January wk 3/4 docs maintenance #11632

Merged
merged 9 commits into from
Jan 27, 2025
Conversation

@paulOsinski paulOsinski commented Jan 23, 2025

General docs maintenance / changes PR.

  • Excludes old 'notifications' page from search results
  • Collapses OAuth and SAML config into a single page for both Pro / OS audiences
  • Adds text to the front page and about-docs page to clarify the intended audiences of the docs

[Screenshot 2025-01-23 at 5 12 36 PM]

[sc-9274]

@github-actions github-actions bot added the docs label Jan 23, 2025
dryrunsecurity bot commented Jan 23, 2025

DryRun Security Summary

The pull request focuses on comprehensive documentation updates for DefectDojo, including improvements to SSO authentication methods, API v2 documentation, and notification features, while introducing important security considerations that need to be addressed during implementation.

Summary:

The code changes in this pull request primarily focus on updates and improvements to the documentation for the DefectDojo application. The changes cover a range of topics, including updates to the "About Our Documentation" page, homepage layout, API v2 documentation, support for Single Sign-On (SSO) authentication methods, and the notifications feature.

From an application security perspective, the key points to highlight are:

  1. The SSO integration changes provide a significant security improvement by allowing organizations to centralize user authentication and leverage existing identity management systems. However, it's crucial to ensure the SSO integration is properly configured to prevent unintended user access or privilege escalation.

  2. The documentation updates for the API v2 and the various authentication methods (OAuth, SAML, RemoteUser) are important, as they provide information that could be useful for both users and potential attackers to understand the application's functionality and potentially identify vulnerabilities.

  3. The notifications feature, particularly the Slack and Microsoft Teams integrations, as well as the experimental webhooks support, should be reviewed carefully to ensure they are properly configured and secured to prevent potential security risks.

Overall, the changes in this pull request appear to be focused on improving the documentation and providing more flexibility and options for users, while also introducing some security-related considerations that should be addressed.

Files Changed:

  1. docs/content/en/about_defectdojo/about_docs.md: This change adds a new span element to the "About Our Documentation" page, clarifying the maintenance and support of the DefectDojo documentation. There are no security concerns with this change.

  2. docs/layouts/index.html: The changes to the homepage layout provide additional information about the DefectDojo documentation, and do not introduce any obvious security vulnerabilities.

  3. docs/content/en/api/api-v2-docs.md: The changes to the API v2 documentation include updates to the documentation link, images, and various sections. The main security considerations are around the potential for security risks if the alternative authentication method is not implemented securely, and the possibility of security vulnerabilities in the API wrappers.

  4. docs/content/en/customize_dojo/user_management/configure_sso.md: This change adds significant new functionality to allow users to authenticate using various SSO methods, including OAuth and SAML. From a security perspective, this is a positive change, but it's important to ensure the SSO integration is properly configured to prevent unintended user access or privilege escalation.

  5. docs/content/en/open_source/archived_docs/integrations/social-authentication.md: This change adds support for various authentication methods, including OAuth2, SAML2, and RemoteUser authentication. The security considerations include ensuring proper configuration of the authentication providers and handling of user permissions.

  6. docs/content/en/open_source/archived_docs/notifications.md: The changes to the notifications documentation provide more details on the various notification methods, including the Slack and Microsoft Teams integrations, as well as the experimental webhooks support. The security considerations are around the proper configuration and security of these integrations.

Code Analysis

We ran 9 analyzers against 13 files and 0 analyzers had findings. 9 analyzers had no findings.

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit 4154927 into DefectDojo:master Jan 27, 2025
72 of 73 checks passed
@paulOsinski paulOsinski deleted the docsupdates branch January 27, 2025 21:16
runderwoodcr14 pushed a commit to runderwoodcr14/django-DefectDojo that referenced this pull request Feb 2, 2025
* exclude old notifications from search

* sso page updates

* clarify intended docs use

* exclude old notifications from search

* sso page updates

* clarify intended docs use

* rm duplicate api article

---------

Co-authored-by: Paul Osinski <[email protected]>