Create stackhawk-analysis.yml

.github/workflows/stackhawk-analysis.yml

@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+#           🦅 STACKHAWK        https://stackhawk.com
+
+# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your
+# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with
+# StackHawk quickly.
+
+# To use this workflow, you must:
+#
+# 1.  Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and
+#     create your first app and configuration file at https://app.stackhawk.com.
+#
+# 2.  Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY.
+#
+# 3.  Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory.
+#
+# 4.  Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option
+#     (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan
+#     produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42
+#     and trigger a Code Scanning alert with a link to your scan results.
+#
+# 5.  Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to
+#     start your service so that it can be scanned with the "Run HawkScan" step.
+
+
+name: "StackHawk"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '27 14 * * 1'
+
+jobs:
+  stackhawk:
+    name: StackHawk
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Start your service
+        run: ./your-service.sh &                  # ✏️ Update this to run your own service to be scanned
+
+      - name: Run HawkScan
+        uses: stackhawk/hawkscan-action@4c3258cd62248dac6d9fe91dd8d45928c697dee0
+        continue-on-error: true                   # ✏️ Set to false to break your build on scan errors
+        with:
+          apiKey: ${{ secrets.HAWK_API_KEY }}
+          codeScanningAlerts: true
+          githubToken: ${{ github.token }}

.gitlab-ci.yml

@@ -1,5 +1,12 @@
 variables:
-  SAST_EXCLUDED_ANALYZERS: "brakeman,kubesec,mobsf,nodejs-scan,pmd-apex,security-code-scan,sobelow,spotbugs"
+  SAST_EXCLUDED_ANALYZERS: "brakeman,eslint,flawfinder,kubesec,mobsf,nodejs-scan,pmd-apex,security-code-scan,sobelow,spotbugs"
+  SECURE_LOG_LEVEL: debug
+  SAST_EXCLUDED_PATHS: "html,tests,localhost,gitlab"
+  SAST_FLAWFINDER_LEVEL: 5
+
+semgrep-sast:
+  variables:
+    SAST_ANALYZER_IMAGE_TAG: "2.13.1"
 
 stages:
   - visual_pre
@@ -16,6 +23,17 @@ include:
   - template: SAST.gitlab-ci.yml
   - template: License-Scanning.gitlab-ci.yml
 
+.db_config: &mysql_db
+  services:
+    - name: mysql
+      command: ["--default-authentication-plugin=mysql_native_password"]
+      alias: sqlserver
+
+.db_config: &maria_db
+  services:
+    - name: mariadb
+      alias: sqlserver
+
 .retry_config: &retry_job
   retry:
     max: 0 #Max is 2, set when gitlab is flacky
@@ -49,9 +67,36 @@ include:
   timeout: 30m
 # Due to the retry this will be worst case 3*timeout before the job fails
 
+.unit_job_template: &unit_job
+  stage: unit
+  image: domjudge/gitlabci:2.1
+  # Disabled for now as it drastically speeds up running unit tests and we don't use it yet
+  # before_script:
+  #   - apt-get update -yqq
+  #   - apt-get install php-xdebug -yqq
+  variables:
+    MYSQL_ROOT_PASSWORD: password
+    MARIADB_PORT_3306_TCP_ADDR: sqlserver
+  script:
+    - ./gitlab/unit-tests.sh
+  artifacts:
+    when: always
+    paths:
+      - unit-tests.xml
+      - coverage-html
+      - deprecation.txt
+    reports:
+      junit:
+        - unit-tests.xml
+  cache:
+    key: unit-tests
+    paths:
+      - lib/vendor/
+
 webstandard_check_role:
   <<: *matrix_retry_job
   <<: *short_job
+  <<: *maria_db
   parallel:
     matrix:
       - ROLE: public
@@ -64,8 +109,6 @@ webstandard_check_role:
         TEST: [w3cval]
   stage: accessibility
   image: domjudge/gitlabci:2.1
-  services:
-    - mariadb
   variables:
     MYSQL_ROOT_PASSWORD: password
   script:
@@ -97,39 +140,21 @@ check static codecov:
 run unit tests:
   <<: *retry_job
   <<: *normal_job
-  stage: unit
-  image: domjudge/gitlabci:2.1
-  # Disabled for now as it drastically speeds up running unit tests and we don't use it yet
-  # before_script:
-  #   - apt-get update -yqq
-  #   - apt-get install php-xdebug -yqq
-  services:
-    - mariadb
-  variables:
-    MYSQL_ROOT_PASSWORD: password
-  script:
-    - ./gitlab/unit-tests.sh
-  artifacts:
-    when: always
-    paths:
-      - unit-tests.xml
-      - coverage-html
-      - deprecation.txt
-    reports:
-      junit:
-        - unit-tests.xml
-  cache:
-    key: unit-tests
-    paths:
-      - lib/vendor/
+  <<: *maria_db
+  <<: *unit_job
+
+run unit tests (MySQL):
+  <<: *retry_job
+  <<: *normal_job
+  <<: *mysql_db
+  <<: *unit_job
 
