Merge remote-tracking branch 'origin/main' into 1933-elixir-security-importer-package-first

Author: michaelehab

Makefile

@@ -29,6 +29,7 @@ ACTIVATE?=. ${VENV}/bin/activate;
 VIRTUALENV_PYZ=etc/thirdparty/virtualenv.pyz
 # Do not depend on Python to generate the SECRET_KEY
 GET_SECRET_KEY=`base64 /dev/urandom | head -c50`
+GET_ALTCHA_HMAC_KEY=`head -c 32 /dev/urandom | xxd -p -c 32`
 # Customize with `$ make envfile ENV_FILE=/etc/vulnerablecode/.env`
 ENV_FILE=.env
 # Customize with `$ make postgres VULNERABLECODE_DB_PASSWORD=YOUR_PASSWORD`
@@ -63,6 +64,7 @@ envfile:
 	@if test -f ${ENV_FILE}; then echo ".env file exists already"; exit 1; fi
 	@mkdir -p $(shell dirname ${ENV_FILE}) && touch ${ENV_FILE}
 	@echo SECRET_KEY=\"${GET_SECRET_KEY}\" > ${ENV_FILE}
+	@echo ALTCHA_HMAC_KEY=\"${GET_ALTCHA_HMAC_KEY}\" >> ${ENV_FILE}
 
 isort:
 	@echo "-> Apply isort changes to ensure proper imports ordering"

vulnerabilities/forms.py

@@ -46,11 +46,7 @@ class AdvisorySearchForm(forms.Form):
 class ApiUserCreationForm(forms.ModelForm):
     """Support a simplified creation for API-only users directly from the UI."""
 
-    captcha = AltchaField(
-        floating=True,
-        hidefooter=True,
-        hidelogo=True,
-    )
+    captcha = AltchaField(floating=True, hidefooter=True)
 
     class Meta:
         model = ApiUser
@@ -66,18 +62,15 @@ def __init__(self, *args, **kwargs):
         first_name_field = self.fields["first_name"]
         last_name_field = self.fields["last_name"]
         email_field.required = True
-        email_field.label = "Email"
         email_field.widget.attrs["class"] = "input"
-        email_field.widget.attrs["style"] = "width: 50%"
-        email_field.widget.attrs["placeholder"] = "[email protected]"
-        first_name_field.label = "First Name"
+        email_field.widget.attrs["placeholder"] = "Email"
         first_name_field.widget.attrs["class"] = "input"
-        first_name_field.widget.attrs["style"] = "width: 50%"
-        first_name_field.widget.attrs["placeholder"] = "Jon"
-        last_name_field.label = "Last Name"
+        first_name_field.widget.attrs["placeholder"] = "First Name"
         last_name_field.widget.attrs["class"] = "input"
-        last_name_field.widget.attrs["style"] = "width: 50%"
-        last_name_field.widget.attrs["placeholder"] = "Doe"
+        last_name_field.widget.attrs["placeholder"] = "Last Name"
+        email_field.label = ""
+        first_name_field.label = ""
+        last_name_field.label = ""
 
     def save(self, commit=True):
         return ApiUser.objects.create_api_user(
@@ -109,8 +102,4 @@ class PipelineSchedulePackageForm(forms.Form):
 
 
 class AdminLoginForm(AdminAuthenticationForm):
-    captcha = AltchaField(
-        floating=True,
-        hidefooter=True,
-        hidelogo=True,
-    )
+    captcha = AltchaField(floating=True, hidefooter=True)

vulnerabilities/migrations/0098_alter_advisory_options_alter_advisoryalias_options_and_more.py

@@ -0,0 +1,50 @@
+# Generated by Django 4.2.22 on 2025-07-04 09:30
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0097_alter_advisoryv2_advisory_id_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="advisory",
+            options={
+                "ordering": ["date_published", "unique_content_id"],
+                "verbose_name_plural": "Advisories",
+            },
+        ),
+        migrations.AlterModelOptions(
+            name="advisoryalias",
+            options={"ordering": ["alias"], "verbose_name_plural": "Advisory aliases"},
+        ),
+        migrations.AlterModelOptions(
+            name="advisoryseverity",
+            options={
+                "ordering": ["url", "scoring_system", "value"],
+                "verbose_name_plural": "Advisory severities",
+            },
+        ),
+        migrations.AlterModelOptions(
+            name="advisoryweakness",
+            options={"verbose_name_plural": "Advisory weaknesses"},
+        ),
+        migrations.AlterModelOptions(
+            name="alias",
+            options={"ordering": ["alias"], "verbose_name_plural": "Aliases"},
+        ),
+        migrations.AlterModelOptions(
+            name="vulnerabilityseverity",
+            options={
+                "ordering": ["url", "scoring_system", "value"],
+                "verbose_name_plural": "Vulnerability severities",
+            },
+        ),
+        migrations.AlterModelOptions(
+            name="weakness",
+            options={"verbose_name_plural": "Weaknesses"},
+        ),
+    ]

