
Release: Merge release into master from: release/2.39.3 #11144

Merged (10 commits, Oct 28, 2024)
Conversation

github-actions[bot] (Contributor)

Release triggered by rossops

DefectDojo release bot and others added 10 commits October 21, 2024 15:28
….40.0-dev

Release: Merge back 2.39.2 into bugfix from: master-into-bugfix/2.39.2-2.40.0-dev
* 🐛 fix tenable #11102

* add unittest
Old link does not work
* JIRA Finding Groups: Accommodate status function inconsistency

* Fix ruff
…ds (#11135)

* Threat Uploads: Server side file extension validation + force downloads

* Fix ruff

dryrunsecurity bot commented Oct 28, 2024

DryRun Security Summary

The pull request includes a wide range of updates to the DefectDojo application, including version updates, bug fixes, security improvements, and testing enhancements across various components, with a focus on improving the overall security and reliability of the platform.


Summary:

The code changes in this pull request cover a wide range of updates to the DefectDojo application, including version updates, bug fixes, security improvements, and testing enhancements. The changes span across various components of the application, such as the Jira integration, file upload handling, vulnerability parsing, and Helm chart configuration.

From an application security perspective, the changes generally appear to be positive and focused on improving the overall security and reliability of the DefectDojo platform. Key security-related improvements include:

  1. Handling of unexpected behaviors and edge cases in the Jira integration to ensure robust and secure data handling.
  2. Enforcing file type validation in the UploadThreatForm to prevent the upload of potentially malicious files.
  3. Refactoring the file serving logic to centralize security checks and headers, and to prevent potential path traversal attacks.
  4. Updating dependency versions and improving the handling of vulnerability data from various sources, such as Tenable and OSV.

While the changes do not appear to introduce any immediate security vulnerabilities, it is important to thoroughly review the code, configuration, and dependencies to ensure the ongoing security and integrity of the application. Additionally, regular security audits and vulnerability assessments are recommended to identify and address any potential security issues that may arise in the future.

Files Changed:

  1. dojo/__init__.py: Updated the version number from "2.39.2" to "2.39.3".
  2. dojo/jira_link/helper.py: Improved the handling of the can_be_pushed_to_jira function to accommodate unexpected behaviors and ensure that only active, relevant findings are pushed to Jira.
  3. components/package.json: Updated the application version from "2.39.2" to "2.39.3".
  4. dojo/forms.py: Introduced a clean() method in the UploadThreatForm to enforce file type validation and prevent the upload of potentially malicious files.
  5. dojo/engagement/views.py: Removed the unused FileResponse import and replaced it with a new generate_file_response_from_file_path function.
  6. .github/ISSUE_TEMPLATE/support_request.md: Updated the link to the OWASP Slack workspace invitation.
  7. dojo/settings/settings.dist.py: Added a new mapping for the "RXSA" vulnerability type, corresponding to the Rocky Linux Security Advisory.
  8. dojo/settings/.settings.dist.py.sha256sum: Updated the SHA-256 hash value for the dojo/settings/.settings.dist.py file.
  9. dojo/tools/redhatsatellite/parser.py: Improved the formatting and presentation of the "bugs" field in the findings description.
  10. helm/defectdojo/Chart.yaml: Updated the appVersion and version fields to reflect the changes in the underlying DefectDojo application.
  11. dojo/tools/tenable/csv_format.py: Enhanced the handling of the "mitigation" field and improved the severity conversion process in the TenableCSVParser.
  12. dojo/tools/osv_scanner/parser.py: Implemented a robust parser for the OSV (Open Source Vulnerabilities) scanner output, with a focus on handling incomplete data and integrating the findings with the Defect Dojo platform.
  13. unittests/scans/tenable/issue_11102.csv: Added details about the "SSL Medium Strength Cipher Suites Supported (SWEET32)" vulnerability to the unit test suite.
  14. unittests/tools/test_tenable_parser.py: Introduced a new test case to ensure the TenableParser class can correctly handle the issue_11102.csv report file.
  15. dojo/utils.py: Refactored the generate_file_response function to improve the consistency and reliability of file serving, with a focus on security.

Code Analysis

We ran 9 analyzers against 15 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer findings:
  Sensitive Files Analyzer: 1 finding
  Authn/Authz Analyzer: 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
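As an added illustration of the two upload/download hardening points the summary above lists (server-side file extension validation in the threat-model upload form, and a single file-serving helper that refuses paths outside its base directory and forces a download), here is plain-Python example code written for this note. It is not DefectDojo's own code and does not reproduce its forms or views; the allow-list, the function names and the constructed sample file are assumptions.

```python
import os
import tempfile
from typing import Dict, Iterable, Tuple

# Constructed allow-list for this example; DefectDojo's real list is not reproduced here.
ALLOWED_THREAT_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".txt"}


def validate_upload_extension(filename: str, allowed: Iterable[str] = ALLOWED_THREAT_EXTENSIONS) -> bool:
    """Server-side extension check on the basename only.

    The name is reduced to its last path component so 'reports/../model.pdf.exe'
    is judged on 'model.pdf.exe'; the *last* suffix decides, so a double
    extension does not slip through, and a missing extension is rejected.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    return ext in set(allowed)


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` if it stays inside base_dir.

    Both sides are canonicalised with realpath (symlinks resolved) before the
    containment check, so '../' sequences, absolute paths and symlink hops
    pointing outside the base all raise ValueError.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside base directory: {requested!r}")
    return candidate


def forced_download_headers(filename: str) -> Dict[str, str]:
    """Headers that make the browser save the file instead of rendering it."""
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def generate_file_response(base_dir: str, requested: str) -> Tuple[Dict[str, str], bytes]:
    """Single chokepoint for serving stored files: path check, headers, body.

    Hypothetical helper name; every view that serves a file should call this
    rather than building its own response, so the checks cannot be skipped.
    """
    path = resolve_under_base(base_dir, requested)
    with open(path, "rb") as fh:
        body = fh.read()
    return forced_download_headers(path), body


def demo() -> dict:
    """Self-check on a constructed temporary directory (not DefectDojo data)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "model.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample")
        headers, body = generate_file_response(base, "model.pdf")
        results["served_body"] = body
        results["disposition"] = headers["Content-Disposition"]
        try:
            generate_file_response(base, "../../etc/passwd")
            results["traversal_blocked"] = False
        except ValueError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(validate_upload_extension("threat_model.pdf"))
    print(validate_upload_extension("threat_model.pdf.exe"))
    print(demo())
```

The extension check belongs in the form's server-side validation (the summary's `clean()`), never only in the browser; the path containment and download headers belong in the one helper that every file-serving view calls, which is what centralising them buys.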

@rossops rossops closed this Oct 28, 2024
@rossops rossops reopened this Oct 28, 2024
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests parser helm labels Oct 28, 2024
@rossops rossops merged commit 9bf79c0 into master Oct 28, 2024
71 checks passed