
Release: Merge release into master from: release/2.41.0 #11357

Merged: 96 commits merged into master from release/2.41.0 on Dec 2, 2024

Conversation

github-actions[bot] (Contributor) commented Dec 2, 2024

Release triggered by rossops

DefectDojo release bot and others added 30 commits November 4, 2024 18:06
….0-dev

Release: Merge back 2.40.0 into dev from: master-into-dev/2.40.0-2.41.0-dev
Bumps [boto3](https://github.com/boto/boto3) from 1.35.53 to 1.35.54.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.53...1.35.54)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.7.1...0.7.2)

---
updated-dependencies:
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.2.14 to 0.2.15.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/0.2.15/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.2.14...0.2.15)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django](https://github.com/django/django) from 5.1.2 to 5.1.3.
- [Commits](django/django@5.1.2...5.1.3)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.54 to 1.35.55.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.54...1.35.55)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.55 to 1.35.56.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.55...1.35.56)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

* add engagement closed template

* add templates for mail, slack, and alerts
* fix(helm): add missing env config on job

The job isn't working well when using an external database, because the init container that checks whether the database is accessible isn't taking the same env values as the container that initializes the database config.

* fix(helm): remove unused env

* chore(helm): prefer using with over if
….0-dev

Release: Merge back 2.40.1 into dev from: master-into-dev/2.40.1-2.41.0-dev
* 🐛 fix renovate ruff update

* ruff

* Update dojo/api_v2/serializers.py

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>
* Ruff: Add and fix S113

* Update dojo/settings/settings.dist.py

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Matt Tesauro <[email protected]>
* Ruff: Add and fix PTH113

* sha sum

* sha sum
Bumps [boto3](https://github.com/boto/boto3) from 1.35.56 to 1.35.58.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.56...1.35.58)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ocker-compose.yml) (#11239)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Ruff: Add and fix PTH120

* fix dedupe_test

* fix dedupe_test

* fix

* sha sum

* ruff

* retrigger unittest

* sha sum
renovate bot and others added 17 commits November 26, 2024 20:43
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…11330)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Ruff: add SIM

* Ruff: fix some SIM
Bumps [boto3](https://github.com/boto/boto3) from 1.35.69 to 1.35.70.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.69...1.35.70)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (#11337)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Fix sarif parser locations files processing

* Fix tests

* linter fixes

* fix snippet for each file hit

* fix snippet
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v5.0.0...v5.1.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.0 to 2.10.1.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.10.0...2.10.1)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…json) (#11348)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.70 to 1.35.71.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.70...1.35.71)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.3 to 44.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.3...44.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Release 2.41.0: Merge Bugfix into Dev

dryrunsecurity bot commented Dec 2, 2024

DryRun Security Summary

The pull request includes various updates to the DefectDojo application's infrastructure, dependencies, and configuration, focusing on maintaining the security and stability of the application.


Summary:

The code changes in this pull request cover a variety of updates, including changes to the .gitignore file, Dockerfiles, GitHub Actions workflows, and package dependencies. Overall, these changes appear to be focused on maintaining the security and stability of the DefectDojo application's infrastructure and dependencies.

The key security-related aspects of these changes include:

  1. Dependency Updates: The updates to the OpenAPI Generator CLI, Python base image, NGINX base image, PostgreSQL Docker image, and frontend dependencies (pdfmake, pdfkit) are positive steps towards keeping the application's dependencies up-to-date and secure.

  2. Configuration and Workflow Improvements: The changes to the GitHub Actions workflow for building and deploying the documentation, as well as the updates to the Dockerfiles, demonstrate a focus on maintaining a secure and reliable infrastructure.

  3. Secure Practices: The use of specific version tags, secure base images (e.g., Alpine Linux), and the implementation of least-privileged permissions are all good security practices observed in the changes.

While there are no immediate security concerns raised by these changes, it is important to continue monitoring the application's dependencies and infrastructure for any potential vulnerabilities that may arise in the future. Additionally, thorough testing of the application after these changes is recommended to ensure that there are no regressions or unintended consequences.

Files Changed:

  1. .gitignore: Updates to exclude various documentation-related files and directories from the Git repository.
  2. Dockerfile.integration-tests-debian: Updates to the OpenAPI Generator CLI and Python base image versions, as well as the installation of additional testing-related packages.
  3. .github/workflows/gh-pages.yml: Updates to the Hugo and Node.js versions used in the GitHub Pages deployment workflow, as well as simplifications to the build and deployment process.
  4. Dockerfile.nginx-debian: Update to the NGINX base image version.
  5. components/package.json: Update to the application version and the pdfmake dependency version.
  6. docker-compose.yml: Update to the PostgreSQL Docker image version.
  7. Dockerfile.nginx-alpine: Update to the NGINX base image version and configuration changes.
  8. components/yarn.lock: Updates to the pdfmake and @foliojs-fork/pdfkit dependencies.

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer, 1 finding.


@rossops rossops closed this Dec 2, 2024
@rossops rossops reopened this Dec 2, 2024
@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm labels Dec 2, 2024
@rossops rossops merged commit 14929cb into master Dec 2, 2024
71 checks passed