fix(exit in bash): Fix handling exit in initializer

[kiblik]

The original exit (e.g. from #9002) worked correctly in sh.
However, by adding shellcheck, #9147 changed sh to bash which handles these situations differently.
Linter introduced an error that nobody noticed.
Issue discovered during investigation of #10490

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are part of the entrypoint-initializer.sh script used in a Docker environment for the DefectDojo application. This script is responsible for initializing and configuring the application during the startup process. The key changes include setting the set -e flag to handle errors effectively, loading external scripts for sensitive operations, initializing test types and permissions, creating an announcement banner, loading additional settings, managing audit log settings, creating an admin user with a random password, generating a JIRA webhook secret, and loading fixtures and installing the Watson search index.

From a security perspective, these changes appear to be focused on ensuring the application is properly configured and secured. The script handles several security-related tasks, such as managing permissions, audit logging, and user credentials. However, it's important to review the external scripts and additional settings files to ensure that they do not introduce any security vulnerabilities, such as improper handling of sensitive information or the introduction of potential attack vectors.

Files Changed:

• docker/entrypoint-initializer.sh: This script is responsible for initializing and configuring the DefectDojo application in a Docker environment. The key changes include:
  • Setting the set -e flag to handle errors effectively
  • Loading external scripts for sensitive operations
  • Initializing test types and permissions
  • Creating an announcement banner
  • Loading additional settings
  • Checking and setting audit log settings
  • Creating an admin user with a random password
  • Generating a JIRA webhook secret
  • Loading fixtures and installing the Watson search index

Powered by DryRun Security

[dryrunsecurity]

DryRun Security Summary

The provided code changes focus on improving the initialization and setup process of the DefectDojo application, with a strong emphasis on security-related aspects, including error handling, database initialization, admin user creation, JIRA webhook secret management, fixtures loading, Watson search index installation, and announcement banner creation.

Expand for full summary

Summary:

The provided code changes are focused on improving the initialization and setup process of the DefectDojo application, with a strong emphasis on security-related aspects. The changes include improvements to error handling, database initialization, admin user creation, JIRA webhook secret management, fixtures loading, Watson search index installation, and announcement banner creation. These changes are generally positive from an application security perspective, as they help to ensure a more secure and reliable deployment of the application.

The key security-related improvements include the implementation of immediate script exit on command failures, secure generation of admin user passwords and JIRA webhook secrets, and proper handling of database migrations and application settings. Additionally, the script ensures the consistent loading of various fixtures and the proper installation of the Watson search index, which are crucial for the overall security and functionality of the application.

Files Changed:

• docker/entrypoint-initializer.sh: This file is responsible for initializing the DefectDojo application during the container startup process. The changes include:
  1. Improved error handling with set -e to ensure the script exits immediately on command failures.
  2. Database initialization checks, including database migration and enable_auditlog setting consistency.
  3. Secure creation of admin user with randomly generated password.
  4. Generation of a random JIRA webhook secret and setting it in the system settings.
  5. Proper loading of various fixtures, including system settings, initial banner configuration, product types, and test types.
  6. Installation of the Watson search index, which is a crucial component for the application's search functionality.
  7. Creation of an announcement banner to inform users about cloud and on-premise subscriptions.

Overall, these changes demonstrate a strong focus on improving the security and reliability of the DefectDojo application's initialization and setup process.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[Maffooch]

It looks like there has not been any activity here for a while. In order to keep the list of pull requests in a manageable state, we are closing this one for now. If we are making a mistake here, please reopen the pull request, and leave us a note 😄