Merge pull request #9344 from DefectDojo/master-into-dev/2.30.2-2.31.…

…0-dev

Release: Merge back 2.30.2 into dev from: master-into-dev/2.30.2-2.31.0-dev

.github/workflows/fetch-oas.yml

@@ -13,22 +13,20 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
-      # load docker images from build jobs
-      - name: Load images from artifacts
-        uses: actions/download-artifact@v3
+        with:
+          ref: ${{github.event.inputs.version}}
 
       - name: Load docker images
         run: |-
-             docker load -i nginx/nginx-alpine_img
-             docker load -i django/django-alpine_img
+             docker pull defectdojo/defectdojo-django:${{github.event.inputs.version}}-alpine
+             docker pull defectdojo/defectdojo-nginx:${{github.event.inputs.version}}-alpine
              docker images
 
       - name: Start Dojo
         run: docker-compose --profile postgres-redis --env-file ./docker/environments/postgres-redis.env up --no-deps -d postgres nginx uwsgi
         env:
-          DJANGO_VERSION: alpine
-          NGINX_VERSION: alpine
+          DJANGO_VERSION: ${{github.event.inputs.version}}-alpine
+          NGINX_VERSION: ${{github.event.inputs.version}}-alpine
 
       - name: Download OpenAPI Specifications
         run: |-

.github/workflows/release-drafter.yml

@@ -15,12 +15,7 @@ on:
       - master
 
 jobs:
-  build-docker-containers:
-    uses: ./.github/workflows/build-docker-images-for-testing.yml
-    secrets: inherit
-
   oas-fetch:
-    needs: build-docker-containers
     uses: ./.github/workflows/fetch-oas.yml
     secrets: inherit
 

docs/content/en/contributing/how-to-write-a-parser.md

@@ -325,4 +325,12 @@ If you want to take a look at previous parsers that are now part of DefectDojo,
 
 ## Update the import page documentation
 
-Please update [`docs/content/en/integrations/parsers.md`] with the details of your new parser.
+Please add a new .md file in [`docs/content/en/integrations/parsers`] with the details of your new parser.  Include the following content headings:
+
+* Acceptable File Type(s) - please include how to generate this type of file from the related tool, as some tools have multiple methods or require specific commands.
+* An example unit test block, if applicable.
+* A link to the relevant unit tests folder so that users can quickly navigate there from Documentation.
+* A link to the scanner itself - (e.g. GitHub or vendor link)
+
+Here is an example of a completed Parser documentation page: https://defectdojo.github.io/django-DefectDojo/integrations/parsers/file/awssecurityhub/
+

docs/content/en/contributing/parser-documentation-template.md

@@ -0,0 +1,20 @@
+---
+title: "Parser Documentation Template"
+toc_hide: true
+weight: 1
+---
+
+Use this template as part of writing a new parser.  
+
+* Copy this .md file and add it to docs/integrations/parsers/file in the GitHub repository
+* Update the title to match the name of your new parser
+* Fill out all sections listed below
+
+### File Types
+Specify all file types accepted by your parser.  Include a process for creating the acceptable file from the related security tool.
+
+### Sample Scan Data / Unit Tests
+Add a link to the relevant unit tests or sample scan data folder in the GitHub repository.
+
+### Link To Tool
+A link to the scanner itself - (e.g. GitHub or appropriate vendor link)

docs/content/en/integrations/parsers/file/jfrog_xray_api_summary_artifact.md

@@ -2,4 +2,12 @@
 title: "JFrog Xray API Summary Artifact Scan"
 toc_hide: true
 ---
-Import the JSON format from the Arifact Summary API call https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-ArtifactSummary  
+
+### File Types
+Accepts a JSON File, generated from the JFrog Artifact Summary API Call.
+
+### Sample Scan Data / Unit Tests
+See unit test example: https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/jfrog_xray_api_summary_artifact/one_vuln.json
+
+### Link To Tool
+See JFrog Documentation: https://jfrog.com/help/r/jfrog-rest-apis/summary

