Release: Merge release into master from: release/2.38.4 #10963

Merged
Maffooch merged 6 commits into master from release/2.38.4
Sep 26, 2024
Conversation

@github-actions (Contributor)

Release triggered by Maffooch

@Maffooch Maffooch closed this Sep 26, 2024
@Maffooch Maffooch reopened this Sep 26, 2024
@github-actions github-actions Bot added the labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, unittests, parser and helm on Sep 26, 2024
@dryrunsecurity

dryrunsecurity Bot commented Sep 26, 2024

DryRun Security Summary

This pull request includes security-related updates and improvements to the DefectDojo application, such as version updates, password handling, notification settings, AWS Security Hub integration, and unit tests.

Summary:

This pull request includes several changes across multiple files in the DefectDojo application, primarily focused on security-related updates and improvements. The key changes include:

  1. Version Updates: The application and its associated Helm chart have been updated to newer versions, which may include security fixes or enhancements. It's important to review the release notes to understand the changes and their potential impact on the application's security posture.

  2. Password Handling: The changes introduce new settings to control password requirements for user creation and updates, allowing the application to be configured to either require or not require passwords. This introduces a trade-off between usability and security that should be carefully evaluated.

  3. Notification Settings: A new setting has been added to allow system-level notification settings to override user-level preferences for certain security-related events, ensuring that important notifications are always delivered.

  4. AWS Security Hub Integration: The changes include updates to the AWS Security Hub parser, which is responsible for processing and creating findings from the AWS Inspector service. This includes improvements to the handling of the EPSS (Exploitability Prediction Score) and the extraction of vulnerability information.

  5. Unit Tests: The pull request includes updates to the unit tests for the AWS Security Hub parser, which helps ensure the robustness and accuracy of this important security component.

Files Changed:

  • components/package.json: Version update for the defectdojo project from 2.38.3 to 2.38.4.
  • dojo/__init__.py: Version update from 2.38.3 to 2.38.4.
  • dojo/api_v2/serializers.py: Changes to the UserSerializer class to prevent password updates through the API and require passwords for new users.
  • dojo/settings/.settings.dist.py.sha256sum: Checksum update for the .settings.dist.py file.
  • dojo/forms.py: Changes to the AddDojoUserForm to make the password field required only when the REQUIRE_PASSWORD_ON_USER setting is enabled.
  • dojo/settings/settings.dist.py: Addition of new settings DD_REQUIRE_PASSWORD_ON_USER and DD_NOTIFICATIONS_SYSTEM_LEVEL_TRUMP.
  • dojo/tools/awssecurityhub/inspector.py: Improvements to the handling of the EPSS score and the processing of vulnerability information.
  • helm/defectdojo/Chart.yaml: Version update for the DefectDojo Helm chart and the underlying application.
  • unittests/scans/awssecurityhub/issue_10956.json: Addition of a new JSON file containing a security finding from the AWS Inspector service.
  • dojo/api_v2/views.py: Changes to various view sets that handle different functionalities of the application, with a focus on security-related aspects.
  • unittests/tools/test_awssecurityhub_parser.py: Updates to the unit tests for the AwsSecurityHubParser class, including a new test case for the EPSS score.

Code Analysis

We ran 9 analyzers against 11 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 12 findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

@Maffooch Maffooch merged commit 3061a31 into master Sep 26, 2024