godojo's Introduction

godojo - an installer for DefectDojo

godojo is an installer for DefectDojo created as a much more powerful replacement for setup.bash. It provides a way to complete a 'server' install of DefectDojo. This is a traditional installation where DefectDojo is installed on the disk of a server/VM as part of the running OS.

godojo simplifies installing DefectDojo since the only thing needed to complete the install is the godojo binary. The installer handles pulling the requested version of the source code and any needed dependencies.

godojo supports the following types of installations:

The currently supported Linux distros and database configurations are listed here

godojo is developed targeting .deb (Debian) based distributions especially Ubuntu but should work on any Debian-based distro.

For information on starting DefectDojo after installing and upgrading an install done by godojo, see here

DefectDojo also supports other methods of installation that are not covered by godojo.

Dependencies

None, just download the most recent godojo release and either:

  1. Accept the default configuration (one will be created for you the first time you run godojo)
  2. Edit dojoConfig.yml to meet your needs then run godojo
  3. Set environmental variable(s) to override the default configuration in dojoConfig.yml when you run godojo

The defaults in dojoConfig.yml are pretty sane. All you really need to do is:

  • decide what version of DefectDojo you want to install (a release, branch or commit)
  • set a password for the initial Admin user (Install > Admin > Pass).

You can see all the configuration options with descriptions in the example config file.

Note: godojo is built with go version 1.16.3 (or newer)

Assumptions / requirements

  • Bash is available and in $PATH
  • Installer is run as root or with sudo like:

    $ sudo ./godojo

    or

    # ./godojo

  • Installer can create a 'logs' directory where the installer is run to write a log of the install
  • Installer can create a file in the directory where it is run to save the runtime config
  • Installer can create a base directory for the DefectDojo install (default is /opt/dojo).
  • Installer can download the source code for DefectDojo and its dependencies (Internet access)

Other benefits of godojo

  • The same installer can install multiple versions of DefectDojo
  • Supports both MySQL and PostgreSQL databases
  • Supports creating a new database or using an existing database. Database can be local (same host) or remote.
  • godojo doesn't care where it is run from - the only important location is where DefectDojo will be installed which defaults to /opt/dojo
  • godojo creates logs in a 'logs' subdirectory in the directory where it is run.
    • Logs are configurable from none ("Quiet: true" in dojoConfig.yml) to trace ("Trace: true" in dojoConfig.yml)
  • Any passwords, keys or other sensitive data are redacted in the logs by default ("Redact: true" in dojoConfig.yml)
  • All dojoConfig.yml configuration items can be overridden with environmental variables at run time

Example installation

If you don't have a dojoConfig.yml in the same directory as godojo (or this is your first install), one will be created for you:

$ sudo ./godojo

NOTE: A dojoConfig.yml file was not found in the current directory:
	/home/example
A default configuration file was written there.

Please review the configuration settings, adjusting as needed and
re-run the godojo installer to begin the install you configured.

Once you have a dojoConfig.yml you're happy with, just run godojo:

$ sudo ./godojo
        ____       ____          __     ____          _
       / __ \___  / __/__  _____/ /_   / __ \____    (_)___
      / / / / _ \/ /_/ _ \/ ___/ __/  / / / / __ \  / / __ \ 
     / /_/ /  __/ __/  __/ /__/ /_   / /_/ / /_/ / / / /_/ /
    /_____/\___/_/  \___/\___/\__/  /_____/\____/_/ /\____/
                                               /___/
    version  1.1.1

  Welcome to godojo, the official way to install DefectDojo on iron.
  For more information on how goDojo does an install, see:
  https://github.com/DefectDojo/godojo

==============================================================================
  Starting the dojo install at Sun Apr 25, 2021 05:43:44 UTC
==============================================================================


==============================================================================
  Determining OS for installation
==============================================================================

OS was determined to be Linux, Ubuntu:20.10
DefectDojo installation on this OS is supported, continuing

==============================================================================
  Bootstrapping the godojo installer
==============================================================================

Bootstrapping...(-*--------)

Note: The above is a snippet of godojo in action. With Quiet set to 'false' you will see output for the various stages godojo completes with a progress bar for each part.

godojo's People

Contributors

mtesauro, noloader, risto-liftoff

godojo's Issues

Admin password from dojoConfig.yml not working

I downloaded godojo release v1.1.9 and ran the godojo file to install defectdojo and then used the dojo-start script to start the service. The service is up and running; however, I am not able to log in with the username and password provided in dojoConfig.yml.

No longer installs

Due to upstream changes, and unless the Dev's do something about it, this will no longer install any version of DefectDojo.

I recently tried version 1.17 and 1.16 to install v2.4.1 plus many other versions; all fail with missing python packages in the requirements.txt. Trying to install these by hand results in yet another error.

godojo - OS supported but fails to bootstrap due to unsupported OS

Attempting to run defectdojo via godojo on a clean Amazon Linux 2 EC2 instance fails with the following issue.

==============================================================================
  Starting the dojo install at Thu Sep 29, 2022 12:30:05 UTC
==============================================================================


==============================================================================
  Determining OS for installation
==============================================================================

OS was determined to be Linux, Amzn:2
DefectDojo installation on this OS is supported, continuing

==============================================================================
  Bootstrapping the godojo installer
==============================================================================

Unsupported OS to bootstrap, quitting.

prepInstall.go uses different envar names for database gear

prepInstall.go is using different envar names for database gear.

For example, dojoConfig.yml specifies:

 DB:
    Engine: "PostgreSQL" # DD_DB_Engine - Database engine to use (SQLite, MySQL, PostgreSQL, MariaDB) Note: CASE sEnSiTiVE!
    Local: true # DD_DB_Local - Boolean for when DB is on the same host/server/vm (local)
    Exists: false # DD_DB_Exists - Boolean for when DB for DefectDojo already exists so no install needed
    Ruser: "postgres" # DD_DB_Ruser - Superuser for the database, root for MySQL/MaraiDB & posgres for PostgreSQL. Note: this and Rpass below REQUIRED for remote and existing DBs
    Rpass: "vee0Thoanae1daePooz0ieka" # DD_DB_Rpass - Password for the database superuser TODO: Note: set to 24 random characters if left blank
    Name: "dojodb" # DD_DB_Name - Name of the database that DefectDojo will use
    User: "dojodbusr" # DD_DB_User - Username of the database user that DefectDojo will use
    Pass: "vee0Thoanae1daePooz0ieka" # DD_DB_Pass - Password for the database user DefectDojo will use Note: set to 24 random characters
    Host: "localhost" # DD_DB_Host - Database hostname
    Port: 5432 # DD_DB_Port - Port the database is listening on - 3306 for MySQL/MariaDB and 5432 for PostgreSQL
    Drop: false # DD_DB_Drop - Boolean to tell the installer to drop an existing DB if found

But prepInstall.go has:

		case "DD_DATABASE_ENGINE":
			conf.Settings.DatabaseEngine = v
		case "DD_DATABASE_HOST":
			conf.Settings.DatabaseHost = v
		case "DD_DATABASE_NAME":
			conf.Settings.DatabaseName = v
		case "DD_DATABASE_PASSWORD":
			conf.Settings.DatabasePassword = v
		case "DD_DATABASE_PORT":
			conf.Settings.DatabasePort = v
		case "DD_DATABASE_TYPE":
			conf.Settings.DatabaseType = v
		case "DD_DATABASE_URL":
			conf.Settings.DatabaseURL = v
		case "DD_DATABASE_USER":
			conf.Settings.DatabaseUser = v

It is causing a lot of confusion. And worse, it seems to be breaking my ability to add a variable for DD_DB_Exists so the installer will actually skip the database installation and configuration when DD_DB_Exists=true.

When I attempt to add a DD_DATABASE_EXISTS it produces a compile error:

./prepInstall.go:277:17: conf.Settings.DatabaseExists undefined (type "github.com/mtesauro/godojo/config".SettingsConfig has no field or method DatabaseExists)
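
The mismatch reported in this issue can be checked mechanically before an install. The following is an added example, not code from godojo or from the issue author: it parses the documented `[name]: [default] # [ENV] - [Description]` lines, compares each `[ENV]` name against the case labels quoted above, and lists password items that still carry the value shown in the quoted config. The names `ParseItems`, `Audit`, `DefaultSecrets`, `handledLabels` and the `normalize` renaming heuristic are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: DB block of dojoConfig.yml as quoted in the issue (descriptions shortened).
const sampleConfig = `
  DB:
    Engine: "PostgreSQL" # DD_DB_Engine - Database engine to use
    Local: true # DD_DB_Local - DB is on the same host
    Exists: false # DD_DB_Exists - DB already exists, no install needed
    Ruser: "postgres" # DD_DB_Ruser - Superuser for the database
    Rpass: "vee0Thoanae1daePooz0ieka" # DD_DB_Rpass - Password for the superuser
    Name: "dojodb" # DD_DB_Name - Name of the database
    User: "dojodbusr" # DD_DB_User - Username of the database user
    Pass: "vee0Thoanae1daePooz0ieka" # DD_DB_Pass - Password for the database user
    Host: "localhost" # DD_DB_Host - Database hostname
    Port: 5432 # DD_DB_Port - Port the database is listening on
    Drop: false # DD_DB_Drop - Drop an existing DB if found
`

// Constructed sample: the case labels quoted from prepInstall.go in the issue.
var handledLabels = []string{
	"DD_DATABASE_ENGINE", "DD_DATABASE_HOST", "DD_DATABASE_NAME", "DD_DATABASE_PASSWORD",
	"DD_DATABASE_PORT", "DD_DATABASE_TYPE", "DD_DATABASE_URL", "DD_DATABASE_USER",
}

// Password value that the quoted config carries for both Rpass and Pass.
const shippedDefault = "vee0Thoanae1daePooz0ieka"

// Item is one "[name]: [default] # [ENV] - [Description]" line.
type Item struct{ Name, Value, Env string }

var itemRe = regexp.MustCompile(`^\s*(\w+):\s*(.*?)\s+#\s*(DD_\w+)\s+-\s`)

// ParseItems extracts every documented item; lines without an [ENV] comment are skipped.
func ParseItems(cfg string) []Item {
	var items []Item
	for _, line := range strings.Split(cfg, "\n") {
		if m := itemRe.FindStringSubmatch(line); m != nil {
			items = append(items, Item{m[1], strings.Trim(m[2], `"`), m[3]})
		}
	}
	return items
}

// normalize is a heuristic (assumption): DATABASE/DB and PASSWORD/PASS count as the same word.
func normalize(s string) string {
	return strings.NewReplacer("DATABASE", "DB", "PASSWORD", "PASS").Replace(strings.ToUpper(s))
}

// Report groups documented [ENV] names by how well the handled labels match them.
type Report struct {
	Exact   []string // an identical label exists, so the documented override can work
	Renamed []string // a label exists only under the other naming scheme
	Missing []string // no label under either scheme
}

// Audit compares names exactly first (environment names are case-sensitive), then loosely.
func Audit(items []Item, labels []string) Report {
	exact, loose := map[string]bool{}, map[string]bool{}
	for _, l := range labels {
		exact[l], loose[normalize(l)] = true, true
	}
	var r Report
	for _, it := range items {
		switch {
		case exact[it.Env]:
			r.Exact = append(r.Exact, it.Env)
		case loose[normalize(it.Env)]:
			r.Renamed = append(r.Renamed, it.Env)
		default:
			r.Missing = append(r.Missing, it.Env)
		}
	}
	return r
}

// DefaultSecrets lists password items whose value is still the shipped one.
func DefaultSecrets(items []Item, shipped string) []string {
	var out []string
	for _, it := range items {
		if strings.HasSuffix(strings.ToLower(it.Name), "pass") && it.Value == shipped {
			out = append(out, it.Env)
		}
	}
	return out
}

func main() {
	items := ParseItems(sampleConfig)
	r := Audit(items, handledLabels)
	fmt.Printf("exact: %v\nrenamed: %v\nmissing: %v\n", r.Exact, r.Renamed, r.Missing)
	fmt.Println("unchanged passwords:", DefaultSecrets(items, shippedDefault))
}
```

On the quoted data no documented name has an identical label, and DD_DB_Exists falls in the group with no label under either naming scheme.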

Issues in Godojo Installation

Hi Team,
I am trying to install godojo on my Ubuntu 20.04.4.
While running the godojo installer, I am getting the error below.
Screenshot 2022-04-27 113432

The yarn package is getting installed properly via terminal, but when I am trying to call the same from dojoConfig.yml file I am getting this error.
Please guide me to resolve the same issue so that I will be able to install the godojo app.

TIA

Godojo install fails: psycopg2 missing?

Hello,
first time user here trying to install DefectDojo with godojo but get the following error:

Setting up Django for DefectDojo...(-----*----) 
##############################################################################
  ERROR: 2022/05/01 09:50:35 - Failed to run OS command cd /opt/dojo/django-DefectDojo && source ../bin/activate && python3 manage.py makemigrations dojo, error was: exit status 1
##############################################################################

...so something going wrong with Django makemigrations. The whole output can be seen below.
When I then test this manually in the defectdojo virtualenv I get the following:

root@dojoserver:/opt/godojo# cd /opt/dojo/
root@dojoserver:/opt/dojo/django-DefectDojo# source bin/activate
(dojo) root@dojoserver:/opt/dojo/django-DefectDojo# python3 manage.py makemigrations
[01/May/2022 09:53:32] INFO [dojo.models:3653] enabling audit logging
[01/May/2022 09:53:33] DEBUG [dojo.forms:2089] templates: [('', '---'), ('issue-trackers/jira_full', 'jira_full'), ('issue-trackers/jira_limited', 'jira_limited')]
Traceback (most recent call last):
  File "manage.py", line 11, in <module>
    execute_from_command_line(sys.argv)
  File "/opt/dojo/lib/python3.8/site-packages/django/core/management/__init__.py", line 401, in execute_from_command_line
    utility.execute()
  File "/opt/dojo/lib/python3.8/site-packages/django/core/management/__init__.py", line 395, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/opt/dojo/lib/python3.8/site-packages/django/core/management/base.py", line 330, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/opt/dojo/lib/python3.8/site-packages/django/core/management/base.py", line 368, in execute
    self.check()
  File "/opt/dojo/lib/python3.8/site-packages/django/core/management/base.py", line 392, in check
    all_issues = checks.run_checks(
  File "/opt/dojo/lib/python3.8/site-packages/django/core/checks/registry.py", line 70, in run_checks
    new_errors = check(app_configs=app_configs, databases=databases)
  File "/opt/dojo/lib/python3.8/site-packages/django/core/checks/urls.py", line 13, in check_url_config
    return check_resolver(resolver)
  File "/opt/dojo/lib/python3.8/site-packages/django/core/checks/urls.py", line 23, in check_resolver
    return check_method()
  File "/opt/dojo/lib/python3.8/site-packages/django/urls/resolvers.py", line 408, in check
    for pattern in self.url_patterns:
  File "/opt/dojo/lib/python3.8/site-packages/django/utils/functional.py", line 48, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/opt/dojo/lib/python3.8/site-packages/django/urls/resolvers.py", line 589, in url_patterns
    patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
  File "/opt/dojo/lib/python3.8/site-packages/django/utils/functional.py", line 48, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/opt/dojo/lib/python3.8/site-packages/django/urls/resolvers.py", line 582, in urlconf_module
    return import_module(self.urlconf_name)
  File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 848, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/opt/dojo/django-DefectDojo/dojo/urls.py", line 34, in <module>
    from dojo.product.urls import urlpatterns as prod_urls
  File "/opt/dojo/django-DefectDojo/dojo/product/urls.py", line 3, in <module>
    from dojo.product import views
  File "/opt/dojo/django-DefectDojo/dojo/product/views.py", line 37, in <module>
    from django.contrib.postgres.aggregates import StringAgg
  File "/opt/dojo/lib/python3.8/site-packages/django/contrib/postgres/aggregates/__init__.py", line 1, in <module>
    from .general import *  # NOQA
  File "/opt/dojo/lib/python3.8/site-packages/django/contrib/postgres/aggregates/general.py", line 1, in <module>
    from django.contrib.postgres.fields import ArrayField
  File "/opt/dojo/lib/python3.8/site-packages/django/contrib/postgres/fields/__init__.py", line 1, in <module>
    from .array import *  # NOQA
  File "/opt/dojo/lib/python3.8/site-packages/django/contrib/postgres/fields/array.py", line 3, in <module>
    from django.contrib.postgres import lookups
  File "/opt/dojo/lib/python3.8/site-packages/django/contrib/postgres/lookups.py", line 4, in <module>
    from .search import SearchVector, SearchVectorExact, SearchVectorField
  File "/opt/dojo/lib/python3.8/site-packages/django/contrib/postgres/search.py", line 1, in <module>
    import psycopg2
ModuleNotFoundError: No module named 'psycopg2'
(dojo) root@dojoserver:/opt/dojo/django-DefectDojo#

..so seems like psycopg2 has not been installed. It is only present in the requirements.cya file, not in the requirements.txt file:

(dojo) root@dojoserver:/opt/dojo/django-DefectDojo# ls -la requirements.*
-rw-r--r-- 1 dojo-srv dojo-srv 1644 May  1 09:49 requirements.cya
-rw-r--r-- 1 dojo-srv dojo-srv 1651 May  1 09:49 requirements.txt
(dojo) root@dojoserver:/opt/dojo/django-DefectDojo# grep psycopg2 requirements.*
requirements.cya:psycopg2-binary==2.9.1
(dojo) root@dojoserver:/opt/dojo/django-DefectDojo#

The psycopg2 is present in the defectDojo git repository requirements file:
https://github.com/DefectDojo/django-DefectDojo/blob/fef0d194ff985358be8e7ebbd4c13a02b9c5a539/requirements.txt#L34

...so what is going on here?

Complete godojo installation output:

(dojo) root@dojoserver:/opt/godojo# ./godojo
        ____       ____          __     ____          _      
       / __ \___  / __/__  _____/ /_   / __ \____    (_)___  
      / / / / _ \/ /_/ _ \/ ___/ __/  / / / / __ \  / / __ \ 
     / /_/ /  __/ __/  __/ /__/ /_   / /_/ / /_/ / / / /_/ / 
    /_____/\___/_/  \___/\___/\__/  /_____/\____/_/ /\____/  
                                               /___/         
    version  1.1.7

  Welcome to godojo, the official way to install DefectDojo on iron.
  For more information on how goDojo does an install, see:
  https://github.com/DefectDojo/godojo

==============================================================================
  Starting the dojo install at Sun May 1, 2022 10:00:46 UTC
==============================================================================


==============================================================================
  Determining OS for installation
==============================================================================

OS was determined to be Linux, Ubuntu:20.04
DefectDojo installation on this OS is supported, continuing

==============================================================================
  Bootstrapping the godojo installer
==============================================================================

Boostraping godojo installer complete

==============================================================================
  Checking for Python 3
==============================================================================

Python 3 found, install can continue

==============================================================================
  Downloading the source for DefectDojo
==============================================================================

Downloading the configured release of DefectDojo => version 2.9.1
Successfully downloaded and extracted the DefectDojo release file

==============================================================================
  Prompt set to false, non-interactive installation
==============================================================================


==============================================================================
  Installing OS packages needed for DefectDojo
==============================================================================

Installing OS packages complete

==============================================================================
  Installing database needed for DefectDojo
==============================================================================

Installing Database complete

==============================================================================
  Starting the database needed for DefectDojo
==============================================================================

Starting Database complete

==============================================================================
  Preparing the database needed for DefectDojo
==============================================================================

Validating DB connection

==============================================================================
  Preparing the OS for DefectDojo installation
==============================================================================

Preparing the OS complete

==============================================================================
  Creating settings.py for DefectDojo
==============================================================================

Creating settings.py for DefectDojo complete

==============================================================================
  Setting up Django for DefectDojo
==============================================================================

Setting up Django for DefectDojo...(----*-----) 
##############################################################################
  ERROR: 2022/05/01 10:01:45 - Failed to run OS command cd /opt/dojo/django-DefectDojo && source ../bin/activate && python3 manage.py makemigrations dojo, error was: exit status 1
##############################################################################

Unsupported OS to bootstrap in CentOS

While installing DefectDojo using Godojo, the message displays as the OS is supported, then it gives the message "Unsupported OS to bootstrap, quitting."
Please find screenshot:
image

OS : CentOS 7.9

Trying to upgrade to a more recent Defectdojo version using an old godojo version

Hello.

I am trying to upgrade my Defectdojo server, but I have faced multiple issues with Python's version.

I am currently using Defectdojo v2.19.2 and I wanted to move to v2.35.3. The 2.19.2 version was installed with no problem in Ubuntu 22.04, using Python 3.10.

Since I am using godojo for the installation, the Python version was a huge problem, but in the end I was able to solve the issues. What I have not been able to solve is that when I execute dojo-start, it uses /opt/dojo/lib/python3.10 instead of Python3.11. This behavior provokes multiple errors.

I manually ran the dojo-start commands to check out the error, here is the head:

/opt/dojo/django-DefectDojo$ C_FORCE_ROOT="true" celery -A dojo worker -l info --concurrency 3
[27/Jun/2024 21:45:05] ERROR [celery.utils.dispatch.signal:280] Signal handler <bound method DjangoFixup.on_import_modules of <celery.fixups.django.DjangoFixup object at 0x7fb680640280>> raised: TypeError("catch_warnings.__init__() got an unexpected keyword argument 'action'")
Traceback (most recent call last):
  File "/opt/dojo/lib/python3.10/site-packages/celery/utils/dispatch/signal.py", line 276, in send
    response = receiver(signal=self, sender=sender, **named)
  File "/opt/dojo/lib/python3.10/site-packages/celery/fixups/django.py", line 100, in on_import_modules
    self.worker_fixup.validate_models()
  File "/opt/dojo/lib/python3.10/site-packages/celery/fixups/django.py", line 138, in validate_models
    self.django_setup()
  File "/opt/dojo/lib/python3.10/site-packages/celery/fixups/django.py", line 134, in django_setup
    django.setup()
  File "/opt/dojo/lib/python3.10/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/opt/dojo/lib/python3.10/site-packages/django/apps/registry.py", line 116, in populate

It should be running using Python3.11. How can I replace the Python it should use?

Can't start godojo

Hello,

I tried to install godojo. First I set up my DB in dojoConfig.yml and executed the godojo script.

After this I used the script to start the service. (https://github.com/DefectDojo/godojo/tree/master/docs-and-scripts)
But it doesn't work.

So I executed the commands manually one by one, but it doesn't work.

When I tried ( python manage.py runserver 0.0.0.0:8000 ), I received the error below:

Traceback (most recent call last):
  File "manage.py", line 11, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 308, in execute
    settings.INSTALLED_APPS
  File "/usr/local/lib/python2.7/dist-packages/django/conf/__init__.py", line 56, in __getattr__
    self._setup(name)
  File "/usr/local/lib/python2.7/dist-packages/django/conf/__init__.py", line 41, in _setup
    self._wrapped = Settings(settings_module)
  File "/usr/local/lib/python2.7/dist-packages/django/conf/__init__.py", line 110, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/opt/dojo/django-DefectDojo/dojo/__init__.py", line 5, in <module>
    from .celery import app as celery_app # noqa
  File "/opt/dojo/django-DefectDojo/dojo/celery.py", line 2, in <module>
    from celery import Celery
ImportError: cannot import name Celery

Celery is already installed:

test@ip-192-168-10-21:/opt/dojo/django-DefectDojo# pip2 install celery
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Requirement already satisfied: celery in /usr/local/lib/python2.7/dist-packages (4.4.7)
Requirement already satisfied: billiard<4.0,>=3.6.3.0 in /usr/local/lib/python2.7/dist-packages (from celery) (3.6.4.0)
Requirement already satisfied: kombu<4.7,>=4.6.10 in /usr/local/lib/python2.7/dist-packages (from celery) (4.6.11)
Requirement already satisfied: pytz>dev in /usr/local/lib/python2.7/dist-packages (from celery) (2022.2.1)
Requirement already satisfied: vine==1.3.0 in /usr/local/lib/python2.7/dist-packages (from celery) (1.3.0)
Requirement already satisfied: amqp<2.7,>=2.6.0 in /usr/local/lib/python2.7/dist-packages (from kombu<4.7,>=4.6.10->celery) (2.6.1)
Requirement already satisfied: importlib-metadata>=0.18; python_version < "3.8" in /usr/local/lib/python2.7/dist-packages (from kombu<4.7,>=4.6.10->celery) (2.1.3)
Requirement already satisfied: contextlib2; python_version < "3" in /usr/local/lib/python2.7/dist-packages (from importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (0.6.0.post1)
Requirement already satisfied: pathlib2; python_version < "3" in /usr/local/lib/python2.7/dist-packages (from importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (2.3.7.post1)
Requirement already satisfied: configparser>=3.5; python_version < "3" in /usr/local/lib/python2.7/dist-packages (from importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (4.0.2)
Requirement already satisfied: zipp>=0.5 in /usr/local/lib/python2.7/dist-packages (from importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (1.2.0)
Requirement already satisfied: scandir; python_version < "3.5" in /usr/local/lib/python2.7/dist-packages (from pathlib2; python_version < "3"->importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (1.10.0)
Requirement already satisfied: typing; python_version < "3.5" in /usr/local/lib/python2.7/dist-packages (from pathlib2; python_version < "3"->importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (3.10.0.0)
Requirement already satisfied: six in /usr/local/lib/python2.7/dist-packages (from pathlib2; python_version < "3"->importlib-metadata>=0.18; python_version < "3.8"->kombu<4.7,>=4.6.10->celery) (1.16.0)

I tried installing godojo on Ubuntu 20.04.

Where am I wrong?

Installer does not honor DD_DB_Exists

It appears the installer does not honor DD_DB_Exists. According to the notes in dojoConfig.yml:

...
# Each line represents a value used by the installer in this format:
# [name]: [default] # [ENV] - [Description]
# where
# [name] is the name of the configuration item
# [default] is the default value for the configuration item
# [ENV] is the environmental variable used to override the config item at run time
# [Description] is a description of that the config item's purpose
...

  DB:
    Engine: "PostgreSQL" # DD_DB_Engine - Database engine to use ...
    Local: true # DD_DB_Local - Boolean for when DB is on the same host/server/vm (local)
    Exists: false # DD_DB_Exists - Boolean for when DB for DefectDojo already exists so no install needed

I set DD_DB_Exists=true as an envar to skip the database stuff, but the installer still tries to install PostgreSQL and configure the dojodb database (and fails):

Starting PostgreSQL database for DefectDojo...(-*--------) 
##############################################################################
  ERROR: 2022/09/01 00:41:31 - Failed to run OS command /usr/bin/postgresql-setup --initdb, error was: exit status 1
##############################################################################

Starting Database complete

==============================================================================
  Preparing the database needed for DefectDojo
==============================================================================

Checking connectivity to PostgreSQL
Validating DB connection settings

##############################################################################
  ERROR: Unable to create a new PostgreSQL database for DefectDojo
##############################################################################

When I look at the cmd-output log file:

...
[godojo] # PGPASSWORD="[~REDACTED~]" pg_isready --host=localhost --username=postgres --port=5432 
localhost:5432 - accepting connections
[godojo] # sudo -u postgres PGPASSWORD="[~REDACTED~]" psql --host=localhost --username=postgres --port=5432 --command="\l"
could not change directory to "/home/jwalton/godojo": Permission denied
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges    
-----------+----------+----------+-------------+-------------+------------------------
 dojodb    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres          +
           |          |          |             |             | postgres=CTc/postgres +
           |          |          |             |             | dojodbusr=CTc/postgres
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres           +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres           +
           |          |          |             |             | postgres=CTc/postgres
(4 rows)

[godojo] # sudo -u postgres PGPASSWORD="[~REDACTED~]" psql --host=localhost --username=postgres --port=5432 --command="CREATE DATABASE dojodb;"
could not change directory to "/home/jwalton/godojo": Permission denied
ERROR:  database "dojodb" already exists

Here's the script I am using. There's not much to it. It is able to connect to the PostgreSQL database, so db_exists=true. A set -x verified the logic and commands.

#!/usr/bin/env bash

if [[ "${EUID}" != 0 ]]; then
    echo "Please run this script as root"
    exit 1
fi

rm -rf godojo logs/* /opt/dojo/

# Test if the database exists and we can login. If so, skip database install and configuration.
if [[ -f dojoConfig.yml ]]; then
    username=$(grep 'DD_DB_Ruser' dojoConfig.yml | awk '{ print $2 }' | sed -e 's/^"//' -e 's/"$//')
    password=$(grep 'DD_DB_Rpass' dojoConfig.yml | awk '{ print $2 }' | sed -e 's/^"//' -e 's/"$//')
    hostname=$(grep 'DD_DB_Host'  dojoConfig.yml | awk '{ print $2 }' | sed -e 's/^"//' -e 's/"$//')
    database=$(grep 'DD_DB_Name'  dojoConfig.yml | awk '{ print $2 }' | sed -e 's/^"//' -e 's/"$//')

    # In case it was stopped...
    systemctl start postgresql.service 2>/dev/null

    echo "Testing connection to database \"${database}\" for user \"${username}\""

    if PGPASSWORD=${password} pg_isready -h "${hostname}" -U "${username}" -d "${database}"; then
        echo "Database is accepting connections. Skipping PostgreSQL install and configuration"
        db_exists="true"
    else
        db_exists="false"
    fi
else
    db_exists="false"
fi

if ! go build -o godojo ./*.go; then
    echo "Failed to build godojo"
    exit 1
fi

if ! systemctl stop postgresql.service; then
    echo "Unable to stop postgresql.service"
    # exit 1
fi

set -x

# Amazing... https://github.com/DefectDojo/godojo/issues/56
hard_password='vee0Thoanae1daePooz0ieka'
rand_password=$(head -c 30 /dev/urandom | base64)
# base64 output can contain '/', which would end the sed expression early, so use '|' as the delimiter
sed -i "s|${hard_password}|${rand_password}|g" dojoConfig.yml

# We don't enable Debug and Test in production
if ! DD_DEBUG=false DD_DB_Exists="${db_exists}" ./godojo; then
    echo "Failed to execute godojo. Check logs/cmd-output-NNNN.log and logs/dojo-install-NNNN.log"
    exit 1
fi

cp -p docs-and-scripts/dojo-start docs-and-scripts/dojo-stop /opt/dojo
chmod ugo+x /opt/dojo/dojo-start /opt/dojo/dojo-stop

if ! systemctl start postgresql.service; then
    echo "Failed to start postgresql.service"
    exit 1
fi

echo "DefectDojo can be started with /opt/dojo/dojo-start"

exit 0

Typo in entry point scripts - needs to be fixed upstream

Searching for the typo in the django-DefectDojo source:

$ ag "DD_DATABASE_PASsWORD"
entrypoint_scripts/common/dojo-shared-resources.sh
226:        if [ -z "$DD_DATABASE_PASsWORD" -a "$BATCH_MODE" == "yes" ]; then
230:            DD_DATABASE_PASsWORD="dojodb_install"
237:    if mysql -fs --protocol=TCP -h "$DD_DATABASE_HOST" -P "$DD_DATABASE_PORT" -u"$DD_DATABASE_USER" -p"$DD_DATABASE_PASsWORD" "$DD_DATABASE_NAME" >/dev/null 2>&1 </dev/null; then
250:            mysqladmin -f --protocol=TCP --host="$DD_DATABASE_HOST" --port="$DD_DATABASE_PORT" --user="$DD_DATABASE_USER" --password="$DD_DATABASE_PASsWORD" drop "$DD_DATABASE_NAME"
251:            mysqladmin    --protocol=TCP --host="$DD_DATABASE_HOST" --port="$DD_DATABASE_PORT" --user="$DD_DATABASE_USER" --password="$DD_DATABASE_PASsWORD" create "$DD_DATABASE_NAME"
258:        if mysqladmin --protocol=TCP --host="$DD_DATABASE_HOST" --port="$DD_DATABASE_PORT" --user="$DD_DATABASE_USER" --password="$DD_DATABASE_PASsWORD" create $DD_DATABASE_NAME; then
274:    read -p "Password for user: " $DD_DATABASE_PASsWORD; echo
278:    if [ "$( PGPASSWORD=$DD_DATABASE_PASsWORD psql -h $DD_DATABASE_HOST -p $DD_DATABASE_PORT -U $DD_DATABASE_USER -tAc "SELECT 1 FROM pg_database WHERE datname='$DD_DATABASE_NAME'" )" = '1' ]
284:            PGPASSWORD=$DD_DATABASE_PASsWORD dropdb $DD_DATABASE_NAME -h $DD_DATABASE_HOST -p $DD_DATABASE_PORT -U $DD_DATABASE_USER
285:            PGPASSWORD=$DD_DATABASE_PASsWORD createdb $DD_DATABASE_NAME -h $DD_DATABASE_HOST -p $DD_DATABASE_PORT -U $DD_DATABASE_USER
294:        PGPASSWORD=$DD_DATABASE_PASsWORD createdb $DD_DATABASE_NAME -h $DD_DATABASE_HOST -p $DD_DATABASE_PORT -U $DD_DATABASE_USER
450:        SAFE_URL=$(urlenc "$DD_DATABASE_USER")":"$(urlenc "$DD_DATABASE_PASsWORD")"@"$(urlenc "$DD_DATABASE_HOST")":"$(urlenc "$DD_DATABASE_PORT")"/"$(urlenc "$DD_DATABASE_NAME")
453:        SAFE_URL=$(urlenc "$DD_DATABASE_USER")":"$(urlenc "$DD_DATABASE_PASsWORD")"@"$(urlenc "$DD_DATABASE_HOST")":"$(urlenc "$DD_DATABASE_PORT")"/"$(urlenc "$DD_DATABASE_NAME")
543:  if [[ -z "$DD_DATABASE_PASsWORD" ]]; then
544:    DD_DATABASE_PASsWORD=`pwgen -scn $DB_ROOT_PASS_LEN 1`
546:  mysql mysql -e "UPDATE user SET authentication_string=PASSWORD('$DD_DATABASE_PASsWORD'), plugin='mysql_native_password' WHERE User='root';FLUSH PRIVILEGES;"

entrypoint_scripts/run/startup-docker.bash
44:	#DD_DATABASE_PASsWORD=`pwgen -scn $DB_ROOT_PASS_LEN 1`
45:	#entrypoint_scripts/common/setup-superuser.expect user2 "$DD_DATABASE_PASsWORD"

Should be replaced with the fully uppercased version, i.e. s/DD_DATABASE_PASsWORD/DD_DATABASE_PASSWORD/g, in those files.

Unable to login with admin credentials from dojoConfig.yml

I've got DefectDojo from the tip of Master running on Fedora 35 with Postgres. When I attempt to log in, it fails with the error "Please enter a correct username and password. Note that both fields may be case-sensitive."

I am fairly certain I am using the correct username and password:

$ cd godojo
$ grep -i -E 'USER|PASS|admin' dojoConfig.yml
 ...
 Admin:
    User: "admin" # DD_ADMIN_User - Admin user for the DefectDojo web app
    Pass: "ddadmin" # DD_ADMIN_Pass - Password for the DefectDojo web app admin user
    Email: "admin@localhost" # DD_ADMIN_Email - Email address for the web app admin user
    First: "Default" # DD_ADMIN_First - Web app admin users's first name
    Last: "Admin" # DD_ADMIN_Last - Web app admin users's last name
    Others: "" # DD_ADMIN_Others - List of additional DefectDojo web app admins
 ...

The docs don't offer much guidance. The README just says to "set a password for the initial Admin user (Install > Admin > Pass)." It appears that is completed. The web says the default username/password pair is admin/admin. The web credentials don't work, either.

There is no dojoConfig.yml in /opt/dojo. The only place it is located is in my home directory.

I'm not sure if this is related to GH #28.



Not able to install DefectDojo on Ubuntu 20.04

We are trying to install the latest version of DefectDojo with the godojo installer on Ubuntu 20.04, but we are getting this error - ERROR: 2023/02/08 20:04:53 - Failed to run OS command /opt/dojo/bin/pip3 install -r /opt/dojo/django-DefectDojo/requirements.txt, error was: exit status 1

Checking connectivity to PostgreSQL
Validating DB connection settings
Note: pg_hba.conf has not been altered by godojo.
It may need to be updated to allow DefectDojo to connect to the DB.
Please consult the PostgreSQL documentation for further information.

==============================================================================
Preparing the OS for DefectDojo installation

Preparing the OS for DefectDojo...(--*-------)
##############################################################################
ERROR: 2023/01/31 14:59:35 - Failed to run OS command /opt/dojo/bin/pip3 install -r /opt/dojo/django-DefectDojo/requirements.txt, error was: exit status 1
##############################################################################

Can someone please let us know how we can resolve this issue?

Server-only install option

Thanks for merging the PRs I opened. I'm wondering if you'd be open to me creating a PR to add a server-only install option that doesn't make any modifications to the database. Because my company has the expectation that any server can be thrown away and automatically replaced, I made the changes in a fork and added a server-only install option.

Considers Debian 11 supported but can't perform most operations

Apologies in advance if this sounds like a big rant.

I am surprised this is positioned as a one-binary-doing-everything solution, but it fails in a lot of ways for me.

  1. Debian 11 is not listed as supported, so the installer should stop. It didn't, and specifically claimed Debian 11 is supported.
  2. PostgreSQL can't be installed because it doesn't know what to install.
  3. Once installation is done, it has no directions on what's next.
  4. Found https://github.com/DefectDojo/godojo/tree/master/docs-and-scripts from the README, not even highlighted. However, once I got the code in place it fails as:
    a. screen is not installed
    b. An assumption is made about the /opt/dojo/bin/activate path, with no idea under what consideration, but it doesn't exist on the system.

This could all be because of the fact that Debian 11 is not a supported option. I am also surprised to see that Ubuntu 22.04 is also not supported. These are LTS releases; I would assume they will have better support.
I will use the shell script for setup, I assume.

Installation completed, now what?

Apologies for sounding like an idiot, but I have completed the installation successfully, now what?

How do I launch it? How do I go to the internal website? I went to localhost:8080 and nothing.

Static content doesn't load when using the default dojoConfig.yml

I tried to install DefectDojo (2.25.0) with godojo (1.2.0) in a VM (Ubuntu Mate 22.04.1). After finishing the install I used a dojo-start script to start the application, and after it loaded I noticed that static content such as images and JS files didn't load.

After checking the code and configuration I found that if I set Whitenoise to true in dojoConfig.yml and install again, the static content loads correctly.

Can I suggest that the default value of Whitenoise in dojoConfig.yml be true, to maintain all content from the app on the same host?

godojo is using hard-coded passwords rather than generating new ones

Ugh... godojo is using hard-coded passwords rather than generating new ones for each installation.

I deleted dojoConfig.yml. I dropped the dojodb database and dojodbusr user. I deleted /opt/dojo/*. Then I ran godojo again to produce a new dojoConfig.yml.

$ grep DD_DB_Rpass dojoConfig.yml 
    Rpass: "vee0Thoanae1daePooz0ieka" # DD_DB_Rpass - Password for the database superuser

That's the same password as the last installation. That's also CWE-259, Use of Hard-coded Password.

I expect to have to tell offshore teams not to use hard-coded passwords. Do we really need to tell the DefectDojo devs they should not use hard-coded passwords?
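A per-install rotation of those shipped values, as an added example that is not godojo's own code and not part of either post. It covers both this report and the sed workaround in the install script earlier on the page, and unlike that workaround it gives the database superuser and the application user different passwords. The function names, the alphabet and the embedded config excerpt (constructed in the shape of the dojoConfig.yml fragments quoted on this page) are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Letters and digits only, so a value needs no escaping inside the
// double-quoted YAML strings that dojoConfig.yml uses.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// NewPassword returns n characters drawn uniformly from alphabet using the
// operating system CSPRNG. rand.Int avoids the modulo bias of byte % 62.
func NewPassword(n int) (string, error) {
	limit := big.NewInt(int64(len(alphabet)))
	var sb strings.Builder
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// secretLine matches a Pass or Rpass key with a double-quoted value. Group 1
// is the indentation and key, group 2 the value, group 3 the trailing comment.
var secretLine = regexp.MustCompile(`^(\s*(?:Rpass|Pass):\s*")([^"]*)(".*)$`)

// RotateShipped gives every password field that is blank or still holds a
// shipped value its own fresh 24-character password. Values an operator has
// already changed are left alone. It returns the new text and the number of
// fields rewritten.
func RotateShipped(cfg string, shipped []string) (string, int, error) {
	stale := map[string]bool{"": true}
	for _, s := range shipped {
		stale[s] = true
	}
	lines := strings.Split(cfg, "\n")
	rotated := 0
	for i, line := range lines {
		m := secretLine.FindStringSubmatch(line)
		if m == nil || !stale[m[2]] {
			continue
		}
		pw, err := NewPassword(24)
		if err != nil {
			return "", 0, fmt.Errorf("generating password: %w", err)
		}
		lines[i] = m[1] + pw + m[3]
		rotated++
	}
	return strings.Join(lines, "\n"), rotated, nil
}

// sampleConfig is a constructed excerpt in the shape of the dojoConfig.yml
// fragments quoted on this page.
const sampleConfig = `  DB:
    Ruser: "postgres" # DD_DB_Ruser - Superuser for the database
    Rpass: "vee0Thoanae1daePooz0ieka" # DD_DB_Rpass - Password for the database superuser
    Name: "dojodb" # DD_DB_Name - Name of the database that DefectDojo will use
    User: "dojodbusr" # DD_DB_User - Username of the database user
    Pass: "vee0Thoanae1daePooz0ieka" # DD_DB_Pass - Password for the database user
  Admin:
    User: "admin" # DD_ADMIN_User - Admin user for the DefectDojo web app
    Pass: "ddadmin" # DD_ADMIN_Pass - Password for the DefectDojo web app admin user`

// shippedValues are the password values that appear in the configs quoted on
// this page.
var shippedValues = []string{"vee0Thoanae1daePooz0ieka", "ddadmin"}

func main() {
	out, n, err := RotateShipped(sampleConfig, shippedValues)
	if err != nil {
		panic(err)
	}
	fmt.Printf("rotated %d password fields\n%s\n", n, out)
}
```

Passwords for a database that already exists have to be changed in the database as well, otherwise the rewritten config no longer matches it.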

SQL issues

Upgrading from 2.6.2 => 2.9.0 results in a database issue, not finding some columns.
Followed the upgrade guide (https://github.com/DefectDojo/godojo/blob/master/docs-and-scripts/upgrading.md) and even did the migrate_staff_users scripts per the 2.9.0 upgrade guide (./manage.py migrate_staff_users)

This occurred while I was testing and made a change to the System Settings.

ProgrammingError at /system_settings

column "enable_finding_groups" of relation "dojo_system_settings" does not exist
LINE 1: ...ofile_editable", "enable_product_tracking_files", "enable_fi...
                                                             ^

Request Method: 	POST
Request URL: 	http://127.0.0.1:8000/system_settings
Django Version: 	3.2.12
Exception Type: 	ProgrammingError
Exception Value: 	

column "enable_finding_groups" of relation "dojo_system_settings" does not exist
LINE 1: ...ofile_editable", "enable_product_tracking_files", "enable_fi...
                                                             ^

Exception Location: 	/opt/dojo/lib/python3.8/site-packages/django/db/backends/utils.py, line 84, in _execute
Python Executable: 	/opt/dojo/bin/python
Python Version: 	3.8.10
Python Path: 	

['/opt/dojo/django-DefectDojo',
 '/opt/dojo/lib/python3.8/site-packages/git/ext/gitdb',
 '/opt/dojo/django-DefectDojo',
 '/usr/lib/python38.zip',
 '/usr/lib/python3.8',
 '/usr/lib/python3.8/lib-dynload',
 '/opt/dojo/lib/python3.8/site-packages',
 '/opt/dojo/lib/python3.8/site-packages/gitdb/ext/smmap']

godojo terminating with context canceled

When I run godojo -default, it runs to completion, but if I run it twice without arguments (once to create the config, then the run) it just terminates after "downloading the source" and the logs show:
error closing response Error was "context canceled"

This prevents me from using any release other than 2.0.3 :(

SSL not working This site can’t provide a secure connection

Hi team,

I have installed defectdojo and everything is working fine on port 8000.

Actually, I want to enable SSL and make it work on port 443.

I have imported my cert & key under /etc/ssl/

I have changed the nginx.conf with the content of nginx_TLS.conf and made the following modification

[...]
server {
server_tokens off;
listen 443 ssl;
server_name mywebsite.com;
ssl_certificate /etc/ssl/def.crt;
ssl_certificate_key /etc/ssl/def.key;
[...]

I have also modified dojo-start as follows
[...] 0.0.0.0:443

But when I run it I get the following error

image

Are there any other files I need to update to make it work?

Thanks in advance

Facing error while running Godojo

ERROR: 2022/08/25 05:16:07 - Failed to run OS command cd /opt/dojo/django-DefectDojo && source ../bin/activate && python3 manage.py makemigrations dojo, error was: exit status 1
OS : Ubuntu 20.04 LTS

Error Installing via GoDojo

image

Looking in /opt/dojo/django-DefectDojo/dojo/fixtures, the role.json file is missing?

Any thoughts? Thanks!

Unable to install DefectDojo 2.20.1

Hello.

I'm trying to install the DefectDojo 2.20.1 with the default configuration from dojoConfig.yml.
The only thing I have changed in the default file generated by godojo was these parameters:

image

I ran the godojo with the root user and with another user with sudo privileges and I always have the same error:

image

I have the PostgreSQL database up and running without problems.

PostgreSQL:
15.2

Ubuntu:
22.04.2 LTS

Thank you and have a nice day.

Unable to upgrade/install with existing database

When I attempt to upgrade DefectDojo with the godojo script, it states that it's unable to install because of existing databases. I have set the options to Exist:TRUE and DROP:FALSE.

Checking connectivity to PostgreSQL
Validating DB connection settings

##############################################################################
  ERROR: Unable to create a new PostgreSQL database for DefectDojo
##############################################################################

dojoConfig.yml

    Engine: "PostgreSQL" # DD_DB_Engine - Database engine to use (SQLite, MySQL, PostgreSQL, MariaDB) Note: CASE sEnSiTiVE!
    Local: true # DD_DB_Local - Boolean for when DB is on the same host/server/vm (local)
    Exists: true # DD_DB_Exists - Boolean for when DB for DefectDojo already exists so no install needed
    Ruser: "postgres" # DD_DB_Ruser - Superuser for the database, root for MySQL/MaraiDB & posgres for PostgreSQL. Note: this and Rpass below REQUIRED for remote and existin$
    Rpass: "vee0Thoanae1daePooz0ieka" # DD_DB_Rpass - Password for the database superuser TODO: Note: set to 24 random characters if left blank
    Name: "dojodb" # DD_DB_Name - Name of the database that DefectDojo will use
    User: "dojodbusr" # DD_DB_User - Username of the database user that DefectDojo will use
    Pass: "vee0Thoanae1daePooz0ieka" # DD_DB_Pass - Password for the database user DefectDojo will use Note: set to 24 random characters
    Host: "localhost" # DD_DB_Host - Database hostname
    Port: 5432 # DD_DB_Port - Port the database is listening on - 3306 for MySQL/MariaDB and 5432 for PostgreSQL
    Drop: false # DD_DB_Drop - Boolean to tell the installer to drop an existing DB if found

install log

INFO:    2021/11/29 15:39:05 Validating DB connection settings
TRACE:   2021/11/29 15:39:05 Postgres query: \l
TRACE:   2021/11/29 15:39:05 Entering tryCmd
TRACE:   2021/11/29 15:39:05 Non-error return from tryCmd
TRACE:   2021/11/29 15:39:05 Creating database for DefectDojo on PostgreSQL
TRACE:   2021/11/29 15:39:05 Postgres query: CREATE DATABASE dojodb;
TRACE:   2021/11/29 15:39:05 Entering tryCmd
TRACE:   2021/11/29 15:39:05 2021/11/29 15:39:05 - sudo -u postgres PGPASSWORD="[~REDACTED~]" psql --host=localhost --username=postgres --port=5432 --command="CREATE DATABASE dojodb;" errored with exit status: 1
TRACE:   2021/11/29 15:39:05 2021/11/29 15:39:05 - Command sudo -u postgres PGPASSWORD="[~REDACTED~]" psql --host=localhost --username=postgres --port=5432 --command="CREATE DATABASE dojodb;" errored with Unable to create a new PostgreSQL database for DefectDojo. Underlying error is exit status 1
TRACE:   2021/11/29 15:39:05 Error running Posgres command - CREATE DATABASE dojodb;
TRACE:   2021/11/29 15:39:05 Failed to create new database for DefectDojo to use
ERROR:   2021/11/29 15:39:05 Unable to create a new PostgreSQL database for DefectDojo

runtime-install-config.yml

install:
  admin:
    email: admin@localhost
    first: Default
    last: Admin
    others: ""
    pass: ddadmin
    user: admin
  app: dojo
  db:
    drop: false
    engine: PostgreSQL
    exists: true
    host: localhost
    local: true
    name: dojodb
    pass: vee0Thoanae1daePooz0ieka
    port: 5432
    rpass: vee0Thoanae1daePooz0ieka
    ruser: postgres
    user: dojodbusr

ERROR: Failed to run OS command, error was: exit status 1 - godojo 1.1.3

Hey what's with this error when running this latest version of godojo??

image

##############################################################################
ERROR: Failed to run OS command, error was: exit status 1
##############################################################################

Getting "The redirect URI included is not valid." when trying to login using Gitlab

I have deployed Defectdojo using Dojo and have made changes to settings.dist.py to enable GitLab Auth following this link https://defectdojo.github.io/django-DefectDojo/integrations/social-authentication/#gitlab.

However on clicking on "Login with Gitlab" I am getting the error "The redirect URI included is not valid"

The redirect_uri in the query string is using http, whereas I have configured an https redirect URL in the GitLab application.

Also, could you please tell me where I can find the DefectDojo logs so that I can investigate the issue further? I tried using '-L' in the screen command but still can't find the logs.

Node.js 12 is no longer supported

I'm running godojo from the command line. While inspecting the output of the commands log file I see this:

[godojo] # curl -sL https://rpm.nodesource.com/setup_12.x | bash - 

================================================================================
================================================================================

                              DEPRECATION WARNING                            

  Node.js 12.x is no longer actively supported!

  You will not receive security or critical stability updates for this version.
  ...

It may be wise to use the Node.js provided by the distribution instead of fetching an unsupported version. Using a distro's version should ensure updates are available and vulnerabilities are patched.

Based on some testing, it looks like https://rpm.nodesource.com/setup_18.x is available nowadays from nodesource.com.

Failed to run OS command Error

Hi, I am installing on ubuntu 20.04 using godojo. I am getting the below error.
defect-dojo version 2.18.3
godojo version 1.1.7

Checking connectivity to PostgreSQL
Validating DB connection settings
Note: pg_hba.conf has not been altered by godojo.
      It may need to be updated to allow DefectDojo to connect to the DB.
      Please consult the PostgreSQL documentation for further information.

==============================================================================
  Preparing the OS for DefectDojo installation
==============================================================================

Preparing the OS for DefectDojo...(--*-------) 
##############################################################################
  ERROR: 2023/01/31 14:59:35 - Failed to run OS command /opt/dojo/bin/pip3 install -r /opt/dojo/django-DefectDojo/requirements.txt, error was: exit status 1
##############################################################################

dojodbusr user appears to have too many privileges

When I look at the Access Privileges on my PostgreSQL database after running the installer I see this:

                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges    
-----------+----------+----------+-------------+-------------+------------------------
 dojodb    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres          +
           |          |          |             |             | postgres=CTc/postgres +
           |          |          |             |             | dojodbusr=CTc/postgres
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres           +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres           +
           |          |          |             |             | postgres=CTc/postgres
(4 rows)

Intuitively, the admin account postgres and the dojo user account dojodbusr have the same privileges. Something seems sideways.

According to PostgreSQL manual, Section 5.7. Privileges, the privileges CTc are "All Privileges" on the Database. I don't think dojodbusr should have that kind of power. Shooting from the hip, they should have rawTX, which is SELECT, INSERT, UPDATE, TRIGGER and EXECUTE on the Tables.

 Privilege  | Abbreviation | Applicable Object Types
------------+--------------+----------------------------------------------------------------------
 SELECT     | r (“read”)   | LARGE OBJECT, SEQUENCE, TABLE (and table-like objects), table column
 INSERT     | a (“append”) | TABLE, table column
 UPDATE     | w (“write”)  | LARGE OBJECT, SEQUENCE, TABLE, table column
 DELETE     | d            | TABLE
 TRUNCATE   | D            | TABLE
 REFERENCES | x            | TABLE, table column
 TRIGGER    | t            | TABLE
 CREATE     | C            | DATABASE, SCHEMA, TABLESPACE
 CONNECT    | c            | DATABASE
 TEMPORARY  | T            | DATABASE
 EXECUTE    | X            | FUNCTION, PROCEDURE
 USAGE      | U            | DOMAIN, FOREIGN DATA WRAPPER, FOREIGN SERVER, LANGUAGE, SCHEMA, SEQUENCE, TYPE
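A check for the condition reported above, as an added example that is not part of the original post and not godojo code: it decodes the "Access privileges" column of the \l listing with the abbreviations from the table and reports every grantee other than the database owner that holds database-level CREATE. The type and function names are assumptions, role names are assumed to need no quoting, and the sample is an excerpt of the listing quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// privNames maps the one-letter ACL abbreviations to privilege names.
var privNames = map[rune]string{
	'r': "SELECT", 'a': "INSERT", 'w': "UPDATE", 'd': "DELETE",
	'D': "TRUNCATE", 'x': "REFERENCES", 't': "TRIGGER", 'C': "CREATE",
	'c': "CONNECT", 'T': "TEMPORARY", 'X': "EXECUTE", 'U': "USAGE",
}

// Grant is one parsed ACL entry such as "dojodbusr=CTc/postgres".
type Grant struct {
	Grantee    string // "PUBLIC" when the grantee field is empty
	Privileges []string
}

// ParseACLItem parses "grantee=letters/grantor". It assumes role names that
// need no quoting; '*' (grant option) is accepted and skipped.
func ParseACLItem(item string) (Grant, error) {
	eq, slash := strings.Index(item, "="), strings.LastIndex(item, "/")
	if eq < 0 || slash < eq {
		return Grant{}, fmt.Errorf("malformed ACL entry %q", item)
	}
	g := Grant{Grantee: item[:eq]}
	if g.Grantee == "" {
		g.Grantee = "PUBLIC"
	}
	for _, ch := range item[eq+1 : slash] {
		if ch == '*' {
			continue
		}
		name, ok := privNames[ch]
		if !ok {
			return Grant{}, fmt.Errorf("unknown privilege %q in %q", ch, item)
		}
		g.Privileges = append(g.Privileges, name)
	}
	return g, nil
}

// Finding is a role that holds CREATE on a database it does not own.
type Finding struct {
	Database, Role string
	Privileges     []string
}

// AuditDatabaseList reads the aligned table printed by psql's \l and reports
// every grantee other than the database owner, PUBLIC included, that holds
// database-level CREATE. Wrapped ACL rows inherit the previous name and owner.
func AuditDatabaseList(out string) ([]Finding, error) {
	var findings []Finding
	var db, owner string
	for _, line := range strings.Split(out, "\n") {
		cols := strings.Split(line, "|")
		name := strings.TrimSpace(cols[0])
		if len(cols) < 6 || name == "Name" {
			continue // title, header, separator, footer, blank lines
		}
		if name != "" {
			db, owner = name, strings.TrimSpace(cols[1])
		}
		acl := strings.TrimSpace(cols[len(cols)-1])           // ACL is the last column
		acl = strings.TrimSpace(strings.TrimSuffix(acl, "+")) // '+' marks a wrapped cell
		if acl == "" {
			continue
		}
		g, err := ParseACLItem(acl)
		if err != nil {
			return nil, err
		}
		for _, p := range g.Privileges {
			if p == "CREATE" && g.Grantee != owner {
				findings = append(findings, Finding{db, g.Grantee, g.Privileges})
			}
		}
	}
	return findings, nil
}

// sampleList is an excerpt of the \l output quoted in the issue.
const sampleList = `
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
 dojodb    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres          +
           |          |          |             |             | postgres=CTc/postgres +
           |          |          |             |             | dojodbusr=CTc/postgres
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
`

func main() {
	findings, err := AuditDatabaseList(sampleList)
	fmt.Printf("%+v %v\n", findings, err)
}
```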

Unable to login if using any version >2.0.3

If I install using godojo any version other than v2.0.3, it results in my password for my admin user being unable to login.

System: Ubuntu 18 LTS and 20 LTS
PostgreSQL 14 (I have also tried 10-13)

dojoConfig.yml

  Version: "2.1.0" # DD_Version - Release version of DefectDojo from Github Releases
  SourceInstall: false # DD_SourceInstall - Boolean if a source install is desired (vs a release)
  # If ^ is true, a souce code install will occur overriding the release version provided
  SourceBranch: "release" # DD_SourceBranch - The branch's HEAD to be checked out if SourceInstall is true
    User: "issmonitor" # DD_ADMIN_User - Admin user for the DefectDojo web app
    Pass: "J**********************$" # DD_ADMIN_Pass - Password for the DefectDojo web app admin user Note: set to 24 random characters
    Email: "admin@localhost" # DD_ADMIN_Email - Email address for the web app admin user
    First: "Default" # DD_ADMIN_First - Web app admin users's first name
    Last: "Admin" # DD_ADMIN_Last - Web app admin users's last name
    Others: "" # DD_ADMIN_Others - List of additional DefectDojo web app admins e.g. username1:pass1,username2:pass2


Database shows my username is correct and in the database


runtime-install-config.yml shows my information matches what I put into my dojoConfig.yml


How to persist DefectDojo installation with godojo

Hello!
I installed DefectDojo with godojo from a DockerFile. The problem is that if I stop the container and then start it again, everything that was installed with godojo is lost.
I'm using Podman Desktop. How can I persist the installation?

This is my DockerFile where I download an Ubuntu image and inside it I install DefectDojo with godojo.

# Download Ubuntu 22.04
FROM ubuntu:22.04

# Update and install packages
RUN apt update
RUN apt install wget unzip build-essential net-tools gawk bison screen systemd nano iputils-ping curl -y

# Downloading and unpacking godojo installer
WORKDIR /opt
RUN wget -c https://github.com/DefectDojo/godojo/releases/download/1.2.1/godojo-v1.2.1_standard.zip -O godojo-v1.2.1_standard.zip
RUN unzip godojo-v1.2.1_standard.zip

# Download scripts to start and stop defectdojo
# https://github.com/DefectDojo/godojo/tree/master/docs-and-scripts
WORKDIR /opt/standard
RUN wget -c https://raw.githubusercontent.com/DefectDojo/godojo/master/docs-and-scripts/dojo-start
RUN wget -c https://raw.githubusercontent.com/DefectDojo/godojo/master/docs-and-scripts/dojo-stop

# Giving permission to run
RUN chmod +x dojo-start
RUN chmod +x dojo-stop
RUN chmod +x godojo

# Copy env.prod file to image
COPY env.prod /opt/dojo/django-DefectDojo/dojo/settings/.env.prod

# Running godojo installer to generate a default dojoConfig.yml file
RUN ./godojo

Thanks!

A fresh install includes Debug and Test gear

I've got DefectDojo from the tip of Master running on Fedora 35 with Postgres. When I look at the installed warez I see a lot of debug and test gear. I don't think the debug and testing gear should be present after an install since it increases attack surface. It also takes time when trying to audit an installation. Finally, it adds to the backup and restore times.

And to be clear... prior to installation, you should run the tests. Once tested, you install the production stuff only (or delete the test gear).

It looks like there's about 2500 questionable files:

# cd /opt/dojo
# find . -iname '*test*' | wc -l
2556

And:

# cd /opt/dojo
# find . -iname '*test*'
./django-DefectDojo/.github/workflows/integration-tests.yml
./django-DefectDojo/.github/workflows/k8s-testing.yml
./django-DefectDojo/.github/workflows/test-helm-chart.yml
./django-DefectDojo/.github/workflows/unit-tests.yml
./django-DefectDojo/Dockerfile.integration-tests
./django-DefectDojo/components/node_modules/ast-transform/node_modules/esutils/test
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/build/test-prefix.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/build/test-suffix.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-api.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-array-set.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-base64-vlq.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-base64.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-binary-search.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-dog-fooding.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-source-map-consumer.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-source-map-generator.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-source-node.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/source-map/test-util.js
./django-DefectDojo/components/node_modules/ast-transform/node_modules/source-map/test/run-tests.js
...

And my apologies if I missed a setting in dojoConfig.yml. I don't recall seeing one for the installation type (debug vs release or production). godojo -help does say the following, but I did not use the -dev option:

  -dev
        OPTIONAL - Do an dev install with fixed values especially for testing
                   Must be used alone and without other arguments

I also see what may be test gear in the database. I am not sure if these are false positives. Given that there are tables like dojo_engagement_files and dojo_engagement_notes, it looks like the other ones, like dojo_test_files and dojo_test_notes, could be superfluous.

$ PGPASSWORD=XXXXXXXX psql -h localhost -U postgres dojodb
psql (13.4)

dojodb=# \dt
                           List of relations
 Schema |                   Name                    | Type  |   Owner   
--------+-------------------------------------------+-------+-----------
 public | auditlog_logentry                         | table | dojodbusr
 public | auth_group                                | table | dojodbusr
 public | auth_group_permissions                    | table | dojodbusr
 public | auth_permission                           | table | dojodbusr
 public | auth_user                                 | table | dojodbusr
 public | auth_user_groups                          | table | dojodbusr
 public | auth_user_user_permissions                | table | dojodbusr
 public | authtoken_token                           | table | dojodbusr
 public | django_admin_log                          | table | dojodbusr
 public | django_celery_results_chordcounter        | table | dojodbusr
 public | django_celery_results_groupresult         | table | dojodbusr
 public | django_celery_results_taskresult          | table | dojodbusr
 public | django_content_type                       | table | dojodbusr
 public | django_migrations                         | table | dojodbusr
 public | django_session                            | table | dojodbusr
 public | django_site                               | table | dojodbusr
 public | dojo_alerts                               | table | dojodbusr
 public | dojo_answer                               | table | dojodbusr
 public | dojo_answered_survey                      | table | dojodbusr
 public | dojo_app_analysis                         | table | dojodbusr
 public | dojo_app_analysis_tags                    | table | dojodbusr
 public | dojo_bannerconf                           | table | dojodbusr
 public | dojo_benchmark_category                   | table | dojodbusr
 public | dojo_benchmark_product                    | table | dojodbusr
 public | dojo_benchmark_product_notes              | table | dojodbusr
 public | dojo_benchmark_product_summary            | table | dojodbusr
 public | dojo_benchmark_requirement                | table | dojodbusr
 public | dojo_benchmark_requirement_cwe_mapping    | table | dojodbusr
 public | dojo_benchmark_requirement_testing_guide  | table | dojodbusr
 public | dojo_benchmark_type                       | table | dojodbusr
 public | dojo_burprawrequestresponse               | table | dojodbusr
 public | dojo_check_list                           | table | dojodbusr
 public | dojo_check_list_auth_issues               | table | dojodbusr
 public | dojo_check_list_author_issues             | table | dojodbusr
 public | dojo_check_list_config_issues             | table | dojodbusr
 public | dojo_check_list_crypto_issues             | table | dojodbusr
 public | dojo_check_list_data_issues               | table | dojodbusr
 public | dojo_check_list_other_issues              | table | dojodbusr
 public | dojo_check_list_sensitive_issues          | table | dojodbusr
 public | dojo_check_list_session_issues            | table | dojodbusr
 public | dojo_child_rule                           | table | dojodbusr
 public | dojo_choice                               | table | dojodbusr
 public | dojo_choiceanswer                         | table | dojodbusr
 public | dojo_choiceanswer_answer                  | table | dojodbusr
 public | dojo_choicequestion                       | table | dojodbusr
 public | dojo_choicequestion_choices               | table | dojodbusr
 public | dojo_cobaltio_product                     | table | dojodbusr
 public | dojo_contact                              | table | dojodbusr
 public | dojo_cred_mapping                         | table | dojodbusr
 public | dojo_cred_user                            | table | dojodbusr
 public | dojo_cred_user_notes                      | table | dojodbusr
 public | dojo_cwe                                  | table | dojodbusr
 public | dojo_development_environment              | table | dojodbusr
 public | dojo_dojo_group                           | table | dojodbusr
 public | dojo_dojo_group_member                    | table | dojodbusr
 public | dojo_dojometa                             | table | dojodbusr
 public | dojo_endpoint                             | table | dojodbusr
 public | dojo_endpoint_endpoint_params             | table | dojodbusr
 public | dojo_endpoint_endpoint_status             | table | dojodbusr
 public | dojo_endpoint_params                      | table | dojodbusr
 public | dojo_endpoint_status                      | table | dojodbusr
 public | dojo_endpoint_tags                        | table | dojodbusr
 public | dojo_engagement                           | table | dojodbusr
 public | dojo_engagement_files                     | table | dojodbusr
 public | dojo_engagement_notes                     | table | dojodbusr
 public | dojo_engagement_presets                   | table | dojodbusr
 public | dojo_engagement_presets_network_locations | table | dojodbusr
 public | dojo_engagement_presets_test_type         | table | dojodbusr
 public | dojo_engagement_risk_acceptance           | table | dojodbusr
 public | dojo_engagement_survey                    | table | dojodbusr
 public | dojo_engagement_survey_questions          | table | dojodbusr
 public | dojo_engagement_tags                      | table | dojodbusr
 public | dojo_fieldrule                            | table | dojodbusr
 public | dojo_fileaccesstoken                      | table | dojodbusr
 public | dojo_fileupload                           | table | dojodbusr
 public | dojo_finding                              | table | dojodbusr
 public | dojo_finding_endpoint_status              | table | dojodbusr
 public | dojo_finding_endpoints                    | table | dojodbusr
 public | dojo_finding_files                        | table | dojodbusr
 public | dojo_finding_found_by                     | table | dojodbusr
 public | dojo_finding_group                        | table | dojodbusr
 public | dojo_finding_group_findings               | table | dojodbusr
 public | dojo_finding_notes                        | table | dojodbusr
 public | dojo_finding_reviewers                    | table | dojodbusr
 public | dojo_finding_tags                         | table | dojodbusr
 public | dojo_finding_template                     | table | dojodbusr
 public | dojo_finding_template_tags                | table | dojodbusr
 public | dojo_general_survey                       | table | dojodbusr
 public | dojo_github_clone                         | table | dojodbusr
 public | dojo_github_conf                          | table | dojodbusr
 public | dojo_github_details_cache                 | table | dojodbusr
 public | dojo_github_issue                         | table | dojodbusr
 public | dojo_github_pkey                          | table | dojodbusr
 public | dojo_global_role                          | table | dojodbusr
 public | dojo_jira_instance                        | table | dojodbusr
 public | dojo_jira_issue                           | table | dojodbusr
 public | dojo_jira_project                         | table | dojodbusr
 public | dojo_language_type                        | table | dojodbusr
 public | dojo_languages                            | table | dojodbusr
 public | dojo_network_locations                    | table | dojodbusr
 public | dojo_note_type                            | table | dojodbusr
 public | dojo_notehistory                          | table | dojodbusr
 public | dojo_notes                                | table | dojodbusr
 public | dojo_notes_history                        | table | dojodbusr
 public | dojo_notifications                        | table | dojodbusr
 public | dojo_objects_engagement                   | table | dojodbusr
 public | dojo_objects_product                      | table | dojodbusr
 public | dojo_objects_product_tags                 | table | dojodbusr
 public | dojo_objects_review                       | table | dojodbusr
 public | dojo_product                              | table | dojodbusr
 public | dojo_product_api_scan_configuration       | table | dojodbusr
 public | dojo_product_authorized_users             | table | dojodbusr
 public | dojo_product_group                        | table | dojodbusr
 public | dojo_product_line                         | table | dojodbusr
 public | dojo_product_member                       | table | dojodbusr
 public | dojo_product_regulations                  | table | dojodbusr
 public | dojo_product_tags                         | table | dojodbusr
 public | dojo_product_type                         | table | dojodbusr
 public | dojo_product_type_authorized_users        | table | dojodbusr
 public | dojo_product_type_group                   | table | dojodbusr
 public | dojo_product_type_member                  | table | dojodbusr
 public | dojo_question                             | table | dojodbusr
 public | dojo_regulation                           | table | dojodbusr
 public | dojo_report_type                          | table | dojodbusr
 public | dojo_risk_acceptance                      | table | dojodbusr
 public | dojo_risk_acceptance_accepted_findings    | table | dojodbusr
 public | dojo_risk_acceptance_notes                | table | dojodbusr
 public | dojo_role                                 | table | dojodbusr
 public | dojo_rule                                 | table | dojodbusr
 public | dojo_rule_child_rules                     | table | dojodbusr
 public | dojo_sonarqube_issue                      | table | dojodbusr
 public | dojo_sonarqube_issue_transition           | table | dojodbusr
 public | dojo_sonarqube_product                    | table | dojodbusr
 public | dojo_stub_finding                         | table | dojodbusr
 public | dojo_system_settings                      | table | dojodbusr
 public | dojo_tagulous_app_analysis_tags           | table | dojodbusr
 public | dojo_tagulous_endpoint_tags               | table | dojodbusr
 public | dojo_tagulous_engagement_tags             | table | dojodbusr
 public | dojo_tagulous_finding_tags                | table | dojodbusr
 public | dojo_tagulous_finding_template_tags       | table | dojodbusr
 public | dojo_tagulous_objects_product_tags        | table | dojodbusr
 public | dojo_tagulous_product_tags                | table | dojodbusr
 public | dojo_tagulous_test_tags                   | table | dojodbusr
 public | dojo_test                                 | table | dojodbusr
 public | dojo_test_files                           | table | dojodbusr
 public | dojo_test_import                          | table | dojodbusr
 public | dojo_test_import_finding_action           | table | dojodbusr
 public | dojo_test_notes                           | table | dojodbusr
 public | dojo_test_tags                            | table | dojodbusr
 public | dojo_test_type                            | table | dojodbusr
 public | dojo_testing_guide                        | table | dojodbusr
 public | dojo_testing_guide_category               | table | dojodbusr
 public | dojo_textanswer                           | table | dojodbusr
 public | dojo_textquestion                         | table | dojodbusr
 public | dojo_tool_configuration                   | table | dojodbusr
 public | dojo_tool_product_history                 | table | dojodbusr
 public | dojo_tool_product_settings                | table | dojodbusr
 public | dojo_tool_product_settings_notes          | table | dojodbusr
 public | dojo_tool_type                            | table | dojodbusr
 public | dojo_usercontactinfo                      | table | dojodbusr
 public | social_auth_association                   | table | dojodbusr
 public | social_auth_code                          | table | dojodbusr
 public | social_auth_nonce                         | table | dojodbusr
 public | social_auth_partial                       | table | dojodbusr
 public | social_auth_usersocialauth                | table | dojodbusr
 public | tagging_tag                               | table | dojodbusr
 public | tagging_taggeditem                        | table | dojodbusr
 public | watson_searchentry                        | table | dojodbusr
(168 rows)

We are also trying to install the latest version of Dojo with the Godojo installer on Ubuntu, but we are getting the same error - ERROR: 2023/02/08 20:04:53 - Failed to run OS command /opt/dojo/bin/pip3 install -r /opt/dojo/django-DefectDojo/requirements.txt, error was: exit status 1

Can someone please help here or provide guidance so we can resolve this issue?

Originally posted by @apeksha2528 in #60 (comment)
