2.4.0 👾 (security release)

Security fix

This release fixes a High severity vulnerability GHSA-fwg9-752c-qh8w reported by Laddada Nadjet - Security Team - Eldjazaer Information Technology- Elit on HackerOne.

Changes since 2.3.0

• Release: Merge back 2.4.0 into dev from: master-into-dev/2.4.0-2.5.0-dev @github-actions (#5373)
• Add security info to upgrade notes @valentijnscholten (#5371)
• Change Anchore Grype parser to allow matcher lists @valentijnscholten (#5369)
• Fix for an issue with links @StefanFl (#5370)
• order findings last 7 days by -date @valentijnscholten (#5361)
• fix: string comparison using 'is' operator @seokjeon (#5347)
• Add support for CloudSQL Auth Proxy's IAM login and private IPs @dhozac (#4926)
• Adds third party notices @devGregA (#5320)
• Fix minor typo in k8s docs @thomdixon (#5297)
• [HELM] Mount media to permanent storage @dsever (#5213)
• integration tests: run as matrix @valentijnscholten (#5264)
• gha unit tests: keep test database between the 2 sets of tests @valentijnscholten (#5259)
• gha unit tests: use new GHA cache @valentijnscholten (#5258)
• PR labeler: add label to api changes @valentijnscholten (#5262)
• use relative/portable path for test_rest_framework test file @valentijnscholten (#5254)
• fix dependency check parser indentation @valentijnscholten (#5251)
• Add support for tolerations @mikeanth-dev (#5212)
• Release: Merge back 2.3.1 into dev from: master-into-dev/2.3.1-2.4.0-dev @github-actions (#5249)
• Release: Merge release into master from: release/2.3.1 @github-actions (#5248)
• add info about previous password hashing algorithm to upgrade notes @valentijnscholten (#5243)
• User: allow search by email @kiblik (#5226)
• Release: Merge back 2.3.0-part-2 into dev from: master-into-dev/2.3.0-part-2-2.4.0-dev after mistakes @github-actions (#5238)
• Add upgrade instructions for 2.3.0 @valentijnscholten (#5229)
• 2.3.0 Sync Merge @devGregA (#5225)
• Master into dev/2.3.0 2.4.0 dev @Maffooch (#5223)

💣 Breaking changes

• Remove safety parser and db @StefanFl (#5359)

🚩 Requires settings changes, database migration, hash code recomputation

• Release: Merge release into master from: release/2.4.0 @github-actions (#5372)
• Allow User Profiles to be read-only @dsever (#5275)
• Add service attribute to Findings to be used for deduplication @StefanFl (#5346)
• filter out products without configs @valentijnscholten (#5362)
• Remove safety parser and db @StefanFl (#5359)
• Deduplication settings for Semgrep and Generic Findings Import @StefanFl (#5317)
• Hadolint: set file_path and line fields @bgoareguer (#5341)
• remove X-XSS-Protection header @manuel-sommer (#5330)
• remove obselete api_v1 settings @valentijnscholten (#5323)
• Unify configuration for API based parsers @StefanFl (#5289)
• Correct database Integrity Exception @Maffooch (#5319)
• squash migrations 0001-0090 (pre-2.0.0) @valentijnscholten (#5263)
• ScoutSuite parser: refactor parser interface @damiencarol (#5268)
• Check de-duplication in initializer and fix Bandit de-duplication settings @damiencarol (#5234)
• Remove deprecated fields of Findings @StefanFl (#5261)
• Bump pytz from 2021.1 to 2021.3 @dependabot (#5211)

🚀 New importers

• Add Horusec parser @damiencarol (#5309)
• Add solar appscreener parser @zapililirad (#5288)
• Added Burp GraphQL parser @sjkubik (#4798)

🚀 General features and enhancements

• Allow User Profiles to be read-only @dsever (#5275)
• Add service attribute to Findings to be used for deduplication @StefanFl (#5346)
• improve history page layout @manuel-sommer (#5337)
• User profile in API @StefanFl (#5326)
• Enhanced exception handler @StefanFl (#5329)
• Engagement - Unified lists and CSV/Excel export @StefanFl (#5266)
• Fix package.json errors with Yarn audit @damiencarol (#5301)
• squash migrations 0001-0090 (pre-2.0.0) @valentijnscholten (#5263)
• test_rest_framework: generate openapi3 schema only once @valentijnscholten (#5255)
• Added Dependency Check Suppression parsing @emresaglam-dremio (#5082)
• Add support for context region snippets in SARIF parser @Kjeld-P (#5227)

🚀 API features and enhancements

• Add service attribute to Findings to be used for deduplication @StefanFl (#5346)
• APIv2: Allow to set the first password when the user is created through API @kiblik (#5224)
• User profile in API @StefanFl (#5326)
• Enhanced exception handler @StefanFl (#5329)
• Unify configuration for API based parsers @StefanFl (#5289)
• APIv2: allow create/list/view/delete User Contact Info @kiblik (#5221)

