Merge branch 'dev' into master-into-dev/2.36.2-2.37.0-dev

DefectDojo · Jul 9, 2024 · e6d1071 · e6d1071
2 parents dda00cb + f8cff1b
commit e6d1071
Show file tree

Hide file tree

Showing 509 changed files with 3,238 additions and 2,895 deletions.
diff --git a/Dockerfile.integration-tests-debian b/Dockerfile.integration-tests-debian
@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.6.0@sha256:f86ca824293602b71b9b66683cc0011f8ff963858bd853621c554ff5cc7dd1d5 as openapitools
+FROM openapitools/openapi-generator-cli:v7.7.0@sha256:99924315933d49e7b33a7d2074bb2b64fc8def8f74519939036e24eb48f00336 as openapitools
 FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e as build
 WORKDIR /app
 RUN \

diff --git a/docker/entrypoint-unit-tests-devDocker.sh b/docker/entrypoint-unit-tests-devDocker.sh
@@ -53,6 +53,7 @@ EOF
 
 echo "Unit Tests"
 echo "------------------------------------------------------------"
+
 python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --parallel --exclude-tag="non-parallel"
 python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --tag="non-parallel"
 

diff --git a/docker/entrypoint-unit-tests.sh b/docker/entrypoint-unit-tests.sh
@@ -79,6 +79,6 @@ python3 manage.py migrate
 
 echo "Unit Tests"
 echo "------------------------------------------------------------"
+
 python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --parallel --exclude-tag="non-parallel"
 python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --tag="non-parallel"
-
diff --git a/docker/install_chrome_dependencies.py b/docker/install_chrome_dependencies.py
@@ -25,7 +25,7 @@ def ldd(file_path):
     # For simplicity, I'm assuming if we get an error, the code is non-zero.
     try:
         result = subprocess.run(
-            ["ldd", file_path], capture_output=True, text=True
+            ["ldd", file_path], capture_output=True, text=True,
         )
         stdout = result.stdout
         code = result.returncode

