Merge branch 'master' into checklistView

CHANGELOG

@@ -1,3 +1,40 @@
+v2.10.5
+
+Package.json Fix @DMedina6 (#5727)
+Update okta.strategy.ts to work with passport-openidconnect 0.1.1 @em-c-rod (#5725)
+Fix Ironbank Deployment Pipeline Error @DMedina6 (#5707)
+Fix hdf converter test @em-c-rod (#5706)
+
+## Dependency Updates
+
+- Bump @aws-sdk/client-s3 from 3.554.0 to 3.556.0 @dependabot (#5737)
+- Bump @aws-sdk/client-config-service from 3.555.0 to 3.556.0 @dependabot (#5735)
+- Bump core-js from 3.36.1 to 3.37.0 @dependabot (#5736)
+- Bump sass-loader from 14.2.0 to 14.2.1 @dependabot (#5734)
+- Bump sequelize from 6.37.2 to 6.37.3 @dependabot (#5730)
+- Bump eslint-plugin-cypress from 2.15.1 to 2.15.2 @dependabot (#5728)
+- Bump eslint-plugin-vue from 9.24.1 to 9.25.0 @dependabot (#5729)
+- Bump cypress from 13.7.2 to 13.7.3 @dependabot (#5720)
+- Bump @aws-sdk/client-config-service from 3.554.0 to 3.555.0 @dependabot (#5726)
+- Bump @aws-sdk/client-s3 from 3.550.0 to 3.554.0 @dependabot (#5724)
+- Bump sass-loader from 14.1.1 to 14.2.0 @dependabot (#5723)
+- Bump @aws-sdk/client-config-service from 3.552.0 to 3.554.0 @dependabot (#5721)
+- Bump @aws-sdk/client-config-service from 3.549.0 to 3.552.0 @dependabot (#5714)
+- Bump @types/node from 20.12.5 to 20.12.7 @dependabot (#5718)
+- Bump @aws-sdk/client-sts from 3.549.0 to 3.552.0 @dependabot (#5716)
+- Bump vue-cookies from 1.8.3 to 1.8.4 @dependabot (#5715)
+- Bump typedoc from 0.25.12 to 0.25.13 @dependabot (#5712)
+- Bump eslint-plugin-vue from 9.24.0 to 9.24.1 @dependabot (#5711)
+- Bump @aws-sdk/client-s3 from 3.549.0 to 3.550.0 @dependabot (#5710)
+- Bump @types/node from 20.12.4 to 20.12.5 @dependabot (#5709)
+- Bump diff2html from 3.4.47 to 3.4.48 @dependabot (#5708)
+- Bump pg from 8.11.3 to 8.11.5 @dependabot (#5698)
+- Bump cypress from 13.7.1 to 13.7.2 @dependabot (#5697)
+- Bump @types/node from 20.11.30 to 20.12.4 @dependabot (#5701)
+- Bump @aws-sdk/client-s3 from 3.540.0 to 3.549.0 @dependabot (#5703)
+- Bump tsx from 4.7.1 to 4.7.2 @dependabot (#5704)
+- Bump @aws-sdk/client-config-service from 3.540.0 to 3.549.0 @dependabot (#5705)
+
 v2.10.4
 
 Hotfix for yarn.lock file mismatch

Dockerfile

@@ -1,6 +1,6 @@
 ARG BASE_CONTAINER=registry.access.redhat.com/ubi8/nodejs-18-minimal:1
 
-FROM $BASE_CONTAINER as builder
+FROM $BASE_CONTAINER AS builder
 
 ARG NODE_ENV=production
 ENV NODE_ENV=$NODE_ENV
@@ -29,7 +29,7 @@ COPY apps ./apps
 COPY libs ./libs
 RUN yarn build
 
-FROM $BASE_CONTAINER as app
+FROM $BASE_CONTAINER AS app
 
 EXPOSE 3000
 

README.md

@@ -175,10 +175,16 @@ Heimdall's frontend container image is distributed on [DockerHub](https://hub.do
 
