Merge branch 'dev' into master-into-dev/2.30.2-2.31.0-dev

DefectDojo · Jan 16, 2024 · 5f7688c · 5f7688c
2 parents 0fe316f + eb81636
commit 5f7688c
Show file tree

Hide file tree

Showing 54 changed files with 23,993 additions and 136 deletions.
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
@@ -78,7 +78,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Minikube
-        uses: manusa/actions-setup-minikube@v2.9.0
+        uses: manusa/actions-setup-minikube@v2.10.0
         with:
           minikube version: 'v1.24.0'
           kubernetes version: ${{ matrix.k8s }}

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -138,7 +138,7 @@ services:
     volumes:
       - defectdojo_data:/var/lib/mysql
   postgres:
-    image: postgres:16.1-alpine@sha256:a1b267d05ee39210d162185f52645687c7e63fbe25b8c58ccd7f81f0a7e2ad97
+    image: postgres:16.1-alpine@sha256:884718395ee967fc70374563f3b4d72f0c61f48f81868decb9fa452915fe070e
     profiles: 
       - postgres-rabbitmq
       - postgres-redis
@@ -149,14 +149,14 @@ services:
     volumes:
       - defectdojo_postgres:/var/lib/postgresql/data
   rabbitmq:
-    image: rabbitmq:3.12.11-alpine@sha256:382561a75b70c00e4ae0f1788a1a6b032eace5073abadb25547496879c65c7c2
+    image: rabbitmq:3.12.12-alpine@sha256:9ab2478b7f459334d0afb70fb5dfce2d3e74152cfa3c82913843798f03b40f72
     profiles: 
       - mysql-rabbitmq
       - postgres-rabbitmq
     volumes:
        - defectdojo_rabbitmq:/var/lib/rabbitmq
   redis:
-    image: redis:7.2.3-alpine@sha256:090276da2603db19b154602c374f505d94c10ea57e9749fc3e68e955284bf0fd
+    image: redis:7.2.4-alpine@sha256:995e6eaab954e92cadf1a0bb1eab71ae3baae8e02ea4354fd8aa136a61e42247
     profiles: 
       - mysql-redis
       - postgres-redis

diff --git a/docs/content/en/getting_started/upgrading/2.31.md b/docs/content/en/getting_started/upgrading/2.31.md
@@ -0,0 +1,7 @@
+---
+title: 'Upgrading to DefectDojo Version 2.31.x'
+toc_hide: true
+weight: -20240102
+description: No special instructions.
+---
+There are no special instructions for upgrading to 2.31.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.31.0) for the contents of the release.
diff --git a/docs/content/en/integrations/source-code-repositories.md b/docs/content/en/integrations/source-code-repositories.md
@@ -7,18 +7,47 @@ weight: 5
 
 Findings can have a filepath and a line number as the location of the vulnerability. This is typically set when scanning an application with a Static Application Security Test (SAST) tool. If the repository of the source code is specified in the Engagement, DefectDojo will present the filepath as a link and the user can navigate directly to the location of the vulnerability.
 
-## Setting the repository in the Engagement
+## Setting the repository in the Engagement and Test
 