 visual_pr:
   <<: *retry_job
   <<: *long_job
+  <<: *maria_db
   stage: visual_pre
   image: domjudge/gitlabci:2.1
-  services:
-    - mariadb
   variables:
     MYSQL_ROOT_PASSWORD: password
     DOCKER_HOST: tcp://docker:2375/
@@ -159,10 +184,9 @@ visual_pr:
 visual_main:
   <<: *retry_job
   <<: *long_job
+  <<: *maria_db
   stage: visual_pre
   image: domjudge/gitlabci:2.1
-  services:
-    - mariadb
   variables:
     MYSQL_ROOT_PASSWORD: password
     DOCKER_HOST: tcp://docker:2375/
@@ -228,23 +252,18 @@ visual_compare:
 
 integration_mysql:
   <<: *job_integration
+  <<: *mysql_db
   variables:
     MYSQL_ROOT_PASSWORD: password
     MARIADB_PORT_3306_TCP_ADDR: sqlserver
     MYSQL_REQUIRE_PRIMARY_KEY: 1
-  services:
-    - name: mysql
-      command: ["--default-authentication-plugin=mysql_native_password"]
-      alias: sqlserver
 
 integration_mariadb:
   <<: *job_integration
+  <<: *maria_db
   variables:
     MYSQL_ROOT_PASSWORD: password
     MARIADB_PORT_3306_TCP_ADDR: sqlserver
-  services:
-    - name: mariadb
-      alias: sqlserver
 
 phpcs_compatibility:
   <<: *tiny_job

Makefile

@@ -212,6 +212,7 @@ maintainer-install: build domserver-create-dirs judgehost-create-dirs webapp/.en
 	ln -sf $(CURDIR)/judge/judgedaemon $(judgehost_bindir)
 	ln -sf $(CURDIR)/judge/runguard $(judgehost_bindir)
 	ln -sf $(CURDIR)/judge/runpipe  $(judgehost_bindir)
+	ln -sf $(CURDIR)/judge/create_cgroups  $(judgehost_bindir)
 	ln -sf $(CURDIR)/sql/dj_setup_database $(domserver_bindir)
 	$(MAKE) -C misc-tools maintainer-install
 	$(MAKE) -C doc/manual maintainer-install

misc-tools/dj_make_chroot.in

@@ -181,14 +181,10 @@ DEBOOTDEB="debootstrap_1.0.118ubuntu1_all.deb"
 if [ -z "$DEBMIRROR" ]; then
 	# x86_64 can use the main Ubuntu repo's, other
 	# architectures need to use a mirror from ubuntu-ports.
-	# Besides the main mirror (ports.ubuntu.com) currently
-	# only the one from kumi.systems seems to have most ports
-	# and it is faster than ports.ubuntu.com so we use that as
-	# default.
 	if [ "$(uname -m)" = "x86_64" ]; then
 		DEBMIRROR="http://us.archive.ubuntu.com./ubuntu/"
 	else
-		DEBMIRROR="http://mirror.kumi.systems/ubuntu-ports/"
+		DEBMIRROR="http://ports.ubuntu.com/ubuntu-ports/"
 	fi
 fi
 

webapp/public/style_domjudge.css

@@ -261,9 +261,9 @@ img.affiliation-logo {
 .score_pending   { background: #6666FF; }
 .score_incorrect { background: #e87272; }
 