 5. Run the following commands in a terminal window from the Heimdall source directory. For more information on the .env file, visit [Environment Variables Configuration.](https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration)
    ```bash
+   # For Linux or Mac
    ./setup-docker-env.sh
-   # If you would like to further configure your Heimdall instance, edit the .env file generated after running the previous line
+
+   # For Windows
+   ./setup-docker-env.bat
    ```
 
+> [!TIP]
+> If you would like to further configure your Docker-based Heimdall deployment, edit the .env file located in the root directory generated after running the `setup-docker-env.sh` or `setup-docker-env.bat` scripts
+
 6. Heimdall might need certificates to access the open internet or internal resources (ex. an LDAP server).  Please convert any certificates into PEM files and place them in `./certs/` where they will be automatically ingested.  Alternatively, you can place a shell script that will retrieve those certs in that directory, and modify the `command` attribute underneath the `certs` service in the `docker-compose.yml` to run that script.
   ```bash
   # Below is an example of what may be in the ./certs directory, including any scripts or certificates.
@@ -437,6 +443,9 @@ If you would like to change Heimdall to your needs, you can use Heimdall's 'Deve
 
 You can also open the apps/backend/.env file in a text editor and set additional optional configuration values. For more info on configuration values see [Environment Variables Configuration](https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration).
 
+> [!NOTE]
+> The .env file in the root repository is for the Docker deployment of the Heimdall application. Running a local build will use the .env file in the `apps/backend` directory.
+
 6. Create the database:
 
    - ```bash
@@ -512,7 +521,8 @@ The application includes an End-to-End (E2E) frontend and Backend tests (built u
 
 The first command will start an instance of Heimdall Server and exposes additional routes required to allow the tests to run. The second will open the Cypress UI which will run the tests any time code changes are made.
 
-_NOTE: When running the tests locally, tests that integrate with external services such as LDAP or Splunk will fail without having that external service running and configured. If these failures occur locally and local development does not impact the code relevant to those tests, you may consider permitting these failing tests locally and check that they pass in the pipeline in lieu of standing up local services only for testing purposes._
+> [!NOTE] 
+> When running the tests locally, tests that integrate with external services such as LDAP or Splunk will fail without having that external service running and configured. If these failures occur locally and local development does not impact the code relevant to those tests, you may consider permitting these failing tests locally and check that they pass in the pipeline in lieu of standing up local services only for testing purposes.
 
 ### Creating a Release
 

VERSION

@@ -1 +1 @@
-v2.10.4
+v2.10.5

apps/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "heimdall-server",
-  "version": "2.10.0",
+  "version": "2.10.5",
   "description": "",
   "license": "Apache-2.0",
   "author": "",

apps/backend/src/authn/oidc.strategy.ts

@@ -43,6 +43,7 @@ export class OidcStrategy extends PassportStrategy(Strategy, 'oidc') {
         //changed from 4-arity function to 9-arity, because 'profile' in 4-arity was not providing required data
         //by changing to 9-arity we can access the data we need from the 'uiProfile' parameter
         //the lack of needed data in 4-arity function may be a bug
+        // NOTE: Some variables are not used in this function, but they are required to be present in the function signature. These are indicated with an underscore prefix.
         _issuer: string,
         uiProfile: OIDCProfile,
         _idProfile: object,

apps/backend/src/authn/okta.strategy.ts

@@ -5,6 +5,11 @@ import {ConfigService} from '../config/config.service';
