Merge branch 'dev' into dev

.dryrunsecurity.yaml

@@ -0,0 +1,67 @@
+---
+sensitiveCodepaths:
+  - 'dojo/object/*.py' # FIXME
+  - 'dojo/announcement/*.py'
+  - 'dojo/api_v2/*.py'
+  - 'dojo/api_v2/**/*.py'
+  - 'dojo/authorization/*.py'
+  - 'dojo/db_migrations/*.py'
+  - 'dojo/endpoint/*.py'
+  - 'dojo/engagement/*.py'
+  - 'dojo/finding/*.py'
+  - 'dojo/finding_group/*.py'
+  - 'dojo/group/*.py'
+  - 'dojo/importers/*.py'
+  - 'dojo/importers/**/*.py'
+  - 'dojo/jira_link/*.py'
+  - 'dojo/metrics/*.py'
+  - 'dojo/note_type/*.py'
+  - 'dojo/notes/*.py'
+  - 'dojo/product/*.py'
+  - 'dojo/product_type/*.py'
+  - 'dojo/reports/*.py'
+  - 'dojo/risk_acceptance/*.py'
+  - 'dojo/search/*.py'
+  - 'dojo/templates/*.html'
+  - 'dojo/templates/**/*.html'
+  - 'dojo/templatetags/*.py'
+  - 'dojo/test/*.py'
+  - 'dojo/tool_config/*.py'
+  - 'dojo/tool_product/*.py'
+  - 'dojo/tool_type/*.py'
+  - 'dojo/user/*.py'
+  - 'dojo/apps.py'
+  - 'dojo/celery.py'
+  - 'dojo/context_processors.py'
+  - 'dojo/decorators.py'
+  - 'dojo/filters.py'
+  - 'dojo/forms.py'
+  - 'dojo/middleware.py'
+  - 'dojo/models.py'
+  - 'dojo/okta.py'
+  - 'dojo/pipeline.py'
+  - 'dojo/remote_user.py'
+  - 'dojo/tasks.py'
+  - 'dojo/urls.py'
+  - 'dojo/utils.py'
+  - 'dojo/views.py'
+  - 'dojo/wsgi.py'
+  - 'docker/environments/*.env'
+  - 'docker/extra_settings'
+  - 'docker/entrypoint-celery-beat.sh'
+  - 'docker/entrypoint-celery-worker.sh'
+  - 'docker/entrypoint-initializer.sh'
+  - 'docker/entrypoint-nginx.sh'
+  - 'docker/entrypoint-uwsgi.sh'
+  - 'docker/wait-for-it.sh'
+allowedAuthors:
+  usernames:
+    - mtesauro
+    - devGregA
+    - grendel513
+    - cneill
+    - Maffooch
+    - blakeowens
+notificationList:
+  - '@mtesauro'
+  - '@grendel513'

.flake8

@@ -1,5 +1,8 @@
 [flake8]
 # Documentation for flake8 http://flake8.pycqa.org/en/3.1.1/user/index.html
+
+# we should not ignore these mistakes !!!!!!!!
+
 ignore =
     # Suppress - line too long (> 79 characters)
     E501
@@ -25,6 +28,8 @@ ignore =
     E128
     # line break after binary operator
     W504
+    # Line break occurred before a binary operator (conflicting with black)
+    W503
     # undefined file name excpetion
     F821
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -6,6 +6,10 @@ labels: enhancement
 assignees: ''
 
 ---
+## :warning: Note on feature completeness :warning:
+
+We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
+https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
 
 **Is your feature request related to a problem? Please describe**
 A clear and concise description of what the problem is.

.github/ISSUE_TEMPLATE/support_request.md

@@ -0,0 +1,48 @@
+---
+name: Support Request
+about: If you need support or are running into some trouble
+title: ''
+labels: support
+assignees: ''
+
+---
+**Slack us first!**
+The easiest and fastest way to help you is via Slack. There's a free and easy signup to join our #defectdojo channel in the OWASP Slack workspace: [Get Access.](https://owasp-slack.herokuapp.com/)
+If you're confident you've found a bug, or are allergic to Slack, you can submit an issue anyway.
+
+**Be informative**
+Please enter as much information as possible, otherwise we can't provide support. If possible upgrade to the latest release or dev branch and try again.
+
+**Problem description**
+A clear and concise description of what the problem is. For errors include at least the exact error message you are seeing (including traceback).
+
+**Steps to reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Deployment method** *(select with an `X`)*
+- [ ] Docker Compose
+- [ ] Kubernetes
+- [ ] GoDojo
+
+**Environment information**
+ - Operating System: [e.g. Ubuntu 18.04]
+ - DefectDojo version (see footer) or commit message: [use `git show -s --format="[%ci] %h: %s [%d]"`]
+
+**Logs** 
+Use `docker-compose logs` (or similar, depending on your deployment method) to get the logs and add the relevant sections here showing the error occurring (if applicable).
+
+**Sample scan files**
+If applicable, add sample scan files to help reproduce your problem.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context** (optional)
+Add any other context about the problem here.

