Merge branch 'main' of https://github.com/apache/incubator-devlake into fix/qdeveloper-iam-role-auth

# Conflicts:
#	backend/plugins/q_dev/models/migrationscripts/register.go

Author: ReeceXW

backend/Dockerfile

@@ -149,7 +149,7 @@ RUN python3 -m pip install --no-cache --upgrade pip setuptools && \
     python3 -m pip install --upgrade pip
 
 # Setup Python Poetry package manager
-RUN curl -sSL https://install.python-poetry.org | python3 -
+RUN curl -sSL https://install.python-poetry.org | python3 - --version 2.2.1
 ENV PATH="$PATH:/app/.local/bin"
 
 # Build Python plugins, make sure the scripts has execute permission

backend/core/dal/identifier.go

@@ -0,0 +1,50 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dal
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/apache/incubator-devlake/core/errors"
+)
+
+// validIdentifierRegex matches valid SQL identifiers: alphanumeric, underscores, and dots (for schema.table)
+var validIdentifierRegex = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_.]*$`)
+
+// ValidateTableName checks that a table name is a safe SQL identifier to prevent SQL injection.
+func ValidateTableName(name string) errors.Error {
+	if name == "" {
+		return errors.Default.New("table name must not be empty")
+	}
+	if !validIdentifierRegex.MatchString(name) {
+		return errors.Default.New(fmt.Sprintf("invalid table name: %q", name))
+	}
+	return nil
+}
+
+// ValidateColumnName checks that a column name is a safe SQL identifier to prevent SQL injection.
+func ValidateColumnName(name string) errors.Error {
+	if name == "" {
+		return errors.Default.New("column name must not be empty")
+	}
+	if !validIdentifierRegex.MatchString(name) {
+		return errors.Default.New(fmt.Sprintf("invalid column name: %q", name))
+	}
+	return nil
+}

backend/core/models/domainlayer/codequality/cq_file_metrics.go

@@ -23,7 +23,7 @@ import (
 
 type CqFileMetrics struct {
 	domainlayer.DomainEntity
-	ProjectKey                          string `gorm:"index;type:varchar(255)"` //domain project key
+	ProjectKey                          string `gorm:"index;type:varchar(500)"` //domain project key
 	FileName                            string `gorm:"type:varchar(2000)"`
 	FilePath                            string
 	FileLanguage                        string `gorm:"type:varchar(20)"`

backend/core/models/domainlayer/codequality/cq_issues.go

@@ -27,7 +27,7 @@ type CqIssue struct {
 	Rule                     string `gorm:"type:varchar(255)"`
 	Severity                 string `gorm:"type:varchar(100)"`
 	Component                string
-	ProjectKey               string `gorm:"index;type:varchar(100)"` //domain project key
+	ProjectKey               string `gorm:"index;type:varchar(500)"` //domain project key
 	Line                     int
 	Status                   string `gorm:"type:varchar(20)"`
 	Message                  string

backend/core/models/migrationscripts/20260317_increase_cq_issues_project_key_length.go

@@ -0,0 +1,44 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package migrationscripts
+
+import (
+	"github.com/apache/incubator-devlake/core/context"
+	"github.com/apache/incubator-devlake/core/errors"
+	"github.com/apache/incubator-devlake/core/plugin"
+)
+
+var _ plugin.MigrationScript = (*increaseCqIssuesProjectKeyLength)(nil)
+
+type increaseCqIssuesProjectKeyLength struct{}
+
+func (script *increaseCqIssuesProjectKeyLength) Up(basicRes context.BasicRes) errors.Error {
+	db := basicRes.GetDal()
+	if err := db.ModifyColumnType("cq_issues", "project_key", "varchar(500)"); err != nil {
+		return err
+	}
+	return db.ModifyColumnType("cq_file_metrics", "project_key", "varchar(500)")
+}
+
+func (*increaseCqIssuesProjectKeyLength) Version() uint64 {
+	return 20260317000000
+}
+
+func (*increaseCqIssuesProjectKeyLength) Name() string {
+	return "increase cq_issues and cq_file_metrics project_key length to 500"
+}