diff --git a/docs/content/en/getting_started/upgrading/2.37.md b/docs/content/en/getting_started/upgrading/2.37.md
@@ -0,0 +1,7 @@
+---
+title: 'Upgrading to DefectDojo Version 2.37.x'
+toc_hide: true
+weight: -20240701
+description: No special instructions.
+---
+There are no special instructions for upgrading to 2.37.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.37.0) for the contents of the release.
diff --git a/docs/content/en/integrations/parsers/file/aws_prowler_v3.md b/docs/content/en/integrations/parsers/file/aws_prowler_v3.md
diff --git a/docs/content/en/integrations/parsers/file/aws_prowler_v3plus.md b/docs/content/en/integrations/parsers/file/aws_prowler_v3plus.md
@@ -0,0 +1,163 @@
+---
+title: "AWS Prowler V3"
+toc_hide: true
+---
+
+### File Types
+DefectDojo parser accepts a native `json` file produced by prowler v3 with file extension `.json` or a `ocsf-json` file produced by prowler v4 with file extension `.ocsf.json`. 
+Please note: earlier versions of AWS Prowler create output data in a different format. See our other [prowler parser documentation](https://documentation.defectdojo.com/integrations/parsers/file/aws_prowler/) if you are using an earlier version of AWS Prowler. 
+
+JSON reports can be created from the [AWS Prowler v3 CLI](https://docs.prowler.com/projects/prowler-open-source/en/v3/tutorials/reporting/#json) using the following command: `prowler <provider> -M json`
+
+JSON-OCSF reports can be created from the [AWS Prowler v4 CLI](https://docs.prowler.cloud/en/latest/tutorials/reporting/#json) using the following command: `prowler <provider> -M json-ocsf`
+
+
+### Acceptable Prowler v3 JSON format
+Parser expects an array of assessments. All properties are strings and are required by the parser.
+
+~~~
+
+[
+        {
+            "AssessmentStartTime": "example_timestamp",
+            "FindingUniqueId": "example_uniqueIdFromTool",
+            "Provider": "example_provider",
+            "CheckID": "acm_certificates_expiration_check",
+            "CheckTitle": "Check if ACM Certificates are about to expire in specific days or less",
+            "CheckType": [
+                "Example ASFF-Compliant Finding Type"
+            ],
+            "ServiceName": "example_awsServiceName",
+            "SubServiceName": "",
+            "Status": "FAIL",
+            "StatusExtended": "Example status description",
+            "Severity": "example_severity",
+            "ResourceType": "AwsCertificateManagerCertificate",
+            "ResourceDetails": "",
+            "Description": "Example general test description.",
+            "Risk": "Example test impact description.",
+            "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
+            "Remediation": {
+                "Code": {
+                    "NativeIaC": "",
+                    "Terraform": "",
+                    "CLI": "",
+                    "Other": ""
+                },
+                "Recommendation": {
+                    "Text": "Example recommendation.",
+                    "Url": "https://docs.aws.amazon.com/config/latest/developerguide/example_related_documentation.html"
+                }
+            },
+            "Compliance": {
+                    "GDPR": [
+                        "article_32"
+                    ],
+                ...
+            },
+            "Categories": [],
+            "DependsOn": [],
+            "RelatedTo": [],
+            "Notes": "",
+            "Profile": null,
+            "AccountId": "example_accountId",
+            "OrganizationsInfo": null,
+            "Region": "example_region",
+            "ResourceId": "example.resource.id.com",
+            "ResourceArn": "arn:aws:acm:us-east-1:999999999999:certificate/ffffffff-0000-0000-0000-000000000000",
+            "ResourceTags": {}
+        }
+    ...
+]
+
+~~~
+
+### Acceptable Prowler v4 JSON-OCSF format
+The parser expects an array of assessments. All properties are strings and are required by the parser.
+
+~~~
+[{
+    "metadata": {
+        "event_code": "iam_role_administratoraccess_policy_permissive_trust_relationship",
+        "product": {
+            "name": "Prowler",
+            "vendor_name": "Prowler",
+            "version": "4.2.1"
+        },
+        "version": "1.2.0"
+    },
+    "severity_id": 4,
+    "severity": "High",
+    "status": "Suppressed",
+    "status_code": "FAIL",
+    "status_detail": "IAM Role myAdministratorExecutionRole has AdministratorAccess policy attached that has too permissive trust relationship.",
+    "status_id": 3,
+    "unmapped": {
+        "check_type": "",
+        "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator",
+        "categories": "trustboundaries",
+        "depends_on": "",
+        "related_to": "",
+        "notes": "CAF Security Epic: IAM",
+        "compliance": {}
+    },
+    "activity_name": "Create",
+    "activity_id": 1,
+    "finding_info": {
+        "created_time": "2024-06-03T14:15:19.382075",
+        "desc": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship",
+        "product_uid": "prowler",
+        "title": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship",
+        "uid": "prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole"
+    },
+    "resources": [
+        {
+            "cloud_partition": "aws",
+            "region": "us-east-1",
+            "data": {
+                "details": ""
+            },
+            "group": {
+                "name": "iam"
+            },
+            "labels": [],
+            "name": "myAdministratorExecutionRole",
+            "type": "AwsIamRole",
+            "uid": "arn:aws:iam::123456789012:role/myAdministratorExecutionRole"
+        }
+    ],
+    "category_name": "Findings",
+    "category_uid": 2,
+    "class_name": "DetectionFinding",
+    "class_uid": 2004,
+    "cloud": {
+        "account": {
+            "name": "",
+            "type": "AWS_Account",
+            "type_id": 10,
+            "uid": "123456789012",
+            "labels": []
+        },
+        "org": {
+            "name": "",
+            "uid": ""
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "event_time": "2024-06-03T14:15:19.382075",
+    "remediation": {
+        "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
+        "references": [
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
+        ]
+    },
+    "risk_details": "The AWS-managed AdministratorAccess policy grants all actions for all AWS services and for all resources in the account and as such exposes the customer to a significant data leakage threat. It is therefore particularly important that the trust relationship is well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
+    "type_uid": 200401,
+    "type_name": "Create"
+}]
+
+~~~
+
+### Sample Scan Data
+Unit tests of AWS Prowler v3 JSON and Prowler v4 JSON-OCSF can be found at https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/aws_prowler_v3.
diff --git a/docs/package-lock.json b/docs/package-lock.json
diff --git a/docs/package.json b/docs/package.json
@@ -1,6 +1,6 @@
 {
   "devDependencies": {
-    "postcss": "8.4.38",
+    "postcss": "8.4.39",
     "autoprefixer": "10.4.19",
     "postcss-cli": "11.0.0"
   }

diff --git a/dojo/admin.py b/dojo/admin.py
@@ -49,7 +49,7 @@ class QuestionParentAdmin(PolymorphicParentModelAdmin):
     base_model = Question
     child_models = (
         TextQuestion,
-        ChoiceQuestion
+        ChoiceQuestion,
     )
 
 

diff --git a/dojo/announcement/signals.py b/dojo/announcement/signals.py
@@ -17,11 +17,11 @@ def add_announcement_to_new_user(sender, instance, **kwargs):
         )
         if not cloud_announcement or settings.CREATE_CLOUD_BANNER:
             user_announcements = UserAnnouncement.objects.filter(
-                user=dojo_user, announcement=announcement
+                user=dojo_user, announcement=announcement,
             )
             if user_announcements.count() == 0:
                 UserAnnouncement.objects.get_or_create(
-                    user=dojo_user, announcement=announcement
+                    user=dojo_user, announcement=announcement,
                 )
 
 
@@ -31,8 +31,8 @@ def announcement_post_save(sender, instance, created, **kwargs):
         UserAnnouncement.objects.bulk_create(
             [
                 UserAnnouncement(
-                    user=user_id, announcement=instance
+                    user=user_id, announcement=instance,
                 )
                 for user_id in Dojo_User.objects.all()
-            ]
+            ],
         )