Skip to content

Commit

Permalink
Merge branch 'dev' into master-into-dev/2.35.4-2.36.0-dev
Browse files Browse the repository at this point in the history
  • Loading branch information
blakeaowens authored Jun 24, 2024
2 parents 324f0df + 91de2e8 commit 1b8614a
Show file tree
Hide file tree
Showing 70 changed files with 857 additions and 503 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build-docker-images-for-testing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:

- name: Build
id: docker_build
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
timeout-minutes: 10
with:
context: .
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/integration-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
"tests/tool_config.py",
"openapi-validatator",
]
profile: ["mysql-rabbitmq", "postgres-redis"]
profile: ["postgres-rabbitmq", "postgres-redis"]
os: [alpine, debian]
fail-fast: false

Expand All @@ -59,10 +59,10 @@ jobs:
- name: Set integration-test mode
run: ln -s docker-compose.override.integration_tests.yml docker-compose.override.yml

# phased startup with MySQL and RabbitMQ so we can use the exit code from integrationtest container
- name: Start Dojo MySQL + RabbitMQ
if: matrix.profile == 'mysql-rabbitmq'
run: docker compose --profile ${{ matrix.profile }} --env-file ./docker/environments/${{ matrix.profile }}.env up --no-deps -d mysql nginx celerybeat celeryworker mailhog uwsgi rabbitmq
# phased startup with PostgreSQL and RabbitMQ so we can use the exit code from integrationtest container
- name: Start Dojo PostgreSQL + RabbitMQ
if: matrix.profile == 'postgres-rabbitmq'
run: docker compose --profile ${{ matrix.profile }} --env-file ./docker/environments/${{ matrix.profile }}.env up --no-deps -d postgres nginx celerybeat celeryworker mailhog uwsgi rabbitmq
env:
DJANGO_VERSION: ${{ matrix.os }}
NGINX_VERSION: ${{ matrix.os }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release-x-manual-docker-containers.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
- name: Build and push images with debian
if: ${{ matrix.os == 'debian' }}
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
env:
REPO_ORG: ${{ env.repoorg }}
docker-image: ${{ matrix.docker-image }}
Expand All @@ -77,7 +77,7 @@ jobs:

- name: Build and push images with alpine
if: ${{ matrix.os == 'alpine' }}
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
env:
REPO_ORG: ${{ env.repoorg }}
docker-image: ${{ matrix.docker-image }}
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/rest-framework-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,20 +34,20 @@ jobs:
run: docker/setEnv.sh unit_tests_cicd

# phased startup so we can use the exit code from unit test container
- name: Start MySQL
run: docker compose --env-file ./docker/environments/mysql-redis.env up -d mysql
- name: Start Postgres
run: docker compose --env-file ./docker/environments/postgres-redis.env up -d postgres

# no celery or initializer needed for unit tests
- name: Unit tests
timeout-minutes: 10
run: docker compose --profile mysql-redis --env-file ./docker/environments/mysql-redis.env up --no-deps --exit-code-from uwsgi uwsgi
run: docker compose --profile postgres-redis --env-file ./docker/environments/postgres-redis.env up --no-deps --exit-code-from uwsgi uwsgi
env:
DJANGO_VERSION: ${{ matrix.os }}

- name: Logs
if: failure()
run: docker compose --profile mysql-redis --env-file ./docker/environments/mysql-redis.env logs --tail="2500" uwsgi
run: docker compose --profile postgres-redis --env-file ./docker/environments/postgres-redis.env logs --tail="2500" uwsgi

- name: Shutdown
if: always()
run: docker compose --profile mysql-redis --env-file ./docker/environments/mysql-redis.env down
run: docker compose --profile postgres-redis --env-file ./docker/environments/postgres-redis.env down
4 changes: 2 additions & 2 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,7 @@ services:
volumes:
- defectdojo_data:/var/lib/mysql
postgres:
image: postgres:16.3-alpine@sha256:e89da2c083a5405943408b6807cd1fd25dc9010c1294e30611b841778bedc653
image: postgres:16.3-alpine@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03f0b6839133ed05065
profiles:
- postgres-rabbitmq
- postgres-redis
Expand All @@ -159,7 +159,7 @@ services:
volumes:
- defectdojo_rabbitmq:/var/lib/rabbitmq
redis:
image: redis:7.2.5-alpine@sha256:0389bb8416d7c6ed065c25745179bf5d358e5d9472dd30a687ab36ffbb650262
image: redis:7.2.5-alpine@sha256:de14eedfbd1fc871d0f5aa1773fd80743930e45354d035b6f3b551e7ffa44df8
profiles:
- mysql-redis
- postgres-redis
Expand Down
2 changes: 1 addition & 1 deletion docker/entrypoint-unit-tests-devDocker.sh
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ EOF

echo "Unit Tests"
echo "------------------------------------------------------------"
python3 manage.py test unittests -v 3 --keepdb --no-input
python3 manage.py test unittests -v 3 --keepdb --no-input --shuffle

