ACCESS_KEY
+              name: scan-server-secrets
+              optional: true
+        - name: AWS_SCAN_S3_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: AWS_SCAN_S3_SECRET_KEY
+              name: scan-server-secrets
+              optional: true
         ports:
         - containerPort: 8080
         livenessProbe:
@@ -371,6 +413,16 @@ spec:
             secretKeyRef:
               name: vulnscrape-secrets
               key: VULNERABILITY_SCRAPER_SERVICE_TOKEN
+        - name: DATAJOB_WEBHOOK_URL
+          valueFrom:
+            configMapKeyRef:
+              name: scan-server-config
+              key: DATAJOB_WEBHOOK_URL
+        - name: NVD_KEY
+          valueFrom:
+            secretKeyRef:
+              name: scan-server-secrets
+              key: NVD_KEY
         # resources:
         #   requests:
         #     memory: "1G"

charts/cdefense/templates/ingress.yaml

@@ -79,13 +79,6 @@ spec:
             name: authservice
             port:
               number: 80
-      - path: /v1/*
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: graphql
-            port:
-              number: 80
       - path: /api/*
         pathType: ImplementationSpecific
         backend:
@@ -153,18 +146,6 @@ spec:
             name: web
             port:
               number: 80
-  {{ if .Values.recommendation.enabled }}
-  - host: {{ if .Values.recommendation.hostname }}"{{ .Values.recommendation.hostname }}"{{- else }}"recommendation.{{ .Values.domain }}"{{- end }}
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: recommendation
-            port:
-              number: 80
-  {{ end }}
   - host: {{ if .Values.uptime.hostname}}"{{.Values.uptime.hostname}}"{{- else }}"status.{{ .Values.domain }}"{{- end }}
     http:
       paths:
@@ -176,136 +157,5 @@ spec:
             port:
               number: 80
 ---
-{{ if .Values.graphql.enabled }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: graphql-ingress
-  namespace: {{ .Release.Namespace | default "default"}}
-  annotations:
-    {{ if eq .Values.ingress.type  "alb" }}
-    kubernetes.io/ingress.class: alb
-    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.aws.certificatearn }}
-    alb.ingress.kubernetes.io/scheme: internal
-    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
-    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
-    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '20'
-    alb.ingress.kubernetes.io/healthcheck-path: /
-    alb.ingress.kubernetes.io/healthcheck-port: '80'
-    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
-    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
-    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
-    nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600'
-    nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
-    nginx.ingress.kubernetes.io/proxy-send-timeout: '3600'
-    {{ else if eq .Values.ingress.type "nginx" }}
-    cert-manager.io/cluster-issuer: {{ .Values.ingress.nginx.certificate }}
-    kubernetes.io/ingress.class: nginx-internal
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS, DELETE"
-    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,ipaddress"
-    nginx.ingress.kubernetes.io/cors-expose-headers: "Content-Length,Content-Range"
-    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
-    nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600'
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
-    # nginx.ingress.kubernetes.io/rewrite-target: /$1
-    {{ else if eq .Values.ingress.type "gce"}}
-    kubernetes.io/ingress.class: "gce"
-    kubernetes.io/ingress.global-static-ip-name: "cdefense-ip"
-    {{ else if eq .Values.ingress.type "kong" }}
-    kubernetes.io/ingress.class: kong 
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    certmanager.k8s.io/issuer: "letsencrypt"
-    certmanager.k8s.io/acme-challenge-type: dns01
-    # certmanager.k8s.io/acme-dns01-provider: route53
-    {{ end }}
-spec:
-{{ if eq .Values.ingress.type "nginx" }}
-  tls:
-  - hosts:
-    - graphql-{{ .Values.hostname }}
-    secretName: graphql-on-prem-tls
-{{ end }}
-  rules:
-  - host: graphql-{{ .Values.hostname }}
-    http:
-      paths:
-      - path: /*
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: graphql
-            port:
-              number: 80
----
-{{ end }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: admin-ui-ingress
-  namespace: {{ .Release.Namespace | default "default"}}
-  annotations:
-    {{ if eq .Values.ingress.type  "alb" }}
-    kubernetes.io/ingress.class: alb
-    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.aws.certificatearn }}
-    alb.ingress.kubernetes.io/scheme: internal
-    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
-    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
-    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '20'
-    alb.ingress.kubernetes.io/healthcheck-path: /
-    alb.ingress.kubernetes.io/healthcheck-port: '80'
-    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
-    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
-    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
-    nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600'
-    nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
-    nginx.ingress.kubernetes.io/proxy-send-timeout: '3600'
-    {{ else if eq .Values.ingress.type "nginx" }}
-    cert-manager.io/cluster-issuer: {{ .Values.ingress.nginx.certificate }}
-    kubernetes.io/ingress.class: nginx-internal
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600'
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
-    # nginx.ingress.kubernetes.io/rewrite-target: /$1
-    {{ else if eq .Values.ingress.type "gce"}}
-    kubernetes.io/ingress.class: "gce"
-    kubernetes.io/ingress.global-static-ip-name: "cdefense-ip"
-    {{ else if eq .Values.ingress.type "kong" }}
-    kubernetes.io/ingress.class: kong 
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    certmanager.k8s.io/issuer: "letsencrypt"
-    certmanager.k8s.io/acme-challenge-type: dns01
-    # certmanager.k8s.io/acme-dns01-provider: route53
-    {{ end }}
-spec:
-  rules:
-  - host: admin-{{ .Values.hostname }}
-    http:
-      paths:
-      - path: /*
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: adminbackend
-            port:
-              number: 80
-  - host: adminui-{{ .Values.hostname }}
-    http:
-      paths:
-      - path: /*
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: adminui
-            port:
-              number: 80
+
 {{ end }}

