Release: Merge release into master from: release/2.37.0 #10678

Merged (127 commits), Aug 5, 2024
Conversation

github-actions[bot] (Contributor) commented Aug 5, 2024

Release triggered by Maffooch

DefectDojo release bot and others added 30 commits July 1, 2024 15:39
Signed-off-by: DefectDojo <[email protected]>
….0-dev

Release: Merge back 2.36.0 into dev from: master-into-dev/2.36.0-2.37.0-dev
…rt.yaml) (#10461)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 4.6.0 to 4.7.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v4.6.0...v4.7.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…10466)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.135 to 1.34.136.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.135...1.34.136)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-test-migrations](https://github.com/wemake-services/django-test-migrations) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/wemake-services/django-test-migrations/releases)
- [Changelog](https://github.com/wemake-services/django-test-migrations/blob/master/CHANGELOG.md)
- [Commits](wemake-services/django-test-migrations@1.3.0...1.4.0)

---
updated-dependencies:
- dependency-name: django-test-migrations
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [openpyxl](https://openpyxl.readthedocs.io) from 3.1.4 to 3.1.5.

---
updated-dependencies:
- dependency-name: openpyxl
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…10476)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.3.0 to 10.4.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@10.3.0...10.4.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2024.6.1 to 2024.7.1.
- [Commits](tfranzel/drf-spectacular-sidecar@2024.6.1...2024.7.1)

---
updated-dependencies:
- dependency-name: drf-spectacular-sidecar
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [asteval](https://github.com/lmfit/asteval) from 0.9.33 to 1.0.0.
- [Release notes](https://github.com/lmfit/asteval/releases)
- [Commits](lmfit/asteval@0.9.33...1.0.0)

---
updated-dependencies:
- dependency-name: asteval
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.136 to 1.34.137.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.136...1.34.137)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Ruff: add Q001

* Ruff: fix Q001

* Ruff: add Q002

* Ruff: fix Q002

* Ruff: add Q003

* Ruff: fix Q003

* Ruff: add Q004

* Ruff: fix Q004
* add prowler v4 parser

* remove line

* fix typo

* add settings.dist.py although it's written that one should not touch it but use env vars

* add modified .settings.dist.py.sha256sum

* extend prowler v3 parser to parse also prowler v4 reports in oscf-json format

* update aws_prowler_v3.md

* revert settings

* add modified .settings.dist.py.sha256sum

* revert docker-compose.yml

* make ruff happy

* separate prowler v3 and v4 parsers

* renaming

* add prowler v4 parser

* remove line

* fix typo

* add settings.dist.py although it's written that one should not touch it but use env vars

* add modified .settings.dist.py.sha256sum

* extend prowler v3 parser to parse also prowler v4 reports in oscf-json format

* update aws_prowler_v3.md

* revert settings

* add modified .settings.dist.py.sha256sum

* make ruff happy

* separate prowler v3 and v4 parsers

* renaming

* Update helm lock file

Signed-off-by: DefectDojo <[email protected]>

* make ruff happy

---------

Signed-off-by: DefectDojo <[email protected]>
Co-authored-by: DefectDojo <[email protected]>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.137 to 1.34.138.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.137...1.34.138)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [packageurl-python](https://github.com/package-url/packageurl-python) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/package-url/packageurl-python/releases)
- [Changelog](https://github.com/package-url/packageurl-python/blob/main/CHANGELOG.rst)
- [Commits](package-url/packageurl-python@v0.15.1...v0.15.2)

---
updated-dependencies:
- dependency-name: packageurl-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [psycopg[binary]](https://github.com/psycopg/psycopg) from 3.1.19 to 3.2.1.
- [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news.rst)
- [Commits](psycopg/psycopg@3.1.19...3.2.1)

---
updated-dependencies:
- dependency-name: psycopg[binary]
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.138 to 1.34.139.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.138...1.34.139)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.4.2 to 4.4.4.
- [Release notes](https://github.com/jazzband/django-debug-toolbar/releases)
- [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst)
- [Commits](django-commons/django-debug-toolbar@4.4.2...4.4.4)

---
updated-dependencies:
- dependency-name: django-debug-toolbar
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…10521)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [humanize](https://github.com/python-humanize/humanize) from 4.9.0 to 4.10.0.
- [Release notes](https://github.com/python-humanize/humanize/releases)
- [Commits](python-humanize/humanize@4.9.0...4.10.0)

---
updated-dependencies:
- dependency-name: humanize
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-split-settings](https://github.com/sponsors/wemake-services) from 1.3.1 to 1.3.2.
- [Commits](https://github.com/sponsors/wemake-services/commits)

---
updated-dependencies:
- dependency-name: django-split-settings
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.139 to 1.34.140.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.139...1.34.140)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
KJana12 and others added 17 commits August 1, 2024 17:23
Bumps [boto3](https://github.com/boto/boto3) from 1.34.151 to 1.34.152.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.151...1.34.152)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.8.0 to 2.9.0.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.8.0...2.9.0)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [asteval](https://github.com/lmfit/asteval) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/lmfit/asteval/releases)
- [Commits](lmfit/asteval@1.0.1...1.0.2)

---
updated-dependencies:
- dependency-name: asteval
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…dgets (#10650)

* report-builder-sort-fixes Fix report builder finding and endpoints widgets to properly handle pagination and column sorting/ordering (no longer refreshes page, losing work)

* report-builder-sort-fixes consolidate handlers for finding pagination/sort

* report-builder-sort-fixes fix bottom pagination on findings/endpoints widgets
* Documentation for wizcli iac scanner parser

* Add wizcli iac scanner test type

* init file for wizcli parser

* initializing the parser

* extracting iac vulns from json file

parsing json to extract iac vuln from the json report and creating
findings for each vuln in defectdojo

* extract hardcoded secrets related finding

wizcli does secret scanning on IaC files to identify hard-coded secrets;
this block extracts the vulns related to that and then creates
DefectDojo findings for them

* function to fetch all findings

return all findings extracted in the steps above

* unittest file containing multiple findings

* unittest file containing one finding

* unittest file with zero vulns

* unittest script

* removed file handling fixing exception

* using read method to load file data

* improved error handling

Added checks to ensure rule_matches, matches, and secrets are not None
before iterating, and used the .get() method with default values to
handle missing fields gracefully.

* added docs for wizcli dir scan

* fixture for wizcli dir scan

* wizcli dir scan parser

* fixed data for some fields

* unit test files for wizcli dir scan parser

* wizcli dir scan unit test tool

* fixed local variable issue

* updated author details

* added test type for wizcli image scan

* wizcli image scan docs

* updated files

* wizcli image scan json result parser

* unit test for wizcli image scan

* hashcode based deduplication algorithm

* added dedupe algo hash code

* fixed ruff linter errors

* rufflinter fixes

* ruff linter

* parser description

* removed code duplication

* fixed error changes in setting.dist.py

* removed changes from settings.dist.py

* fixed typo

* ruff linter fixed all issues.

* resolved @Maffooch comments
* Update kiuwan docs

* Add Kiuwan SCA test files

* Add Kiuwan SCA Parser Unittest

* Add Kiuwan SCA parser implementation

* Add more fields to the Kiuwan SCA parser

* Update parser docs

* Add test case for "muted" findings

* Update finding title

* Minor cleanup

* Update hashing logic

* Remove print statement

* Add optional epss support

* Add epss unit test

* Add custom deduplication logic as default static is not enough for SCA

* Remove cve as it is not allowed for deduplication

* Set finding title to component name as this makes more sense within the UI display

* Fix lint warnings

* Fix another lint warning

* Fix lint error

* fix lint errors

* fix lint errors

* fix lint errors

* Fix lint

* Fix lint

* Refactor: minor cleanup

* chore: add sha256sum of settings.dist.py

* chore: add sha256sum of settings.dist.py
* Added Rapplex parser files

* Ruff checks were made. Warnings fixed.

* Ruff checks were made on unittest parser. Warnings fixed.

* Changed file loading process to use json.load instead of json.loads

* Dedupe_algo changed to hash_code. Performance improvements and fixes in parser.

* Corrections were made in accordance with DRY principles.

* html2text import fix

* Added settings hash

* Checksum changed

* Correct ruff errors

---------

Co-authored-by: Cody Maffucci <[email protected]>
….json) (#10672)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Remove MySQL and RabbitMQ

* Add release notes for breaking change

* Update other tests that use `--profile`

* Update settings sha

* Fix db name mistake

* Allow tests to fail

* Update some tests

* Try adding NOSONAR rule

* Remove NoSonar rules

* Update docs/content/en/getting_started/upgrading/2.37.md

Co-authored-by: Charles Neill <[email protected]>

* Update helm/defectdojo/values.yaml

Co-authored-by: Charles Neill <[email protected]>

* Update dc-up.sh

Co-authored-by: Charles Neill <[email protected]>

* Update dc-unittest.sh

Co-authored-by: Charles Neill <[email protected]>

* Update dc-up-d.sh

Co-authored-by: Charles Neill <[email protected]>

* Update docs/content/en/getting_started/architecture.md

Co-authored-by: Charles Neill <[email protected]>

* Further removals

* Update notice

* Found some other maria's

* Correct some tests

* Further corrections

* Correct ruff errors

---------

Co-authored-by: Charles Neill <[email protected]>
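The wizcli commit above describes guarding against `rule_matches`, `matches` and `secrets` being `None` before iterating and using `.get()` with defaults for missing fields, and several parsers in this release (wizcli, Kiuwan SCA, Rapplex) switch to `hash_code`-based deduplication. The block below is an added example of both techniques together; it is not DefectDojo's code nor any of these parsers' own code. The JSON layout it reads (`result.ruleMatches`, `result.secrets` and their field names) is a constructed assumption for illustration, not the real wizcli format, the sample report is constructed, and the `Finding` dataclass stands in for DefectDojo's Django model.

```python
"""Defensive parsing of a scanner JSON report plus hash_code-based deduplication.

Added example, not DefectDojo's own code. The report layout is a constructed
assumption for illustration and is NOT the real wizcli, Kiuwan or Rapplex format.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

# One constructed IaC match, reused twice below to produce a verbatim duplicate.
PUBLIC_BUCKET = {"resourceName": "aws_s3_bucket.assets", "fileName": "modules/storage/s3.tf",
                 "lineNumber": 12, "expected": "private", "found": "public-read"}
PUBLIC_BUCKET_RULE = {"id": "AWS-S3-001", "name": "S3 bucket allows public access"}

# Constructed sample report (assumption, not real scanner output). It deliberately
# contains a null "matches" list, a secret with missing fields and a duplicate
# rule match, to exercise the None checks and the deduplication.
SAMPLE_REPORT = json.dumps({
    "result": {
        "ruleMatches": [
            {"rule": PUBLIC_BUCKET_RULE, "severity": "HIGH", "matches": [PUBLIC_BUCKET]},
            {"rule": {"id": "K8S-PRIV-002", "name": "Container runs privileged"},
             "severity": "MEDIUM", "matches": None},
            {"rule": PUBLIC_BUCKET_RULE, "severity": "HIGH", "matches": [PUBLIC_BUCKET]},
        ],
        "secrets": [
            {"description": "AWS Access Key ID", "path": "envs/prod.tfvars",
             "lineNumber": 3, "severity": "CRITICAL"},
            {"description": "Generic API token"},   # path, line and severity missing
        ],
    }
})

# Scanner severities mapped to DefectDojo's five levels; anything unknown becomes Info.
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "INFORMATIONAL": "Info"}


@dataclass
class Finding:
    """Stand-in for DefectDojo's Finding model (assumption: a plain dataclass)."""
    title: str
    severity: str
    file_path: str
    line: Optional[int]
    description: str
    hash_code: str = field(init=False)

    def __post_init__(self) -> None:
        # Deduplicate on stable, scanner-independent fields only; the free-text
        # description is left out so cosmetic changes do not create new findings.
        key = "|".join([self.title, self.file_path, str(self.line)])
        self.hash_code = hashlib.sha256(key.encode("utf-8")).hexdigest()


def normalize_severity(raw: Optional[str]) -> str:
    return SEVERITY_MAP.get(str(raw or "").upper(), "Info")


def parse_report(raw_text: str) -> List[Finding]:
    """Parse the constructed report. `or []` / `or {}` make null and missing keys equivalent."""
    data = json.loads(raw_text) or {}
    result = data.get("result") or {}
    findings: List[Finding] = []

    for rule_match in result.get("ruleMatches") or []:
        rule = rule_match.get("rule") or {}
        title = rule.get("name") or rule.get("id") or "Unnamed rule"
        severity = normalize_severity(rule_match.get("severity"))
        for match in rule_match.get("matches") or []:   # "matches": null -> no iteration
            findings.append(Finding(
                title=title,
                severity=severity,
                file_path=match.get("fileName") or "",
                line=match.get("lineNumber"),
                description=(
                    f"Rule: {rule.get('id', 'n/a')}\n"
                    f"Resource: {match.get('resourceName', 'n/a')}\n"
                    f"Expected: {match.get('expected', 'n/a')}\n"
                    f"Found: {match.get('found', 'n/a')}"
                ),
            ))

    for secret in result.get("secrets") or []:
        findings.append(Finding(
            title=f"Hardcoded secret: {secret.get('description') or 'unknown'}",
            severity=normalize_severity(secret.get("severity")),
            file_path=secret.get("path") or "",
            line=secret.get("lineNumber"),
            description="Secret detected in IaC source; rotate it and move it to a secret store.",
        ))
    return findings


def deduplicate(findings: List[Finding]) -> List[Finding]:
    """Keep the first finding per hash_code, preserving report order."""
    seen = {}
    for finding in findings:
        seen.setdefault(finding.hash_code, finding)
    return list(seen.values())


if __name__ == "__main__":
    for finding in deduplicate(parse_report(SAMPLE_REPORT)):
        print(finding.severity, finding.title, finding.file_path, finding.line, finding.hash_code[:12])
```

Running the module parses four findings from the constructed report (the null `matches` list contributes none) and collapses them to three after deduplication, because the two identical S3 matches share a `hash_code`. The secret with missing fields survives with an empty path, no line number and `Info` severity instead of raising.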

dryrunsecurity bot commented Aug 5, 2024

DryRun Security Summary

The pull request includes a wide range of updates to the DefectDojo application, focusing on improving the security, setup, and deployment processes, as well as updating dependencies and enhancing the overall security posture of the application.


Summary:

The code changes in this pull request cover a wide range of updates to the DefectDojo application, including improvements to the GitHub Actions workflows, Docker Compose configuration, and various scripts. The changes are primarily focused on simplifying the setup and deployment process, updating dependencies, and enhancing the overall security posture of the application.

Key security-related changes include:

  1. Improvements to the integration test workflow, such as the use of Docker Compose V2, simplified database and message broker configurations, and better handling of environment variables.
  2. Updates to the release management workflow, including version number updates, branch management, and the creation of upgrade notes.
  3. Enhancements to the Docker image build process, including the use of secure base images, dependency updates, and improved environment variable management.
  4. Simplification of the development and testing environment configurations, with a focus on separating test and production environments and properly securing sensitive information.
  5. Improvements to the error handling and logging in various scripts, which can help with the early detection and investigation of potential security issues.

Overall, the changes in this pull request appear to be well-considered and aimed at improving the security and maintainability of the DefectDojo application. As an application security engineer, I would recommend thoroughly reviewing the changes and their impact on the application's security posture, and then approving the pull request.

Files Changed:

  1. .github/workflows/integration-tests.yml: Updates the integration test workflow to use Docker Compose V2 and simplify the setup process.
  2. .github/workflows/k8s-tests.yml: Modifies the Kubernetes deployment test workflow, including the use of a single database and message broker configuration.
  3. .github/renovate.json: Updates the Renovate bot configuration, including changes to dependency management and commit message formatting.
  4. .github/workflows/fetch-oas.yml: Enhances the workflow for fetching OpenAPI specifications, including improved artifact management and validation.
  5. .github/workflows/release-1-create-pr.yml: Improves the release management workflow, including version number updates and branch handling.
  6. .github/workflows/release-3-master-into-dev.yml: Adds a workflow to merge the master branch into the dev and bugfix branches after a release.
  7. .github/workflows/rest-framework-tests.yml: Updates the unit test workflow for the Django REST Framework project.
  8. Dockerfile.django-alpine: Optimizes the Docker image build process for the Django-based application running on Alpine Linux.
  9. Dockerfile.nginx-debian: Updates the Docker image build process for the Nginx web server component.
  10. Dockerfile.django-debian: Enhances the Docker image build process for the Django-based application running on Debian.
  11. Dockerfile.integration-tests-debian: Improves the Docker image build process for running integration tests on a Debian-based environment.
  12. Dockerfile.nginx-alpine: Updates the Docker image build process for the Nginx web server component running on Alpine Linux.
  13. components/package.json and components/yarn.lock: Updates a dependency (justgage) to a newer version.
  14. Various script files (e.g., dc-build.sh, dc-down.sh, dc-stop.sh, dc-integration-tests.sh, dc-unittest.sh, dc-up.sh, dc-up-d.sh) related to the Docker Compose setup and management.
  15. docker-compose.override.debug.yml, docker-compose.override.integration_tests.yml, docker-compose.override.dev.yml, docker-compose.override.unit_tests.yml, docker-compose.override.unit_tests_cicd.yml, and docker-compose.yml: Updates to the Docker Compose configuration files for different environments and use cases.
  16. NOTICE: Updates the licensing information for the DefectDojo application and its dependencies.
  17. docker/entrypoint-unit-tests-devDocker.sh and docker/entrypoint-unit-tests.sh: Improvements to the unit test execution scripts.

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer, 1 finding

Riskiness

🟢 Risk threshold not exceeded.


@Maffooch Maffooch closed this Aug 5, 2024
@Maffooch Maffooch reopened this Aug 5, 2024
@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Aug 5, 2024
@Maffooch Maffooch merged commit 86e2961 into master Aug 5, 2024
71 checks passed