
Release: Merge release into master from: release/2.36.6 #10647

Merged: 14 commits into master from release/2.36.6 on Jul 29, 2024

Conversation

github-actions[bot]
Contributor

Release triggered by Maffooch

github-actions bot and others added 13 commits July 24, 2024 16:54
…5-2.37.0-dev (#10627)

* Update versions in application files

* Update versions in application files

---------

Co-authored-by: DefectDojo release bot <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
* Listing Tables: Add toggle switch in system settings

* Fixing ruff

* Update help text

* Remove missed italics
* 🐛 extend aqua format issue #10611

* 🐛 fix according to comment

* ruff
* Update Qualys WebApp parser to use DefusedXML

* Correct ruff errors
…andling (#10638)

* Uploaded File Management: Centralize file serving and bolster error handling

* Correct ruff errors
* finding-notes-cascading-deletes first pass at cascading deletes for notes/notehistory

* finding-notes-cascading-deletes remove unused code

* finding-notes-cascading-deletes linter cleanup

* finding-notes-cascading-deletes retrigger actions
The refresh helm chart lock file action uses the `pull_request_target` trigger, which can lead to leaking secrets. Because the helm chart lock file is updated on each modification to the chart.yml file by renovate/dependabot, the easiest solution is to remove this action.
… Note" button on cred notes page; show delete note button for note creator and fix note deletion; fix "Associated Products" header to have less spacing around it; fix credential deletion (#10644)
* Importer: Correct logic bug for empty scan reports

When importing an empty scan report through the import endpoint, it is possible for two tests to be created during a single request

* Separate logic based on import vs reimport
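The DefusedXML switch in the Qualys WebApp parser commit above, as an added example (this is editor-written code, not DefectDojo's parser and not defusedxml's implementation): a constructed entity-expansion document, the standard-library `xml.etree` behaviour it exploits, and a parser built on `xml.parsers.expat` that refuses DTD and entity declarations the way defusedxml does. It uses only the standard library so it runs without the defusedxml package; the `ForbiddenXML` class, the sample documents and the helper names are all assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an
    external entity reference (the constructs behind XXE and entity bombs)."""


def parse_unsafe(data: bytes) -> ET.Element:
    """Plain ElementTree parse: expat expands internal entities declared in
    the DTD, so a few nested declarations become a very large text node."""
    return ET.fromstring(data)


def parse_hardened(data: bytes) -> ET.Element:
    """Illustrative equivalent of what defusedxml does: hook expat's
    declaration handlers and abort before any entity can be expanded."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise ForbiddenXML("DTD / entity declarations are not allowed")

    # Any DOCTYPE, entity declaration or external entity reference aborts the parse.
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    # Ordinary element/text events are forwarded to the ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


# Constructed sample (assumption, not a real Qualys report): a small
# "billion laughs" document, three levels of 10x amplification, so the
# 2-character entity l0 becomes 2,000 characters of text inside <title>.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE report [
 <!ENTITY l0 "ha">
 <!ENTITY l1 "&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;&l0;">
 <!ENTITY l2 "&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;&l1;">
 <!ENTITY l3 "&l2;&l2;&l2;&l2;&l2;&l2;&l2;&l2;&l2;&l2;">
]>
<report><title>&l3;</title></report>"""

# Constructed sample: the shape of an ordinary report, no DTD at all.
BENIGN = b'<?xml version="1.0"?><report><title>ok</title></report>'


def expanded_title_length(data: bytes) -> int:
    """How many characters the unsafe parser materialises for <title>."""
    return len(parse_unsafe(data).find("title").text)


def hardened_rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document outright."""
    try:
        parse_hardened(data)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print("unsafe parser expanded <title> to", expanded_title_length(LAUGHS), "chars")
    print("hardened parser rejects bomb:", hardened_rejects(LAUGHS))
    print("hardened parser accepts benign:", parse_hardened(BENIGN).find("title").text)
```

The point of refusing at the declaration handler rather than capping output size is that the rejection happens before any expansion work is done, which is also why a parser that accepts scanner output from outside the organisation should not rely on the default `xml.etree` behaviour.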

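The `pull_request_target` concern raised in the helm chart lock file commit above, illustrated with two hypothetical workflow fragments (added here by the editor; they are not DefectDojo's actual workflow, whose contents this page does not show, and the paths, job names and secret name are assumptions). `pull_request_target` runs the workflow in the context of the base repository, so repository secrets and a write-capable `GITHUB_TOKEN` are in scope even for a pull request from a fork; the moment the job checks out and executes code from the PR head, the PR author decides what runs with those credentials. The project chose to delete the action; the second fragment shows the alternative of keeping a check without exposing secrets.

```yaml
# UNSAFE (illustrative): base-repo secrets plus code taken from the PR head.
name: refresh-helm-lock
on:
  pull_request_target:
    paths: ["helm/mychart/Chart.yaml"]        # hypothetical path
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
      - run: make helm-lock                                # hypothetical target: any Makefile or
                                                           # script in the PR now runs with secrets
      - run: git push
        env:
          GH_TOKEN: ${{ secrets.BOT_PUSH_TOKEN }}          # exposed to whatever ran above
---
# SAFER (illustrative): pull_request gives fork PRs no secrets and a read-only
# token, and the job only reports whether the lock file is stale.
name: check-helm-lock
on:
  pull_request:
    paths: ["helm/mychart/Chart.yaml"]        # hypothetical path
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4             # default merge ref, no secrets in scope
      - run: helm dependency update helm/mychart
      - run: git diff --exit-code helm/mychart/Chart.lock   # fail if the lock file needs refreshing
```

If the lock file must actually be pushed, do that from a workflow on the base branch after merge, or from the bot that opens the dependency PR, rather than from a job that combines base-repository secrets with untrusted PR content.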
dryrunsecurity bot commented Jul 29, 2024

DryRun Security Summary

This pull request covers a wide range of updates to the DefectDojo application, including improvements to finding management, engagement handling, and various other modules, with a focus on enhancing the functionality, performance, and security of the application.

Summary:

Key security-related improvements include:

  1. Proper handling of note and history deletion to maintain data integrity.
  2. Enhancements to the finding deduplication and merging functionality.
  3. Improvements to the import and reimport processes to handle different types of scan reports.
  4. Strengthening of the authorization and access control mechanisms.
  5. Logging and monitoring improvements for better security visibility.

While the changes do not introduce any obvious security vulnerabilities, it's important to continue reviewing the entire codebase and the application's security posture to identify and address any potential issues. Ongoing security testing, dependency management, and security-focused code reviews are crucial to maintaining the overall security of the DefectDojo application.

Files Changed:

  1. components/package.json: Update to the defectdojo package version from 2.36.5 to 2.36.6.
  2. dojo/__init__.py: Update to the __version__ attribute to '2.36.6'.
  3. dojo/benchmark/signals.py: Addition of a benchmark_product_pre_delete signal handler to delete associated notes when a Benchmark_Product is deleted.
  4. dojo/api_v2/views.py: Refactoring of the download_file action to use a new generate_file_response utility function.
  5. dojo/apps.py: Addition of new signal imports and setup of the Watson search engine integration.
  6. dojo/components/views.py: Addition of a new "enable_table_filtering" context variable.
  7. dojo/benchmark/views.py: Various updates to the benchmark-related functionality, including authorization checks and scoring calculations.
  8. dojo/cred/signals.py: Addition of a cred_user_pre_delete signal handler to delete associated notes when a Cred_User is deleted.
  9. dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py: Addition of a new enable_ui_table_based_searching system setting.
  10. dojo/cred/views.py: Updates to the credential management functionality, including the deletion of credentials.
  11. dojo/engagement/signals.py: Addition of an engagement_pre_delete signal handler to delete associated notes.
  12. dojo/engagement/views.py: Updates to the engagement-related functionality, including filtering and risk acceptance download.
  13. dojo/finding/helper.py: Improvements to the finding deletion and duplicate management processes.
  14. dojo/finding/views.py: Updates to the finding-related functionality, including JIRA integration, CWE template application, and bulk actions.
  15. dojo/importers/default_importer.py and dojo/importers/base_importer.py: Enhancements to the import and reimport processes, including support for dynamic test types and asynchronous processing.
  16. dojo/notes/signals.py: Addition of a note_pre_delete signal handler to delete associated note history.
  17. dojo/notes/helper.py: Addition of a delete_related_notes function to handle the deletion of notes associated with an object.
  18. dojo/risk_acceptance/helper.py: Removal of the code that deletes notes associated with a risk_acceptance object.
  19. dojo/notes/views.py: Updates to the note management functionality, including the handling of Cred_User associated notes.
  20. dojo/product/views.py: Addition of the "enable_table_filtering" context variable to various product-related views.
  21. dojo/risk_acceptance/signals.py: Addition of a risk_acceptance_pre_delete signal handler to delete associated notes.
  22. dojo/templates/dojo/engagement_pdf_report.html, dojo/templates/dojo/endpoint_pdf_report.html, and dojo/templates/dojo/custom_html_toc.html: Minor updates to the anchor generation logic in the PDF report templates.

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                  Findings
Sensitive Files Analyzer  1 finding
Authn/Authz Analyzer      13 findings

Riskiness

🟢 Risk threshold not exceeded.


@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. apiv2 unittests ui parser helm labels Jul 29, 2024

@Maffooch Maffooch merged commit 73dddf6 into master Jul 29, 2024
127 checks passed
@Maffooch Maffooch deleted the release/2.36.6 branch September 9, 2024 14:12