Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release 2.41.0: Merge Bugfix into Dev #11356

Merged
merged 3 commits into from
Dec 2, 2024
Merged

Release 2.41.0: Merge Bugfix into Dev #11356

merged 3 commits into from
Dec 2, 2024

Conversation

rossops
Copy link
Collaborator

@rossops rossops commented Dec 2, 2024

⚠️ Note on feature completeness ⚠️

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changed in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder)

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

DefectDojo release bot and others added 3 commits November 25, 2024 16:53
Update versions in application files
ad78c24
@rossops
Merge pull request #11324 from DefectDojo/master-into-bugfix/2.40.3-2…
4751052 
….41.0-dev

Release: Merge back 2.40.3 into bugfix from: master-into-bugfix/2.40.3-2.41.0-dev
@dmarushkin
Fix sarif parser location files processing (#11265)
06ff84f 
* Fix sarif parser locations files processing

* Fix tests

* linter fixes

* fix snippet for each file hit

* fix snippet
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Dec 2, 2024

DryRun Security Summary

The provided code changes cover updates and improvements to the DefectDojo application, including Helm chart version updates, SARIF parser enhancements, and dependency updates, which do not introduce any immediate security concerns but should be thoroughly tested before deployment.

Expand for full summary

Summary:

The provided code changes cover various updates and improvements to the DefectDojo application, a popular open-source application security management tool. The key changes include:

  1. Helm chart version updates for the upcoming 2.41.0 release.
  2. Updates to the expected number of findings in the SARIF parser unit tests, indicating improvements in the njsscan and mobsfscan tools.
  3. Dependency updates in the package.json file, including a version bump for the defectdojo package.
  4. Enhancements to the SARIF parser in the dojo/tools/sarif/parser.py file, improving the handling of multiple locations, snippet extraction, description generation, severity handling, CWE extraction, and fingerprinting.

From an application security perspective, these changes do not introduce any immediate security concerns. The Helm chart update is a routine version bump, and the SARIF parser improvements enhance the tool's ability to accurately process and integrate security scan results. However, it's essential to review the release notes and change logs for any security-related fixes or improvements, and to thoroughly test the updated components before deploying them to the production environment.

Files Changed:

  1. helm/defectdojo/Chart.yaml: The Helm chart for the DefectDojo application has been updated, with the appVersion and version fields indicating a development version of the upcoming 2.41.0 release.
  2. unittests/tools/test_sarif_parser.py: The unit tests for the SARIF parser have been updated to reflect changes in the number of findings reported by the njsscan and mobsfscan tools.
  3. components/package.json: The project's dependencies have been updated, with the defectdojo package version being bumped to a development version of the upcoming 2.41.0 release.
  4. dojo/tools/sarif/parser.py: The SARIF parser has been enhanced to handle multiple locations, improve snippet extraction, generate more detailed descriptions, and better process CWE and severity information.

Code Analysis

We ran 9 analyzers against 4 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

View PR in the DryRun Dashboard.

@rossops rossops merged commit 81e650c into dev Dec 2, 2024
74 of 75 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
helm parser unittests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rossops @dmarushkin