Merge pull request DefectDojo#11189 from DefectDojo/release/2.40.0
Release: Merge release into master from: release/2.40.0
rossops authored Nov 4, 2024
2 parents fb442d2 + 0668466 commit fafe5c3
Showing 130 changed files with 5,230 additions and 876 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/k8s-tests.yml
Expand Up @@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v4

- name: Setup Minikube
uses: manusa/actions-setup-minikube@v2.12.0
uses: manusa/actions-setup-minikube@v2.13.0
with:
minikube version: 'v1.33.1'
kubernetes version: ${{ matrix.k8s }}
2 changes: 1 addition & 1 deletion Dockerfile.integration-tests-debian
@@ -1,7 +1,7 @@

# code: language=Dockerfile

FROM openapitools/openapi-generator-cli:v7.8.0@sha256:c409bfa9b276faf27726d2884b859d18269bf980cb63546e80b72f3b2648c492 AS openapitools
FROM openapitools/openapi-generator-cli:v7.9.0@sha256:bb32f5f0c9f5bdbb7b00959e8009de0230aedc200662701f05fc244c36f967ba AS openapitools
FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS build
WORKDIR /app
RUN \
2 changes: 1 addition & 1 deletion Dockerfile.nginx-alpine
Expand Up @@ -140,7 +140,7 @@ COPY manage.py ./
COPY dojo/ ./dojo/
RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true

FROM nginx:1.27.0-alpine@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
FROM nginx:1.27.2-alpine@sha256:2140dad235c130ac861018a4e13a6bc8aea3a35f3a40e20c1b060d51a7efd250
ARG uid=1001
ARG appuser=defectdojo
COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
2 changes: 1 addition & 1 deletion Dockerfile.nginx-debian
Expand Up @@ -73,7 +73,7 @@ COPY dojo/ ./dojo/

RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true

FROM nginx:1.27.0-alpine@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
FROM nginx:1.27.2-alpine@sha256:2140dad235c130ac861018a4e13a6bc8aea3a35f3a40e20c1b060d51a7efd250
ARG uid=1001
ARG appuser=defectdojo
COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
6 changes: 3 additions & 3 deletions components/package.json
@@ -1,6 +1,6 @@
{
"name": "defectdojo",
"version": "2.39.4",
"version": "2.40.0",
"license" : "BSD-3-Clause",
"private": true,
"dependencies": {
Expand All @@ -26,7 +26,7 @@
"google-code-prettify": "^1.0.0",
"jquery": "^3.7.1",
"jquery-highlight": "3.5.0",
"jquery-ui": "1.14.0",
"jquery-ui": "1.14.1",
"jquery.cookie": "1.4.1",
"jquery.flot.tooltip": "^0.9.0",
"jquery.hotkeys": "jeresig/jquery.hotkeys#master",
Expand All @@ -35,7 +35,7 @@
"metismenu": "~3.0.7",
"moment": "^2.30.1",
"morris.js": "morrisjs/morris.js",
"pdfmake": "^0.2.13",
"pdfmake": "^0.2.14",
"startbootstrap-sb-admin-2": "1.0.7"
},
"engines": {
16 changes: 8 additions & 8 deletions components/yarn.lock
Expand Up @@ -678,10 +678,10 @@ [email protected]:
dependencies:
jquery ">= 1.0.0"

[email protected].0:
version "1.14.0"
resolved "https://registry.yarnpkg.com/jquery-ui/-/jquery-ui-1.14.0.tgz#b75d417826f0bab38125f907356d2e3313a9c6d5"
integrity sha512-mPfYKBoRCf0MzaT2cyW5i3IuZ7PfTITaasO5OFLAQxrHuI+ZxruPa+4/K1OMNT8oElLWGtIxc9aRbyw20BKr8g==
[email protected].1:
version "1.14.1"
resolved "https://registry.yarnpkg.com/jquery-ui/-/jquery-ui-1.14.1.tgz#ba342ea3ffff662b787595391f607d923313e040"
integrity sha512-DhzsYH8VeIvOaxwi+B/2BCsFFT5EGjShdzOcm5DssWjtcpGWIMsn66rJciDA6jBruzNiLf1q0KvwMoX1uGNvnQ==
dependencies:
jquery ">=1.12.0 <5.0.0"

Expand Down Expand Up @@ -824,10 +824,10 @@ path-parse@^1.0.7:
resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.7.tgz#fbc114b60ca42b30d9daf5858e4bd68bbedb6735"
integrity sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==

pdfmake@^0.2.13:
version "0.2.13"
resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.13.tgz#ea43fe9f0c8de1e5ec7b08486d6f4f8bbb8619e4"
integrity sha512-qeVE9Bzjm0oPCitH4/HYM/XCGTwoeOAOVAXPnV3s0kpPvTLkTF/bAF4jzorjkaIhXGQhzYk6Xclt0hMDYLY93w==
pdfmake@^0.2.14:
version "0.2.14"
resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.14.tgz#a257a393b54917218add829bff8e490be21e8077"
integrity sha512-x9gXFAY37/CAC/WaZB/683E4Pi0cVW/RMTTNxMpe4I2kRsKv8AE3Pz6+n7iTfn+84/GtSg99BjZkYh7oGFCKmg==
dependencies:
"@foliojs-fork/linebreak" "^1.1.1"
"@foliojs-fork/pdfkit" "^0.14.0"
259 changes: 15 additions & 244 deletions docs/assets/icons/logo.svg
6 changes: 6 additions & 0 deletions docs/config.dev.toml
Expand Up @@ -77,6 +77,12 @@ weight = 1
pre = "<i class='fab fa-github'></i>"
url = "https://github.com/DefectDojo/django-DefectDojo"

[[menu.main]]
name = "Knowledge Base"
weight = 50
pre = "<i class='fas fa-atlas'></i>"
url = "https://support.defectdojo.com"

[markup]
[markup.goldmark]
[markup.goldmark.renderer]
6 changes: 6 additions & 0 deletions docs/config.master.toml
Expand Up @@ -77,6 +77,12 @@ weight = 1
pre = "<i class='fab fa-github'></i>"
url = "https://github.com/DefectDojo/django-DefectDojo"

[[menu.main]]
name = "Knowledge Base"
weight = 50
pre = "<i class='fas fa-atlas'></i>"
url = "https://support.defectdojo.com"

[markup]
[markup.goldmark]
[markup.goldmark.renderer]
16 changes: 14 additions & 2 deletions docs/content/en/contributing/how-to-write-a-parser.md
Expand Up @@ -16,9 +16,9 @@ All commands assume that you're located at the root of the django-DefectDojo clo
- It's advised that you create a dedicated branch for your development, such as `git checkout -b parser-name`.

It is easiest to use the docker compose deployment as it has hot-reload capbility for uWSGI.
Set up your environment to use the debug environment:
Set up your environment to use the dev environment:

`$ docker/setEnv.sh debug`
`$ docker/setEnv.sh dev`

Please have a look at [DOCKER.md](https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md) for more details.

Expand Down Expand Up @@ -294,12 +294,24 @@ This local command will launch the unit test for your new parser
$ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.<your_unittest_py_file>.<main_class_name> -v2'
{{< /highlight >}}

or like this:

{{< highlight bash >}}
$ ./dc-unittest.sh --test-case unittests.tools.<your_unittest_py_file>.<main_class_name>
{{< /highlight >}}

Example for the blackduck hub parser:

{{< highlight bash >}}
$ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser -v2'
{{< /highlight >}}

or like this:

{{< highlight bash >}}
$ ./dc-unittest.sh --test-case unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser
{{< /highlight >}}

{{% alert title="Information" color="info" %}}
If you want to run all unit tests, simply run `$ docker compose exec uwsgi bash -c 'python manage.py test unittests -v2'`
{{% /alert %}}
4 changes: 2 additions & 2 deletions docs/content/en/getting_started/installation.md
Expand Up @@ -14,11 +14,11 @@ See instructions in [DOCKER.md](<https://github.com/DefectDojo/django-DefectDojo

### SaaS (Includes Support & Supports the Project)

[SaaS link](https://www.defectdojo.com/pricing)
[SaaS link](https://defectdojo.com/platform)

### AWS AMI (Supports the Project)

[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://www.10security.com/defectdojo-aws-launch-guide)
[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://defectdojo.com/defectdojo-aws-launch-guide)

---
## **Options for the brave (not officially supported)**
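--- a/docs/content/en/getting_started/upgrading/2.40.md
+++ b/docs/content/en/getting_started/upgrading/2.40.md
@@ -0,0 +1,9 @@
+---
+title: 'Upgrading to DefectDojo Version 2.40.x'
+toc_hide: true
+weight: -20241007
+description: Breaking Change for Postgres 12.
+---
+With the upgrade to Django 5.1.x, Posgres 12 will no longer be supported. Please make plans to upgrade to a later version of Postrges before upgrading to version 2.40.0 of DefectDojo. To determine which version of Postgres to target, please refer to the [end of life version schedule](https://endoflife.date/postgresql)
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.40.0) for the contents of the release.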
16 changes: 8 additions & 8 deletions docs/content/en/integrations/notification_webhooks/_index.md
Expand Up @@ -5,11 +5,11 @@ weight: 7
chapter: true
---

Webhooks are HTTP requests coming from the DefectDojo instance towards user-defined webserver which expects this kind of incoming traffic.
Webhooks are HTTP requests coming from the DefectDojo instance towards a user-defined webserver which expects this kind of incoming traffic.

## Transition graph:

It is not unusual that in some cases webhook can not be performed. It is usually connected to network issues, server misconfiguration, or running upgrades on the server. DefectDojo needs to react to these outages. It might temporarily or permanently disable related endpoints. The following graph shows how it might change the status of the webhook definition based on HTTP responses (or manual user interaction).
It is not unusual that in some cases a webhook can not be delivered. It is usually connected to network issues, server misconfiguration, or running upgrades on the server. DefectDojo needs to react to these outages. It might temporarily or permanently disable related endpoints. The following graph shows how it might change the status of the webhook definition based on HTTP responses (or manual user interaction).

```mermaid
flowchart TD
Expand Down Expand Up @@ -53,7 +53,7 @@ Notes:
The body of each request is JSON which contains data about related events like names and IDs of affected elements.
Examples of bodies are on pages related to each event (see below).

Each request contains the following headers. They might be useful for better handling of events by server this process events.
Each request contains the following headers. They might be useful for better handling of events by the server receiving them.

```yaml
User-Agent: DefectDojo-<version of DD>
Expand All @@ -62,18 +62,18 @@ X-DefectDojo-Instance: <Base URL for DD instance>
```
## Disclaimer
This functionality is new and in experimental mode. This means Functionality might generate breaking changes in following DefectDojo releases and might not be considered final.
This functionality is new and in experimental mode. This means functionality might generate breaking changes in following DefectDojo releases and might not be considered final.
However, the community is open to feedback to make this functionality better and transform it stable as soon as possible.
However, the community is open to feedback to make this functionality better and get it stable as soon as possible.
## Roadmap
There are a couple of known issues that are expected to be implemented as soon as core functionality is considered ready.
There are a couple of known issues that are expected to be resolved as soon as core functionality is considered ready.
- Support events - Not only adding products, product types, engagements, tests, or upload of new scans but also events around SLA
- User webhook - right now only admins can define webhooks; in the future also users will be able to define their own
- User webhook - right now only admins can define webhooks; in the future, users will also be able to define their own
- Improvement in UI - add filtering and pagination of webhook endpoints
## Events
<!-- Hugo automatically renders list of subpages here -->
<!-- Hugo automatically renders list of subpages here -->
Expand Up @@ -12,7 +12,8 @@ X-DefectDojo-Event: engagement_added
## Event HTTP body
```json
{
"description": null,
"description": "",
"title": "",
"engagement": {
"id": 7,
"name": "notif eng",
Expand All @@ -35,4 +36,4 @@ X-DefectDojo-Event: engagement_added
"url_ui": "http://localhost:8080/engagement/7",
"user": null
}
```
```
Expand Up @@ -12,7 +12,8 @@ X-DefectDojo-Event: product_added
## Event HTTP body
```json
{
"description": null,
"description": "",
"title": "",
"product": {
"id": 4,
"name": "notif prod",
Expand All @@ -29,4 +30,4 @@ X-DefectDojo-Event: product_added
"url_ui": "http://localhost:8080/product/4",
"user": null
}
```
```
Expand Up @@ -12,7 +12,8 @@ X-DefectDojo-Event: product_type_added
## Event HTTP body
```json
{
"description": null,
"description": "",
"title": "",
"product_type": {
"id": 4,
"name": "notif prod type",
Expand All @@ -23,4 +24,4 @@ X-DefectDojo-Event: product_type_added
"url_ui": "http://localhost:8080/product/type/4",
"user": null
}
```
```
Expand Up @@ -19,7 +19,8 @@ X-DefectDojo-Event: scan_added_empty
## Event HTTP body
```json
{
"description": null,
"description": "",
"title": "",
"engagement": {
"id": 7,
"name": "notif eng",
Expand Down Expand Up @@ -87,4 +88,4 @@ X-DefectDojo-Event: scan_added_empty
"url_ui": "http://localhost:8080/test/90",
"user": null
}
```
```
Expand Up @@ -12,7 +12,8 @@ X-DefectDojo-Event: test_added
## Event HTTP body
```json
{
"description": null,
"description": "",
"title": "",
"engagement": {
"id": 7,
"name": "notif eng",
Expand Down Expand Up @@ -41,4 +42,4 @@ X-DefectDojo-Event: test_added
"url_ui": "http://localhost:8080/test/90",
"user": null
}
```
```
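--- a/docs/content/en/integrations/parsers/file/aws_inspector2.md
+++ b/docs/content/en/integrations/parsers/file/aws_inspector2.md
@@ -0,0 +1,24 @@
+---
+title: "AWS Inspector2 Scanner"
+toc_hide: true
+---
+
+### File Types
+AWS Inspector2 report can be imported in json format. Inspector2 name comes from API calls to "modern" Inspector API - `aws inspector2` as opposite to Classic Inspector (previous version of the service), this is an example of how such report can be generated: `aws inspector2 list-findings --filter-criteria '{"resourceId":[{"comparison":"EQUALS","value":"i-instance_id_here"}]}' --region us-east-1 > inspector2_findings.json`
+
+
+This parser can help to get findings in a delegated admin account for AWS Inspector or in a standalone AWS account. The parser is developed mostly for a scenario where findings are obtained for a specific resource like an ECR image or an instance, and uploaded to a test in a DefectDojo engagement that represents a branch from a git repository.
+
+
+A minimal valid json file with no findings:
+
+```json
+{
+"findings": []
+}
+```
+
+Detailed API response format can be obtained [here](https://docs.aws.amazon.com/inspector/v2/APIReference/API_Finding.html)
+
+### Sample Scan Data
+Sample AWS Inspector2 findings can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/aws_inspector2).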
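--- a/docs/content/en/integrations/parsers/file/ptart.md
+++ b/docs/content/en/integrations/parsers/file/ptart.md
@@ -0,0 +1,14 @@
+---
+title: "PTART Reports"
+toc_hide: true
+---
+
+### What is PTART?
+PTART is a Pentest and Security Auditing Reporting Tool developed by the Michelin CERT (https://github.com/certmichelin/PTART)
+
+### Importing Reports
+Reports can be exported to JSON format from the PTART web UI, and imported into DefectDojo by using the "PTART Report" importer.
+
+### Sample Scan Data
+Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/ptart).
+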
2 changes: 1 addition & 1 deletion dojo/__init__.py
Expand Up @@ -4,6 +4,6 @@
# Django starts so that shared_task will use this app.
from .celery import app as celery_app # noqa: F401

__version__ = "2.39.4"
__version__ = "2.40.0"
__url__ = "https://github.com/DefectDojo/django-DefectDojo"
__docs__ = "https://documentation.defectdojo.com"
12 changes: 9 additions & 3 deletions dojo/api_v2/serializers.py
Expand Up @@ -3,7 +3,6 @@
import os
import re
from datetime import datetime
from typing import List

import six
import tagulous
Expand Down Expand Up @@ -1517,7 +1516,7 @@ def get_engagement(self, obj):
)

def validate(self, data):
def validate_findings_have_same_engagement(finding_objects: List[Finding]):
def validate_findings_have_same_engagement(finding_objects: list[Finding]):
engagements = finding_objects.values_list("test__engagement__id", flat=True).distinct().count()
if engagements > 1:
msg = "You are not permitted to add findings from multiple engagements"
Expand Down Expand Up @@ -2043,7 +2042,7 @@ def get_findings_count(self, obj) -> int:
return obj.findings_count

# TODO: maybe extend_schema_field is needed here?
def get_findings_list(self, obj) -> List[int]:
def get_findings_list(self, obj) -> list[int]:
return obj.open_findings_list


Expand Down Expand Up @@ -2258,6 +2257,13 @@ def setup_common_context(self, data: dict) -> dict:
if context.get("scan_date")
else None
)

# engagement end date was not being used at all and so target_end would also turn into None
# in this case, do not want to change target_end unless engagement_end exists
eng_end_date = context.get("engagement_end_date", None)
if eng_end_date:
context["target_end"] = context.get("engagement_end_date")

return context


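Review bot: In the last hunk of dojo/api_v2/serializers.py, `context["target_end"]` is assigned from a second `context.get("engagement_end_date")` lookup although the same value was just bound to `eng_end_date` on the line above; the assignment should read `context["target_end"] = eng_end_date`, and the explicit `, None` default on the first `.get` is redundant. The guard is a truthiness test, so an empty or missing engagement end date leaves `target_end` as previously computed, which is what the two-line comment describes; that comment could be tightened to `# Only override target_end when an engagement end date was actually supplied`. setup_common_context begins outside the hunk, so where `target_end` is first populated is not visible here.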