-.gold-award   { background-color: #EEC710 }
-.silver-award { background-color: #AAA }
-.bronze-award { background-color: #C08E55 }
+.gold-medal   { background-color: #EEC710 }
+.silver-medal { background-color: #AAA }
+.bronze-medal { background-color: #C08E55 }
 
 #scoresolv,#scoretotal { width: 2.5em; }
 .scorenc,.scorett,.scorepl { text-align: center; width: 2ex; }

webapp/src/Controller/API/AwardsController.php

@@ -155,12 +155,12 @@ protected function getAwardsData(Request $request, string $requestedType = null)
             if ($rank === 1) {
                 $overall_winners[] = $teamid;
             }
-            if ($contest->getProcessAwards() && $contest->getAwardsCategories()->contains($teamScore->team->getCategory())) {
-                if ($rank <= $contest->getGoldAwards()) {
+            if ($contest->getMedalsEnabled() && $contest->getMedalCategories()->contains($teamScore->team->getCategory())) {
+                if ($rank <= $contest->getGoldMedals()) {
                     $medal_winners['gold'][] = $teamid;
-                } elseif ($rank <= $contest->getGoldAwards() + $contest->getSilverAwards()) {
+                } elseif ($rank <= $contest->getGoldMedals() + $contest->getSilverMedals()) {
                     $medal_winners['silver'][] = $teamid;
-                } elseif ($rank <= $contest->getGoldAwards() + $contest->getSilverAwards() + $contest->getBronzeAwards() + $additionalBronzeMedals) {
+                } elseif ($rank <= $contest->getGoldMedals() + $contest->getSilverMedals() + $contest->getBronzeMedals() + $additionalBronzeMedals) {
                     $medal_winners['bronze'][] = $teamid;
                 }
             }

webapp/src/Controller/Jury/ClarificationController.php

@@ -110,7 +110,7 @@ public function indexAction(Request $request): Response
         $wheres            = [
             'new' => 'clar.sender IS NOT NULL AND clar.answered = 0',
             'old' => 'clar.sender IS NOT NULL AND clar.answered != 0',
-            'general' => 'clar.sender IS NULL AND clar.recipient IS NULL',
+            'general' => 'clar.sender IS NULL AND clar.in_reply_to IS NULL',
         ];
         foreach ($wheres as $type => $where) {
             $clarifications = (clone $queryBuilder)

webapp/src/Controller/Jury/ContestController.php

@@ -253,7 +253,7 @@ public function indexAction(Request $request, KernelInterface $kernel): Response
 
         $table_fields = array_merge($table_fields, [
             'process_balloons' => ['title' => 'process balloons?', 'sort' => true],
-            'process_awards'   => ['title' => 'process awards?', 'sort' => true],
+            'medals_enabled'   => ['title' => 'medals?', 'sort' => true],
             'public'           => ['title' => 'public?', 'sort' => true],
             'num_teams'        => ['title' => '# teams', 'sort' => true],
             'num_problems'     => ['title' => '# problems', 'sort' => true],
@@ -299,8 +299,8 @@ public function indexAction(Request $request, KernelInterface $kernel): Response
             $contestdata['process_balloons'] = [
                 'value' => $contest->getProcessBalloons() ? 'yes' : 'no'
             ];
-            $contestdata['process_awards'] = [
-                'value' => $contest->getProcessAwards() ? 'yes' : 'no'
+            $contestdata['medals_enabled'] = [
+                'value' => $contest->getMedalsEnabled() ? 'yes' : 'no'
             ];
             $contestdata['public'] = ['value' => $contest->getPublic() ? 'yes' : 'no'];
             if ($contest->isOpenToAllTeams()) {

webapp/src/DataFixtures/ExampleData/ContestFixture.php

@@ -35,7 +35,7 @@ public function load(ObjectManager $manager)
             ->setPublic(false)
             ->setOpenToAllTeams(false)
             ->addTeam($this->getReference(TeamFixture::TEAM_REFERENCE))
-            ->addAwardsCategory($this->getReference(TeamCategoryFixture::PARTICIPANTS_REFERENCE));
+            ->addMedalCategory($this->getReference(TeamCategoryFixture::PARTICIPANTS_REFERENCE));
 
         $demoContest = new Contest();
         $demoContest
@@ -73,7 +73,7 @@ public function load(ObjectManager $manager)
                     date('Y') + 2
                 )
             )
-            ->addAwardsCategory($this->getReference(TeamCategoryFixture::PARTICIPANTS_REFERENCE));
+            ->addMedalCategory($this->getReference(TeamCategoryFixture::PARTICIPANTS_REFERENCE));
 
         $manager->persist($demoPracticeContest);
         $manager->persist($demoContest);

webapp/src/DataFixtures/Test/ClarificationFixture.php

@@ -0,0 +1,57 @@
+<?php declare(strict_types=1);
+
+namespace App\DataFixtures\Test;
+
+use App\Entity\Contest;
+use App\Entity\Clarification;
+use App\Entity\Problem;
+use App\Entity\Team;
+use Doctrine\Persistence\ObjectManager;
+
+class ClarificationFixture extends AbstractTestDataFixture
+{
+    /**
+     * @inheritDoc
+     */
+    public function load(ObjectManager $manager)
+    {
+        /** @var Contest $contest */
+        $contest = $manager->getRepository(Contest::class)->findOneBy(['shortname' => 'demo']);
+        /** @var Team $team */
+        $team = $manager->getRepository(Team::class)->findOneBy(['name' => 'Example teamname']);
+        /** @var Problem $problem */
+        $problem = $manager->getRepository(Problem::class)->findOneBy(['externalid' => 'hello']);
+
+        $unhandledClarification = new Clarification();
+        $unhandledClarification
+            ->setContest($contest)
+            ->setSubmittime(1518385738.901348000)
+            ->setSender($team)
+            ->setProblem($problem)
+            ->setBody('Is it necessary to read the problem statement carefully?')
+            ->setAnswered(false);
+
+        $juryGeneral = new Clarification();
+        $juryGeneral
+            ->setContest($contest)
+            ->setSubmittime(1518386000)
+            ->setJuryMember('admin')
+            ->setBody("Lunch is served")
+            ->setAnswered(true);
+
+        $juryGeneralToTeam = new Clarification();
+        $juryGeneralToTeam
+            ->setContest($contest)
+            ->setSubmittime(15183856633.689197000)
+            ->setRecipient($team)
+            ->setJuryMember('admin')
+            ->setProblem($problem)
+            ->setBody("There was a mistake in judging this problem. Please try again")
+            ->setAnswered(true);
+
+        $manager->persist($unhandledClarification);
+        $manager->persist($juryGeneral);
+        $manager->persist($juryGeneralToTeam);
+        $manager->flush();
+    }
+}

webapp/src/DataFixtures/Test/RejudgingStatesFixture.php

@@ -51,7 +51,7 @@ public function load(ObjectManager $manager): void
                 /** @var Contest $contest */
                 $contest = $manager->getRepository(Contest::class)->findOneBy(['shortname' => $contestName]);
                 /** @var Team $team */
-                $team = $manager->getRepository(Team::class)->findOneBy(['name' => 'demo']);
+                $team = $manager->getRepository(Team::class)->findOneBy(['name' => 'Example teamname']);
                 /** @var Language $language */
                 $language = $manager->getRepository(Language::class)->find('java');
                 // A rejudging has both judgings todo and finished