Release: Merge release into master from: release/2.36.3#10571

Merged
Maffooch merged 13 commits into master from release/2.36.3
Jul 15, 2024
Conversation

@github-actions
Contributor

Release triggered by Maffooch

DefectDojo release bot and others added 13 commits July 9, 2024 17:23
….37.0-dev

Release: Merge back 2.36.2 into bugfix from: master-into-bugfix/2.36.2-2.37.0-dev
…illed in Kubernetes (#10384)

* added max fd argument

* added max fd config

* quote

* make max-fd arg optional

* omit if not set

* use sh valid notation

* Preserve single quotes for UWSGI_LOGFORMAT

* Add max-fd as extra argument to avoid unwrapping logformat string

* Fix indentation

* Add option with explanation to values.yaml

* Update helm/defectdojo/values.yaml

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

---------

Co-authored-by: Peter Hoeg Steffensen <peter.steffensen@gmail.com>
Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
* Jira Finding Group Templates: Correct object links

* Bulk Edit: Add note when pushing finding to jira
…g endpoint (#10555)

When a single endpoint is found in the endpoint get or create helper method, we do not want to raise a warning
* reports-fixes Update cover page widget to have page break after entry, use heading attribute for heading

* reports-fixes Add classes for widgets; add css for dealing with page breaks on print

* reports-fixes some additional classes to help distinguish reporting sections

* reports-fixes additional classes on findings/endpoints for reports

* reports-fixes update report widgets to specify a widget_class instead of generating one based on title; fix wysiwyg issue, add delete button for in-use widgets

* reports-fixes for reports widgets, use "header" field for header on rendered reports, instead of "title" (excepting findings/endpoints lists, which do not accept a custom heading)

* reports-fixes add back a newline

* reports-fixes remove extra space

* report-fixes add dojo css for availability in reports

* reports-fixes undo some template/css changes, move report break stuff to report_base

* reports-fixes newline on end of file, remove changed css

* reports-fixes remove unused css from custom_html_report

* reports-fixes change "WYSIWYG Content" to "Custom Content"

* reports-fixes on finding/endpoint filter/clear, run selectpicker on returned selects so the ui (select) elements do not change suddenly

* reports-fixes work on page break changes

* reports-fixes typo in style names

* reports-fixes remove margins on page break widget

* reports-fixes add optional page break after custom content

* reports-fixes optional following page break for wysiwyg

* reports-fixes first pass at removing asciidoc support

* reports-fixes more asciidoc removal updates

* reports-fixes fix wysiwyg widget options loading

* reports-fixes page break after toc

* reports-fixes linter fixes

* trigger GitHub actions
…flag (#10562)

* Simplify checks for inactive test types

* Accommodate fixtures
@dryrunsecurity

dryrunsecurity Bot commented Jul 15, 2024

DryRun Security Summary

The pull request covers a wide range of updates to the DefectDojo application, including improvements to report generation, Jira integration, finding management, and survey/questionnaire management, with a focus on enhancing the application's functionality and security.

Summary:

The changes in this pull request cover a wide range of updates across the DefectDojo application, including improvements to the report generation functionality, the Jira integration, the finding management, and the survey/questionnaire management. The key security-related changes are:

  1. Report Generation: The application is moving away from supporting the AsciiDoc report format and focusing solely on the HTML report format. This change helps to simplify the codebase and reduce the potential attack surface related to the report generation functionality.

  2. Jira Integration: The code introduces a webhook handler for processing incoming Jira webhook events, which allows DefectDojo to automatically update findings and create notes based on changes made in Jira. The code includes security checks, such as webhook authentication and permission validation, to ensure the integrity and security of the Jira integration.

  3. Finding Management: The changes in the finding management functionality focus on improving the reliability and consistency of the import process, ensuring that findings are processed and saved correctly, while also providing options to override certain attributes as needed.

  4. Survey/Questionnaire Management: The changes introduce a new configuration setting called DELETE_PREVIEW, which controls whether the application displays the relationships that will be deleted along with a survey or questionnaire. This setting could have security implications and should be carefully reviewed.

Overall, the changes in this pull request appear to be focused on improving the functionality and security of the DefectDojo application. The code includes several security-related enhancements, such as input validation, error handling, and access control, which help to maintain the application's security posture.

Files Changed:

  1. docs/content/en/usage/features.md: This file has been updated to remove the ability to generate reports in AsciiDoc format, focusing solely on the HTML report format.
  2. dojo/__init__.py: The version number has been updated from 2.36.2 to 2.36.3, which is a minor version update.
  3. components/package.json: The application version and dependencies have been updated to newer versions.
  4. docker/entrypoint-uwsgi.sh: The script has been updated to add additional configuration options for the uWSGI server, including the ability to set the maximum number of open file descriptors.
  5. dojo/endpoint/utils.py: The endpoint_get_or_create function has been updated to handle the case where multiple endpoints match the provided parameters and to log a warning message.
  6. dojo/endpoint/views.py: The delete_endpoint function has been updated to handle the display of relationship previews based on the value of the DELETE_PREVIEW setting.
  7. dojo/api_v2/serializers.py: The Notifications model serializer has been updated to include a validation check for the notification template.
  8. dojo/finding_group/views.py: The code has been updated to handle the deletion of finding groups, including the ability to disable the relationship preview.
  9. dojo/group/views.py: The code has been updated to improve the group management functionality, including authorization checks and handling of related objects.
  10. dojo/importers/default_reimporter.py: The process_findings method has been updated to use the self.minimum_severity attribute instead of the kwargs.get("minimum_severity") approach.
  11. dojo/importers/default_importer.py: The process_findings method has been updated to improve the handling of finding severity, mitigation, and service association.
  12. dojo/product/views.py: The code has been updated to enforce proper access control and provide additional safeguards for critical operations.
  13. dojo/reports/views.py: The report generation functionality has been updated to remove the AsciiDoc report format and focus solely on the HTML report format.
  14. dojo/reports/widgets.py: The report builder feature has been updated to include a new field for adding page breaks.
  15. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash of the settings.dist.py file has been updated, indicating a change to the configuration file.
  16. dojo/static/dojo/js/index.js: The asciidocDownload() function has been removed.
  17. dojo/jira_link/views.py: The Jira integration functionality has been updated to include webhook handling, Jira instance management, and security-related enhancements.

Code Analysis

We ran 7 analyzers against 30 files and 3 analyzers had findings. 4 analyzers had no findings.

Analyzer: Findings
Configured Codepaths Analyzer: 1 finding
Sensitive Files Analyzer: 1 finding
Authn/Authz Analyzer: 5 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@Maffooch Maffooch closed this Jul 15, 2024
@Maffooch Maffooch reopened this Jul 15, 2024
@github-actions github-actions Bot added labels Jul 15, 2024: docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm
@Maffooch Maffooch merged commit 828d1e7 into master Jul 15, 2024
@Maffooch Maffooch deleted the release/2.36.3 branch September 9, 2024 14:12