dojo/models.py

@@ -1706,7 +1706,6 @@ def active_findings(self):
             mitigated__isnull=True,
             false_p=False,
             duplicate=False,
-            status_finding__mitigated=False,
             status_finding__false_positive=False,
             status_finding__out_of_scope=False,
             status_finding__risk_accepted=False
@@ -1721,7 +1720,6 @@ def active_verified_findings(self):
             mitigated__isnull=True,
             false_p=False,
             duplicate=False,
-            status_finding__mitigated=False,
             status_finding__false_positive=False,
             status_finding__out_of_scope=False,
             status_finding__risk_accepted=False
@@ -1776,7 +1774,6 @@ def host_active_findings(self):
             mitigated__isnull=True,
             false_p=False,
             duplicate=False,
-            status_finding__mitigated=False,
             status_finding__false_positive=False,
             status_finding__out_of_scope=False,
             status_finding__risk_accepted=False,
@@ -1792,7 +1789,6 @@ def host_active_verified_findings(self):
             mitigated__isnull=True,
             false_p=False,
             duplicate=False,
-            status_finding__mitigated=False,
             status_finding__false_positive=False,
             status_finding__out_of_scope=False,
             status_finding__risk_accepted=False,

dojo/templates/dojo/findings_list_snippet.html

@@ -616,10 +616,17 @@ <h3 class="has-filters">
                                             {% endif %}
                                         </td>
                                         <td>
-                                            <a target="#"
-                                            data-toggle="tooltip"
-                                            data-placement="bottom"
-                                            title="Test: {{ finding.test }}">{{ finding.found_by.all|join:", " }}</a>
+                                            {% if finding.found_by %}
+                                                <a target="#"
+                                                data-toggle="tooltip"
+                                                data-placement="bottom"
+                                                title="Test: {{ finding.test }}">{{ finding.found_by.all|join:", " }}</a>
+                                            {% else %}
+                                                <a target="#"
+                                                data-toggle="tooltip"
+                                                data-placement="bottom"
+                                                title="Test: {{ finding.test }}">{{ finding.test.test_type }}</a>
+                                            {% endif %}
                                         </td>
                                         <td class="nowrap">
                                             {{ finding|finding_display_status|safe }}&nbsp;{{ finding|import_history }}

dojo/templates/dojo/view_finding.html

@@ -421,9 +421,15 @@ <h3 class="pull-left finding-title">
                             {% endif %}
                         {% endif %}
                         </td>
-                        <td> {% for scanner in found_by %}
-                            {{ scanner }}
-                        {% endfor %}</td>
+                        <td> 
+                            {% if found_by %}
+                                {% for scanner in found_by %}
+                                    {{ scanner }}
+                                {% endfor %}
+                            {% else %}
+                                {{ finding.test.test_type }}
+                            {% endif %}
+                        </td>
                         {% endwith %}
                         {% if finding.vuln_id_from_tool %}
                             <td>{{ finding.vuln_id_from_tool }}</td>

dojo/tools/veracode/json_parser.py

@@ -43,11 +43,11 @@ class VeracodeJSONParser(object):
 
     # This mapping was found here: https://docs.veracode.com/r/c_integrated_license_agent
     license_mapping = {
+        0: ("Non OSS", "Non-OSS indicates that this file could be subject to commercial license terms. If so, you should refer to your applicable license agreement with such vendor for additional information."),
         1: ("Unrecognized", "Unrecognized indicates that no license was found for the component. However, this does not indicate that there is no risk associated with the license."),
         2: ("Low", "Low-risk licenses are typically permissive licenses that require you to preserve the copyright and license notices, but allow distribution under different terms without disclosing source code."),
         3: ("Medium", "Medium-risk licenses are typically weak copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications under the same terms."),
         4: ("High", "High-risk licenses are typically strong copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications under the same terms."),
-        5: ("Non OSS", "Non-OSS indicates that this file could be subject to commercial license terms. If so, you should refer to your applicable license agreement with such vendor for additional information."),
     }
 
     def get_findings(self, json_output, test):

helm/defectdojo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.31.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.105-dev
+version: 1.6.106-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap

unittests/test_endpoint_model.py

@@ -328,25 +328,25 @@ def test_status_evaluation(self):
 