# you can select a single file to "test" unit tests
# python3 manage.py test unittests.tools.test_npm_audit_scan_parser.TestNpmAuditParser --keepdb -v 3
Expand Down
2 changes: 1 addition & 1 deletion docker/entrypoint-unit-tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -79,4 +79,4 @@ python3 manage.py migrate

echo "Unit Tests"
echo "------------------------------------------------------------"
python3 manage.py test unittests -v 3 --keepdb --no-input
python3 manage.py test unittests -v 3 --keepdb --no-input --shuffle
1 change: 1 addition & 0 deletions docker/install_chrome_dependencies.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# noqa: INP001
"""
This solution is largely based on the Playwright's browser dependencies script at
https://github.com/microsoft/playwright/blob/main/utils/linux-browser-dependencies/inside_docker/list_dependencies.js
Expand Down
7 changes: 7 additions & 0 deletions docs/content/en/getting_started/upgrading/2.36.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
title: 'Upgrading to DefectDojo Version 2.36.x'
toc_hide: true
weight: -20240603
description: No special instructions.
---
There are no special instructions for upgrading to 2.36.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.36.0) for the contents of the release.
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
title: "Deepfence Threatmapper"
toc_hide: true
---
Import compliance, malware, secret, vulnerability reports from [Deepfence Threatmapper](https://github.com/deepfence/ThreatMapper) in XLSX file format.

### Sample Scan Data
Sample Threatmapper scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/deepfence_threatmapper). In this link are both .xlsx and .csv listed. They contain the same content, but csv can be read in the Browser, but only xlsx is supported by the parser.
2 changes: 2 additions & 0 deletions dojo/api_v2/serializers.py
Original file line number Diff line number Diff line change
Expand Up @@ -559,6 +559,8 @@ def validate(self, data):


class UserContactInfoSerializer(serializers.ModelSerializer):
user_profile = UserSerializer(many=False, source="user", read_only=True)

class Meta:
model = UserContactInfo
fields = "__all__"
Expand Down
2 changes: 1 addition & 1 deletion dojo/api_v2/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -2967,7 +2967,7 @@ def report_generate(request, obj, options):
report_name = "Finding"

else:
raise Http404()
raise Http404

result = {
"product_type": product_type,
Expand Down
6 changes: 3 additions & 3 deletions dojo/authorization/authorization.py
Original file line number Diff line number Diff line change
Expand Up @@ -243,17 +243,17 @@ def user_has_global_permission(user, permission):

def user_has_configuration_permission_or_403(user, permission):
if not user_has_configuration_permission(user, permission):
raise PermissionDenied()
raise PermissionDenied


def user_has_permission_or_403(user, obj, permission):
if not user_has_permission(user, obj, permission):
raise PermissionDenied()
raise PermissionDenied


def user_has_global_permission_or_403(user, permission):
if not user_has_global_permission(user, permission):
raise PermissionDenied()
raise PermissionDenied


def get_roles_for_permission(permission):
Expand Down
2 changes: 1 addition & 1 deletion dojo/decorators.py
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ def _wrapped(request, *args, **kw):
dojo_user = Dojo_User.objects.filter(username=username).first()
if dojo_user:
Dojo_User.enable_force_password_reset(dojo_user)
raise Ratelimited()
raise Ratelimited
return fn(request, *args, **kw)
return _wrapped
return decorator
8 changes: 4 additions & 4 deletions dojo/engagement/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@
def engagement_calendar(request):

if not get_system_setting('enable_calendar'):
raise Resolver404()
raise Resolver404

if 'lead' not in request.GET or '0' in request.GET.getlist('lead'):
engagements = get_authorized_engagements(Permissions.Engagement_View)
Expand Down Expand Up @@ -1205,7 +1205,7 @@ def add_risk_acceptance(request, eid, fid=None):
finding = get_object_or_404(Finding, id=fid)

