prometheus support locally managed

* fix image entrypoint sigterm

* fix image entrypoint sigterm

---------

Co-authored-by: avigailo <avigailo@checkpoint.com>

build_system/docker/Dockerfile

@@ -13,8 +13,10 @@ RUN apk add --no-cache libunwind
 RUN apk add --no-cache gdb
 RUN apk add --no-cache libxml2
 RUN apk add --no-cache pcre2
+RUN apk add --no-cache ca-certificates
 RUN apk add --update coreutils
 
+
 COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json
 
 COPY install*.sh /nano-service-installers/

build_system/docker/entry.sh

@@ -15,6 +15,21 @@ var_mode=
 var_token=
 var_ignore=
 init=
+active_watchdog_pid=
+
+cleanup() {
+    local signal="$1"
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Signal ${signal} was received, exiting gracefully..." >&2
+    if [ -n "${active_watchdog_pid}" ] && ps -p ${active_watchdog_pid} > /dev/null 2>&1; then
+        kill -TERM ${active_watchdog_pid} 2>/dev/null || true
+        wait ${active_watchdog_pid} 2>/dev/null || true
+    fi
+    echo "Cleanup completed. Exiting now." >&2
+    exit 0
+}
+
+trap 'cleanup SIGTERM' SIGTERM
+trap 'cleanup SIGINT' SIGINT
 
 if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
     echo "Error: agent installation package doesn't exist."

components/security_apps/orchestration/orchestration_comp.cc

@@ -1522,6 +1522,12 @@ private:
 
         agent_data_report << make_pair("registeredServer", i_agent_details->getRegisteredServer());
 
+        const char *prometheus_env = getenv("PROMETHEUS");
+        if (prometheus_env != nullptr) {
+            auto enable_prometheus = string(prometheus_env) == "true";
+            agent_data_report << AgentReportFieldWithLabel("enablePrometheus", enable_prometheus ? "true" : "false");
+        }
+
 #if defined(gaia) || defined(smb)
         if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) {
             agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true");
@@ -2272,4 +2278,4 @@ OrchestrationComp::preload()
     registerExpectedSetting<uint>("successUpgradeInterval");
     registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
     registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
-}
+}

components/security_apps/orchestration/update_communication/fog_authenticator.cc

@@ -227,6 +227,11 @@ FogAuthenticator::registerAgent(
 
     request << make_pair("userEdition", getUserEdition());
 
+    const char *prometheus_env = getenv("PROMETHEUS");
+    if (prometheus_env != nullptr) {
+        request << make_pair("enablePrometheus", string(prometheus_env) == "true" ? "true" : "false");
+    }
+
     if (getDeplymentType() == "Docker" || getDeplymentType() == "K8S") {
         const char *image_version_otp = getenv("IMAGE_VERSION");
         if (image_version_otp) {

components/security_apps/waap/waap_clib/CMakeLists.txt

@@ -12,6 +12,7 @@ add_library(waap_clib
     ParserJson.cc
     ParserMultipartForm.cc
     ParserRaw.cc
+    ParserGzip.cc
     ParserUrlEncode.cc
     ParserXML.cc
     ParserDelimiter.cc

components/security_apps/waap/waap_clib/DeepParser.cc

@@ -22,6 +22,7 @@
 #include "ParserXML.h"
 #include "ParserHTML.h"
 #include "ParserBinary.h"
+#include "ParserGzip.h"
 #include "ParserMultipartForm.h"
 #include "ParserPercentEncode.h"
 #include "ParserPairs.h"
@@ -1261,6 +1262,10 @@ DeepParser::createInternalParser(
         dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse an HTML file";
         m_parsersDeque.push_back(std::make_shared<BufferedParser<ParserHTML>>(*this, parser_depth + 1));
         offset = 0;
+    } else if (isBodyPayload && Waap::Util::isGzipped(cur_val)){
+        dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse a gzip file";
+        m_parsersDeque.push_back(std::make_shared<BufferedParser<ParserGzip>>(*this, parser_depth + 1));
+        offset = 0;
     } else if (cur_val.size() > 0 && signatures->php_serialize_identifier.hasMatch(cur_val)) {
         // PHP value detected
         dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse phpSerializedData";