 import {AuthnService} from './authn.service';
 
 interface OktaProfile {
+  id: string;
+  displayName: string;
+  name: {familyName: string; givenName: string};
+  emails: [{value: string}];
+  _raw: string;
   _json: {
     given_name: string;
     family_name: string;
@@ -35,24 +40,27 @@ export class OktaStrategy extends PassportStrategy(Strategy, 'okta') {
         }/oauth2/default/v1/userinfo`,
         clientID: configService.get('OKTA_CLIENTID') || 'disabled',
         clientSecret: configService.get('OKTA_CLIENTSECRET') || 'disabled',
-        callbackURL:
-          `${configService.get('EXTERNAL_URL')}/authn/okta/callback` ||
-          'disabled',
-        scope: 'openid email profile',
-        passReqToCallback: true
+        callbackURL: `${configService.get('EXTERNAL_URL')}/authn/okta/callback`,
+        scope: 'openid email profile'
       },
-      (
-        _req: Request,
-        _token: string,
-        _tokenSecret: string,
-        profile: OktaProfile,
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async function (
+        // Like in oidc.strategy.ts, we changed the arity of the function to 9 to access the data we need from 'uiProfile' due to updates in the passport-openidconnect library which otherwise caused failures in the authentication process
+        // NOTE: Some variables are not used in this function, but they are required to be present in the function signature. These are indicated with an underscore prefix.
+        _issuer: string,
+        uiProfile: OktaProfile,
+        _idProfile: object,
+        _context: object,
+        _idToken: string,
+        _accessToken: string,
+        _refreshToken: string,
+        _params: object,
+        //eslint-disable-next-line @typescript-eslint/no-explicit-any
         done: any
-      ) => {
-        const userData = profile._json;
+      ) {
+        const userData = uiProfile._json;
         const {given_name, family_name, email, email_verified} = userData;
         if (email_verified) {
-          const user = this.authnService.validateOrCreateUser(
+          const user = await authnService.validateOrCreateUser(
             email,
             given_name,
             family_name,

apps/frontend/.gitignore

@@ -10,7 +10,7 @@ mitre-heimdall-lite*.tgz
 .env.local
 .env.*.local
 
-# Log files
+# log files
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*

apps/frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mitre/heimdall-lite",
-  "version": "2.10.4",
+  "version": "2.10.5",
   "description": "Heimdall-Lite 2 is a JavaScript based security results viewer and review tool supporting multiple security results formats, such as: InSpec, SonarQube, OWASP-Zap and Fortify which you can load locally or from S3 and other data sources.",
   "repository": {
     "type": "git",

apps/frontend/src/views/Login.vue

@@ -89,7 +89,7 @@ export default class Login extends Vue {
   checkForAuthenticationError() {
     if (this.$cookies.get('authenticationError')) {
       SnackbarModule.failure(
-        `Sorry, an problem occurred while signing you in. The reason given was: ${this.$cookies.get(
+        `Sorry, a problem occurred while signing you in. The reason given was: ${this.$cookies.get(
           'authenticationError'
         )}`
       );

lerna.json

@@ -1,5 +1,5 @@
 {
   "packages": ["apps/*", "libs/*", "test"],
-  "version": "2.10.4",
+  "version": "2.10.5",
   "npmClient": "yarn"
 }

libs/hdf-converters/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mitre/hdf-converters",
-  "version": "2.10.3",
+  "version": "2.10.5",
   "license": "Apache-2.0",
   "description": "Converter util library used to transform various scan results into HDF format",
   "files": [

package.json

@@ -17,7 +17,7 @@
     "lint:ci": "lerna run lint:ci",
     "pack:all": "lerna exec yarn pack --scope inspecjs --scope @mitre/heimdall-lite --scope @mitre/hdf-converters --parallel",
     "start": "yarn backend start",
-    "start:dev": "./node_modules/.bin/dotenv -e .env -- lerna exec yarn run start:dev --ignore @heimdall/interfaces --ignore @mitre/hdf-converters  --ignore @heimdall/password-complexity --ignore @heimdall/cypress-tests --ignore inspecjs",