-While editing the Engagement, users can set the URL of the repo. It needs to be the URL including the branch, e.g. https://github.com/DefectDojo/django-DefectDojo/tree/dev (GitHub) or https://gitlab.com/gitlab-org/gitlab/-/tree/master (GitLab).
+### Engagement
+While editing the Engagement, users can set the URL of the specific SCM repo. 
+For Interactive Engagement it needs to be the URL including the branch:
+- for GitHub - like https://github.com/DefectDojo/django-DefectDojo/tree/dev
+![Edit Engagement (GitHub)](../../../static/images/source-code-repositories_1.png)
+- for GitLab - like https://gitlab.com/gitlab-org/gitlab/-/tree/master
+![Edit Engagement (Gitlab)](../../../static/images/source-code-repositories-gitlab_1.png)
+- for public BitBucket - like    (like git clone url)
+![Edit Engagement (Bitbucket public)](../../../static/images/source-code-repositories-bitbucket_1.png)
+- for standalone/onpremise BitBucket https://bb.example.com/scm/some-project/some-repo.git or https://bb.example.com/scm/some-user-name/some-repo.git for user public repo (like git clone url)
+![Edit Engagement (Bitbucket standalone)](../../../static/images/source-code-repositories-bitbucket-onpremise_1.png)
+
+For CI/CD Engagement, where user could set commit hash, branch/tag and code line it should look like examples below:
+- for GitHub - like https://github.com/DefectDojo/django-DefectDojo 
+- for GitLab - like https://gitlab.com/gitlab-org/gitlab
+- for public BitBucket - like https://bitbucket.org/some-user/some-project.git (like git clone url)
+- for standalone/onpremise BitBucket https://bb.example.com/scm/some-project.git or https://bb.example.com/scm/some-user-name/some-repo.git for user public repo (like git clone url)
+
+If user does not set commit hash or branch/tag in appropriate fields of CI/CD Engagement edit form, the URL should look like in Interactive Engagement edit form.
+
+SCM navigation URL is composed from Repo URL using SCM Type. Github/Gitlab SCM type is default, but user could set certain SCM type in Product custom field "scm-type".
+
+Product custom fields:
+
+![Product custom fields](../../../static/images/product-custom-fields_1.png)
+
+Product SCM type add:
+
+![Product scm type](../../../static/images/product-scm-type_1.png)
+
+Possible SCM types could be 'github', 'gitlab', 'bitbucket', 'bitbucket-standalone' or nothing (for default github).
 
-![Edit Engagement](../../images/source-code-repositories_1.png)
 
 ## Link in Finding
 
 When viewing a finding, the location will be presented as a link, if the repository of the source code has been set in the Engagement:
 
-![Link to location](../../images/source-code-repositories_2.png)
+![Link to location](../../../static/images/source-code-repositories_2.png)
 
 Clicking on this link will open a new tab in the browser, with the source file of the vulnerability at the corresponding line number:
 
-![View in repository](../../images/source-code-repositories_3.png)
+![View in repository](../../../static/images/source-code-repositories_3.png)
diff --git a/docs/package-lock.json b/docs/package-lock.json
diff --git a/docs/package.json b/docs/package.json
@@ -1,6 +1,6 @@
 {
   "devDependencies": {
-    "postcss": "8.4.32",
+    "postcss": "8.4.33",
     "autoprefixer": "10.4.16",
     "postcss-cli": "10.1.0"
   }

diff --git a/docs/static/images/product-custom-fields_1.png b/docs/static/images/product-custom-fields_1.png
diff --git a/docs/static/images/product-scm-type_1.png b/docs/static/images/product-scm-type_1.png
diff --git a/docs/static/images/source-code-repositories-bitbucket-onpremise_1.png b/docs/static/images/source-code-repositories-bitbucket-onpremise_1.png
diff --git a/docs/static/images/source-code-repositories-bitbucket_1.png b/docs/static/images/source-code-repositories-bitbucket_1.png
diff --git a/docs/static/images/source-code-repositories-gitlab_1.png b/docs/static/images/source-code-repositories-gitlab_1.png
diff --git a/dojo/announcement/signals.py b/dojo/announcement/signals.py
@@ -22,3 +22,16 @@ def add_announcement_to_new_user(sender, instance, **kwargs):
                 UserAnnouncement.objects.get_or_create(
                     user=dojo_user, announcement=announcement
                 )
+
+
+@receiver(post_save, sender=Announcement)
+def announcement_post_save(sender, instance, created, **kwargs):
+    if created:
+        UserAnnouncement.objects.bulk_create(
+            [
+                UserAnnouncement(
+                    user=user_id, announcement=instance
+                )
+                for user_id in Dojo_User.objects.all()
+            ]
+        )
diff --git a/dojo/announcement/views.py b/dojo/announcement/views.py
@@ -9,7 +9,7 @@
 from dojo.utils import add_breadcrumb
 