components/security_apps/waap/waap_clib/ParserGzip.cc

@@ -0,0 +1,115 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ParserGzip.h"
+#include "debug.h"
+
+USE_DEBUG_FLAG(D_WAAP_PARSER_GZIP);
+
+const std::string ParserGzip::m_parserName = "ParserGzip";
+
+ParserGzip::ParserGzip(IParserStreamReceiver &receiver, size_t parser_depth)
+:m_receiver(receiver), m_key("gzip"), m_state(s_start), m_stream(nullptr) {
+}
+
+ParserGzip::~ParserGzip() {
+    if (m_stream != nullptr) {
+        finiCompressionStream(m_stream);
+        m_stream = nullptr;
+    }
+}
+
+size_t ParserGzip::push(const char *buf, size_t len) {
+    dbgTrace(D_WAAP_PARSER_GZIP) << "len=" << (unsigned long int)len << ")";
+
+    if (len == 0) {
+        dbgTrace(D_WAAP_PARSER_GZIP) << "end of data signal! m_state=" << m_state;
+
+        // flush
+        if (m_state != s_start) { // only emit if at least something was pushed
+            if (m_receiver.onKvDone() != 0) {
+                m_state = s_error;
+            }
+        }
+
+        return 0;
+    }
+    DecompressionResult res;
+    switch (m_state) {
+    case s_start:
+        dbgTrace(D_WAAP_PARSER_GZIP) << "s_start";
+        if (m_receiver.onKey(m_key.data(), m_key.size()) != 0) {
+            m_state = s_error;
+            return 0;
+        }
+        m_stream = initCompressionStream();
+        m_state = s_forward;
+        // fallthrough //
+        CP_FALL_THROUGH;
+    case s_forward:
+        dbgTrace(D_WAAP_PARSER_GZIP) << "s_forward";
+        res = decompressData(
+            m_stream,
+            len,
+            reinterpret_cast<const unsigned char *>(buf));
+        dbgTrace(D_WAAP_PARSER_GZIP) << "res: " << res.ok
+            << ", size: " << res.num_output_bytes
+            << ", is last: " << res.is_last_chunk;
+
+        if (!res.ok) {
+            m_state = s_error;
+            break;
+        }
+
+        if (res.num_output_bytes != 0 &&
+                m_receiver.onValue(reinterpret_cast<const char *>(res.output), res.num_output_bytes) != 0) {
+            m_state = s_error;
+            break;
+        }
+
+        if (res.is_last_chunk) {
+            m_state = s_done;
+            break;
+        }
+        break;
+    case s_done:
+        if (len > 0) {
+            dbgTrace(D_WAAP_PARSER_GZIP) << " unexpected data after completion, len=" << len;
+            m_state = s_error;
+            return 0; // Return 0 to indicate error
+        }
+        break;
+    case s_error:
+        dbgTrace(D_WAAP_PARSER_GZIP) << "s_error";
+        return 0;
+    }
+
+    return len;
+}
+
+void ParserGzip::finish() {
+    push(NULL, 0);
+    if (m_state != s_done) {
+        m_state = s_error;
+        return;
+    }
+}
+
+const std::string &
+ParserGzip::name() const {
+    return m_parserName;
+}
+
+bool ParserGzip::error() const {
+    return m_state == s_error;
+}

components/security_apps/waap/waap_clib/ParserGzip.h

@@ -0,0 +1,46 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __PARSER_GZIP_H_
+#define __PARSER_GZIP_H_
+
+#include "ParserBase.h"
+#include <string.h>
+#include "compression_utils.h"
+
+class ParserGzip : public ParserBase {
+public:
+    ParserGzip(IParserStreamReceiver &receiver, size_t parser_depth);
+    virtual ~ParserGzip();
+    size_t push(const char *data, size_t data_len);
+    void finish();
+    virtual const std::string &name() const;
+    bool error() const;
+    virtual size_t depth() { return 1; }
+private:
+    enum state {
+        s_start,
+        s_forward,
+        s_done,
+        s_error
+    };
+
+    IParserStreamReceiver &m_receiver;
+    std::string m_key;
+    state m_state;
+    CompressionStream * m_stream;
+
+    static const std::string m_parserName;
+};
+
+#endif // __PARSER_GZIP_H_