.github/labeler.yml

@@ -1,28 +1,62 @@
+---
 docs:
-- docs/**/*
-- readme-docs/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - docs/**/*
+      - readme-docs/**/*
 
 docker:
-- docker/**/*
-- docker**
-- Docker*
+  - changed-files:
+    - any-glob-to-any-file:
+      - docker/**/*
+      - docker**
+      - Docker*
+
+helm:
+  - changed-files:
+    - any-glob-to-any-file:
+      - helm/defectdojo/*
+      - helm/defectdojo/**/*
 
 "New Migration":
-- dojo/db_migrations/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - dojo/db_migrations/*
 
 unittests:
-- unittests/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - unittests/**/*
 
 integration_tests:
-- tests/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - tests/**/*
 
 settings_changes:
-- dojo/settings/settings.dist.py
+  - changed-files:
+    - any-glob-to-any-file:
+      - dojo/settings/settings.dist.py
 
 apiv2:
-- dojo/api_v2/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - dojo/api_v2/**/*
 
 ui:
-  - dojo/static/**/*
-  - dojo/templates/**/*
-  - dojo/templatetags/**/*
+  - changed-files:
+    - any-glob-to-any-file:
+      - dojo/static/**/*
+      - dojo/templates/**/*
+      - dojo/templatetags/**/*
+
+parser:
+  - changed-files:
+    - any-glob-to-any-file:
+      - dojo/tools/**/*
+
+localization:
+  - changed-files:
+    - any-glob-to-any-file:
+      - dojo/locale/*
+      - dojo/locale/**/*

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md → .github/pull_request_template.md

@@ -1,7 +1,12 @@
+## :warning: Note on feature completeness :warning:
+
+We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
+https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
+
 **Description**
 
 Describe the feature / bug fix implemented by this PR.
-If this is a new parser, [the parser guide](https://defectdojo.github.io/django-DefectDojo/contributing/how-to-write-a-parser/) may be worth (re)reading.
+If this is a new parser, [the parser guide](https://documentation.defectdojo.com/contributing/how-to-write-a-parser/) may be worth (re)reading.
 
 **Test results**
 
@@ -16,12 +21,12 @@ Please update any documentation when needed in the [documentation folder](https:
 
 This checklist is for your information.
 
-- [ ] Features/Changes/Bugfixes should be submitted against the `dev` branch by default.
 - [ ] Make sure to rebase your PR against the very latest `dev`.
-- [ ] Hotfixes should be submitted against master (urgent bugfixes requiring a hotfix release).
+- [ ] Features/Changes should be submitted against the `dev`.
+- [ ] Bugfixes should be submitted against the `bugfix` branch.
 - [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
 - [ ] Your code is flake8 compliant.
-- [ ] Your code is python 3.6 compliant (specific python >3.6 syntax is currently not accepted).
+- [ ] Your code is python 3.11 compliant.
 - [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
 - [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.
 - [ ] Add applicable tests to the unit tests.

.github/release-drafter.yml

@@ -1,7 +1,9 @@
-name-template: '$NEXT_MINOR_VERSION 🌈'
-tag-template: '$NEXT_MINOR_VERSION'
+name-template: '$RESOLVED_VERSION 🌈'
+tag-template: '$RESOLVED_VERSION'
+
 branches:
   - master
+
 categories:
   - title: '💣 Breaking changes'
     labels:
@@ -35,17 +37,33 @@ categories:
       - 'bug'
   - title: 📝 Documentation updates
     label: 'documentation'
+  - title: '🖌 Updates in UI'
+    label: 'ui'
+  - title: '🗣 Updates in localization'
+    label: 'localization'
   - title: '🧰 Maintenance'
+    collapse-after: 3
     labels:
       - 'dependencies'
       - 'maintenance'
-  - title: '🖌 Updates in UI'
-    label: 'ui'
 exclude-labels:
-  - 'skip-changelog'      
+  - 'skip-changelog'
+
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
 template: |
-  Please consult the [Upgrade notes in the documentation ](https://defectdojo.github.io/django-DefectDojo/getting_started/upgrading/) for specific instructions for this release, and general upgrade instructions. Below is an automatically generated list of all PRs merged since the previous release.
-  
+  Please consult the [Upgrade notes in the documentation ](https://documentation.defectdojo.com/getting_started/upgrading/) for specific instructions for this release, and general upgrade instructions. Below is an automatically generated list of all PRs merged since the previous release.
+
   ## Changes since $PREVIOUS_TAG
   $CHANGES
+
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch

.github/workflows/build-docker-images-for-testing.yml

@@ -0,0 +1,54 @@
+name: "Build Docker Images For Testing"
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  build:
+    # build with docker so we can use layer caching
+    name: Build Docker Images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        docker-image: [django, nginx, integration-tests]
+        os: [alpine, debian]
+        exclude:
+          - docker-image: integration-tests
+            os: alpine
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Read Docker Image Identifiers
+        id: read-docker-image-identifiers
+        run: echo "IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          buildkitd-flags: --debug
+          driver-opts: image=moby/buildkit:master # needed to get the fix for https://github.com/moby/buildkit/issues/2426
+
+      - name: Build
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: defectdojo/defectdojo-${{ matrix.docker-image }}:${{ matrix.os }}
+          file: Dockerfile.${{ matrix.docker-image }}-${{ matrix.os }}
+          outputs: type=docker,dest=${{ matrix.docker-image }}-${{ matrix.os }}_img
+          cache-from: type=gha,scope=${{ matrix.docker-image }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.docker-image }}
+
+      # export docker images to be used in next jobs below
+      - name: Upload image ${{ matrix.docker-image }} as artifact
+        uses:  actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.docker-image }}
+          path: ${{ matrix.docker-image }}-${{ matrix.os }}_img
+          retention-days: 1

.github/workflows/cancel-outdated-workflow-runs.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@0.9.1
+      - uses: styfle/cancel-workflow-action@0.12.1
         with:
           workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml'
           access_token: ${{ github.token }}

.github/workflows/detect-merge-conflicts.yaml

@@ -1,10 +1,11 @@
 name: "Detect Merge Conflicts"
 on:
   workflow_dispatch:
-  push:
-    branch:
+  pull_request:
+    branches:
       - dev
       - master
+      - bugfix
       - release/*
 
   pull_request_target: