Release: Merge release into master from: release/2.42.2 #11605

Merged
merged 18 commits into from
Jan 21, 2025

Conversation

github-actions[bot]
Contributor

Release triggered by rossops

DefectDojo release bot and others added 18 commits January 13, 2025 15:46
….43.0-dev

Release: Merge back 2.42.1 into bugfix from: master-into-bugfix/2.42.1-2.43.0-dev
* update Pro changelog 2.42.0 (#11518)

* update Pro changelog 2.42.0

* qa 'share your Findings'

* changelog 2.42.2

* fix typo working_with_generated_reports.md

---------

Co-authored-by: Paul Osinski <[email protected]>

* Bump django from 5.1.4 to 5.1.5

Bumps [django](https://github.com/django/django) from 5.1.4 to 5.1.5.
- [Commits](django/django@5.1.4...5.1.5)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Import image tags for AWS security hub

* Also add image tags to Inspector2
…rep JSON Report (issue #11480) (#11495)

* Update parser.py

* Update test_semgrep_parser.py

Unittest for handling "requires login"

* Add files via upload

Add example file for testing "requires login"

* Fingerprint Unittest

* handle requires login for "lines"

* Remove whitespaces from Blank Lines

* Fix AssertionError in unittest
* Verified Status Toggle: Add Granularity

* Fix ruff

* Restore auto fixed deletion

* ruff again?

* Update unittests/test_jira_import_and_pushing_api.py
* mitigated_on, before, after use DateTimeFilters

* update mitigated after to mean after 23:59:59 on the day picked if no time specified

* update mitigated on to be a range for simple date

* Life is ruff

* again, interpreters matter
* check for global role permissions as well

* fix too many lines, redundant backslash

dryrunsecurity bot commented Jan 21, 2025

DryRun Security Summary

The pull request introduces comprehensive updates to the DefectDojo application, focusing on improving security, reliability, and functionality through enhanced system settings, reporting metrics, JIRA integration, and documentation improvements.

Summary:

The code changes in this pull request cover a wide range of updates to the DefectDojo application, including documentation improvements, version updates, enhancements to the reporting and metrics functionality, and improvements to the JIRA integration and verified status enforcement.

The changes focus on improving the overall security and reliability of the application by introducing more granular control over the enforcement of verified findings, enhancing the accuracy and integrity of the reports and metrics, and strengthening the JIRA integration process. Additionally, the updates to the Helm chart and various configuration files demonstrate a commitment to maintaining a secure and well-documented deployment of the DefectDojo application.

From an application security perspective, the changes appear to be positive and address several important security considerations, such as ensuring that only verified findings are used for critical business functions, improving the visibility and traceability of the application's configuration, and enhancing the overall security posture of the DefectDojo platform.

Files Changed:

  • docs/content/en/open_source/upgrading/2.42.md: Documentation update for the DefectDojo 2.42.x upgrade instructions.
  • docs/content/en/share_your_findings/pro_reports/working_with_generated_reports.md: Documentation update for the "Working with Generated Reports" section.
  • dojo/__init__.py: Version number update from 2.42.1 to 2.42.2.
  • components/package.json: Version and dependency updates.
  • dojo/db_migrations/0219_system_settings_enforce_verified_status_jira_and_more.py: Adds new system settings to enforce verified status for various features.
  • dojo/filters.py: Adds new DateTimeFilter and PercentageRangeFilter for more granular filtering of findings.
  • dojo/api_v2/serializers.py: Defensive programming change to handle missing "file" key in input data.
  • dojo/forms.py: Ensures that findings must be active and verified to be pushed to JIRA.
  • dojo/jira_link/helper.py: Updates the can_be_pushed_to_jira() function to check the enforce_verified_status_jira system setting.
  • dojo/management/commands/jira_async_updates.py: Adds check for enforce_verified_status_jira system setting when updating JIRA issues.
  • dojo/management/commands/push_to_jira_update.py: Adds check for enforce_verified_status_jira system setting when pushing findings to JIRA.
  • dojo/metrics/views.py: Adds enforce_verified_status_metrics system setting to filter findings for metrics calculations.
  • dojo/metrics/utils.py: Updates the finding_queries function to filter by verified findings based on the enforce_verified_status_metrics system setting.
  • dojo/reports/views.py: Filters endpoints to only include those with active, verified findings based on the enforce_verified_status and enforce_verified_status_metrics system settings.
  • dojo/reports/widgets.py: Filters the endpoints queryset to only include those with verified findings based on the enforce_verified_status and enforce_verified_status_metrics system settings.
  • dojo/settings/settings.dist.py: Adds new URL templates for linking to the OSV vulnerability database.
  • dojo/templates/dojo/notifications.html: Updates the URL used in the $('#notification-scope').change() function to use a dynamic Django URL template.
  • dojo/models.py: Adds new system settings and fields related to enforcing verified status, false positive history, and asynchronous updating.
  • dojo/tools/aws_inspector2/parser.py: Adds the "Image tags" information to the impact list for AWS Inspector2 findings.
  • dojo/tools/awssecurityhub/compliance.py: Adds the "Image tags" information to the impact list for AWS Security Hub findings.
  • dojo/tools/awssecurityhub/guardduty.py: Adds the "Image tags" information to the impact list for AWS GuardDuty findings.
  • dojo/tools/openvas/xml_parser.py: Adds a new test attribute to the

Code Analysis

We ran 9 analyzers against 30 files and 3 analyzers had findings. 6 analyzers had no findings.

Analyzers with findings:

  • Authn/Authz Analyzer: 3 findings
  • IDOR Analyzer: 1 finding
  • Sensitive Files Analyzer: 1 finding

Overall Riskiness

🟡 Please give this pull request extra attention during review.

@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests ui parser helm labels Jan 21, 2025
@rossops rossops merged commit 01a86ad into master Jan 21, 2025
74 checks passed
8 participants