components/security_apps/waap/waap_clib/Serializator.cc

@@ -44,14 +44,6 @@ static const string defaultSharedStorageHost = "appsec-shared-storage-svc";
 #define SHARED_STORAGE_HOST_ENV_NAME "SHARED_STORAGE_HOST"
 #define LEARNING_HOST_ENV_NAME "LEARNING_HOST"
 
-static bool
-isGZipped(const string &stream)
-{
-    if (stream.size() < 2) return false;
-    auto unsinged_stream = reinterpret_cast<const u_char *>(stream.data());
-    return unsinged_stream[0] == 0x1f && unsinged_stream[1] == 0x8b;
-}
-
 void yieldIfPossible(const string& func, int line)
 {
     // Check if we are in the main loop
@@ -73,7 +65,7 @@ bool RestGetFile::loadJson(const string& json)
     string json_str;
 
     json_str = json;
-    if (!isGZipped(json_str))
+    if (!Waap::Util::isGzipped(json_str))
     {
         return ClientRest::loadJson(json_str);
     }
@@ -343,7 +335,7 @@ void SerializeToFileBase::saveData()
 }
 
 string decompress(string fileContent) {
-    if (!isGZipped(fileContent)) {
+    if (!Waap::Util::isGzipped(fileContent)) {
         dbgTrace(D_WAAP_SERIALIZE) << "file note zipped";
         return fileContent;
     }

components/security_apps/waap/waap_clib/WaapValueStatsAnalyzer.cc

@@ -103,7 +103,7 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
     bool lastNul = false; // whether last processed character was ASCII NUL
     size_t curValLength = cur_val.length();
 
-    if (curValLength == 0) {
+    if (curValLength == 0 || Waap::Util::isGzipped(cur_val)) {
         canSplitSemicolon = false;
         canSplitPipe = false;
         return;

components/security_apps/waap/waap_clib/Waf2Util.cc

@@ -1912,6 +1912,17 @@ base64Decode(const string &input)
     return out;
 }
 
+bool
+isGzipped(const string &stream)
+{
+    if (stream.size() < 2) return false;
+    auto unsinged_stream = reinterpret_cast<const u_char *>(stream.data());
+    dbgTrace(D_WAAP) << "isGzipped: first two bytes: "
+        << std::hex << static_cast<int>(unsinged_stream[0]) << " "
+        << std::hex << static_cast<int>(unsinged_stream[1]);
+    return unsinged_stream[0] == 0x1f && unsinged_stream[1] == 0x8b;
+}
+
 bool
 containsInvalidUtf8(const string &payload)
 {

components/security_apps/waap/waap_clib/Waf2Util.h

@@ -1135,6 +1135,7 @@ namespace Util {
     std::string obfuscateXor(const std::string& toEncrypt);
     std::string obfuscateXorBase64(const std::string& toEncrypt);
 
+    bool isGzipped(const std::string &stream);
     bool containsInvalidUtf8(const std::string &payload);
 
     bool containsPercentEncoding(const std::string &payload);

config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml

@@ -40,7 +40,7 @@ spec:
         stdout:
             format: json
         cef-service: []
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: Practice
 metadata:
@@ -56,7 +56,7 @@ spec:
   web-attacks:
     minimum-confidence: high
     override-mode: detect-learn
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: CustomResponse
 metadata:

config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml

@@ -40,7 +40,7 @@ spec:
         stdout:
             format: json
         cef-service: []
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: Practice
 metadata:
@@ -56,7 +56,7 @@ spec:
   web-attacks:
     minimum-confidence: high
     override-mode: prevent-learn
---
+---
 apiVersion: openappsec.io/v1beta1
 kind: CustomResponse
 metadata:

