
Bugfix -> Dev for 2.37.0 #10677

Merged
merged 9 commits into from
Aug 5, 2024

Conversation

Maffooch
Contributor

@Maffooch Maffooch commented Aug 5, 2024

No description provided.

DefectDojo release bot and others added 6 commits July 29, 2024 18:53
….37.0-dev

Release: Merge back 2.36.6 into bugfix from: master-into-bugfix/2.36.6-2.37.0-dev
* groups-users-label-text Update text labels for entries on groups and users view pages

* retrigger actions
…dgets (#10650)

* report-builder-sort-fixes Fix report builder finding and endpoints widgets to properly handle pagination and column sorting/ordering (no longer refreshes page, losing work)

* report-builder-sort-fixes consolidate handlers for finding pagination/sort

* report-builder-sort-fixes fix bottom pagination on findings/endpoints widgets

dryrunsecurity bot commented Aug 5, 2024

DryRun Security Summary

The pull request includes various changes to the OWASP DefectDojo application, such as improvements to the report functionality, user interface, and unit testing, but also raises some security concerns related to potential sensitive information exposure, input sanitization, and the effectiveness of the reporting functionality.


Summary:

The code changes in this pull request cover various aspects of the OWASP DefectDojo application, including improvements to the report functionality, user interface, and unit testing. While the changes do not introduce any obvious security vulnerabilities, there are a few areas that warrant further review and consideration from an application security perspective.

  1. Pagination and Sensitive Information Exposure: The changes to the report_endpoints.html template introduce pagination functionality, which could potentially expose sensitive information about the endpoints and associated findings if not properly secured.

  2. Input Sanitization and CSRF Protection: The changes to the report_builder.html template include the use of jQuery's serializeArray() method to serialize form data, which helps with input sanitization. The inclusion of a CSRF token is also a positive security practice.

  3. Sorting and Reporting Effectiveness: The changes to the report_findings.py file remove the sorting of findings by numerical severity, which could impact the effectiveness of the reporting functionality in highlighting the most critical vulnerabilities.

  4. Filtering and Sorting Functionality: The changes to the filters.py file introduce new filtering and sorting capabilities, which should be thoroughly reviewed to ensure that the user input is properly sanitized and validated to prevent potential security issues.

  5. Cosmetic Changes and Security Implications: The changes to the view_group.html, view_user.html, and bearer_cli_parser.py files are primarily cosmetic in nature and do not appear to introduce any immediate security concerns. However, it's important to ensure that these changes do not have any unintended consequences or impact the overall security of the application.

Files Changed:

  1. dojo/templates/dojo/report_endpoints.html: This file has been updated to modify the pagination functionality for the list of endpoints. The changes should be reviewed to ensure that sensitive information is not exposed.

  2. dojo/templates/dojo/report_builder.html: The changes in this file focus on improving the user interface and functionality of the report builder, including the use of CSRF protection and input sanitization.

  3. dojo/reports/views.py: The changes in this file remove the sorting of findings by numerical severity, which could impact the effectiveness of the reporting functionality.

  4. dojo/filters.py: The changes in this file introduce new filtering and sorting capabilities, which should be reviewed for potential security implications.

  5. dojo/templates/dojo/report_findings.html: The changes in this file are minor and focused on UI improvements, without any apparent security concerns.

  6. dojo/templates/dojo/view_group.html and dojo/templates/dojo/view_user.html: The changes in these files are primarily cosmetic and do not introduce any obvious security risks.

  7. unittests/tools/test_bearer_cli_parser.py and dojo/tools/bearer_cli/parser.py: The changes in these files focus on improving the consistency and maintainability of the parser implementation, which is a positive step towards enhancing the overall security of the application.

Code Analysis

We ran 9 analyzers against 10 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer               Findings
Authn/Authz Analyzer   2 findings

Riskiness

🟢 Risk threshold not exceeded.


@github-actions github-actions bot removed the helm label Aug 5, 2024
@Maffooch Maffooch merged commit 3a25728 into dev Aug 5, 2024
76 checks passed