 from dojo.forms import AnnouncementCreateForm, AnnouncementRemoveForm
-from dojo.models import Announcement, UserAnnouncement, Dojo_User
+from dojo.models import Announcement, UserAnnouncement
 from dojo.authorization.authorization_decorators import (
     user_is_configuration_authorized,
 )
@@ -50,15 +50,6 @@ def configure_announcement(request):
             announcement.style = form.cleaned_data["style"]
             announcement.dismissable = form.cleaned_data["dismissable"]
             announcement.save()
-            if created:
-                UserAnnouncement.objects.bulk_create(
-                    [
-                        UserAnnouncement(
-                            user=user_id, announcement=announcement
-                        )
-                        for user_id in Dojo_User.objects.all()
-                    ]
-                )
             messages.add_message(
                 request,
                 messages.SUCCESS,

diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -86,6 +86,7 @@
     Answered_Survey,
     General_Survey,
     Check_List,
+    Announcement,
 )
 
 from dojo.tools.factory import (
@@ -2130,6 +2131,10 @@ class ImportScanSerializer(serializers.Serializer):
     product_type_id = serializers.IntegerField(read_only=True)
 
     statistics = ImportStatisticsSerializer(read_only=True, required=False)
+    apply_tags_to_findings = serializers.BooleanField(
+        help_text="If set to True, the tags will be applied to the findings",
+        required=False,
+    )
 
     def save(self, push_to_jira=False):
         data = self.validated_data
@@ -2148,6 +2153,7 @@ def save(self, push_to_jira=False):
         commit_hash = data.get("commit_hash", None)
         api_scan_configuration = data.get("api_scan_configuration", None)
         service = data.get("service", None)
+        apply_tags_to_findings = data.get("apply_tags_to_findings", False)
         source_code_management_uri = data.get(
             "source_code_management_uri", None
         )
@@ -2240,6 +2246,7 @@ def save(self, push_to_jira=False):
                 service=service,
                 title=test_title,
                 create_finding_groups_for_all_findings=create_finding_groups_for_all_findings,
+                apply_tags_to_findings=apply_tags_to_findings,
             )
 
             if test:
@@ -2408,6 +2415,10 @@ class ReImportScanSerializer(TaggitSerializer, serializers.Serializer):
     product_type_id = serializers.IntegerField(read_only=True)
 
     statistics = ImportStatisticsSerializer(read_only=True, required=False)
+    apply_tags_to_findings = serializers.BooleanField(
+        help_text="If set to True, the tags will be applied to the findings",
+        required=False
+    )
 
     def save(self, push_to_jira=False):
         logger.debug("push_to_jira: %s", push_to_jira)
@@ -2420,6 +2431,7 @@ def save(self, push_to_jira=False):
         close_old_findings_product_scope = data.get(
             "close_old_findings_product_scope"
         )
+        apply_tags_to_findings = data.get("apply_tags_to_findings", False)
         do_not_reactivate = data.get("do_not_reactivate", False)
         version = data.get("version", None)
         build_id = data.get("build_id", None)
@@ -2520,6 +2532,7 @@ def save(self, push_to_jira=False):
                     service=service,
                     do_not_reactivate=do_not_reactivate,
                     create_finding_groups_for_all_findings=create_finding_groups_for_all_findings,
+                    apply_tags_to_findings=apply_tags_to_findings,
                 )
 