         with self.subTest('Endpoint with vulnerabilities but all of them are mitigated because of different reasons'):
             self.assertEqual(ep2.findings_count, 4, ep2.findings.all())
-            self.assertEqual(ep2.active_findings_count, 0, ep2.active_findings)
-            self.assertFalse(ep2.vulnerable, ep2.active_findings_count)
-            self.assertTrue(ep2.mitigated, ep2.active_findings_count)
+            self.assertEqual(ep2.active_findings_count, 1, ep2.active_findings)
+            self.assertTrue(ep2.vulnerable, ep2.active_findings_count)
+            self.assertFalse(ep2.mitigated, ep2.active_findings_count)
 
         with self.subTest('Host without vulnerabilities'):
             self.assertEqual(ep1.host_endpoints_count, 2, ep1.host_endpoints)
             self.assertEqual(ep2.host_endpoints_count, 2, ep2.host_endpoints)
             self.assertEqual(ep1.host_findings_count, 4, ep1.host_findings)
             self.assertEqual(ep2.host_findings_count, 4, ep2.host_findings)
-            self.assertEqual(ep1.host_active_findings_count, 0, ep1.host_active_findings)
-            self.assertEqual(ep2.host_active_findings_count, 0, ep2.host_active_findings)
+            self.assertEqual(ep1.host_active_findings_count, 1, ep1.host_active_findings)
+            self.assertEqual(ep2.host_active_findings_count, 1, ep2.host_active_findings)
             self.assertEqual(ep1.host_mitigated_endpoints_count, 1, ep1.host_mitigated_endpoints)
             self.assertEqual(ep2.host_mitigated_endpoints_count, 1, ep2.host_mitigated_endpoints)
 
         with self.subTest('Endpoint with one vulnerabilitiy but EPS is mitigated'):
             self.assertEqual(ep3.findings_count, 1, ep3.findings.all())
-            self.assertEqual(ep3.active_findings_count, 0, ep3.active_findings)
-            self.assertFalse(ep3.vulnerable, ep3.active_findings_count)
-            self.assertTrue(ep3.mitigated, ep3.active_findings_count)
+            self.assertEqual(ep3.active_findings_count, 1, ep3.active_findings)
+            self.assertTrue(ep3.vulnerable, ep3.active_findings_count)
+            self.assertFalse(ep3.mitigated, ep3.active_findings_count)
 
         with self.subTest('Endpoint with one vulnerability'):
             self.assertEqual(ep4.findings_count, 1, ep4.findings.all())
@@ -367,9 +367,9 @@ def test_status_evaluation(self):
             self.assertEqual(ep3.host_findings_count, 2, ep3.host_findings)
             self.assertEqual(ep4.host_findings_count, 2, ep4.host_findings)
             self.assertEqual(ep5.host_findings_count, 2, ep5.host_findings)
-            self.assertEqual(ep3.host_active_findings_count, 1, ep3.host_active_findings)
-            self.assertEqual(ep4.host_active_findings_count, 1, ep4.host_active_findings)
-            self.assertEqual(ep5.host_active_findings_count, 1, ep5.host_active_findings)
+            self.assertEqual(ep3.host_active_findings_count, 2, ep3.host_active_findings)
+            self.assertEqual(ep4.host_active_findings_count, 2, ep4.host_active_findings)
+            self.assertEqual(ep5.host_active_findings_count, 2, ep5.host_active_findings)
             self.assertEqual(ep3.host_mitigated_endpoints_count, 2, ep3.host_mitigated_endpoints)
             self.assertEqual(ep4.host_mitigated_endpoints_count, 2, ep4.host_mitigated_endpoints)
             self.assertEqual(ep5.host_mitigated_endpoints_count, 2, ep5.host_mitigated_endpoints)

unittests/test_parsers.py

@@ -1,5 +1,6 @@
 from .dojo_test_case import DojoTestCase, get_unit_tests_path
 import os
+import re
 
 basedir = os.path.join(get_unit_tests_path(), '..')
 
@@ -26,7 +27,15 @@ def test_file_existence(self):
                     self.assertTrue(
                         os.path.isfile(doc_file),
                         f"Documentation file '{doc_file}' is missing or using different name"
-                    )
+                                    )
+
+                    content = open(doc_file).read()
+                    self.assertTrue(re.search("title:", content),
+                                    f"Documentation file '{doc_file}' does not contain a title"
+                                    )
+                    self.assertTrue(re.search("toc_hide: true", content),
+                                    f"Documentation file '{doc_file}' does not contain toc_hide: true"
+                                    )
 
             if parser_dir.name not in [
                 # there is not exception for now