2.4.0 👾 (security release)
Security fix
This release fixes a High severity vulnerability GHSA-fwg9-752c-qh8w reported by Laddada Nadjet - Security Team - Eldjazaer Information Technology - Elit on HackerOne.
Changes since 2.3.0
- Release: Merge back 2.4.0 into dev from: master-into-dev/2.4.0-2.5.0-dev @github-actions (#5373)
- Add security info to upgrade notes @valentijnscholten (#5371)
- Change Anchore Grype parser to allow matcher lists @valentijnscholten (#5369)
- Fix for an issue with links @StefanFl (#5370)
- order findings last 7 days by -date @valentijnscholten (#5361)
- fix: string comparison using 'is' operator @seokjeon (#5347)
- Add support for CloudSQL Auth Proxy's IAM login and private IPs @dhozac (#4926)
- Adds third party notices @devGregA (#5320)
- Fix minor typo in k8s docs @thomdixon (#5297)
- [HELM] Mount media to permanent storage @dsever (#5213)
- integration tests: run as matrix @valentijnscholten (#5264)
- gha unit tests: keep test database between the 2 sets of tests @valentijnscholten (#5259)
- gha unit tests: use new GHA cache @valentijnscholten (#5258)
- PR labeler: add label to api changes @valentijnscholten (#5262)
- use relative/portable path for test_rest_framework test file @valentijnscholten (#5254)
- fix dependency check parser indentation @valentijnscholten (#5251)
- Add support for tolerations @mikeanth-dev (#5212)
- Release: Merge back 2.3.1 into dev from: master-into-dev/2.3.1-2.4.0-dev @github-actions (#5249)
- Release: Merge release into master from: release/2.3.1 @github-actions (#5248)
- add info about previous password hashing algorithm to upgrade notes @valentijnscholten (#5243)
- User: allow search by email @kiblik (#5226)
- Release: Merge back 2.3.0-part-2 into dev from: master-into-dev/2.3.0-part-2-2.4.0-dev after mistakes @github-actions (#5238)
- Add upgrade instructions for 2.3.0 @valentijnscholten (#5229)
- 2.3.0 Sync Merge @devGregA (#5225)
- Master into dev/2.3.0 2.4.0 dev @Maffooch (#5223)
💣 Breaking changes
🚩 Requires settings changes, database migration, hash code recomputation
- Release: Merge release into master from: release/2.4.0 @github-actions (#5372)
- Allow User Profiles to be read-only @dsever (#5275)
- Add service attribute to Findings to be used for deduplication @StefanFl (#5346)
- filter out products without configs @valentijnscholten (#5362)
- Remove safety parser and db @StefanFl (#5359)
- Deduplication settings for Semgrep and Generic Findings Import @StefanFl (#5317)
- Hadolint: set file_path and line fields @bgoareguer (#5341)
- remove X-XSS-Protection header @manuel-sommer (#5330)
- remove obsolete api_v1 settings @valentijnscholten (#5323)
- Unify configuration for API based parsers @StefanFl (#5289)
- Correct database Integrity Exception @Maffooch (#5319)
- squash migrations 0001-0090 (pre-2.0.0) @valentijnscholten (#5263)
- ScoutSuite parser: refactor parser interface @damiencarol (#5268)
- Check de-duplication in initializer and fix Bandit de-duplication settings @damiencarol (#5234)
- Remove deprecated fields of Findings @StefanFl (#5261)
- Bump pytz from 2021.1 to 2021.3 @dependabot (#5211)
🚀 New importers
- Add Horusec parser @damiencarol (#5309)
- Add solar appscreener parser @zapililirad (#5288)
- Added Burp GraphQL parser @sjkubik (#4798)
🚀 General features and enhancements
- Allow User Profiles to be read-only @dsever (#5275)
- Add service attribute to Findings to be used for deduplication @StefanFl (#5346)
- improve history page layout @manuel-sommer (#5337)
- User profile in API @StefanFl (#5326)
- Enhanced exception handler @StefanFl (#5329)
- Engagement - Unified lists and CSV/Excel export @StefanFl (#5266)
- Fix package.json errors with Yarn audit @damiencarol (#5301)
- squash migrations 0001-0090 (pre-2.0.0) @valentijnscholten (#5263)
- test_rest_framework: generate openapi3 schema only once @valentijnscholten (#5255)
- Added Dependency Check Suppression parsing @emresaglam-dremio (#5082)
- Add support for context region snippets in SARIF parser @Kjeld-P (#5227)
🚀 API features and enhancements
- Add service attribute to Findings to be used for deduplication @StefanFl (#5346)
- APIv2: Allow to set the first password when the user is created through API @kiblik (#5224)
- User profile in API @StefanFl (#5326)
- Enhanced exception handler @StefanFl (#5329)
- Unify configuration for API based parsers @StefanFl (#5289)