vulnerabilities/models.py

@@ -210,6 +210,7 @@ class VulnerabilitySeverity(models.Model):
     objects = BaseQuerySet.as_manager()
 
     class Meta:
+        verbose_name_plural = "Vulnerability severities"
         ordering = ["url", "scoring_system", "value"]
 
 
@@ -534,6 +535,9 @@ class Weakness(models.Model):
 
     cwe_by_id = {}
 
+    class Meta:
+        verbose_name_plural = "Weaknesses"
+
     def get_cwe(self, cwe_id):
         if not self.cwe_by_id:
             db = Database()
@@ -1310,6 +1314,7 @@ class Alias(models.Model):
     objects = AliasQuerySet.as_manager()
 
     class Meta:
+        verbose_name_plural = "Aliases"
         ordering = ["alias"]
 
     def __str__(self):
@@ -1414,6 +1419,7 @@ class Advisory(models.Model):
     objects = AdvisoryQuerySet.as_manager()
 
     class Meta:
+        verbose_name_plural = "Advisories"
         ordering = ["date_published", "unique_content_id"]
 
     def save(self, *args, **kwargs):
@@ -2523,6 +2529,7 @@ class AdvisorySeverity(models.Model):
     objects = BaseQuerySet.as_manager()
 
     class Meta:
+        verbose_name_plural = "Advisory severities"
         ordering = ["url", "scoring_system", "value"]
 
 
@@ -2535,6 +2542,9 @@ class AdvisoryWeakness(models.Model):
 
     cwe_by_id = {}
 
+    class Meta:
+        verbose_name_plural = "Advisory weaknesses"
+
     def get_cwe(self, cwe_id):
         if not self.cwe_by_id:
             db = Database()
@@ -2627,6 +2637,7 @@ class AdvisoryAlias(models.Model):
     )
 
     class Meta:
+        verbose_name_plural = "Advisory aliases"
         ordering = ["alias"]
 
     def __str__(self):

vulnerabilities/templates/api_user_creation_form.html

@@ -4,6 +4,8 @@
 VulnerableCode API key request
 {% endblock %}
 
+
+
 {% block content %}
     <section class="section pt-0">
         {% for message in messages %}
@@ -44,31 +46,15 @@ <h1 class="title is-4">VulnerableCode API Key Request</h1>
 
     <br/>
       <div class="columns is-centered">
-        <div class="column is-half">
+        <div class="column is-one-third">
           <form method = "post">
               {% csrf_token %}
-              <div class="field">
-                <div class="control">
-                  <input class="input" placeholder="Email" type="email" name="email" id="{{form.email.id_for_label}}"
-                  autofocus required >
-                </div>
-              </div>
-              <div class="field">
-                <div class="control">
-                  <input class="input" placeholder="First Name" type="text" name="first_name" id="{{form.first_name.id_for_label}}"
-                  autofocus required>
-                </div>
-              </div>
-              <div class="field">
-                <div class="control">
-                  <input class="input" placeholder="Last Name" type="text" name="last_name" id="{{form.last_name.id_for_label}}"
-                  autofocus required>
-                </div>
-              </div>
-              <div class="field">
-                {{ form.captcha }}
-              </div>
-              <input class="button is-link mt-5" type="submit" value="Request my API Key">
+                  {% for field in form %}
+                      <p class="mb-4">
+                          {{ field }}
+                      </p>
+                  {% endfor %}
+              <input class="button is-link mt-2" type="submit" value="Request my API Key">
           </form>
         </div>
       </div>

vulnerablecode/settings.py

@@ -38,6 +38,10 @@
 
 CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[])
 
+# Altcha 32-byte hexadecimal key
+
+ALTCHA_HMAC_KEY = env.str("ALTCHA_HMAC_KEY")
+
 # SECURITY WARNING: do not run with debug turned on in production
 DEBUG = env.bool("VULNERABLECODE_DEBUG", default=False)