
Bugfix -> Dev: Release 2.36.0 #10483

Merged
Maffooch merged 4 commits into dev from bugfix
Jul 1, 2024

Conversation

Maffooch (Contributor) commented Jul 1, 2024

No description provided.

DefectDojo release bot and others added 4 commits June 24, 2024 18:25
….36.0-dev

Release: Merge back 2.35.4 into bugfix from: master-into-bugfix/2.35.4-2.36.0-dev
…t for a group of findings (#10428)

Co-authored-by: Camilo Cota <ccota@redhat.com>
* metrics-performance wip dashboard changes

* metrics-performance wip on metrics

* metrics-performance work on metrics tables

* metrics-performance wip more tables

* metrics-performance endpoints work

* metrics-performance renaming

* metrics-performance endpoints and some cleanup

* metrics-performance endpoints metrics details table populates with finding info

* metrics-performance endpoint calcs against endpoint_status instead of related finding

* metrics-performance template var fix, calculate period ranges more in line with previous offering

* metrics-performance refactoring

* metrics-performance remove old code, use existing helper function rather than reimplementing

* metrics-performance fix bug age determination to handle "negative" mitigation dates

* metrics-performance Updates to rename some vars, use existing functions, comments

* metrics-performance rename age entry vars to be more descriptive

* metrics-performance changes to use existing functions

* metrics-performance comments, typing, refactoring

* metrics-performance refactoring and comments

* metrics-performance type hinting, fix dashboard

* metrics-performance move metrics methods to a util module

* metrics-performance reordering imports for linter

* metrics-performance refactor

* metrics-performance remove perf class, restore some code that didn't need changing

* metrics-performance comment cleanup

* metrics-performance work on test fixes

* metrics-performance test updates

* metrics-performance test updates

* metrics-performance attempt at handling findings age determination for mysql

* metrics-performance fix import

* metrics-performance loosen exception for finding age determination

* metrics-performance derp querysets are lazy

* metrics-performance linter fix

* metrics-performance fixes for mysql

* metrics-performance use counts for severities instead of sums to avoid null values, use correct reverse lookup on urls in accepted/closed/open tables

* metrics-performance set appropriate links on findings tables

* trigger actions
dryrunsecurity (Bot) commented Jul 1, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                  Findings
Server-Side Request Forgery Analyzer    0 findings
Configured Codepaths Analyzer           1 finding
IDOR Analyzer                           0 findings
Sensitive Files Analyzer                1 finding
SQL Injection Analyzer                  0 findings
Authn/Authz Analyzer                    2 findings
Secrets Analyzer                        0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this GitHub Pull Request cover various updates and improvements to the DefectDojo application, including version updates, package dependency changes, and enhancements to the metrics and analytics functionality. While the changes do not appear to introduce any immediate security vulnerabilities, there are a few areas that should be reviewed from an application security perspective:

  1. Version Updates: The changes update the application version to a new development version (2.36.0-dev) and the Helm chart version to 1.6.137-dev. It's important to review the release notes and change logs for these new versions to understand any security-related fixes or improvements that may have been included.

  2. Dependency Management: The package.json file has been updated to reflect the new version of the defectdojo package. It's crucial to review the versions and security status of all dependencies to ensure they are up-to-date and do not contain any known vulnerabilities.

  3. Metrics and Analytics: The changes to the metrics and analytics functionality, including the dojo/metrics/utils.py, dojo/metrics/views.py, and related template files, should be reviewed to ensure that user input is properly sanitized and validated to prevent potential security issues, such as SQL injection vulnerabilities.

  4. Access Control and Authorization: The code makes use of functions like user_has_permission_or_403 to enforce appropriate access control and security measures. It's important to ensure that these access control mechanisms are implemented correctly and consistently throughout the application.

  5. Caching and Performance: The addition of caching mechanisms, such as the @cache_page and @vary_on_cookie decorators, can improve the application's performance, but they should be reviewed to ensure that they do not inadvertently expose sensitive information or introduce other security risks.

Overall, the changes in this Pull Request appear to be focused on improving the functionality, performance, and maintainability of the DefectDojo application. While there are no obvious security concerns, it's crucial to thoroughly review the changes, assess the impact on the application's security posture, and ensure that any potential vulnerabilities are identified and addressed before deploying the updates to production environments.

Files Changed:

  1. dojo/__init__.py: The version number has been updated to a new development version ('2.36.0-dev'). This is a benign change and does not introduce any security vulnerabilities.

  2. components/package.json: The defectdojo package version has been updated to 2.36.0-dev. This should be reviewed to ensure that the new version does not introduce any security vulnerabilities or breaking changes.

  3. dojo/jira_link/helper.py: The changes improve the handling of environment information for JIRA issues, which is not directly related to security vulnerabilities.

  4. dojo/metrics/utils.py: The changes focus on optimizing the metrics and analytics functionality, which should be reviewed to ensure proper handling of user input and access control.

  5. helm/defectdojo/Chart.yaml: The Helm chart version has been updated to 1.6.137-dev. This should be reviewed alongside the application version update.

  6. dojo/metrics/views.py: The changes improve the metrics functionality, including caching and authorization mechanisms, which should be reviewed for security implications.

  7. dojo/templates/dojo/dashboard-metrics.html: The changes focus on improving the presentation of metrics data, with considerations for data sanitization and accessibility.

  8. dojo/templates/dojo/metrics.html: The changes enhance the metrics page, including pagination, data presentation, and accessibility improvements.

  9. unittests/test_metrics_queries.py: The changes update the test cases to reflect the refactoring of the finding_queries and endpoint_queries functions from the views module to the utils module.

Powered by DryRun Security


4 participants