                 if test_import:
@@ -2957,6 +2970,9 @@ class NotificationsSerializer(serializers.ModelSerializer):
     sla_breach = MultipleChoiceField(
         choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION
     )
+    sla_breach_combined = MultipleChoiceField(
+        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION
+    )
     risk_acceptance_expiration = MultipleChoiceField(
         choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION
     )
@@ -3147,3 +3163,20 @@ class QuestionnaireGeneralSurveySerializer(serializers.ModelSerializer):
     class Meta:
         model = General_Survey
         fields = "__all__"
+
+
+class AnnouncementSerializer(serializers.ModelSerializer):
+
+    class Meta:
+        model = Announcement
+        fields = "__all__"
+
+    def create(self, validated_data):
+        validated_data["id"] = 1
+        try:
+            return super().create(validated_data)
+        except IntegrityError as e:
+            if 'duplicate key value violates unique constraint "dojo_announcement_pkey"' in str(e):
+                raise serializers.ValidationError("No more than one Announcement is allowed")
+            else:
+                raise
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
@@ -82,6 +82,7 @@
     Answered_Survey,
     General_Survey,
     Check_List,
+    Announcement,
 )
 from dojo.endpoint.views import get_endpoint_ids
 from dojo.reports.views import (
@@ -3777,3 +3778,14 @@ class QuestionnaireAnsweredSurveyViewSet(
         ],
         serializers.QuestionnaireAnsweredSurveySerializer,
     ).to_schema()
+
+
+# Authorization: configuration
+class AnnouncementViewSet(
+    DojoModelViewSet
+):
+    serializer_class = serializers.AnnouncementSerializer
+    queryset = Announcement.objects.all()
+    filter_backends = (DjangoFilterBackend,)
+    filterset_fields = "__all__"
+    permission_classes = (permissions.UserHasConfigurationPermissionStaff,)
diff --git a/dojo/db_migrations/0195_alter_announcement_dismissable.py b/dojo/db_migrations/0195_alter_announcement_dismissable.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.1.13 on 2023-12-05 12:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0194_alter_finding_component_name'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='announcement',
+            name='dismissable',
+            field=models.BooleanField(blank=True, default=False, help_text='Ticking this box allows users to dismiss the current announcement', verbose_name='Dismissable?'),
+        ),
+    ]
diff --git a/dojo/db_migrations/0196_notifications_sla_breach_combined.py b/dojo/db_migrations/0196_notifications_sla_breach_combined.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.1.10 on 2023-09-12 11:29
+
+from django.db import migrations
+import multiselectfield.db.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0195_alter_announcement_dismissable'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='notifications',
+            name='sla_breach_combined',
+            field=multiselectfield.db.fields.MultiSelectField(blank=True, choices=[('slack', 'slack'), ('msteams', 'msteams'), ('mail', 'mail'), ('alert', 'alert')], default=('alert', 'alert'), help_text='Get notified of (upcoming) SLA breaches (a message per project)', max_length=24, verbose_name='SLA breach (combined)'),
+        ),
+    ]
diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py
@@ -670,6 +670,7 @@ def post(self, request, eid=None, pid=None):
             api_scan_configuration = form.cleaned_data.get('api_scan_configuration', None)
             service = form.cleaned_data.get('service', None)
             close_old_findings = form.cleaned_data.get('close_old_findings', None)
+            apply_tags_to_findings = form.cleaned_data.get('apply_tags_to_findings', False)
             # close_old_findings_prodct_scope is a modifier of close_old_findings.
             # If it is selected, close_old_findings should also be selected.
             close_old_findings_product_scope = form.cleaned_data.get('close_old_findings_product_scope', None)
@@ -736,7 +737,7 @@ def post(self, request, eid=None, pid=None):
                             minimum_severity=minimum_severity, endpoints_to_add=list(form.cleaned_data['endpoints']) + added_endpoints, scan_date=scan_date,
                             version=version, branch_tag=branch_tag, build_id=build_id, commit_hash=commit_hash, push_to_jira=push_to_jira,
                             close_old_findings=close_old_findings, close_old_findings_product_scope=close_old_findings_product_scope, group_by=group_by, api_scan_configuration=api_scan_configuration, service=service,
-                            create_finding_groups_for_all_findings=create_finding_groups_for_all_findings)
+                            create_finding_groups_for_all_findings=create_finding_groups_for_all_findings, apply_tags_to_findings=apply_tags_to_findings)
 
                 message = f'{scan_type} processed a total of {finding_count} findings'