if not eng.product.enable_full_risk_acceptance:
raise PermissionDenied()
raise PermissionDenied

if request.method == 'POST':
form = RiskAcceptanceForm(request.POST, request.FILES)
Expand Down Expand Up @@ -1283,7 +1283,7 @@ def view_edit_risk_acceptance(request, eid, raid, edit_mode=False):
eng = get_object_or_404(Engagement, pk=eid)

if edit_mode and not eng.product.enable_full_risk_acceptance:
raise PermissionDenied()
raise PermissionDenied

risk_acceptance_form = None
errors = False
Expand Down Expand Up @@ -1455,7 +1455,7 @@ def reinstate_risk_acceptance(request, eid, raid):
eng = get_object_or_404(Engagement, pk=eid)

if not eng.product.enable_full_risk_acceptance:
raise PermissionDenied()
raise PermissionDenied

ra_helper.reinstate(risk_acceptance, risk_acceptance.expiration_date)

Expand Down
12 changes: 6 additions & 6 deletions dojo/finding/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -1212,7 +1212,7 @@ def post(self, request: HttpRequest, finding_id):
# Handle the case of a successful form
if success:
return redirect_to_return_url_or_else(request, reverse("view_test", args=(finding.test.id,)))
raise PermissionDenied()
raise PermissionDenied


@user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
Expand Down Expand Up @@ -1500,7 +1500,7 @@ def apply_template_cwe(request, fid):
extra_tags="alert-danger",
)
else:
raise PermissionDenied()
raise PermissionDenied


@user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
Expand Down Expand Up @@ -1614,7 +1614,7 @@ def simple_risk_accept(request, fid):
finding = get_object_or_404(Finding, id=fid)

if not finding.test.engagement.product.enable_simple_risk_acceptance:
raise PermissionDenied()
raise PermissionDenied

ra_helper.simple_risk_accept(finding)

Expand Down Expand Up @@ -1741,7 +1741,7 @@ def clear_finding_review(request, fid):
# the review or one of the users requested to provide the review, then
# do not allow the user to clear the review.
if user != finding.review_requested_by and user not in finding.reviewers.all():
raise PermissionDenied()
raise PermissionDenied

# in order to clear a review for a finding, we need to capture why and how it was reviewed
# we can do this with a Note
Expand Down Expand Up @@ -2058,7 +2058,7 @@ def delete_stub_finding(request, fid):
extra_tags="alert-danger",
)
else:
raise PermissionDenied()
raise PermissionDenied


@user_is_authorized(Stub_Finding, Permissions.Finding_Edit, "fid")
Expand Down Expand Up @@ -2442,7 +2442,7 @@ def delete_template(request, tid):
extra_tags="alert-danger",
)
else:
raise PermissionDenied()
raise PermissionDenied


def download_finding_pic(request, token):
Expand Down
Empty file added dojo/importers/__init__.py
Empty file.
2 changes: 1 addition & 1 deletion dojo/metrics/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -903,7 +903,7 @@ def view_engineer(request, eid):
user = get_object_or_404(Dojo_User, pk=eid)
if not (request.user.is_superuser
or request.user.username == user.username):
raise PermissionDenied()
raise PermissionDenied
now = timezone.now()

findings = Finding.objects.filter(reporter=user, verified=True)
Expand Down
26 changes: 13 additions & 13 deletions dojo/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -3614,22 +3614,22 @@ class Risk_Acceptance(models.Model):
TREATMENT_FIX = 'F'
TREATMENT_TRANSFER = 'T'

TREATMENT_CHOICES = [
(TREATMENT_ACCEPT, 'Accept (The risk is acknowledged, yet remains)'),
(TREATMENT_AVOID, 'Avoid (Do not engage with whatever creates the risk)'),
(TREATMENT_MITIGATE, 'Mitigate (The risk still exists, yet compensating controls make it less of a threat)'),
(TREATMENT_FIX, 'Fix (The risk is eradicated)'),
(TREATMENT_TRANSFER, 'Transfer (The risk is transferred to a 3rd party)'),
]