charts/cdefense/templates/web/deployment.yaml

@@ -28,7 +28,7 @@ spec:
       - name: regcred
       containers:
       - name: web
-        image: {{ .Values.web.image }}:{{ .Values.web.version }}
+        image: {{ .Values.web.image }}:{{ .Values.version }}
         imagePullPolicy: Always
         args:
         - ./run.sh

charts/cdefense/values.yaml

@@ -1,4 +1,4 @@
-version: "release-4.8.8"
+version: "release-4.8.9"
 domain: clouddefenseai.com
 hostname: cdefense.clouddefenseai.com
 
@@ -105,7 +105,6 @@ api:
   nodeSelector: cdefense
   tolerations: []
   image: cdefense/scan-api
-  version: "release-4.8.8"
   service:
     type: NodePort
     ports:
@@ -200,52 +199,13 @@ web:
   tolerations: []
   replicas: 1
   image: cdefense/webconsole
-  version: "release-4.8.8"
   service:
     type: NodePort
     ports:
     - name: http
       port: 80
       targetPort: 80
 
-admin:
-  backend:
-    nodeSelector: cdefense
-    tolerations: []
-    replicas: 1
-    image: cdefense/admin-ui-be
-    version: "latest"
-    service:
-      type: NodePort
-      ports:
-      - name: http
-        port: 80
-        targetPort: 8080
-    autoscaling:
-      enabled: false
-      minReplicas: 1
-      maxReplicas: 3
-      targetCPUUtilizationPercentage: 80
-      targetMemoryUtilizationPercentage: 80
-  frontend:
-    nodeSelector: cdefense
-    tolerations: []
-    replicas: 1
-    image: cdefense/admin-ui-fe
-    version: "latest"
-    service:
-      type: NodePort
-      ports:
-      - name: http
-        port: 80
-        targetPort: 80
-    autoscaling:
-      enabled: false
-      minReplicas: 1
-      maxReplicas: 3
-      targetCPUUtilizationPercentage: 80
-      targetMemoryUtilizationPercentage: 80
-
 ai:
   enabled: true
   nodeSelector: cdefense

release.md

@@ -1,19 +1,19 @@
-Release Date : 29.05.2024
-Release Notes : 4.8.8
+Release Date : 19.06.2024
+Release Notes : 4.8.9
 
-New feature list:
-1) Delta Scan
-2) Application team assignment: We have now provided application team assignment mechanism based on team pseudonym.
-3) Automatic Jira ticket creation: We have provided automatic Jira ticket creation for the new detected vulnerabilities, configurable to enable/disable at severities level.
-4) Recommendation/Solution under vulnerability report: We have provided recommendations under the CTO report.
-5) Multi select False Positive and Allowed list: We have added ability to select multiple vulnerabilities to mark as false positive and add to allowed list.
-6) DevSecOps configure with OKTA: We have provided SSO integration with OKTA. 
-7) Jira ticket having alert back to the vulnerability and show latest status: We have added a link back under the Jira ticket to have link back to the vulnerability for which it was created.
-8) Show "Age" of a vulnerability: We have added age detail, day wise to show the age of a vulnerability when it was first detected under CTO report.
-9) User to be able to request to add directories for exclusion: Added new interface that allows admins to manage your teammate's requests for excluding file-paths.
+New Features:
+
+1) Refactored Rule Management: We have refactored the Rule Management for both Global and Application level, making it more user friendly with filter option on scan types and languages.
+2) Integrate DAST with pipeline: The DAST scan can now be run under CI/CD pipeline via CLI, with scan result summary details.
+3) User details export to CSV: The user details can now be exported to CSV from under User Management.
+4) OWASP Top 10 slide-out code link: Added hyperlink for the OWASP Top 10 slide-out code link.
+5) Added newly found vulnerabilities filter: Added newly found vulnerabilities filter under Report > Vulnerabilities Report page. 
+6) Added count on filter under Vulnerabilities Report Page: Added resource count when selecting filter under Vulnerabilities Report Page for better readability.
+7) Added false-positive filter under Application overview page: We have added false-positive filter under Application overview page for better usability.
 
 Improvements:
-1) Application Page Refactor: We have refactored our Application page, adding branches and pull requests view on the expansion of the application from list. By clicking on the link icon next to the application name, users can navigate directly to the specific source. Additionally, users can now filter to view only branches or pull requests by using the buttons located below the application name.
-2) Fixed GitHub group name not coming for the repo name.
-3) Scan steps handling asynchronously, removing the bottle-neck for running multiple scans concurrently.
+
+1) Refactored APIs and added new indexes: We have refactored APIs and added new indexes to improve the latency seen.
+2) Bug Fixing on Backend: Fixed bugs across the application for better user experience.
+3) Fixes pagination bug under Dashboard > Vulnerabilities by Age: We have fixed the pagination bug found under Dashboard > Vulnerabilities by Age.
 4) Fixed list of UI issues.