diff --git a/.dryrunsecurity.yaml b/.dryrunsecurity.yaml index da92963dda..ec4743108a 100644 --- a/.dryrunsecurity.yaml +++ b/.dryrunsecurity.yaml @@ -67,6 +67,7 @@ allowedAuthors: - dsever - dogboat - hblankenship + - valentijnscholten notificationList: - '@mtesauro' - '@grendel513' diff --git a/README.md b/README.md index 25d4070a63..6ca297579b 100644 --- a/README.md +++ b/README.md @@ -113,7 +113,7 @@ of DefectDojo as we begin work on v3. Please see our [contributing guidelines](r information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/8974). ## Pro Edition -[Upgrade to DefectDojo Pro](https://www.defectdojo.com/pricing) today to take your DevSecOps to 11. DefectDojo Pro is +[Upgrade to DefectDojo Pro](https://www.defectdojo.com/) today to take your DevSecOps to 11. DefectDojo Pro is designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional smart features, tunable deduplication, and support from DevSecOps experts. diff --git a/docs/content/en/changelog/changelog.md b/docs/content/en/changelog/changelog.md index c386bdb6c0..24d3be98c6 100644 --- a/docs/content/en/changelog/changelog.md +++ b/docs/content/en/changelog/changelog.md 
@@ -7,6 +7,14 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide). +## Jan 21, 2025: v2.42.2 + +- **(Classic UI)** Corrected link to Smart Upload form. +- **(CLI Tools)** Fixed issue with .exe extensions not getting added to Windows binaries +- **(Findings)** `Mitigated` filter now uses datetime instead of date for filtering. +- **(OAuth)** Clarified Azure AD labels to better align with Azure's language. Default value for Azure Resource is now set. (Pro) +- **(RBAC)** Request Review now applies RBAC properly with regard to User Groups. + ## Jan 13, 2025: v2.42.1 - **(API)** Pro users can now specify the fields they want to return in a given API payload. For example, this request will only return the title, severity and description fields for each Finding. (Pro) @@ -15,6 +23,10 @@ curl -X 'GET' \ 'https://localhost/api/v2/findings/?response_fields=title,severity,description' \ -H 'accept: application/json' ``` +- **(Findings)** Excel and CSV exports now include tags. +- **(Reports)** Reports now exclude unenforced SLAs from Executive Summary to avoid confusion. +- **(Risk Acceptance)** Simple Risk Acceptances now have a 'paper trail' created - when they are added or removed, a note will be added to the Finding to log the action. +- **(Tools)** ImageTags are now included with AWS SecurityHub and AWS inspector parsers. ## Jan 6, 2025: v2.42.0 diff --git a/docs/content/en/open_source/api-v2-docs.md b/docs/content/en/open_source/api-v2-docs.md index 3627d3e426..04939c9837 100644 --- a/docs/content/en/open_source/api-v2-docs.md +++ b/docs/content/en/open_source/api-v2-docs.md 
@@ -5,13 +5,10 @@ draft: false weight: 2 --- - - - DefectDojo\'s API is created using [Django Rest Framework](http://www.django-rest-framework.org/). The documentation of each endpoint is available within each DefectDojo installation at -[`/api/v2/doc/`](https://demo.defectdojo.org/api/v2/) and can be accessed by choosing the API v2 +[`/api/v2/oa3/swagger-ui`](https://demo.defectdojo.org/api/v2/oa3/swagger-ui/)) and can be accessed by choosing the API v2 Docs link on the user drop down menu in the header. ![image](../../images/api_v2_1.png) @@ -45,7 +42,7 @@ For example: : ### Alternative authentication method -If you use [an alternative authentication method](../social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \ +If you use [an alternative authentication method](../archived_docs/integrations/social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \ Using of DefectDojo API tokens can be disabled by specifying the environment variable `DD_API_TOKENS_ENABLED` to `False`. Or only `api/v2/api-token-auth/` endpoint can be disabled by setting `DD_API_TOKEN_AUTH_ENDPOINT_ENABLED` to `False`. @@ -128,7 +125,7 @@ The json object result is: : {{< /highlight >}} See [Django Rest Framework\'s documentation on interacting with an -API](http://www.django-rest-framework.org/topics/api-clients/) for +API](https://www.django-rest-framework.org/) for additional examples and tips. ## Manually calling the API diff --git a/docs/content/en/open_source/ldap-authentication.md b/docs/content/en/open_source/ldap-authentication.md index e97758e02e..e6ee863f9c 100644 --- a/docs/content/en/open_source/ldap-authentication.md +++ b/docs/content/en/open_source/ldap-authentication.md 
@@ -17,7 +17,7 @@ We will need to modify a grand total of 4-5 files, depending on how you want to - Dockerfile.django-* - Dockerfile.nginx-* - requirements.txt - - settings.dist.py + - local_settings.py - docker-compose.yml *(Optional)* @@ -36,8 +36,8 @@ ldap-utils \ Please check for the latest version of these requirements at the time of implementation on pypi.org and use those if you can. -- [https://pypi.org/project/python-ldap/](python-ldap) -- [https://pypi.org/project/django-auth-ldap/](django-auth-ldap) +- [python-ldap](https://pypi.org/project/python-ldap/) +- [django-auth-ldap](https://pypi.org/project/django-auth-ldap/) Otherwise add the following to requirements.txt: @@ -47,9 +47,9 @@ django-auth-ldap==4.1.0 ``` -#### settings.dist.py +#### local_settings.py -Find the settings file (hint: `/dojo/settings/settings.dist.py`) and add the following: +Find the settings file (hint: check in `/dojo/settings/settings.py` for instructions for how to use `/dojo/settings/local_settings.py`, if the file does not already exist) and add the following: At the top of the file: ```python @@ -116,7 +116,7 @@ Read the docs for Django Authentication with LDAP here: https://django-auth-ldap #### docker-compose.yml -In order to pass the variables to the settings.dist.py file via docker, it's a good idea to add these to the docker compose file. +In order to pass the variables to the local_settings.py file via docker, it's a good idea to add these to the docker compose file. You can do this by adding the following variables to the environment section for the uwsgi image: ```yaml diff --git a/docs/package-lock.json b/docs/package-lock.json index 01229f0d6b..ed65b8c4a7 100644 --- a/docs/package-lock.json +++ b/docs/package-lock.json @@ -18,7 +18,7 @@ }, "devDependencies": { "prettier": "^3.3.3", - "vite": "^6.0.0" + "vite": "^6.0.9" }, "engines": { "node": ">=20.11.0" 
@@ -4717,9 +4717,9 @@ "license": "MIT" }, "node_modules/vite": { - "version": "6.0.7", - "resolved": "https://registry.npmjs.org/vite/-/vite-6.0.7.tgz", - "integrity": "sha512-RDt8r/7qx9940f8FcOIAH9PTViRrghKaK2K1jY3RaAURrEUbm9Du1mJ72G+jlhtG3WwodnfzY8ORQZbBavZEAQ==", + "version": "6.0.9", + "resolved": "https://registry.npmjs.org/vite/-/vite-6.0.9.tgz", + "integrity": "sha512-MSgUxHcaXLtnBPktkbUSoQUANApKYuxZ6DrbVENlIorbhL2dZydTLaZ01tjUoE3szeFzlFk9ANOKk0xurh4MKA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/docs/package.json b/docs/package.json index 801971d41e..af0e0b944e 100644 --- a/docs/package.json +++ b/docs/package.json @@ -21,7 +21,7 @@ }, "devDependencies": { "prettier": "^3.3.3", - "vite": "^6.0.0" + "vite": "^6.0.9" }, "engines": { "node": ">=20.11.0" diff --git a/requirements.txt b/requirements.txt index 6a7aba4800..17739b605f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ # requirements.txt for DefectDojo using Python 3.x -asteval==1.0.5 +asteval==1.0.6 bleach==6.2.0 bleach[css] celery==5.4.0
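Review bot: in the `.dryrunsecurity.yaml` hunk, adding `valentijnscholten` under `allowedAuthors` changes which contributors the DryRun Security check treats specially, but nothing in the diff or its description says why; please state the intent in the PR description (and confirm with the people on `notificationList`, `@mtesauro` and `@grendel513`, who own that allow-list), since the list widens the set of authors whose changes get different scrutiny.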
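Review bot: the two new changelog hunks in `docs/content/en/changelog/changelog.md` are inconsistent in style: `- **(CLI Tools)** Fixed issue with .exe extensions not getting added to Windows binaries` is the only bullet without a trailing period, and `AWS inspector` in the `(Tools)` bullet should be `AWS Inspector` to match the product name and the `AWS SecurityHub` capitalisation beside it. The `(RBAC)` entry ("Request Review now applies RBAC properly with regard to User Groups") reads like an authorization fix; if it is, it deserves a sentence on what was previously allowed so operators can judge whether to upgrade promptly.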
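Review bot: the first hunk in `docs/content/en/open_source/api-v2-docs.md` introduces a Markdown error: `[`/api/v2/oa3/swagger-ui`](https://demo.defectdojo.org/api/v2/oa3/swagger-ui/))` has two closing parentheses, so the rendered page will show a stray `)` after the link. Drop one. In the third hunk of the same file, the anchor text still promises "Django Rest Framework's documentation on interacting with an API" but the target was changed from the `topics/api-clients/` page to the bare `https://www.django-rest-framework.org/` homepage; either point at the specific DRF page that replaced the old one or reword the sentence so it does not claim a page it no longer links.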
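Review bot: in `docs/content/en/open_source/ldap-authentication.md`, switching the instructions from `settings.dist.py` to `local_settings.py` is the right direction (it keeps site-specific LDAP configuration out of a tracked distribution file), but the last hunk still tells readers to add the values "to the environment section for the uwsgi image" in `docker-compose.yml`. If those variables include the LDAP bind credentials, the docs should say that a committed compose file is the wrong place for them and point at an `env_file` or an equivalent secrets mechanism instead, so the change does not simply move the secret from one tracked file to another. The second hunk's swap of link text and URL (`[python-ldap](https://pypi.org/project/python-ldap/)`) fixes a real rendering bug; good catch.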
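Review bot: the `vite` bump in `docs/package.json` (`"^6.0.0"` to `"^6.0.9"`) and the matching `docs/package-lock.json` entry (`6.0.7` to `6.0.9` with a new `integrity` hash) are consistent with each other, which is what we want, but neither the diff nor the changelog says what motivated it. If this is a security update, say so in the PR description and in the release notes so downstream users can see it; if it is routine, a one-line note is still useful because the raised floor now rejects any 6.0.x below 6.0.9 on fresh installs.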
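Review bot: `requirements.txt` moves `asteval` from `1.0.5` to `1.0.6` with an exact pin, which is fine, but the v2.42.2 changelog in this same PR does not mention the dependency update. Since `asteval` is the library DefectDojo relies on to evaluate expressions safely, a version change there is worth a changelog line (or a reference to the upstream release notes) so reviewers can check whether the new version alters its sandboxing behaviour.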