+    "start:dev": "./node_modules/.bin/dotenv -e apps/backend/.env -- lerna exec yarn run start:dev --ignore @heimdall/interfaces --ignore @mitre/hdf-converters  --ignore @heimdall/password-complexity --ignore @heimdall/cypress-tests --ignore inspecjs",
     "test:ui": "cypress run",
     "test:ui:open": "cypress open"
   },

setup-docker-env.bat

@@ -0,0 +1,87 @@
+ECHO OFF
+SETLOCAL
+Setlocal EnableDelayedExpansion
+
+IF EXIST .env (
+	ECHO ".env already exists, if you would like to regenerate your secrets, please delete this file and re-run the script. WARNING: Re-running this script will cause the database password to be reset within the .env file, but the database will still be expecting the old password.  If this happens, you can 1) change DATABASE_PASSWORD in the .env file back to the old password, 2) connect to the database directly and reset the password to the newly generated one, or 3) remove the 'data/' folder (which will delete all data)."
+) ELSE (
+	ECHO ".env does not exist, creating..."
+  CD . > .env
+)
+
+
+REM Set the PostgreSQL db password
+FINDSTR /C:"DATABASE_PASSWORD" .env > Nul
+IF !ERRORLEVEL! EQU 1 (
+  ECHO "DATABASE_PASSWORD" was not found within the .env file, generating secret...
+  FOR /F "tokens=* USEBACKQ" %%F IN (`openssl rand -hex 33`) DO (
+    ECHO DATABASE_PASSWORD=%%F >> .env
+  )
+)
+
+REM Set the JWT expire time
+SET jwtexpiretime=1d
+FINDSTR /C:"JWT_EXPIRE_TIME" .env > Nul
+IF !ERRORLEVEL! EQU 1 (
+  ECHO "JWT_EXPIRE_TIME" was not found within the .env file, generating secret...
+  CALL :SET_JWT_EXPIRE_TIME
+)
+
+REM Generate the JWT SECRET (password)
+FINDSTR /C:"JWT_SECRET" .env > Nul
+IF !ERRORLEVEL! EQU 1 (
+  ECHO "JWT_SECRET" was not found within the .env file, generating secret...
+  FOR /F "tokens=* USEBACKQ" %%F IN (`openssl rand -hex 64`) DO (
+    ECHO JWT_SECRET=%%F >> .env
+  )
+)
+
+
+REM Enable API keys
+FINDSTR /C:"API_KEY_SECRET" .env > Nul
+IF !ERRORLEVEL! EQU 1 (
+  SET /P enableapikeys="API_KEY_SECRET was not found within the .env file. Enable API keys [Y/n]: "
+  IF /I "!enableapikeys!" EQU "Y" (
+    FOR /F "tokens=* USEBACKQ" %%F IN (`openssl rand -hex 33`) DO (
+      ECHO API_KEY_SECRET=%%F >> .env
+    )
+  )
+)  
+
+REM Set NGINX Host, if required
+FINDSTR /C:"NGINX_HOST" .env > Nul
+IF %ERRORLEVEL% EQU 1 (
+  ECHO "NGINX_HOST" was not found within the .env file, set NGINX_HOST IP...
+  CALL :SET_NGINX_HOST
+)  
+
+REM Generate the SSL certificates
+IF EXIST ./nginx/certs/ssl_certificate.crt (
+  ECHO "SSL Certificate already exists. If you would like to regenerate your certificates, please delete the files in ./nginx/certs/ and re-run this script."
+) ELSE (
+	ECHO "SSL Certificate does not exist, creating self-signed certificate..."
+	ECHO Be sure your production environment is configured to work with your self-signed certificate.
+	ECHO
+	ECHO "Generating certificate (Expires in 7 days)..."
+  openssl req -newkey rsa:4096 -x509 -sha256 -days 7 -nodes -out nginx/certs/ssl_certificate.crt -keyout nginx/certs/ssl_certificate_key.key -subj "/C=US/ST=SelfSigned/L=SelfSigned/O=SelfSigned/OU=SelfSigned"
+  ECHO Certificates were generated 
+)
+
+
+REM Exit the batch process
+EXIT /B !ERRORLEVEL!
+
+REM ------------------------------------------------------------------------------------------
+REM Supporting function - Note: we use the input function outside the IF %ERRORLEVEL%
+REM because the SET /P does not work as expected inside the IF %ERRORLEVEL% block
+
+:SET_JWT_EXPIRE_TIME
+  SET /P jwtexpiretime="Enter JWT_EXPIRE_TIME ex. 1d or 25m (leave blank to use default [!jwtexpiretime!]): "
+  ECHO JWT_EXPIRE_TIME=!%jwtexpiretime! >> .env
+EXIT /B 0
+
+:SET_NGINX_HOST
+  SET nginxhost=127.0.0.1
+  SET /P nginxhost="Enter your FQDN/Hostname/IP Address (leave blank to use default [%nginxhost%]): "
+  ECHO NGINX_HOST=%nginxhost% >> .env
+EXIT /B 0

test/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@heimdall/cypress-tests",
-  "version": "2.10.2",
+  "version": "2.10.5",
   "private": true,
   "description": "",
   "scripts": {