diff --git a/charts/cdefense/Chart.yaml b/charts/cdefense/Chart.yaml index 817d588..f728af8 100755 --- a/charts/cdefense/Chart.yaml +++ b/charts/cdefense/Chart.yaml @@ -13,9 +13,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 4.8.8 +version: 4.8.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "4.8.8" +appVersion: "4.8.9" diff --git a/charts/cdefense/templates/api/config.yaml b/charts/cdefense/templates/api/config.yaml index 7486ac0..d8e25b6 100644 --- a/charts/cdefense/templates/api/config.yaml +++ b/charts/cdefense/templates/api/config.yaml @@ -31,4 +31,7 @@ data: CLOUDDEFENSE_NEWAPI_BASE_URL: https://{{ .Values.hostname }}/ K8_RESOURCES_REQUEST_MEMORY: "3Gi" K8_RESOURCES_REQUEST_CPU: "2000m" - K8_RESOURCES_LIMIT_MEMORY: "4Gi" \ No newline at end of file + K8_RESOURCES_LIMIT_MEMORY: "4Gi" + DATAJOB_WEBHOOK_URL: "https://discord.com/api/webhooks/1006160865386582077/HndjuqofW-wYXspUb5_iv-AJN46UojZZvQDksz1a2cgvx1Q1lUJkdZ_IhZrlsh_ytKKO" + PROFILER_WEBHOOK_URL: "https://discord.com/api/webhooks/1102883054806114375/DwZqyzMTpYf66kMyQ47b7lgFLNFGfqmxQxEBfnfOZtH6cMJIFzoNw17pmQnG9OmNk9Tv" + CLOUDDEFENSE_SENDGRID_EMAIL: "support-noreply@clouddefense.ai" \ No newline at end of file diff --git a/charts/cdefense/templates/api/deployment.yaml b/charts/cdefense/templates/api/deployment.yaml index caaedac..647ad24 100644 --- a/charts/cdefense/templates/api/deployment.yaml +++ b/charts/cdefense/templates/api/deployment.yaml 
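Review bot: The two `https://discord.com/api/webhooks/<id>/<token>` values added to the `scan-server-config` data are credentials, not configuration: the token segment of a Discord webhook URL is the only thing authorising posts to that channel, and this is a ConfigMap template committed to the chart, so anyone who can read the chart repository or run `get configmap` in the namespace can post into those channels. They should be supplied through the chart's Secret (the same `scan-server-secrets` the api deployment already reads `CLOUDDEFENSE_CRYPT_BASE_SECRET` from) via values such as `{{ .Values.api.datajobWebhookUrl }}`, and the two webhooks now in git history should be regenerated in Discord. The hard-coded `CLOUDDEFENSE_SENDGRID_EMAIL` is not sensitive, but since the rest of this file derives from `.Values.hostname` it probably belongs in values as well. The `data:` mapping starts before this hunk.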
@@ -88,7 +88,7 @@ spec: terminationMessagePolicy: File containers: - name: api - image: {{ .Values.api.image }}:{{ .Values.api.version }} + image: {{ .Values.api.image }}:{{ .Values.version }} imagePullPolicy: Always envFrom: - configMapRef: @@ -298,6 +298,48 @@ spec: configMapKeyRef: name: scan-server-config key: K8_RESOURCES_LIMIT_MEMORY + - name: AWS_S3_ENDPOINT + valueFrom: + configMapKeyRef: + name: scan-server-config + key: AWS_S3_ENDPOINT + - name: DATAJOB_WEBHOOK_URL + valueFrom: + configMapKeyRef: + name: scan-server-config + key: DATAJOB_WEBHOOK_URL + - name: PROFILER_WEBHOOK_URL + valueFrom: + configMapKeyRef: + name: scan-server-config + key: PROFILER_WEBHOOK_URL + - name: CLOUDDEFENSE_CRYPT_BASE_SECRET + valueFrom: + secretKeyRef: + key: CLOUDDEFENSE_CRYPT_BASE_SECRET + name: scan-server-secrets + - name: CLOUDDEFENSE_SENDGRID_API_KEY + valueFrom: + secretKeyRef: + key: SENDGRID_KEY + name: authservice-secrets + - name: CLOUDDEFENSE_SENDGRID_EMAIL + valueFrom: + secretKeyRef: + key: CLOUDDEFENSE_SENDGRID_EMAIL + name: scan-server-config + - name: AWS_SCAN_S3_ACCESS_KEY + valueFrom: + secretKeyRef: + key: AWS_SCAN_S3_ACCESS_KEY + name: scan-server-secrets + optional: true + - name: AWS_SCAN_S3_SECRET_KEY + valueFrom: + secretKeyRef: + key: AWS_SCAN_S3_SECRET_KEY + name: scan-server-secrets + optional: true ports: - containerPort: 8080 livenessProbe: @@ -371,6 +413,16 @@ spec: secretKeyRef: name: vulnscrape-secrets key: VULNERABILITY_SCRAPER_SERVICE_TOKEN + - name: DATAJOB_WEBHOOK_URL + valueFrom: + configMapKeyRef: + name: scan-server-config + key: DATAJOB_WEBHOOK_URL + - name: NVD_KEY + valueFrom: + secretKeyRef: + name: scan-server-secrets + key: NVD_KEY # resources: # requests: # memory: "1G" diff --git a/charts/cdefense/templates/ingress.yaml b/charts/cdefense/templates/ingress.yaml index 602c070..3ccfcac 100644 --- a/charts/cdefense/templates/ingress.yaml +++ b/charts/cdefense/templates/ingress.yaml 
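Review bot: `CLOUDDEFENSE_SENDGRID_EMAIL` is read with `secretKeyRef` from `name: scan-server-config`, but every other reference in this hunk (and the config.yaml change in the same commit) treats `scan-server-config` as a ConfigMap, so unless a Secret of that name also exists the api pod will sit in `CreateContainerConfigError`; change `secretKeyRef:` to `configMapKeyRef:` for that entry. `AWS_S3_ENDPOINT` is a non-optional ConfigMap key that the config.yaml hunk in this commit does not add — fine if it already exists elsewhere in that ConfigMap, otherwise the same startup failure. `DATAJOB_WEBHOOK_URL` and `PROFILER_WEBHOOK_URL` are Discord webhook URLs, i.e. bearer-style tokens, pulled from the ConfigMap; they belong in `scan-server-secrets` via `secretKeyRef` next to `CLOUDDEFENSE_CRYPT_BASE_SECRET`. The container spec continues outside the hunk.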
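Review bot: `NVD_KEY` is added as a mandatory `secretKeyRef` on `scan-server-secrets`, but the Secret template is not part of this diff, so an existing install whose Secret has no `NVD_KEY` entry will fail to start this container after upgrading. If the scraper can run without a key (NVD's API accepts unauthenticated requests at a lower rate limit, as I understand it), add `optional: true` as was done for the `AWS_SCAN_S3_*` keys; otherwise document the new required key in release.md and the values reference. `DATAJOB_WEBHOOK_URL` here has the same ConfigMap-versus-Secret concern as in the api container. The enclosing container spec starts and ends outside the hunk.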
@@ -79,13 +79,6 @@ spec: name: authservice port: number: 80 - - path: /v1/* - pathType: ImplementationSpecific - backend: - service: - name: graphql - port: - number: 80 - path: /api/* pathType: ImplementationSpecific backend: @@ -153,18 +146,6 @@ spec: name: web port: number: 80 - {{ if .Values.recommendation.enabled }} - - host: {{ if .Values.recommendation.hostname }}"{{ .Values.recommendation.hostname }}"{{- else }}"recommendation.{{ .Values.domain }}"{{- end }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: recommendation - port: - number: 80 - {{ end }} - host: {{ if .Values.uptime.hostname}}"{{.Values.uptime.hostname}}"{{- else }}"status.{{ .Values.domain }}"{{- end }} http: paths: 
@@ -176,136 +157,5 @@ spec: port: number: 80 --- -{{ if .Values.graphql.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: graphql-ingress - namespace: {{ .Release.Namespace | default "default"}} - annotations: - {{ if eq .Values.ingress.type "alb" }} - kubernetes.io/ingress.class: alb - alb.ingress.kubernetes.io/certificate-arn: {{ .Values.aws.certificatearn }} - alb.ingress.kubernetes.io/scheme: internal - alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' - alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' - alb.ingress.kubernetes.io/healthcheck-interval-seconds: '20' - alb.ingress.kubernetes.io/healthcheck-path: / - alb.ingress.kubernetes.io/healthcheck-port: '80' - alb.ingress.kubernetes.io/healthcheck-protocol: HTTP - alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5' - alb.ingress.kubernetes.io/healthy-threshold-count: '2' - nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600' - nginx.ingress.kubernetes.io/proxy-read-timeout: '3600' - nginx.ingress.kubernetes.io/proxy-send-timeout: '3600' - {{ else if eq .Values.ingress.type "nginx" }} - cert-manager.io/cluster-issuer: {{ .Values.ingress.nginx.certificate }} - kubernetes.io/ingress.class: nginx-internal - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/ssl-passthrough: "false" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - # nginx.ingress.kubernetes.io/backend-protocol: HTTPS - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-credentials: "true" - nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS, DELETE" - nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,ipaddress" - nginx.ingress.kubernetes.io/cors-expose-headers: 
"Content-Length,Content-Range" - nginx.ingress.kubernetes.io/proxy-body-size: "10m" - nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600' - nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" - # nginx.ingress.kubernetes.io/rewrite-target: /$1 - {{ else if eq .Values.ingress.type "gce"}} - kubernetes.io/ingress.class: "gce" - kubernetes.io/ingress.global-static-ip-name: "cdefense-ip" - {{ else if eq .Values.ingress.type "kong" }} - kubernetes.io/ingress.class: kong - nginx.ingress.kubernetes.io/ssl-redirect: "false" - certmanager.k8s.io/issuer: "letsencrypt" - certmanager.k8s.io/acme-challenge-type: dns01 - # certmanager.k8s.io/acme-dns01-provider: route53 - {{ end }} -spec: -{{ if eq .Values.ingress.type "nginx" }} - tls: - - hosts: - - graphql-{{ .Values.hostname }} - secretName: graphql-on-prem-tls -{{ end }} - rules: - - host: graphql-{{ .Values.hostname }} - http: - paths: - - path: /* - pathType: ImplementationSpecific - backend: - service: - name: graphql - port: - number: 80 ---- -{{ end }} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: admin-ui-ingress - namespace: {{ .Release.Namespace | default "default"}} - annotations: - {{ if eq .Values.ingress.type "alb" }} - kubernetes.io/ingress.class: alb - alb.ingress.kubernetes.io/certificate-arn: {{ .Values.aws.certificatearn }} - alb.ingress.kubernetes.io/scheme: internal - alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' - alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' - alb.ingress.kubernetes.io/healthcheck-interval-seconds: '20' - alb.ingress.kubernetes.io/healthcheck-path: / - alb.ingress.kubernetes.io/healthcheck-port: '80' - alb.ingress.kubernetes.io/healthcheck-protocol: HTTP - alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5' - 
alb.ingress.kubernetes.io/healthy-threshold-count: '2' - nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600' - nginx.ingress.kubernetes.io/proxy-read-timeout: '3600' - nginx.ingress.kubernetes.io/proxy-send-timeout: '3600' - {{ else if eq .Values.ingress.type "nginx" }} - cert-manager.io/cluster-issuer: {{ .Values.ingress.nginx.certificate }} - kubernetes.io/ingress.class: nginx-internal - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/proxy-connect-timeout: '3600' - nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" - # nginx.ingress.kubernetes.io/rewrite-target: /$1 - {{ else if eq .Values.ingress.type "gce"}} - kubernetes.io/ingress.class: "gce" - kubernetes.io/ingress.global-static-ip-name: "cdefense-ip" - {{ else if eq .Values.ingress.type "kong" }} - kubernetes.io/ingress.class: kong - nginx.ingress.kubernetes.io/ssl-redirect: "false" - certmanager.k8s.io/issuer: "letsencrypt" - certmanager.k8s.io/acme-challenge-type: dns01 - # certmanager.k8s.io/acme-dns01-provider: route53 - {{ end }} -spec: - rules: - - host: admin-{{ .Values.hostname }} - http: - paths: - - path: /* - pathType: ImplementationSpecific - backend: - service: - name: adminbackend - port: - number: 80 - - host: adminui-{{ .Values.hostname }} - http: - paths: - - path: /* - pathType: ImplementationSpecific - backend: - service: - name: adminui - port: - number: 80 + {{ end }} \ No newline at end of file diff --git a/charts/cdefense/templates/web/deployment.yaml b/charts/cdefense/templates/web/deployment.yaml index e9597dd..4eb831c 100644 --- a/charts/cdefense/templates/web/deployment.yaml +++ b/charts/cdefense/templates/web/deployment.yaml @@ -28,7 +28,7 @@ spec: - name: regcred containers: - name: web - image: {{ .Values.web.image }}:{{ .Values.web.version }} + image: {{ .Values.web.image }}:{{ .Values.version }} imagePullPolicy: Always args: - ./run.sh 
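Review bot: The new side of this hunk ends with an added ` {{ end }}` whose matching `{{ if }}` is not in the hunk, while the `{{ if .Values.graphql.enabled }}`/`{{ end }}` pair that used to live here is removed; unless an `if` opened earlier in ingress.yaml was previously left unclosed, this leaves one `end` too many and `helm template` will reject the file with `unexpected {{end}}`. Please run `helm lint` or `helm template` against the chart and either drop the line or annotate which block it closes, e.g. `{{ end }}{{/* if .Values.ingress.enabled */}}`. Removing the graphql and admin ingresses is consistent with the `admin` block removed from values.yaml in this commit, but any `graphql`/`adminui`/`adminbackend` Deployments and Services left in the chart are now unreachable from outside the cluster, which is worth stating in release.md if intended.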
diff --git a/charts/cdefense/values.yaml b/charts/cdefense/values.yaml index 8c6735f..05069b2 100644 --- a/charts/cdefense/values.yaml +++ b/charts/cdefense/values.yaml @@ -1,4 +1,4 @@ -version: "release-4.8.8" +version: "release-4.8.9" domain: clouddefenseai.com hostname: cdefense.clouddefenseai.com @@ -105,7 +105,6 @@ api: nodeSelector: cdefense tolerations: [] image: cdefense/scan-api - version: "release-4.8.8" service: type: NodePort ports: @@ -200,7 +199,6 @@ web: tolerations: [] replicas: 1 image: cdefense/webconsole - version: "release-4.8.8" service: type: NodePort ports: @@ -208,44 +206,6 @@ web: port: 80 targetPort: 80 -admin: - backend: - nodeSelector: cdefense - tolerations: [] - replicas: 1 - image: cdefense/admin-ui-be - version: "latest" - service: - type: NodePort - ports: - - name: http - port: 80 - targetPort: 8080 - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 3 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: 80 - frontend: - nodeSelector: cdefense - tolerations: [] - replicas: 1 - image: cdefense/admin-ui-fe - version: "latest" - service: - type: NodePort - ports: - - name: http - port: 80 - targetPort: 80 - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 3 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: 80 - ai: enabled: true nodeSelector: cdefense diff --git a/release.md b/release.md index edfeb94..b6dc99f 100644 --- a/release.md +++ b/release.md 
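Review bot: Dropping `api.version` and `web.version` in favour of the top-level `version` changes the chart's values contract: an operator's override file that still sets `api.version: release-x.y.z` is now silently ignored rather than rejected, and both images are forced to the same tag. That is reasonable for a single-release chart, but release.md in this commit does not mention it; add a line there and, if you want a hard stop, a guard in the deployment template such as `{{- if .Values.api.version }}{{ fail "api.version is no longer used; set .version instead" }}{{- end }}`. Other components that may still carry their own `version` key are outside this diff.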
@@ -1,19 +1,19 @@ -Release Date : 29.05.2024 -Release Notes : 4.8.8 +Release Date : 19.06.2024 +Release Notes : 4.8.9 -New feature list: -1) Delta Scan -2) Application team assignment: We have now provided application team assignment mechanism based on team pseudonym. -3) Automatic Jira ticket creation: We have provided automatic Jira ticket creation for the new detected vulnerabilities, configurable to enable/disable at severities level. -4) Recommendation/Solution under vulnerability report: We have provided recommendations under the CTO report. -5) Multi select False Positive and Allowed list: We have added ability to select multiple vulnerabilities to mark as false positive and add to allowed list. -6) DevSecOps configure with OKTA: We have provided SSO integration with OKTA. -7) Jira ticket having alert back to the vulnerability and show latest status: We have added a link back under the Jira ticket to have link back to the vulnerability for which it was created. -8) Show "Age" of a vulnerability: We have added age detail, day wise to show the age of a vulnerability when it was first detected under CTO report. -9) User to be able to request to add directories for exclusion: Added new interface that allows admins to manage your teammate's requests for excluding file-paths. +New Features: + +1) Refactored Rule Management: We have refactored the Rule Management for both Global and Application level, making it more user friendly with filter option on scan types and languages. +2) Integrate DAST with pipeline: The DAST scan can now be run under CI/CD pipeline via CLI, with scan result summary details. +3) User details export to CSV: The user details can now be exported to CSV from under User Management. +4) OWASP Top 10 slide-out code link: Added hyperlink for the OWASP Top 10 slide-out code link. +5) Added newly found vulnerabilities filter: Added newly found vulnerabilities filter under Report > Vulnerabilities Report page. 
+6) Added count on filter under Vulnerabilities Report Page: Added resource count when selecting filter under Vulnerabilities Report Page for better readability. +7) Added false-positive filter under Application overview page: We have added false-positive filter under Application overview page for better usability. Improvements: -1) Application Page Refactor: We have refactored our Application page, adding branches and pull requests view on the expansion of the application from list. By clicking on the link icon next to the application name, users can navigate directly to the specific source. Additionally, users can now filter to view only branches or pull requests by using the buttons located below the application name. -2) Fixed GitHub group name not coming for the repo name. -3) Scan steps handling asynchronously, removing the bottle-neck for running multiple scans concurrently. + +1) Refactored APIs and added new indexes: We have refactored APIs and added new indexes to improve the latency seen. +2) Bug Fixing on Backend: Fixed bugs across the application for better user experience. +3) Fixes pagination bug under Dashboard > Vulnerabilities by Age: We have fixed the pagination bug found under Dashboard > Vulnerabilities by Age. 4) Fixed list of UI issues. \ No newline at end of file