
fix(exit in bash): Fix handling exit in initializer #10493

Draft
wants to merge 1 commit into
base: bugfix
from

Conversation

kiblik
Contributor

@kiblik kiblik commented Jul 2, 2024

The original exit (e.g. from #9002) worked correctly in sh.
However, by adding shellcheck, #9147 changed sh to bash, which handles these situations differently.
The linter introduced an error that nobody noticed.
Issue discovered during investigation of #10490.

@github-actions github-actions bot added the docker label Jul 2, 2024

dryrunsecurity bot commented Jul 2, 2024

Hi there 👋, @DryRunSecurity here; below is a summary of our analysis and findings.

DryRun Security Status                    Findings
Server-Side Request Forgery Analyzer      0 findings
Configured Codepaths Analyzer             0 findings
IDOR Analyzer                             0 findings
Sensitive Files Analyzer                  0 findings
SQL Injection Analyzer                    0 findings
Authn/Authz Analyzer                      0 findings
Secrets Analyzer                          0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are part of the entrypoint-initializer.sh script used in a Docker environment for the DefectDojo application. This script is responsible for initializing and configuring the application during the startup process. The key changes include setting the set -e flag to handle errors effectively, loading external scripts for sensitive operations, initializing test types and permissions, creating an announcement banner, loading additional settings, managing audit log settings, creating an admin user with a random password, generating a JIRA webhook secret, and loading fixtures and installing the Watson search index.

From a security perspective, these changes appear to be focused on ensuring the application is properly configured and secured. The script handles several security-related tasks, such as managing permissions, audit logging, and user credentials. However, it's important to review the external scripts and additional settings files to ensure that they do not introduce any security vulnerabilities, such as improper handling of sensitive information or the introduction of potential attack vectors.

Files Changed:

  • docker/entrypoint-initializer.sh: This script is responsible for initializing and configuring the DefectDojo application in a Docker environment. The key changes include:
    • Setting the set -e flag to handle errors effectively
    • Loading external scripts for sensitive operations
    • Initializing test types and permissions
    • Creating an announcement banner
    • Loading additional settings
    • Checking and setting audit log settings
    • Creating an admin user with a random password
    • Generating a JIRA webhook secret
    • Loading fixtures and installing the Watson search index

Powered by DryRun Security

@kiblik kiblik marked this pull request as draft July 3, 2024 08:22
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Jul 8, 2024

dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

The code changes made to the docker/entrypoint-initializer.sh script enhance the security and reliability of the DefectDojo application's initialization process by improving error handling, auditlog checking, admin user management, JIRA webhook secret generation, and various data fixture loading tasks.


Summary:

The code changes made to the docker/entrypoint-initializer.sh script appear to be a positive update that enhances the security and reliability of the DefectDojo application's initialization process. The key improvements include better error handling, auditlog checking, admin user management, JIRA webhook secret generation, and various data fixture loading tasks. These changes help ensure that the application is properly configured, secure, and ready for use upon startup.

From an application security perspective, the improvements to error handling, auditlog checking, admin user management, and JIRA webhook secret generation are particularly noteworthy. These changes help improve the overall security posture of the DefectDojo application and reduce the risk of potential vulnerabilities or misconfigurations.

Files Changed:

  • docker/entrypoint-initializer.sh: This script is responsible for initializing the DefectDojo application during the startup process. The changes include:
    1. Improved error handling by exiting the script immediately if any command returns a non-zero exit status.
    2. Checking the status of the ENABLE_AUDITLOG setting and warning the user if it has been disabled.
    3. Running database migration commands to ensure the schema is up-to-date.
    4. Handling the admin user, including creating a new superuser with a randomly generated password if the admin user doesn't exist.
    5. Generating a new UUID for the DD_JIRA_WEBHOOK_SECRET environment variable if it is not set.
    6. Loading various fixtures, including system settings, banners, product types, test types, and other data.
    7. Installing the Watson search index for full-text search functionality.
    8. Running a custom migration to handle the modification of text questions in the surveys.

These changes help improve the security, reliability, and maintainability of the DefectDojo application's initialization process.

Code Analysis

We ran 7 analyzers against 1 file and 0 analyzers had findings. 7 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
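The bot summaries above describe the initializer's `set -e` as exiting the script immediately whenever a command returns a non-zero status, and the subject of this PR is how `exit` behaves inside that script. The following is an added illustration written for this page; it is not code from DefectDojo, from docker/entrypoint-initializer.sh, or from this PR, and the function names and snippets are constructed. It runs small snippets in a child `sh` under `set -e` and reports each one's exit status, showing the two caveats a reviewer would check in such a script: `set -e` is ignored for commands tested by `if`, `&&` or `||`, and an `exit` executed inside a pipeline's subshell ends only that subshell (the parent sees a failing pipeline status, not the `exit` itself).

```shell
#!/bin/sh
# Added example (not code from the DefectDojo project or this PR): shows what
# `set -e` does and does not catch in an initializer-style script, and that an
# `exit` inside a pipeline subshell does not terminate the parent script.
# Each snippet runs in a child `sh` with `set -e`, so the caller survives.

# Run SNIPPET ($1) under `set -e` in a child shell and print its exit status.
# The `|| rc=$?` form keeps working even when the caller itself uses `set -e`.
status_of() {
    rc=0
    sh -c "set -e; $1" || rc=$?
    printf '%s\n' "$rc"
}

# A plain failing command aborts the script: the later `exit 0` never runs and
# the script's status is that of `false` (1).
plain_failure_aborts() {
    status_of 'false; echo "never reached" >&2; exit 0'
}

# `set -e` is suppressed for commands tested by `if`, `while`, `&&` or `||`,
# so neither failure here aborts; the explicit `exit 7` decides the status.
conditional_failure_is_ignored() {
    status_of 'if false; then exit 1; fi; false || true; exit 7'
}

# An `exit 3` inside a pipeline runs in a subshell (the `while` loop), so only
# that subshell ends; with `|| true` the parent carries on and exits 0.
exit_in_subshell_does_not_stop_parent() {
    status_of 'echo one | while read -r line; do exit 3; done || true; echo "parent continued" >&2; exit 0'
}

# Without the `|| true`, `set -e` sees the pipeline fail with the subshell's
# status and aborts the parent with 3: the status propagates, the `exit` does not.
failing_pipeline_aborts_under_errexit() {
    status_of 'echo one | while read -r line; do exit 3; done; exit 0'
}

# Stand-alone usage: print each case's resulting exit status.
for fn in plain_failure_aborts conditional_failure_is_ignored \
          exit_in_subshell_does_not_stop_parent failing_pipeline_aborts_under_errexit; do
    printf '%s -> %s\n' "$fn" "$("$fn")"
done
```

The behaviour shown is the same under dash and bash, so it does not by itself reproduce the sh-to-bash difference the PR author mentions; it is the checklist a reviewer applies when a script relies on `set -e` and `exit` for its error handling.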

@github-actions github-actions bot removed settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Jul 8, 2024