
Release: Merge release into master from: release/2.35.4#10449

Merged
blakeaowens merged 7 commits into master from release/2.35.4 on Jun 24, 2024

Conversation

@github-actions (Contributor)

Release triggered by blakeaowens

DefectDojo release bot and others added 7 commits June 17, 2024 17:23
….36.0-dev

Release: Merge back 2.35.3 into bugfix from: master-into-bugfix/2.35.3-2.36.0-dev
* 🐛 fix qualys webapp scan request body

* add unittest
* Fix create notification execution for group of findings

* Create notification for comment for group of findings if findings exist

* Update notification title when a new comment is added for group of findings

---------

Co-authored-by: Camilo Cota <ccota@redhat.com>
* Finding Reports: Support string based filtering

* Adding a few more fields

* Manage object level reports a bit better

* Accommodate hidden fields better

* Update dojo/filters.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

* Update dojo/filters.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

* Update dojo/filters.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

* Update dojo/filters.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

---------

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

dryrunsecurity Bot commented Jun 24, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                  Findings
Server-Side Request Forgery Analyzer    0 findings
Configured Codepaths Analyzer           1 finding
IDOR Analyzer                           0 findings
Sensitive Files Analyzer                1 finding
SQL Injection Analyzer                  0 findings
Authn/Authz Analyzer                    6 findings
Secrets Analyzer                        0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover a range of updates and improvements to the DefectDojo application, a popular open-source tool for managing software vulnerabilities and security issues. The changes span multiple components of the application, including the package.json file, the dojo/__init__.py file, the API views, the filtering functionality, the report generation, the JIRA integration, and the Acunetix parser.

Overall, the changes appear to be focused on enhancing the application's security-related features, improving performance, and addressing potential security concerns. The changes include updates to version numbers, the introduction of new filtering classes, improvements to the report generation process, and enhancements to the JIRA integration and Acunetix parser functionality.

While there are no obvious security vulnerabilities introduced by these changes, it is essential to thoroughly review the changes and their potential impact on the application's security posture. This includes ensuring that user input is properly sanitized, that sensitive information is not exposed, and that any new functionality or dependencies are secure and up-to-date.

Files Changed:

  1. components/package.json: The version of the DefectDojo application has been updated from 2.35.3 to 2.35.4, which is a minor version update.
  2. dojo/__init__.py: The version number of the dojo/__init__.py file has been updated from 2.35.3 to 2.35.4.
  3. dojo/api_v2/views.py: Changes include the addition of a new filter class ReportFindingFilterWithoutObjectLookups and updates to the report_generate function and the FindingViewSet class.
  4. dojo/filters.py: The changes introduce new filter classes, such as ReportFindingFilterWithoutObjectLookups and SimilarFindingFilter, to improve performance and functionality.
  5. dojo/reports/views.py: The changes focus on enhancing the report generation functionality, including the addition of new filter options and export options.
  6. dojo/tools/qualys_webapp/parser.py: The changes ensure that the full request, including the request body, is captured and included in the findings.
  7. dojo/jira_link/views.py: The changes improve the JIRA integration functionality, including webhook authentication and processing of JIRA comments and issue updates.
  8. dojo/reports/widgets.py: The changes introduce the use of the ReportFindingFilterWithoutObjectLookups filter to potentially improve the performance of the report generation process.
  9. helm/defectdojo/Chart.yaml: The Helm chart for the DefectDojo application has been updated to version 1.6.136, with the application version updated to 2.35.4.
  10. dojo/templates/dojo/report_filter_snippet.html: The changes improve the handling of form fields in the report filter snippet, separating hidden and visible fields for better accessibility.
  11. dojo/tools/acunetix/parse_acunetix360_json.py: The changes focus on improving the robustness of the Acunetix parser, including handling null values and tracking duplicate findings.
  12. unittests/tools/test_acunetix_parser.py: The changes add new test cases to ensure the Acunetix parser can correctly handle specific issues.
  13. unittests/scans/qualys_webapp/discussion_10239.xml: This file appears to be a scan report generated by a web application security scanner, highlighting potential vulnerabilities and security misconfigurations.
  14. unittests/tools/test_qualys_webapp_parser.py: The changes add a new test case to validate the parser's ability to correctly identify and extract details of a potentially malicious HTTP request.
  15. unittests/scans/acunetix/issue_10435.json: This file contains an Acunetix vulnerability report, which identifies a missing X-Frame-Options header vulnerability that has been removed or expired.

Powered by DryRun Security
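The bot summary above notes two parser changes in this release: the Qualys WebApp parser now captures the full request including its body, and the Acunetix 360 parser tolerates null values and tracks duplicate findings. The block below is an added example, not DefectDojo's code and not either scanner's real schema: it parses a constructed report in a generic JSON shape (the field names, the SAMPLE_REPORT contents and the helper names are assumptions for this example) and shows the three defensive habits a scanner importer needs: null-safe field access with a fixed severity vocabulary, a content-derived deduplication key, and splitting the raw HTTP request so the body is preserved alongside the headers rather than dropped.

```python
import hashlib
import json

# Constructed sample in a generic scanner JSON shape (an assumption for this
# example, not the Acunetix 360 or Qualys WebApp format). It deliberately has a
# null description, a null severity, a duplicate entry and a request body.
SAMPLE_REPORT = json.dumps({
    "Vulnerabilities": [
        {
            "Name": "Missing X-Frame-Options header",
            "Url": "https://target.example/login",
            "Severity": "Low",
            "Description": None,
            "Request": "GET /login HTTP/1.1\r\nHost: target.example\r\n\r\n",
        },
        {
            "Name": "Missing X-Frame-Options header",
            "Url": "https://target.example/login",
            "Severity": "Low",
            "Description": "Duplicate of the first entry",
            "Request": None,
        },
        {
            "Name": "Reflected input in response",
            "Url": "https://target.example/search",
            "Severity": None,
            "Description": "Parameter q is echoed unencoded",
            "Request": ("POST /search HTTP/1.1\r\nHost: target.example\r\n"
                        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                        "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        },
    ]
})

# Fixed vocabulary so a null or unexpected scanner value cannot leak through
# as a severity the rest of the pipeline does not understand.
SEVERITIES = {"critical", "high", "medium", "low", "info"}


def normalize_severity(value):
    """Map a possibly-null or unknown scanner severity onto SEVERITIES."""
    if not isinstance(value, str) or value.lower() not in SEVERITIES:
        return "Info"
    return value.capitalize()


def split_request(raw):
    """Split a raw HTTP request into (request line + headers, body).

    A missing request yields two empty strings; a request with no body
    yields an empty body, never None, so templates and tests can rely on str.
    """
    if not raw:
        return "", ""
    head, _sep, body = raw.partition("\r\n\r\n")
    return head, body


def dedup_key(name, url):
    """Content-derived key: same title at the same URL is the same finding."""
    return hashlib.sha256(f"{name}\n{url}".encode()).hexdigest()


def parse_report(json_text):
    """Parse the constructed report into a list of normalized finding dicts.

    Duplicates (by dedup_key) are collapsed into the first occurrence with an
    incremented 'occurrences' counter instead of being imported twice.
    """
    data = json.loads(json_text)
    findings = {}
    for item in data.get("Vulnerabilities") or []:
        name = item.get("Name") or "Unnamed finding"
        url = item.get("Url") or ""
        key = dedup_key(name, url)
        if key in findings:
            findings[key]["occurrences"] += 1
            continue
        head, body = split_request(item.get("Request"))
        findings[key] = {
            "title": name,
            "url": url,
            "severity": normalize_severity(item.get("Severity")),
            "description": item.get("Description") or "",
            "request_headers": head,
            "request_body": body,
            "occurrences": 1,
        }
    return list(findings.values())


if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(finding["severity"], finding["title"], finding["occurrences"],
              repr(finding["request_body"]))
```

The dedup key is hashed over title and URL only; a real importer would fold in whatever the scanner exposes as a stable identifier, and would keep the request body verbatim (as the Qualys test described above does) because the body is often the only place the injected payload is visible.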

@blakeaowens blakeaowens reopened this Jun 24, 2024
@blakeaowens blakeaowens merged commit 81c123e into master Jun 24, 2024
@Maffooch Maffooch deleted the release/2.35.4 branch July 9, 2024 21:30