TREATMENT_TRANSLATIONS = {
'A': 'Accept (The risk is acknowledged, yet remains)',
'V': 'Avoid (Do not engage with whatever creates the risk)',
'M': 'Mitigate (The risk still exists, yet compensating controls make it less of a threat)',
'F': 'Fix (The risk is eradicated)',
'T': 'Transfer (The risk is transferred to a 3rd party)',
TREATMENT_ACCEPT: _('Accept (The risk is acknowledged, yet remains)'),
TREATMENT_AVOID: _('Avoid (Do not engage with whatever creates the risk)'),
TREATMENT_MITIGATE: _('Mitigate (The risk still exists, yet compensating controls make it less of a threat)'),
TREATMENT_FIX: _('Fix (The risk is eradicated)'),
TREATMENT_TRANSFER: _('Transfer (The risk is transferred to a 3rd party)'),
}

TREATMENT_CHOICES = [
(TREATMENT_ACCEPT, TREATMENT_TRANSLATIONS[TREATMENT_ACCEPT]),
(TREATMENT_AVOID, TREATMENT_TRANSLATIONS[TREATMENT_AVOID]),
(TREATMENT_MITIGATE, TREATMENT_TRANSLATIONS[TREATMENT_MITIGATE]),
(TREATMENT_FIX, TREATMENT_TRANSLATIONS[TREATMENT_FIX]),
(TREATMENT_TRANSFER, TREATMENT_TRANSLATIONS[TREATMENT_TRANSFER]),
]

name = models.CharField(max_length=300, null=False, blank=False, help_text=_("Descriptive name which in the future may also be used to group risk acceptances together across engagements and products"))

accepted_findings = models.ManyToManyField(Finding)
Expand Down
2 changes: 1 addition & 1 deletion dojo/notifications/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ def get_notifications(self, request: HttpRequest):

def check_user_permissions(self, request: HttpRequest):
if not request.user.is_superuser:
raise PermissionDenied()
raise PermissionDenied

def get_form(self, request: HttpRequest, notifications: Notifications):
# Set up the args for the form
Expand Down
6 changes: 3 additions & 3 deletions dojo/product/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -839,7 +839,7 @@ def import_scan_results_prod(request, pid=None):

def new_product(request, ptid=None):
if get_authorized_product_types(Permissions.Product_Type_Add_Product).count() == 0:
raise PermissionDenied()
raise PermissionDenied

jira_project_form = None
error = False
Expand Down Expand Up @@ -1822,7 +1822,7 @@ def edit_api_scan_configuration(request, pid, pascid):

if product_api_scan_configuration.product.pk != int(
pid): # user is trying to edit Tool Configuration from another product (trying to by-pass auth)
raise Http404()
raise Http404

if request.method == 'POST':
form = Product_API_Scan_ConfigurationForm(request.POST, instance=product_api_scan_configuration)
Expand Down Expand Up @@ -1868,7 +1868,7 @@ def delete_api_scan_configuration(request, pid, pascid):

if product_api_scan_configuration.product.pk != int(
pid): # user is trying to delete Tool Configuration from another product (trying to by-pass auth)
raise Http404()
raise Http404

if request.method == 'POST':
form = Product_API_Scan_ConfigurationForm(request.POST)
Expand Down
10 changes: 5 additions & 5 deletions dojo/reports/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ def post(self, request: HttpRequest) -> HttpResponse:
self._set_state(request)
return render(request, self.get_template(), self.get_context())
else:
raise PermissionDenied()
raise PermissionDenied

def _set_state(self, request: HttpRequest):
self.request = request
Expand Down Expand Up @@ -157,7 +157,7 @@ def get_template(self):
elif self.report_format == 'HTML':
return 'dojo/custom_html_report.html'
else:
raise PermissionDenied()
raise PermissionDenied

def get_context(self):
return {
Expand Down Expand Up @@ -369,7 +369,7 @@ def product_endpoint_report(request, pid):
'title': 'Generate Report',
})
else:
raise Http404()
raise Http404

product_tab = Product_Tab(product, "Product Endpoint Report", tab="endpoints")
return render(request,
Expand Down Expand Up @@ -609,7 +609,7 @@ def generate_report(request, obj, host_view=False):
'host': report_url_resolver(request),
'user_id': request.user.id}
else:
raise Http404()
raise Http404

report_form = ReportOptionsForm()

Expand Down Expand Up @@ -665,7 +665,7 @@ def generate_report(request, obj, host_view=False):
})

else:
raise Http404()
raise Http404
paged_findings = get_page_items(request, findings.qs.distinct().order_by('numerical_severity'), 25)

product_tab = None
Expand Down
Loading

0 comments on commit 1b8614a

Please sign in to comment.