Release: Merge back 2.49.2 into dev from: master-into-dev/2.49.2-2.50.0-dev#13010

Merged
rossops merged 13 commits into dev from master-into-dev/2.49.2-2.50.0-dev on Aug 18, 2025
Conversation

@github-actions
Contributor

Release triggered by rossops

DefectDojo release bot and others added 12 commits August 11, 2025 15:20
….50.0-dev

Release: Merge back 2.49.1 into bugfix from: master-into-bugfix/2.49.1-2.50.0-dev
* update CLI docs

update cli docs

* changelog 2.48

* Apply suggestions from code review

Co-authored-by: dogboat <dogboat@users.noreply.github.com>

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: dogboat <dogboat@users.noreply.github.com>
* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md
Release: Merge release into master from: release/2.49.2
@dryrunsecurity

dryrunsecurity Bot commented Aug 18, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains sensitive edits to multiple files in the dojo directory, including forms.py, endpoint/signals.py, and views.py, and raises concerns about potential unintended data modification through CLI flags that could allow closing findings without proper safeguards, as well as a missing audit trail issue in the endpoint deletion signal handler.

🔴 Configured Codepaths Edit in dojo/forms.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/endpoint/signals.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/forms.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/views.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Unintended Data Modification via CLI Flags in docs/content/en/connecting_your_tools/external_tools.md
Vulnerability: Unintended Data Modification via CLI Flags
Description: The --close-old-findings and --close-old-findings-product-scope CLI flags allow users to automatically close findings that are not present in a newly imported scan report. Without sufficient warnings, permission checks, or clear audit trails, this feature can be misused by any user with import permissions to hide active vulnerabilities by importing partial or incomplete scan reports, leading to an inaccurate representation of the system's security posture.

`--auto-create-context, --acc`
* If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_CLI_AUTO_CREATE_CONTEXT]`
`--close-old-findings, --cof`
* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the Findings for this Service will be closed. [$DD_CLI_CLOSE_OLD_FINDINGS]
`--close-old-findings-product-scope, --cofps`
* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_CLI_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
`--deduplication-on-engagement, --doe`
* If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_CLI_DEDUPLICATION_ON_ENGAGEMENT]`

Potential for Unintended Data Modification in docs/content/en/connecting_your_tools/external_tools.md
Vulnerability: Potential for Unintended Data Modification
Description: The --close-old-findings and --close-old-findings-product-scope CLI options in the universal importer allow for automated bulk closure of findings. While designed to reflect the current state of vulnerabilities based on new scan reports, misuse could lead to the premature closure of active vulnerabilities if an incomplete or malformed scan report is intentionally imported. This could result in an inaccurate representation of the system's security posture, potentially concealing vulnerabilities from auditors or management.

`--auto-create-context, --acc`
* If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_IMPORTER_AUTO_CREATE_CONTEXT]`
`--close-old-findings, --cof`
* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the findings for this Service will be closed. [$DD_IMPORTER_CLOSE_OLD_FINDINGS]
`--close-old-findings-product-scope, --cofps`
* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_IMPORTER_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
`--deduplication-on-engagement, --doe`
* If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_IMPORTER_DEDUPLICATION_ON_ENGAGEMENT]`

Unintended Data Modification via CLI Flags in docs/content/en/connecting_your_tools/external_tools.md
Vulnerability: Unintended Data Modification via CLI Flags
Description: The new --close-old-findings and --close-old-findings-product-scope CLI options in the universal re-importer allow for automated bulk closure of findings. There are no explicit permission checks or strong warnings within the re-importer's code to prevent a user with re-import privileges from misusing these flags. This could lead to the closure of valid findings if an incomplete scan report is re-imported, resulting in an inaccurate representation of the system's security posture.

`--auto-create-context, --acc`
* If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_IMPORTER_AUTO_CREATE_CONTEXT]`
`--close-old-findings, --cof`
* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the Findings for this Service will be closed. [$DD_IMPORTER_CLOSE_OLD_FINDINGS]
`--close-old-findings-product-scope, --cofps`
* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_IMPORTER_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
`--deduplication-on-engagement, --doe`
* If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_IMPORTER_DEDUPLICATION_ON_ENGAGEMENT]`

Missing Audit Trail due to Suppressed Exception in dojo/endpoint/signals.py
Vulnerability: Missing Audit Trail due to Suppressed Exception
Description: The post_delete signal handler for Endpoint objects uses contextlib.suppress(sender.DoesNotExist). While intended to handle race conditions during async deletions, this construct will silently ignore any DoesNotExist exception that occurs within the with block. If such an exception is raised for reasons other than the intended race condition (e.g., a bug in LogEntry.objects.filter or ContentType.objects.get), the subsequent audit logging and notification creation for the endpoint deletion will be skipped without any error being reported. This leads to an incomplete and unreliable audit trail for endpoint deletions.

```python
# Imports are not part of the bot's excerpt; they are the ones this handler
# needs from Django, django-auditlog and DefectDojo's own modules (assumed to
# match the surrounding module in dojo/endpoint/signals.py).
import contextlib

from django.conf import settings
from django.contrib.contenttypes.models import ContentType
from django.db.models.signals import post_delete
from django.dispatch import receiver
from django.urls import reverse
from django.utils.translation import gettext as _

from auditlog.models import LogEntry

from dojo.models import Endpoint
from dojo.notifications.helper import create_notification


@receiver(post_delete, sender=Endpoint)
def endpoint_post_delete(sender, instance, using, origin, **kwargs):
    # Catch instances in async delete where a single object is deleted more than once.
    # Note: this suppresses *every* DoesNotExist raised inside the block, not only
    # the one from the double-delete race (see the finding above).
    with contextlib.suppress(sender.DoesNotExist):
        if instance == origin:
            description = _('The endpoint "%(name)s" was deleted') % {"name": str(instance)}
            if settings.ENABLE_AUDITLOG:
                # Look up the most recent DELETE audit entry for this endpoint to attribute the actor
                if le := LogEntry.objects.filter(
                    action=LogEntry.Action.DELETE,
                    content_type=ContentType.objects.get(app_label="dojo", model="endpoint"),
                    object_id=instance.id,
                ).order_by("-id").first():
                    description = _('The endpoint "%(name)s" was deleted by %(user)s') % {
                        "name": str(instance), "user": le.actor}
            create_notification(event="endpoint_deleted",  # template does not exist, it will default to "other" but this event name needs to stay because of unit testing
                                title=_("Deletion of %(name)s") % {"name": str(instance)},
                                description=description,
                                url=reverse("endpoint"),
                                icon="exclamation-triangle")
```

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

@rossops rossops merged commit b58c410 into dev Aug 18, 2025
88 checks passed
@rossops rossops deleted the master-into-dev/2.49.2-2.50.0-dev branch August 18, 2025 19:52