- APIv2: allow create/list/view/delete User Contact Info @kiblik (#5221)
🐛 Bug Fixes
- Fix problem with duplicate projects in GitLab pipeline @StefanFl (#5364)
- filter out products without configs @valentijnscholten (#5362)
- Enhanced endpoint selection and creation @StefanFl (#5327)
- Use endpoint status to determine vulnerable endpoints @StefanFl (#5336)
- Deduplication settings for Semgrep and Generic Findings Import @StefanFl (#5317)
- Hadolint: set file_path and line fields @bgoareguer (#5341)
- Bugfix: JIRA attachment upload @valentijnscholten (#5344)
- Correct database Integrity Exception @Maffooch (#5319)
- SSLlabs: fix endpoints @kiblik (#5296)
- Permissions for Stub_Finding @StefanFl (#5287)
- fix duplicate if #5256 @manuel-sommer (#5276)
- Check de-duplication in initializer and fix Bandit de-duplication settings @damiencarol (#5234)
- Correct Javascript introduced #5207. Fixes #5236 @Maffooch (#5247)
🧰 Maintenance
- Remove safety parser and db @StefanFl (#5359)
- Bump coverage from 6.0.2 to 6.1.1 @dependabot (#5358)
- Update dependency autoprefixer from 10.3.7 to v10.4.0 (docs/package.json) @renovate (#5355)
- Update gcr.io/cloudsql-docker/gce-proxy Docker tag from 1.23.1 to v1.26.0 (helm/defectdojo/values.yaml) @renovate (#5343)
- Update busybox Docker tag from 1.34.0 to v1.34.1 (docker-compose.override.unit_tests_cicd.yml) @renovate (#5353)
- Update rabbitmq:3.9.8 Docker digest from 3.9.8 to 3.9.8 (docker-compose.yml) @renovate (#5354)
- Bump google-api-python-client from 2.27.0 to 2.28.0 @dependabot (#5350)
- Bump google-auth from 2.3.1 to 2.3.2 @dependabot (#5351)
- Bump google-auth from 2.3.0 to 2.3.1 @dependabot (#5340)
- Bump datatables.net-colreorder from 1.5.4 to 1.5.5 in /components @dependabot (#5333)
- Allow API importer to edit Tests and Engagements @valentijnscholten (#5324)
- Update sample data @Maffooch (#5280)
- Bump numpy from 1.21.2 to 1.21.3 @dependabot (#5313)
- Bump django-environ from 0.8.0 to 0.8.1 @dependabot (#5314)
- Update dependency postcss from 8.3.10 to v8.3.11 (docs/package.json) @renovate (#5315)
- Update dependency postcss from 8.3.9 to v8.3.10 (docs/package.json) @renovate (#5311)
- Bump debugpy from 1.5.0 to 1.5.1 @dependabot (#5299)
- Update rabbitmq Docker tag from 3.9.7 to v3.9.8 (docker-compose.yml) @renovate (#5305)
- Bump sqlalchemy from 1.4.25 to 1.4.26 @dependabot (#5308)
- Bump django-debug-toolbar-request-history from 0.1.3 to 0.1.4 @dependabot (#5300)
- Bump google-api-python-client from 2.26.1 to 2.27.0 @dependabot (#5298)
- Update rabbitmq:3.9.7 Docker digest from 3.9.7 to v3.9.7 (docker-compose.yml) @renovate (#5303)
- Update mysql Docker tag from 5.7.35 to v5.7.36 (docker-compose.yml) @renovate (#5304)
- Bump django-environ from 0.7.0 to 0.8.0 @dependabot (#5293)
- Bump pyjwt from 2.2.0 to 2.3.0 @dependabot (#5294)
- Fix ssl_labs and nsp parsers, correct occurrences of self.items, add ssl_labs and nsp parser unit test. @JOT85 (#5103)
- Bump drf-spectacular from 0.20.1 to 0.20.2 @dependabot (#5285)
- Bump pillow from 8.3.2 to 8.4.0 @dependabot (#5286)
- test(integration): Install Chromedriver during dockerbuild @alles-klar (#5283)
- ScoutSuite parser: refactor parser interface @damiencarol (#5268)
- Bump google-api-python-client from 2.24.0 to 2.26.1 @dependabot (#5274)
- Bump coverage from 6.0.1 to 6.0.2 @dependabot (#5270)
- Remove deprecated fields of Findings @StefanFl (#5261)
- Update nginx/nginx-prometheus-exporter Docker tag from 0.8.0 to v0.9.0 (helm/defectdojo/values.yaml) @renovate (#5260)
- Bump pytz from 2021.1 to 2021.3 @dependabot (#5211)
- Add unit tests for Dawnscanner @damiencarol (#5244)
- Bump google-auth from 2.2.1 to 2.3.0 @dependabot (#5252)
- Bump coverage from 6.0 to 6.0.1 @dependabot (#5239)
- Bump pyjwt from 2.1.0 to 2.2.0 @dependabot (#5240)
- Bump humanize from 3.11.0 to 3.12.0 @dependabot (#5231)
- Bump uwsgi from 2.0.19.1 to 2.0.20 @dependabot (#5232)
- Bump coverage from 5.5 to 6.0 @dependabot (#5210)
- Update dependency postcss from 8.3.8 to v8.3.9 (docs/package.json) @renovate (#5215)
- Update dependency autoprefixer from 10.3.6 to v10.3.7 (docs/package.json) @renovate (#5214)
- Bump drf-spectacular from 0.19.0 to 0.20.1 @dependabot (#5209)
- Bump debugpy from 1.4.3 to 1.5.0 @dependabot (#5218)
- Bump packageurl-python from 0.9.4 to 0.9.6 @dependabot (#5219)
- Bump google-api-python-client from 2.23.0 to 2.24.0 @dependabot (#5220)