backend/core/models/migrationscripts/register.go

@@ -143,5 +143,6 @@ func All() []plugin.MigrationScript {
 		new(addPipelinePriority),
 		new(fixNullPriority),
 		new(modifyCicdDeploymentsToText),
+		new(increaseCqIssuesProjectKeyLength),
 	}
 }

backend/helpers/pluginhelper/api/scope_generic_helper.go

@@ -565,6 +565,9 @@ func (gs *GenericScopeApiHelper[Conn, Scope, ScopeConfig]) transactionalDelete(t
 	}
 	tx := gs.db.Begin()
 	for _, table := range tables {
+		if err := dal.ValidateTableName(table); err != nil {
+			return errors.Default.Wrap(err, fmt.Sprintf("unsafe table name %q when deleting scope data", table))
+		}
 		where, params := generateWhereClause(table)
 		gs.log.Info("deleting data from table %s with WHERE \"%s\" and params: \"%v\"", table, where, params)
 		sql := fmt.Sprintf("DELETE FROM %s WHERE %s", table, where)

backend/helpers/srvhelper/scope_service_helper.go

@@ -255,6 +255,9 @@ func (scopeSrv *ScopeSrvHelper[C, S, SC]) deleteScopeData(scope plugin.ToolLayer
 	}
 	tables := errors.Must1(scopeSrv.getAffectedTables())
 	for _, table := range tables {
+		if err := dal.ValidateTableName(table); err != nil {
+			panic(errors.Default.Wrap(err, fmt.Sprintf("unsafe table name %q when deleting scope data", table)))
+		}
 		where, params := generateWhereClause(table)
 		scopeSrv.log.Info("deleting data from table %s with WHERE \"%s\" and params: \"%v\"", table, where, params)
 		sql := fmt.Sprintf("DELETE FROM %s WHERE %s", table, where)

backend/plugins/argocd/models/migrationscripts/20260331_add_repo_url_to_sync_operations.go

@@ -0,0 +1,54 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package migrationscripts
+
+import (
+	"github.com/apache/incubator-devlake/core/context"
+	"github.com/apache/incubator-devlake/core/errors"
+	"github.com/apache/incubator-devlake/core/plugin"
+)
+
+var _ plugin.MigrationScript = (*addRepoURLToSyncOperations)(nil)
+
+type addRepoURLToSyncOperations struct{}
+
+// addRepoURLSyncOpArchived is a snapshot of ArgocdSyncOperation used solely
+// for this migration so the live model can evolve independently.
+type addRepoURLSyncOpArchived struct {
+	ConnectionId    uint64 `gorm:"primaryKey"`
+	ApplicationName string `gorm:"primaryKey;type:varchar(255)"`
+	DeploymentId    int64  `gorm:"primaryKey"`
+	RepoURL         string `gorm:"type:varchar(500)"`
+}
+
+func (addRepoURLSyncOpArchived) TableName() string {
+	return "_tool_argocd_sync_operations"
+}
+
+func (m *addRepoURLToSyncOperations) Up(basicRes context.BasicRes) errors.Error {
+	db := basicRes.GetDal()
+	return db.AutoMigrate(&addRepoURLSyncOpArchived{})
+}
+
+func (*addRepoURLToSyncOperations) Version() uint64 {
+	return 20260331000000
+}
+
+func (*addRepoURLToSyncOperations) Name() string {
+	return "argocd add repo_url to sync operations"
+}

backend/plugins/argocd/models/migrationscripts/register.go

@@ -25,5 +25,6 @@ func All() []plugin.MigrationScript {
 	return []plugin.MigrationScript{
 		new(addInitTables),
 		new(addImageSupportArtifacts),
+		new(addRepoURLToSyncOperations),
 	}
 }