🐛 Bug Fixes

• Fix problem with duplicate projects in GitLab pipeline @StefanFl (#5364)
• filter out products without configs @valentijnscholten (#5362)
• Enhanced endpoint selection and creation @StefanFl (#5327)
• Use endpoint status to determine vulnerable endpoints @StefanFl (#5336)
• Deduplication settings for Semgrep and Generic Findings Import @StefanFl (#5317)
• Hadolint: set file_path and line fields @bgoareguer (#5341)
• Bugfix: JIRA attachment upload @valentijnscholten (#5344)
• Correct database Integrity Exception @Maffooch (#5319)
• SSLlabs: fix endpoints @kiblik (#5296)
• Permissions for Stub_Finding @StefanFl (#5287)
• fix duplicate if #5256 @manuel-sommer (#5276)
• Check de-duplication in initializer and fix Bandit de-duplication settings @damiencarol (#5234)
• Correct Javascript introduced #5207. Fixes #5236 @Maffooch (#5247)

🧰 Maintenance

• Remove safety parser and db @StefanFl (#5359)
• Bump coverage from 6.0.2 to 6.1.1 @dependabot (#5358)
• Update dependency autoprefixer from 10.3.7 to v10.4.0 (docs/package.json) @renovate (#5355)
• Update gcr.io/cloudsql-docker/gce-proxy Docker tag from 1.23.1 to v1.26.0 (helm/defectdojo/values.yaml) @renovate (#5343)
• Update busybox Docker tag from 1.34.0 to v1.34.1 (docker-compose.override.unit_tests_cicd.yml) @renovate (#5353)
• Update rabbitmq:3.9.8 Docker digest from 3.9.8 to 3.9.8 (docker-compose.yml) @renovate (#5354)
• Bump google-api-python-client from 2.27.0 to 2.28.0 @dependabot (#5350)
• Bump google-auth from 2.3.1 to 2.3.2 @dependabot (#5351)
• Bump google-auth from 2.3.0 to 2.3.1 @dependabot (#5340)
• Bump datatables.net-colreorder from 1.5.4 to 1.5.5 in /components @dependabot (#5333)
• Allow API importer to edit Tests and Engagements @valentijnscholten (#5324)
• Update sample data @Maffooch (#5280)
• Bump numpy from 1.21.2 to 1.21.3 @dependabot (#5313)
• Bump django-environ from 0.8.0 to 0.8.1 @dependabot (#5314)
• Update dependency postcss from 8.3.10 to v8.3.11 (docs/package.json) @renovate (#5315)
• Update dependency postcss from 8.3.9 to v8.3.10 (docs/package.json) @renovate (#5311)
• Bump debugpy from 1.5.0 to 1.5.1 @dependabot (#5299)
• Update rabbitmq Docker tag from 3.9.7 to v3.9.8 (docker-compose.yml) @renovate (#5305)
• Bump sqlalchemy from 1.4.25 to 1.4.26 @dependabot (#5308)
• Bump django-debug-toolbar-request-history from 0.1.3 to 0.1.4 @dependabot (#5300)
• Bump google-api-python-client from 2.26.1 to 2.27.0 @dependabot (#5298)
• Update rabbitmq:3.9.7 Docker digest from 3.9.7 to v3.9.7 (docker-compose.yml) @renovate (#5303)
• Update mysql Docker tag from 5.7.35 to v5.7.36 (docker-compose.yml) @renovate (#5304)
• Bump django-environ from 0.7.0 to 0.8.0 @dependabot (#5293)
• Bump pyjwt from 2.2.0 to 2.3.0 @dependabot (#5294)
• Fix ssl_labs and nsp parsers, correct occurences of self.items, add ssl_labs and nsp parser unit test. @JOT85 (#5103)
• Bump drf-spectacular from 0.20.1 to 0.20.2 @dependabot (#5285)
• Bump pillow from 8.3.2 to 8.4.0 @dependabot (#5286)
• test(integration): Install Chromedriver during dockerbuild @alles-klar (#5283)
• ScoutSuite parser: refactor parser interface @damiencarol (#5268)
• Bump google-api-python-client from 2.24.0 to 2.26.1 @dependabot (#5274)
• Bump coverage from 6.0.1 to 6.0.2 @dependabot (#5270)
• Remove deprecated fields of Findings @StefanFl (#5261)
• Update nginx/nginx-prometheus-exporter Docker tag from 0.8.0 to v0.9.0 (helm/defectdojo/values.yaml) @renovate (#5260)
• Bump pytz from 2021.1 to 2021.3 @dependabot (#5211)
• Add unit tests for Dawnscanner @damiencarol (#5244)
• Bump google-auth from 2.2.1 to 2.3.0 @dependabot (#5252)
• Bump coverage from 6.0 to 6.0.1 @dependabot (#5239)
• Bump pyjwt from 2.1.0 to 2.2.0 @dependabot (#5240)
• Bump humanize from 3.11.0 to 3.12.0 @dependabot (#5231)
• Bump uwsgi from 2.0.19.1 to 2.0.20 @dependabot (#5232)
• Bump coverage from 5.5 to 6.0 @dependabot (#5210)
• Update dependency postcss from 8.3.8 to v8.3.9 (docs/package.json) @renovate (#5215)
• Update dependency autoprefixer from 10.3.6 to v10.3.7 (docs/package.json) @renovate (#5214)
• Bump drf-spectacular from 0.19.0 to 0.20.1 @dependabot (#5209)
• Bump debugpy from 1.4.3 to 1.5.0 @dependabot (#5218)
• Bump packageurl-python from 0.9.4 to 0.9.6 @dependabot (#5219)
• Bump google-api-python-client from 2.23.0 to 2.24.0 @dependabot (#5220)