core/include/services_sdk/resources/debug_flags.h

@@ -106,6 +106,7 @@ DEFINE_FLAG(D_COMPONENT, D_ALL)
             DEFINE_FLAG(D_WAAP_PARSER_GQL, D_WAAP_PARSER)
             DEFINE_FLAG(D_WAAP_PARSER_MULTIPART_FORM, D_WAAP_PARSER)
             DEFINE_FLAG(D_WAAP_PARSER_RAW, D_WAAP_PARSER)
+            DEFINE_FLAG(D_WAAP_PARSER_GZIP, D_WAAP_PARSER)
             DEFINE_FLAG(D_WAAP_PARSER_URLENCODE, D_WAAP_PARSER)
             DEFINE_FLAG(D_WAAP_PARSER_PHPSERIALIZE, D_WAAP_PARSER)
             DEFINE_FLAG(D_WAAP_PARSER_PERCENT, D_WAAP_PARSER)

core/messaging/connection/connection.cc

@@ -262,6 +262,29 @@ public:
     }
 
 private:
+    string
+    getCertificateDirectory()
+    {
+        auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
+
+        if (details_ssl_dir.ok()) {
+            return *details_ssl_dir;
+        }
+
+        // Use detail_resolver to determine platform-specific certificate directory
+#if defined(alpine)
+       string platform = "alpine";
+#else
+       string platform = "linux";
+#endif
+
+        if (platform == "alpine") {
+            return "/etc/ssl/certs/";
+        }
+
+        return "/usr/lib/ssl/certs/";
+    }
+
     Maybe<void>
     setSSLContext()
     {
@@ -296,10 +319,11 @@ private:
         }
 
         dbgTrace(D_CONNECTION) << "Setting CA authentication";
-        auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
-        auto openssl_dir = details_ssl_dir.ok() ? *details_ssl_dir : "/usr/lib/ssl/certs/";
-        auto configured_ssl_dir = getConfigurationWithDefault(openssl_dir, "message", "Trusted CA directory");
-        const char *ca_dir = configured_ssl_dir.empty() ? nullptr : configured_ssl_dir.c_str();
+
+        auto default_ssl_dir = getCertificateDirectory();
+        auto configured_ssl_dir =
+            getProfileAgentSettingWithDefault<string>(default_ssl_dir, "agent.config.message.capath");
+        const char *ca_dir = configured_ssl_dir.empty() ? "/usr/lib/ssl/certs/" : configured_ssl_dir.c_str();
 
         if (SSL_CTX_load_verify_locations(ssl_ctx.get(), ca_path.c_str(), ca_dir) != 1) {
             return genError("Failed to load certificate locations");

deployment/docker-compose/apisix/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file:
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/apisix/docker-compose.yaml

@@ -103,14 +103,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: always
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/envoy/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/envoy/docker-compose.yaml

@@ -109,14 +109,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/kong-lua-plugin/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/kong-lua-plugin/docker-compose.yaml

@@ -106,14 +106,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/kong/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/kong/docker-compose.yaml

@@ -106,14 +106,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx-proxy-manager-centrally-managed/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 # Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file 
 NPM_DATA=./data

deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml

@@ -103,14 +103,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx-proxy-manager/.env

@@ -21,6 +21,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 # Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file 
 NPM_DATA=./data

deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml

@@ -106,14 +106,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx-unified/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/nginx-unified/docker-compose.yaml

@@ -96,14 +96,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/nginx/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
 ## For deployment of a simple lab testing environment, you can deploy the example configuration provided

deployment/docker-compose/nginx/docker-compose.yaml

@@ -108,14 +108,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/docker-compose/swag/.env

@@ -23,6 +23,7 @@ APPSEC_DB_PASSWORD=pass
 APPSEC_DB_USER=postgres
 APPSEC_DB_HOST=appsec-db
 APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
+APPSEC_POSTGRES_VERSION=18
 
 ## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file 
 SWAG_CONFIG=./swag-config

deployment/docker-compose/swag/docker-compose.yaml

@@ -117,14 +117,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${APPSEC_POSTGRES_VERSION}
     container_name: appsec-db
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
       - POSTGRES_USER=${APPSEC_DB_USER} 
     volumes:
-      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
   juiceshop-backend:

deployment/nginx/.env

@@ -15,6 +15,7 @@ USER_EMAIL=user@email.com
 DB_PASSWORD=pass
 DB_USER=postgres
 DB_HOST=appsec-db
+POSTGRES_VERSION=18
 POSTGRES_STORAGE=./postgres-data
 NGINX_CONF_DIR=./nginx-proxy-config
 

deployment/nginx/docker-compose.yaml

@@ -81,14 +81,14 @@ services:
   appsec-db:
     profiles:
       - standalone
-    image: postgres
+    image: postgres:${POSTGRES_VERSION}
     container_name: appsec-db
     restart: always
     environment:
       - POSTGRES_PASSWORD=${DB_PASSWORD}
       - POSTGRES_USER=${DB_USER} 
     volumes:
-      - ${POSTGRES_STORAGE}:/var/lib/postgresql/data
+      - ${POSTGRES_STORAGE}:/var/lib/postgresql
 
 ## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
 ##

nodes/orchestration/package/orchestration_package.sh

@@ -209,6 +209,9 @@ save_local_policy_config()
 if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
     export FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
 fi
+if [ -n "${PROMETHEUS}" ] ; then
+    export PROMETHEUS=$PROMETHEUS
+fi
 if [ -n "${CP_ENV_LOG_FILE}" ] ; then
     LOG_FILE_PATH=$CP_ENV_LOG_FILE
 fi
@@ -433,7 +436,7 @@ if command -v which &>/dev/null; then
     var_which_cmd_exists=1
 fi
 
-if [ $var_arch != "gaia" ] && [ $var_arch != "gaia_arm" ] && [ $var_which_cmd_exists -eq 1 ]; then 
+if [ $var_arch != "gaia" ] && [ $var_arch != "gaia_arm" ] && [ $var_which_cmd_exists -eq 1 ]; then
     if [ -n "$(which systemctl)" ]; then
         var_startup_service="systemd"
     else
@@ -974,7 +977,7 @@ install_orchestration()
         fi
         ${INSTALL_COMMAND} lib/*.so* ${USR_LIB_PATH}/
         ${INSTALL_COMMAND} lib/boost/*.so* ${USR_LIB_PATH}/
-        cp_print "Done successfully doing only unpacking lib64 to Path: ${USR_LIB_PATH}" ${FORCE_STDOUT}	
+        cp_print "Done successfully doing only unpacking lib64 to Path: ${USR_LIB_PATH}" ${FORCE_STDOUT}
         exit 0
     fi
 
@@ -1149,6 +1152,9 @@ install_orchestration()
 		if [ -n "${FILESYSTEM_PATH}" ]; then
 			echo "CP_ENV_FILESYSTEM=${FILESYSTEM_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
 		fi
+        if [ -n "${PROMETHEUS}" ]; then
+            echo "PROMETHEUS=${PROMETHEUS}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
+        fi
 		if [ -n "${VS_ID}" ]; then
 			echo "CP_VS_ID=${VS_ID}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
 		fi

nodes/orchestration/package/watchdog/watchdog

@@ -115,6 +115,11 @@ load_paths()
     if [ -n "${CP_ENV_LOG_FILE}" ]; then
         LOG_FILE_PATH=$CP_ENV_LOG_FILE
     fi
+
+    if [ -n "${PROMETHEUS}" ]; then
+        export PROMETHEUS=$PROMETHEUS
+    fi
+
     if [ -n "${CP_VS_ID}" ]; then
         VS_ID=${CP_VS_ID}
         VS_EVAL_PREFIX="ip netns exec CTX0000${VS_ID} env"