From 80264c7766a47e64f85c4b32e2465ee1a8a90904 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 23 Sep 2024 17:26:30 +0000
Subject: [PATCH 01/78] Update versions in application files

---
 components/package.json | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/components/package.json b/components/package.json
index 3299d3eb89..49f5862eec 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.38.3",
+ "version": "2.39.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 1e34a710be..1052b31209 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.38.3"
+appVersion: "2.39.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.151
+version: 1.6.152-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap

From feae4670357cb146edb25c99c11b15630f6cafa2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 25 Sep 2024 19:10:40 -0700
Subject: [PATCH 02/78] Bump uwsgi from 2.0.26 to 2.0.27 (#10954)

Bumps [uwsgi](https://uwsgi-docs.readthedocs.io/en/latest/) from 2.0.26 to 2.0.27.

---
updated-dependencies:
- dependency-name: uwsgi
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index b0c8e28b62..045484f9df 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -39,7 +39,7 @@ redis==5.0.8
 requests==2.32.3
 sqlalchemy==2.0.35 # Required by Celery broker transport
 urllib3==1.26.18
-uWSGI==2.0.26
+uWSGI==2.0.27
 vobject==0.9.7
 whitenoise==5.2.0
 titlecase==2.4.1

From 86d47d38ad7bd501418a0bea79122a5326f8efbe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 25 Sep 2024 19:11:38 -0700
Subject: [PATCH 03/78] Bump boto3 from 1.35.24 to 1.35.26 (#10958)

Bumps [boto3](https://github.com/boto/boto3) from 1.35.24 to 1.35.26.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.35.24...1.35.26)

---
updated-dependencies:
- dependency-name: boto3
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 045484f9df..3df0570a08 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.3
 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support
-boto3==1.35.24 # Required for Celery Broker AWS (SQS) support
+boto3==1.35.26 # Required for Celery Broker AWS (SQS) support
 netaddr==1.3.0
 vulners==2.2.1
 fontawesomefree==6.6.0

From ae39ad9f43a97456f0187cf8dc0d2d11432a28b4 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Thu, 26 Sep 2024 20:09:17 +0200
Subject: [PATCH 04/78] :bug: fix AWSSecurityHub EPSS Score #10956 (#10959)

* :bug: fix AWSSecurityHub EPSS Score #10956
* fix
* fix

---
 dojo/tools/awssecurityhub/inspector.py | 5 +-
 .../scans/awssecurityhub/issue_10956.json | 113 ++++++++++++++++++
 unittests/tools/test_awssecurityhub_parser.py | 8 ++
 3 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 unittests/scans/awssecurityhub/issue_10956.json

diff --git a/dojo/tools/awssecurityhub/inspector.py b/dojo/tools/awssecurityhub/inspector.py
index 60c27e0b60..61b18be5bf 100644
--- a/dojo/tools/awssecurityhub/inspector.py
+++ b/dojo/tools/awssecurityhub/inspector.py
@@ -12,7 +12,10 @@ def get_item(self, finding: dict, test):
 impact = []
 references = []
 unsaved_vulnerability_ids = []
- epss_score = None
+ if finding.get("EpssScore") is not None:
+ epss_score = finding.get("EpssScore")
+ else:
+ epss_score = None
 description = f"This is an Inspector Finding\n{finding.get('Description', '')}" + "\n"
 description += f"**AWS Finding ARN:** {finding_id}\n"
 description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
diff --git a/unittests/scans/awssecurityhub/issue_10956.json b/unittests/scans/awssecurityhub/issue_10956.json
new file mode 100644
index 0000000000..d8a73cc33a
--- /dev/null
+++ b/unittests/scans/awssecurityhub/issue_10956.json
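Review bot: The four added lines in inspector.py reduce to `epss_score = finding.get("EpssScore")`, because `dict.get` already yields None when the key is absent and both branches assign exactly that value. The fixture and unit test added in this same commit carry the score as the string "0.00239" and assert string equality, so the value is stored without conversion; if the finding's epss_score field is numeric, the conversion (a guarded `float(...)`) belongs here rather than relying on the model to coerce text — worth confirming against the model, which is not visible in this hunk. get_item begins before the hunk.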
@@ -0,0 +1,113 @@
+{
+ "findings": [
+ {
+ "EpssScore": "0.00239",
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:inspector2:us-east-1:1234567:finding/12344bc",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
+ "ProductName": "Inspector",
+ "CompanyName": "Amazon",
+ "Region": "us-east-1",
+ "GeneratorId": "AWSInspector",
+ "AwsAccountId": "1234567",
+ "Types": [
+ "Software and Configuration Checks/Vulnerabilities/CVE"
+ ],
+ "FirstObservedAt": "2024-07-30T12:17:32.646Z",
+ "LastObservedAt": "2024-09-18T05:16:44.106Z",
+ "CreatedAt": "2024-07-30T12:17:32.646Z",
+ "UpdatedAt": "2024-09-18T05:16:44.106Z",
+ "Severity": {
+ "Label": "MEDIUM",
+ "Normalized": 50
+ },
+ "Title": "CVE-2024-123 - fdd",
+ "Description": "A vulnerability was found in sdd.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "None Provided"
+ }
+ },
+ "ProductFields": {
+ "aws/inspector/FindingStatus": "ACTIVE",
+ "aws/inspector/inspectorScore": "5.1",
+ "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "AMAZON_LINUX_2023",
+ "aws/inspector/ProductVersion": "1",
+ "aws/inspector/instanceId": "i-1234xxyy",
+ "aws/securityhub/FindingId": "arn:aws:inspector2:us-east-1:1234567:finding/addfss",
+ "aws/securityhub/ProductName": "Inspector",
+ "aws/securityhub/CompanyName": "Amazon"
+ },
+ "Resources": [
+ {
+ "Type": "AwsEc2Instance",
+ "Id": "i-1234xxyy",
+ "Partition": "aws",
+ "Region": "us-east-1",
+ "Tags": {
+ "Name": "Name:xx-123-yy"
+ },
+ "Details": {
+ "AwsEc2Instance": {
+ "Type": "tt",
+ "ImageId": "ami-1234",
+ "IpV4Addresses": [
+ "0.0.0.0"
+ ],
+ "IamInstanceProfileArn": "arn:aws:iam::1234567:instance-profile/something",
+ "VpcId": "vpc-1234",
+ "SubnetId": "subnet-xxxxxxx",
+ "LaunchedAt": "2024-09-18T05:16:44.106Z"
+ }
+ }
+ }
+ ],
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE",
+ "Vulnerabilities": [
+ {
+ "Id": "CVE-2024-1234",
+ "VulnerablePackages": [
+ {
+ "Name": "aa",
+ "Version": "1.2.0",
+ "Architecture": "X86_64]",
+ "PackageManager": "OS",
+ "FixedInVersion": "abc[2.0]"
+ }
+ ],
+ "Cvss": [
+ {
+ "Version": "3.1",
+ "BaseScore": "7.5",
+ "BaseVector": "CVSS:9.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "Source": "NVD"
+ }
+ ],
+ "Vendor": {
+ "Name": "AMAZON_CVE",
+ "Url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-1234.json",
+ "VendorSeverity": "Medium",
+ "VendorCreatedAt": "2024-01-16T00:00:00Z",
+ "VendorUpdatedAt": "2024-09-18T05:16:44.106Z"
+ },
+ "ReferenceUrls": [
+ "https://alas.aws.amazon.com"
+ ],
+ "FixAvailable": "YES"
+ }
+ ],
+ "FindingProviderFields": {
+ "Severity": {
+ "Label": "MEDIUM"
+ },
+ "Types": [
+ "Software and Configuration Checks/Vulnerabilities/CVE"
+ ]
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/unittests/tools/test_awssecurityhub_parser.py b/unittests/tools/test_awssecurityhub_parser.py
index 14e53d3cce..9d05083eaf 100644
--- a/unittests/tools/test_awssecurityhub_parser.py
+++ b/unittests/tools/test_awssecurityhub_parser.py
@@ -126,3 +126,11 @@ def test_guardduty(self):
 endpoint = findings[0].unsaved_endpoints[0]
 self.assertEqual("AwsEc2Instance arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890", endpoint.host)
 self.assertEqual("This is a GuardDuty Finding\nAPIs commonly used in Discovery tactics were invoked by user AssumedRole : 123123123, under anomalous circumstances. Such activity is not typically seen from this user.\n**AWS Finding ARN:** arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/2123123123123\n**SourceURL:** [https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123](https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123)\n**AwsAccountId:** 123456789012\n**Region:** us-east-1\n**Generator ID:** arn:aws:guardduty:us-east-1:123456789012:detector/123456789\n", finding.description)
+
+ def test_issue_10956(self):
+ with open(get_unit_tests_path() + sample_path("issue_10956.json"), encoding="utf-8") as test_file:
+ parser = AwsSecurityHubParser()
+ findings = parser.get_findings(test_file, Test())
+ self.assertEqual(1, len(findings))
+ finding = findings[0]
+ self.assertEqual("0.00239", finding.epss_score)

From aa872c808a142bef8c80528a74e35d1a0f42c93d Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:56:41 -0500
Subject: [PATCH 05/78] Prefetch: Disable on some viewsets due to payload size (#10961)

---
 dojo/api_v2/views.py | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
index 76521f5e00..a2672e8726 100644
--- a/dojo/api_v2/views.py
+++ b/dojo/api_v2/views.py
@@ -298,6 +298,7 @@ def get_queryset(self):
 # Authorization: object-based
 # @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class EndPointViewSet(
 PrefetchDojoModelViewSet,
 ):
@@ -353,7 +354,8 @@ def generate_report(self, request, pk=None):
 # Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class EndpointStatusViewSet(
 PrefetchDojoModelViewSet,
 ):
@@ -382,7 +384,8 @@ def get_queryset(self):
 # Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class EngagementViewSet(
 PrefetchDojoModelViewSet,
 ra_api.AcceptedRisksMixin,
@@ -636,7 +639,8 @@ def download_file(self, request, file_id, pk=None):
 return generate_file_response(file_object)
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class RiskAcceptanceViewSet(
 PrefetchDojoModelViewSet,
 ):
@@ -735,7 +739,8 @@ def get_queryset(self):
 # Authorization: configuration
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class CredentialsMappingViewSet(
 PrefetchDojoModelViewSet,
 ):
@@ -1475,7 +1480,8 @@ def get_queryset(self):
 # Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class JiraIssuesViewSet(
 PrefetchDojoModelViewSet,
 ):
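Review bot: Every hunk in views.py except the first replaces a live decorator with a commented-out copy, `# @extend_schema_view(**schema_with_prefetch())`, so the module now keeps the same dead line next to the same explanation in nine places; the first hunk (EndPointViewSet) already had it commented out and only gains the explanatory comment. Keeping just the explanation, or a single line such as `# NOTE: prefetch schema intentionally omitted; nested models make the response schema too long for Swagger UI`, states the intent without code that readers and linters must skip over. If the decorator is meant to return once the schema size is addressed, a TODO naming the tracking issue would make that reversible from one place instead of nine. The same pattern continues in the remaining hunks of this file on the following line.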
@@ -1591,7 +1597,8 @@ def get_queryset(self):
 # Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class DojoMetaViewSet(
 PrefetchDojoModelViewSet,
 ):
@@ -1902,7 +1909,8 @@ def partial_update(self, request, pk=None):
 # Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class StubFindingsViewSet(
 PrefetchDojoModelViewSet,
 ):
@@ -1941,7 +1949,8 @@ def get_queryset(self):
 # Authorization: object-based
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class TestsViewSet(
 PrefetchDojoModelViewSet,
 ra_api.AcceptedRisksMixin,
@@ -2149,7 +2158,8 @@ def get_queryset(self):
 return Test_Type.objects.all().order_by("id")
-@extend_schema_view(**schema_with_prefetch())
+# @extend_schema_view(**schema_with_prefetch())
+# Nested models with prefetch make the response schema too long for Swagger UI
 class TestImportViewSet(
 PrefetchDojoModelViewSet,
 ):

From 8a185d963af8655cd55211bbb825b47d7229a6db Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:57:05 -0500
Subject: [PATCH 06/78] User Password: Add toggle to require on creation (#10962)

---
 dojo/api_v2/serializers.py | 2 +-
 dojo/forms.py | 2 +-
 dojo/settings/.settings.dist.py.sha256sum | 2 +-
 dojo/settings/settings.dist.py | 3 +++
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 78ea12e7ad..1cc6d35ed0 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -553,7 +553,7 @@ def validate(self, data):
 if self.context["request"].method in ["PATCH", "PUT"] and "password" in data:
 msg = "Update of password though API is not allowed"
 raise ValidationError(msg)
- if self.context["request"].method == "POST" and "password" not in data:
+ if self.context["request"].method == "POST" and "password" not in data and settings.REQUIRE_PASSWORD_ON_USER:
 msg = "Passwords must be supplied for new users"
 raise ValidationError(msg)
 else:
diff --git a/dojo/forms.py b/dojo/forms.py
index fd5c55a7b6..cbeaa0a0c3 100644
--- a/dojo/forms.py
+++ b/dojo/forms.py
@@ -2170,7 +2170,7 @@ def clean(self):
 class AddDojoUserForm(forms.ModelForm):
 email = forms.EmailField(required=True)
 password = forms.CharField(widget=forms.PasswordInput,
- required=True,
+ required=settings.REQUIRE_PASSWORD_ON_USER,
 validators=[validate_password],
 help_text="")
diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
index f8adf9d7d4..69b5b66b05 100644
--- a/dojo/settings/.settings.dist.py.sha256sum
+++ b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-f7e63afa0003d1992f8247f9a7a830847bd7498fa1e2d46d6ea04e3006bb9ee2
+aa4ec1520b0bc612431ecb7f80a53cca997fd415ff39d8b9c718fb3fc30b2fef
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 348596ef75..caa84d6b2b 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -304,6 +304,8 @@ DD_QUALYS_LEGACY_SEVERITY_PARSING=(bool, True),
 # Use System notification settings to override user's notification settings
 DD_NOTIFICATIONS_SYSTEM_LEVEL_TRUMP=(list, ["user_mentioned", "review_requested"]),
+ # When enabled, force the password field to be required for creating/updating users
+ DD_REQUIRE_PASSWORD_ON_USER=(bool, True),
 )
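Review bot: With the added `and settings.REQUIRE_PASSWORD_ON_USER`, a POST without `password` now passes validate() whenever the setting is off, but the hunk does not show what the serializer's create path does with the missing field; it should be confirmed that such users end up with `set_unusable_password()` rather than an empty or None password, since an account that accepts an empty credential, or an insert that fails at the database, are the two likely outcomes otherwise. The same question applies to the `AddDojoUserForm` hunk in forms.py in this commit, where `required=settings.REQUIRE_PASSWORD_ON_USER` is additionally evaluated once at import time, so the form will not follow the setting when it is changed with override_settings in tests. validate() starts before this hunk, and `settings` is presumed to be imported elsewhere in the module.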
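Review bot: The comment added above `DD_REQUIRE_PASSWORD_ON_USER` says the password is required "for creating/updating users", but the serializer hunk in this same commit rejects any password on PATCH/PUT regardless of the flag, so the setting only governs creation; suggest `# When enabled, a password must be supplied when creating a user (UI form and API)`. Saying what disabling the flag means for the new account — that it cannot log in with a password until one is set, if that is indeed the behaviour — would give operators the information they need before turning it off.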
@@ -527,6 +529,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 CLASSIC_AUTH_ENABLED = True
 FORGOT_PASSWORD = env("DD_FORGOT_PASSWORD")
+REQUIRE_PASSWORD_ON_USER = env("DD_REQUIRE_PASSWORD_ON_USER")
 FORGOT_USERNAME = env("DD_FORGOT_USERNAME")
 PASSWORD_RESET_TIMEOUT = env("DD_PASSWORD_RESET_TIMEOUT")
 # Showing login form (form is not needed for external auth: OKTA, Google Auth, etc.)

From 8132c330119bb689505d4be649e953e9c9e827dc Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Thu, 26 Sep 2024 18:57:41 +0000
Subject: [PATCH 07/78] Update versions in application files

---
 components/package.json | 2 +-
 dojo/__init__.py | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/components/package.json b/components/package.json
index 49f5862eec..687ffe51f1 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.39.0-dev",
+ "version": "2.38.4",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/dojo/__init__.py b/dojo/__init__.py
index 996b03df38..6697fae961 100644
--- a/dojo/__init__.py
+++ b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app # noqa: F401
-__version__ = "2.38.3"
+__version__ = "2.38.4"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 1052b31209..8a34307346 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.39.0-dev"
+appVersion: "2.38.4"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.152-dev
+version: 1.6.152
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap
From bddcb67d884caad379b526c79fca0d795fe438b6 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Thu, 26 Sep 2024 19:17:37 +0000
Subject: [PATCH 08/78] Update versions in application files

---
 components/package.json | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/components/package.json b/components/package.json
index 687ffe51f1..49f5862eec 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.38.4",
+ "version": "2.39.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 8a34307346..7a0f65b844 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.38.4"
+appVersion: "2.39.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.152
+version: 1.6.153-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap

From 56fedb15ec3baed6527b1227e4068e70ca69e682 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Thu, 26 Sep 2024 19:17:39 +0000
Subject: [PATCH 09/78] Update versions in application files

---
 components/package.json | 2 +-
 dojo/__init__.py | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/components/package.json b/components/package.json
index 687ffe51f1..49f5862eec 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.38.4",
+ "version": "2.39.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/dojo/__init__.py b/dojo/__init__.py
index 6697fae961..82fc124150 100644
--- a/dojo/__init__.py
+++ b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app # noqa: F401
-__version__ = "2.38.4"
+__version__ = "2.39.0-dev"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 8a34307346..7a0f65b844 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.38.4"
+appVersion: "2.39.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.152
+version: 1.6.153-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap

From 81340c6e9ddb150b682fac48f701b63d4f3cc2f6 Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 26 Sep 2024 14:31:58 -0500
Subject: [PATCH 10/78] Update setting sha

---
 dojo/settings/.settings.dist.py.sha256sum | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
index 69b5b66b05..2cd7ce83f4 100644
--- a/dojo/settings/.settings.dist.py.sha256sum
+++ b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-aa4ec1520b0bc612431ecb7f80a53cca997fd415ff39d8b9c718fb3fc30b2fef
+64f33a0118941e6611212f08ee283befe7e7d5f8306f35280ccb6113817136dd

From 07a4a5099377aab4da492a70836311b25ad5f01d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:19:44 -0700 Subject: [PATCH 11/78] Bump boto3 from 1.35.26 to 1.35.28 (#10968) Bumps [boto3](https://github.com/boto/boto3) from 1.35.26 to 1.35.28. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.26...1.35.28) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3df0570a08..d56b658531 100644 --- a/requirements.txt +++ b/requirements.txt @@ -69,7 +69,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support -boto3==1.35.26 # Required for Celery Broker AWS (SQS) support +boto3==1.35.28 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 vulners==2.2.1 fontawesomefree==6.6.0 From 86e5a25ed6dc705612a4f1fcbd2258ebf96c4f51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 15:52:01 -0700 Subject: [PATCH 12/78] Bump ruff from 0.6.7 to 0.6.8 (#10967) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.7 to 0.6.8. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.6.7...0.6.8) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements-lint.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements-lint.txt b/requirements-lint.txt
index 7dbbaa1c41..e2fd91d90a 100644
--- a/requirements-lint.txt
+++ b/requirements-lint.txt
@@ -1 +1 @@
-ruff==0.6.7
\ No newline at end of file
+ruff==0.6.8
\ No newline at end of file

From 0d8bb0595c25265e1e1c440337aa1cff2cf63001 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 27 Sep 2024 16:31:45 -0700
Subject: [PATCH 13/78] Update postgres Docker tag from 16.4 to v17 (docker-compose.yml) (#10966)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 095e69f6dc..46c8fdd2ce 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -103,7 +103,7 @@ services:
 source: ./docker/extra_settings
 target: /app/docker/extra_settings
 postgres:
- image: postgres:16.4-alpine@sha256:d898b0b78a2627cb4ee63464a14efc9d296884f1b28c841b0ab7d7c42f1fffdf
+ image: postgres:17.0-alpine@sha256:c261f8fbc72905b749164ab7d7e88e5319027658c402b8c9664205a46691fcde
 environment:
 POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
 POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

From 61f8d4f1c1dc64800f991f73ad088e3007e04a04 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Sep 2024 13:21:35 -0500
Subject: [PATCH 14/78] Bump boto3 from 1.35.28 to 1.35.29 (#10977)

Bumps [boto3](https://github.com/boto/boto3) from 1.35.28 to 1.35.29.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.35.28...1.35.29)

---
updated-dependencies:
- dependency-name: boto3
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index d56b658531..cd30178871 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.3
 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support
-boto3==1.35.28 # Required for Celery Broker AWS (SQS) support
+boto3==1.35.29 # Required for Celery Broker AWS (SQS) support
 netaddr==1.3.0
 vulners==2.2.1
 fontawesomefree==6.6.0

From 950fb71764fe953531c44556374959539ff9e3c6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Sep 2024 13:21:56 -0500
Subject: [PATCH 15/78] Bump asteval from 1.0.4 to 1.0.5 (#10976)

Bumps [asteval](https://github.com/lmfit/asteval) from 1.0.4 to 1.0.5.
- [Release notes](https://github.com/lmfit/asteval/releases)
- [Commits](https://github.com/lmfit/asteval/compare/1.0.4...1.0.5)

---
updated-dependencies:
- dependency-name: asteval
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index cd30178871..d120d2fbb7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 # requirements.txt for DefectDojo using Python 3.x
-asteval==1.0.4
+asteval==1.0.5
 bleach==6.1.0
 bleach[css]
 celery==5.4.0

From 4c51a38987220b8212ed826aafbd04521bcc60f3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 13:23:28 -0500 Subject: [PATCH 16/78] Bump psycopg[c] from 3.2.2 to 3.2.3 (#10975) Bumps [psycopg[c]](https://github.com/psycopg/psycopg) from 3.2.2 to 3.2.3. - [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news.rst) - [Commits](https://github.com/psycopg/psycopg/compare/3.2.2...3.2.3) --- updated-dependencies: - dependency-name: psycopg[c] dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d120d2fbb7..541b6ee648 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,7 +31,7 @@ lxml==5.3.0 Markdown==3.7 openpyxl==3.1.5 Pillow==10.4.0 # required by django-imagekit -psycopg[c]==3.2.2 +psycopg[c]==3.2.3 cryptography==43.0.1 python-dateutil==2.9.0.post0 pytz==2024.2 From 89a73bc8cd4ee4e2c327bb99d1d69e18e5e5469b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 13:23:50 -0500 Subject: [PATCH 17/78] Bump redis from 5.0.8 to 5.1.0 (#10974) Bumps [redis](https://github.com/redis/redis-py) from 5.0.8 to 5.1.0. - [Release notes](https://github.com/redis/redis-py/releases) - [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES) - [Commits](https://github.com/redis/redis-py/compare/v5.0.8...v5.1.0) --- updated-dependencies: - dependency-name: redis dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 541b6ee648..592f74ca6c 100644 
--- a/requirements.txt
+++ b/requirements.txt
@@ -35,7 +35,7 @@ psycopg[c]==3.2.3
 cryptography==43.0.1
 python-dateutil==2.9.0.post0
 pytz==2024.2
-redis==5.0.8
+redis==5.1.0
 requests==2.32.3
 sqlalchemy==2.0.35 # Required by Celery broker transport
 urllib3==1.26.18

From 331e93db7160942a69e7b7af4bda4ed248a6dc6b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 30 Sep 2024 13:24:43 -0500
Subject: [PATCH 18/78] Update postgres:17.0-alpine Docker digest from 17.0 to 17.0-alpine (docker-compose.yml) (#10971)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 46c8fdd2ce..cf0e023f32 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -103,7 +103,7 @@ services:
 source: ./docker/extra_settings
 target: /app/docker/extra_settings
 postgres:
- image: postgres:17.0-alpine@sha256:c261f8fbc72905b749164ab7d7e88e5319027658c402b8c9664205a46691fcde
+ image: postgres:17.0-alpine@sha256:14195b0729fce792f47ae3c3704d6fd04305826d57af3b01d5b4d004667df174
 environment:
 POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
 POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

From a94713576a39fe169418625b8c12c3fbff6cd4f8 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 1 Oct 2024 16:21:49 -0500
Subject: [PATCH 19/78] Update manusa/actions-setup-minikube action from v2.11.0 to v2.12.0 (.github/workflows/k8s-tests.yml) (#10983)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/k8s-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 837b461c15..d2da08eb7f 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -35,7 +35,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Setup Minikube
- uses: manusa/actions-setup-minikube@v2.11.0
+ uses: manusa/actions-setup-minikube@v2.12.0
 with:
 minikube version: 'v1.33.1'
 kubernetes version: ${{ matrix.k8s }}

From 6f8d09f1ed262ffa3f9d83bde0017b3bcf813b32 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:06:24 -0500
Subject: [PATCH 20/78] Bump boto3 from 1.35.29 to 1.35.30 (#10980)

Bumps [boto3](https://github.com/boto/boto3) from 1.35.29 to 1.35.30.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.35.29...1.35.30)

---
updated-dependencies:
- dependency-name: boto3
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 592f74ca6c..e2727f4434 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.3
 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support
-boto3==1.35.29 # Required for Celery Broker AWS (SQS) support
+boto3==1.35.30 # Required for Celery Broker AWS (SQS) support
 netaddr==1.3.0
 vulners==2.2.1
 fontawesomefree==6.6.0

From 2582747b372384a0251f62b648ac0db2cd70387d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 11:36:51 -0500 Subject: [PATCH 21/78] Update busybox Docker tag from 1.36.1 to v1.37.0 (docker-compose.override.unit_tests_cicd.yml) (#10985) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.override.unit_tests.yml | 10 +++++----- docker-compose.override.unit_tests_cicd.yml | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docker-compose.override.unit_tests.yml b/docker-compose.override.unit_tests.yml index 7c32e17938..baf50d51e6 100644 --- a/docker-compose.override.unit_tests.yml +++ b/docker-compose.override.unit_tests.yml @@ -1,7 +1,7 @@ --- services: nginx: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'nginx'] volumes: - defectdojo_media_unit_tests:/usr/share/nginx/html/media @@ -30,13 +30,13 @@ services: DD_CELERY_BROKER_PATH: '/dojo.celerydb.sqlite' DD_CELERY_BROKER_PARAMS: '' celerybeat: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'celery beat'] celeryworker: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'celery worker'] initializer: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'initializer'] postgres: ports: @@ -49,7 +49,7 @@ services: volumes: - defectdojo_postgres_unit_tests:/var/lib/postgresql/data redis: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'redis'] "webhook.endpoint": image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a diff --git a/docker-compose.override.unit_tests_cicd.yml b/docker-compose.override.unit_tests_cicd.yml index 64af8ac79a..1ca70557d4 100644 --- a/docker-compose.override.unit_tests_cicd.yml +++ b/docker-compose.override.unit_tests_cicd.yml 
@@ -1,7 +1,7 @@ --- services: nginx: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'nginx'] volumes: - defectdojo_media_unit_tests:/usr/share/nginx/html/media @@ -29,13 +29,13 @@ services: DD_CELERY_BROKER_PATH: '/dojo.celerydb.sqlite' DD_CELERY_BROKER_PARAMS: '' celerybeat: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'celery beat'] celeryworker: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'celery worker'] initializer: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'initializer'] postgres: ports: @@ -48,7 +48,7 @@ services: volumes: - defectdojo_postgres_unit_tests:/var/lib/postgresql/data redis: - image: busybox:1.36.1-musl + image: busybox:1.37.0-musl entrypoint: ['echo', 'skipping', 'redis'] "webhook.endpoint": image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a From 9a206f7a5ad306b1e977dcc7e76cadfa6d64fd3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 11:37:46 -0500 Subject: [PATCH 22/78] Bump boto3 from 1.35.30 to 1.35.31 (#10986) Bumps [boto3](https://github.com/boto/boto3) from 1.35.30 to 1.35.31. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.30...1.35.31) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index e2727f4434..f08968bf9a 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.3
 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support
-boto3==1.35.30 # Required for Celery Broker AWS (SQS) support
+boto3==1.35.31 # Required for Celery Broker AWS (SQS) support
 netaddr==1.3.0
 vulners==2.2.1
 fontawesomefree==6.6.0
From 4815fa9cd521560749a4b4057c7267ef144cbf78 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 11:39:24 -0500 Subject: [PATCH 23/78] Bump cpe from 1.3.0 to 1.3.1 (#10987) Bumps [cpe](https://github.com/nilp0inter/cpe) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/nilp0inter/cpe/releases) - [Changelog](https://github.com/nilp0inter/cpe/blob/main/NEWS.txt) - [Commits](https://github.com/nilp0inter/cpe/compare/v1.3.0...v1.3.1) --- updated-dependencies: - dependency-name: cpe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index f08968bf9a..3354870cb7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -47,7 +47,7 @@ social-auth-app-django==5.4.2
 social-auth-core==4.5.4
 gitpython==3.1.43
 python-gitlab==4.11.1
-cpe==1.3.0
+cpe==1.3.1
 packageurl-python==0.15.6
 django-crum==0.7.9
 JSON-log-formatter==1.0
From ce45a7c615283d74e0dcdcd402fd5bcb6f8e4946 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 11:40:55 -0500 Subject: [PATCH 24/78] Bump json-log-formatter from 1.0 to 1.1 (#10988) Bumps [json-log-formatter](https://github.com/marselester/json-log-formatter) from 1.0 to 1.1. - [Release notes](https://github.com/marselester/json-log-formatter/releases) - [Commits](https://github.com/marselester/json-log-formatter/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: json-log-formatter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3354870cb7..72e9364cf8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -50,7 +50,7 @@ python-gitlab==4.11.1 cpe==1.3.1 packageurl-python==0.15.6 django-crum==0.7.9 -JSON-log-formatter==1.0 +JSON-log-formatter==1.1 django-split-settings==1.3.2 django-debug-toolbar==4.4.6 django-debug-toolbar-request-history==0.1.4 From 9ef2275bb40f13bd0d6426819f30d244bfb35c09 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 11:41:39 -0500 Subject: [PATCH 25/78] Bump vobject from 0.9.7 to 0.9.8 (#10989) Bumps [vobject](https://github.com/py-vobject/vobject) from 0.9.7 to 0.9.8. - [Release notes](https://github.com/py-vobject/vobject/releases) - [Commits](https://github.com/py-vobject/vobject/compare/v0.9.7...v0.9.8) --- updated-dependencies: - dependency-name: vobject dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.txt b/requirements.txt index 72e9364cf8..2551302a88 100644 --- a/requirements.txt +++ b/requirements.txt @@ -40,7 +40,7 @@ requests==2.32.3 sqlalchemy==2.0.35 # Required by Celery broker transport urllib3==1.26.18 uWSGI==2.0.27 -vobject==0.9.7 +vobject==0.9.8 whitenoise==5.2.0 titlecase==2.4.1 social-auth-app-django==5.4.2 From 476fe7503d6b6f21974a3c64409012d5a12a3280 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 15:55:25 -0500 Subject: [PATCH 26/78] Update Helm release postgresql from 15.5.38 to v16 (helm/defectdojo/Chart.yaml) (#10993) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- helm/defectdojo/Chart.lock | 6 +++--- helm/defectdojo/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index ac7bcaa633..49d15928ea 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 15.5.20 + version: 16.0.0 - name: postgresql-ha repository: https://charts.bitnami.com/bitnami version: 9.4.11 - name: redis repository: https://charts.bitnami.com/bitnami version: 19.6.4 -digest: sha256:fa3555040b5d1a3e1f5611b9d48c74ac90fc3be438db2f77143efb387aa7b202 -generated: "2024-07-31T12:32:14.276681-05:00" \ No newline at end of file +digest: sha256:43166002555f6bdaac719d3d54e56a3e069b17ed29acd1c70951b7b99b102ae7 +generated: "2024-10-02T16:37:38.736091938Z" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 7a0f65b844..56c9a82d89 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml 
@@ -10,7 +10,7 @@ maintainers: url: https://github.com/DefectDojo/django-DefectDojo dependencies: - name: postgresql - version: ~15.5.0 + version: ~16.0.0 repository: "https://charts.bitnami.com/bitnami" condition: postgresql.enabled - name: postgresql-ha From b8feb677b138a17adc0aeb1a36da5f53bae3eccf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Oct 2024 13:12:48 -0500 Subject: [PATCH 27/78] Bump boto3 from 1.35.31 to 1.35.32 (#10994) Bumps [boto3](https://github.com/boto/boto3) from 1.35.31 to 1.35.32. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.31...1.35.32) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2551302a88..d1c1a8010a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -69,7 +69,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support -boto3==1.35.31 # Required for Celery Broker AWS (SQS) support +boto3==1.35.32 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 vulners==2.2.1 fontawesomefree==6.6.0 From c6280c84653fc5aea3e6f6f7de7a129986bdd095 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Oct 2024 13:14:32 -0500 Subject: [PATCH 28/78] Bump python-gitlab from 4.11.1 to 4.12.2 (#10990) Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 4.11.1 to 4.12.2. - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](https://github.com/python-gitlab/python-gitlab/compare/v4.11.1...v4.12.2) --- updated-dependencies: - dependency-name: python-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index d1c1a8010a..d44e038605 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -46,7 +46,7 @@ titlecase==2.4.1
 social-auth-app-django==5.4.2
 social-auth-core==4.5.4
 gitpython==3.1.43
-python-gitlab==4.11.1
+python-gitlab==4.12.2
 cpe==1.3.1
 packageurl-python==0.15.6
 django-crum==0.7.9
From 8aa81cc8934991373d9f9d33d4577e272a4b5436 Mon Sep 17 00:00:00 2001 
From: kiblik <5609770+kiblik@users.noreply.github.com> Date: Thu, 3 Oct 2024 23:33:29 +0200 Subject: [PATCH 29/78] Ruff: Add and fix D2 (#10844) --- dojo/admin.py | 40 ++++------ dojo/api_v2/prefetch/prefetcher.py | 9 ++- dojo/api_v2/prefetch/schema.py | 7 +- dojo/api_v2/prefetch/utils.py | 9 ++- dojo/api_v2/views.py | 4 + .../authorization/authorization_decorators.py | 7 +- dojo/authorization/roles_permissions.py | 4 +- dojo/engagement/views.py | 48 +++--------- dojo/finding/helper.py | 2 +- dojo/forms.py | 6 +- dojo/importers/auto_create_context.py | 6 +- dojo/importers/base_importer.py | 11 ++- dojo/importers/default_importer.py | 2 + dojo/importers/default_reimporter.py | 11 +-- dojo/importers/endpoint_manager.py | 16 +--- dojo/importers/options.py | 2 + dojo/jira_link/helper.py | 2 +- dojo/jira_link/views.py | 76 +++++++++---------- dojo/management/commands/dedupe.py | 2 + .../commands/import_github_languages.py | 2 + .../commands/initialize_permissions.py | 6 +- .../commands/jira_status_reconciliation.py | 1 + .../commands/migrate_authorization_v2.py | 2 + dojo/management/commands/migrate_cve.py | 5 +- .../commands/migrate_staff_users.py | 2 + .../commands/migrate_textquestions.py | 2 + dojo/metrics/utils.py | 17 +++-- dojo/middleware.py | 7 +- dojo/models.py | 55 +++++++------- dojo/request_cache/middleware.py | 2 + dojo/risk_acceptance/helper.py | 1 - dojo/search/views.py | 2 - dojo/test/views.py | 40 +++------- dojo/tools/acunetix/parse_acunetix360_json.py | 2 + dojo/tools/acunetix/parse_acunetix_xml.py | 2 + dojo/tools/acunetix/parser.py | 1 + dojo/tools/anchore_grype/parser.py | 4 +- dojo/tools/api_blackduck/api_client.py | 5 +- dojo/tools/api_blackduck/importer.py | 5 +- dojo/tools/api_blackduck/parser.py | 5 +- dojo/tools/api_bugcrowd/api_client.py | 5 +- dojo/tools/api_bugcrowd/importer.py | 5 +- dojo/tools/api_bugcrowd/parser.py | 5 +- dojo/tools/api_cobalt/api_client.py | 5 +- dojo/tools/api_cobalt/importer.py | 5 +- dojo/tools/api_cobalt/parser.py 
| 5 +- dojo/tools/api_edgescan/api_client.py | 5 +- dojo/tools/api_edgescan/importer.py | 5 +- dojo/tools/api_edgescan/parser.py | 5 +- dojo/tools/api_sonarqube/api_client.py | 5 +- dojo/tools/api_sonarqube/importer.py | 1 + dojo/tools/api_sonarqube/updater.py | 1 + .../api_sonarqube/updater_from_source.py | 1 + dojo/tools/api_vulners/api_client.py | 5 +- dojo/tools/api_vulners/importer.py | 5 +- dojo/tools/api_vulners/parser.py | 1 + .../engines/appcheck.py | 2 + .../engines/base.py | 18 +++-- .../engines/nmap.py | 2 + .../engines/openvas.py | 2 + .../parser.py | 1 + dojo/tools/appspider/parser.py | 1 + dojo/tools/arachni/parser.py | 4 +- dojo/tools/auditjs/parser.py | 1 + dojo/tools/bearer_cli/parser.py | 5 +- dojo/tools/blackduck/importer.py | 4 +- dojo/tools/blackduck/parser.py | 1 + .../blackduck_binary_analysis/importer.py | 8 +- .../tools/blackduck_binary_analysis/parser.py | 1 + .../blackduck_component_risk/importer.py | 1 + dojo/tools/blackduck_component_risk/parser.py | 1 + dojo/tools/burp/parser.py | 1 + dojo/tools/burp_api/parser.py | 7 +- dojo/tools/cargo_audit/parser.py | 5 +- dojo/tools/checkmarx/parser.py | 6 +- dojo/tools/checkov/parser.py | 3 +- dojo/tools/cloudsploit/parser.py | 5 +- dojo/tools/contrast/parser.py | 1 + dojo/tools/coverity_api/parser.py | 1 + dojo/tools/coverity_scan/parser.py | 1 + dojo/tools/crashtest_security/parser.py | 8 +- dojo/tools/cred_scan/parser.py | 1 + dojo/tools/cyclonedx/parser.py | 4 +- dojo/tools/dependency_track/parser.py | 1 + dojo/tools/detect_secrets/parser.py | 5 +- dojo/tools/dockle/parser.py | 5 +- dojo/tools/ggshield/parser.py | 9 +-- dojo/tools/gitlab_api_fuzzing/parser.py | 1 + dojo/tools/gitlab_container_scan/parser.py | 1 + dojo/tools/gitlab_dast/parser.py | 5 +- .../gitlab_secret_detection_report/parser.py | 1 + dojo/tools/gitleaks/parser.py | 9 +-- dojo/tools/h1/parser.py | 18 ++--- dojo/tools/harbor_vulnerability/parser.py | 5 +- dojo/tools/horusec/parser.py | 1 + dojo/tools/humble/parser.py | 1 + 
dojo/tools/huskyci/parser.py | 5 +- dojo/tools/hydra/parser.py | 5 +- dojo/tools/ibm_app/parser.py | 4 +- dojo/tools/intsights/parser.py | 6 +- dojo/tools/invicti/parser.py | 3 +- .../parser.py | 1 + dojo/tools/jfrog_xray_unified/parser.py | 1 + dojo/tools/jfrogxray/parser.py | 1 + dojo/tools/kics/parser.py | 5 +- dojo/tools/kubehunter/parser.py | 5 +- dojo/tools/mend/parser.py | 4 +- dojo/tools/microfocus_webinspect/parser.py | 1 + dojo/tools/mobsf/parser.py | 3 +- dojo/tools/mobsfscan/parser.py | 5 +- dojo/tools/mozilla_observatory/parser.py | 4 +- dojo/tools/ms_defender/parser.py | 6 +- dojo/tools/nexpose/parser.py | 5 +- dojo/tools/nikto/parser.py | 4 +- dojo/tools/nmap/parser.py | 6 +- dojo/tools/noseyparker/parser.py | 5 +- dojo/tools/npm_audit_7_plus/parser.py | 1 + dojo/tools/nuclei/parser.py | 5 +- dojo/tools/ort/parser.py | 1 + dojo/tools/ossindex_devaudit/parser.py | 4 +- dojo/tools/pip_audit/parser.py | 1 + dojo/tools/popeye/parser.py | 5 +- dojo/tools/pwn_sast/parser.py | 5 +- dojo/tools/qualys/csv_parser.py | 3 - dojo/tools/qualys_hacker_guardian/parser.py | 1 + dojo/tools/rapplex/parser.py | 6 +- dojo/tools/sarif/parser.py | 7 +- dojo/tools/scantist/parser.py | 1 + dojo/tools/scout_suite/parser.py | 1 + dojo/tools/solar_appscreener/parser.py | 5 +- dojo/tools/spotbugs/parser.py | 1 + dojo/tools/ssh_audit/parser.py | 6 +- dojo/tools/sslyze/parser.py | 1 + dojo/tools/stackhawk/parser.py | 5 +- dojo/tools/sysdig_reports/parser.py | 5 +- .../tools/sysdig_reports/sysdig_csv_parser.py | 5 +- dojo/tools/talisman/parser.py | 21 ++--- dojo/tools/terrascan/parser.py | 5 +- dojo/tools/tfsec/parser.py | 5 +- dojo/tools/threagile/parser.py | 5 +- dojo/tools/threat_composer/parser.py | 5 +- dojo/tools/trivy/parser.py | 4 +- dojo/tools/trivy_operator/parser.py | 4 +- dojo/tools/trustwave_fusion_api/parser.py | 5 +- dojo/tools/utils.py | 10 +-- dojo/tools/vcg/parser.py | 1 + dojo/tools/veracode/json_parser.py | 4 +- dojo/tools/veracode/xml_parser.py | 4 +- 
dojo/tools/wapiti/parser.py | 4 +- dojo/tools/wazuh/parser.py | 1 + dojo/tools/wfuzz/parser.py | 5 +- dojo/tools/whispers/parser.py | 5 +- dojo/tools/whitehat_sentinel/parser.py | 5 +- dojo/tools/wiz/parser.py | 14 +++- dojo/tools/wizcli_dir/parser.py | 5 +- dojo/tools/wizcli_iac/parser.py | 5 +- dojo/tools/wizcli_img/parser.py | 5 +- dojo/tools/wpscan/parser.py | 4 +- dojo/tools/zap/parser.py | 1 + dojo/utils.py | 22 +++--- ruff.toml | 5 +- tests/base_test_class.py | 1 - unittests/test_apiv2_endpoint.py | 6 +- unittests/test_apiv2_limit_reqresp.py | 5 +- unittests/test_apiv2_metadata.py | 6 +- unittests/test_apiv2_notifications.py | 10 +-- unittests/test_apiv2_scan_import_options.py | 10 +-- unittests/test_apiv2_user.py | 6 +- unittests/test_finding_model.py | 20 ++--- unittests/test_import_reimport.py | 8 +- unittests/test_metrics_queries.py | 4 +- unittests/test_rest_framework.py | 8 +- unittests/tools/test_h1_parser.py | 1 + unittests/tools/test_sonarqube_parser.py | 3 +- unittests/tools/test_spotbugs_parser.py | 3 +- unittests/tools/test_zap_parser.py | 6 +- 176 files changed, 509 insertions(+), 543 deletions(-) diff --git a/dojo/admin.py b/dojo/admin.py index a2452ce1e5..c40d39e3c2 100644 --- a/dojo/admin.py +++ b/dojo/admin.py @@ -22,29 +22,25 @@ class QuestionChildAdmin(PolymorphicChildModelAdmin): - """ - Base admin class for all child models of Question - """ + + """Base admin class for all child models of Question""" base_model = Question class TextQuestionAdmin(QuestionChildAdmin): - """ - ModelAdmin for a TextQuestion - """ + + """ModelAdmin for a TextQuestion""" class ChoiceQuestionAdmin(QuestionChildAdmin): - """ - ModelAdmin for a ChoiceQuestion - """ + + """ModelAdmin for a ChoiceQuestion""" class QuestionParentAdmin(PolymorphicParentModelAdmin): - """ - Question parent model admin - """ + + """Question parent model admin""" base_model = Question child_models = ( 
@@ -60,29 +56,25 @@ class QuestionParentAdmin(PolymorphicParentModelAdmin): class AnswerChildAdmin(PolymorphicChildModelAdmin): - """ - Base admin class for all child Answer models - """ + + """Base admin class for all child Answer models""" base_model = Answer class TextAnswerAdmin(AnswerChildAdmin): - """ - ModelAdmin for TextAnswer - """ + + """ModelAdmin for TextAnswer""" class ChoiceAnswerAdmin(AnswerChildAdmin): - """ - ModelAdmin for ChoiceAnswer - """ + + """ModelAdmin for ChoiceAnswer""" class AnswerParentAdmin(PolymorphicParentModelAdmin): - """ - The parent model admin for answer - """ + + """The parent model admin for answer""" list_display = ( "answered_survey", diff --git a/dojo/api_v2/prefetch/prefetcher.py b/dojo/api_v2/prefetch/prefetcher.py index 3596b3f940..917afd2a04 100644 --- a/dojo/api_v2/prefetch/prefetcher.py +++ b/dojo/api_v2/prefetch/prefetcher.py @@ -18,7 +18,8 @@ class _Prefetcher: @staticmethod def _build_serializers(): - """Returns a map model -> serializer where model is a django model and serializer is the corresponding + """ + Returns a map model -> serializer where model is a django model and serializer is the corresponding serializer used to serialize the model Returns: @@ -52,7 +53,8 @@ def __init__(self): self._prefetch_data = {} def _find_serializer(self, field_type): - """Find the best suited serializer for the given type. + """ + Find the best suited serializer for the given type. Args: field_type (django.db.models.fields): the field type for which we need to find a serializer @@ -72,7 +74,8 @@ def _find_serializer(self, field_type): return self._find_serializer(parent_class) def _prefetch(self, entry, fields_to_fetch): - """Apply prefetching for the given field on the given entry + """ + Apply prefetching for the given field on the given entry Args: entry (ModelInstance): Instance of a model as returned by a django queryset 
diff --git a/dojo/api_v2/prefetch/schema.py b/dojo/api_v2/prefetch/schema.py index 535e01e4e6..ef5cbbf389 100644 --- a/dojo/api_v2/prefetch/schema.py +++ b/dojo/api_v2/prefetch/schema.py @@ -18,7 +18,8 @@ def _get_path_to_GET_serializer_map(generator): def get_serializer_ref_name(serializer): - """Get serializer's ref_name + """ + Get serializer's ref_name inspired by https://github.com/axnsan12/drf-yasg/blob/78031f0c189585c30fccb5005a6899f2d34289a9/src/drf_yasg/utils.py#L416 :param serializer: Serializer instance @@ -37,14 +38,14 @@ def get_serializer_ref_name(serializer): def prefetch_postprocessing_hook(result, generator, request, public): - """OpenAPI v3 (drf-spectacular) Some endpoints are using the PrefetchListMixin and PrefetchRetrieveMixin. + """ + OpenAPI v3 (drf-spectacular) Some endpoints are using the PrefetchListMixin and PrefetchRetrieveMixin. These have nothing to do with Django prefetch_related. The endpoints have an @extend_schema configured with an extra parameter 'prefetch' This parameter contains an array of relations to prefetch. These prefetched models will be returned in an additional property in the response. The below processor ensures the result schema matches this. """ - serializer_classes = _get_path_to_GET_serializer_map(generator) paths = result.get("paths", {}) diff --git a/dojo/api_v2/prefetch/utils.py b/dojo/api_v2/prefetch/utils.py index de7ea2b383..5e588e03ce 100644 --- a/dojo/api_v2/prefetch/utils.py +++ b/dojo/api_v2/prefetch/utils.py @@ -2,7 +2,8 @@ def _is_many_to_many_relation(field): - """Check if a field specified a many-to-many relationship as defined by django. + """ + Check if a field specified a many-to-many relationship as defined by django. This is the case if the field is an instance of the ManyToManyDescriptor as generated by the django framework 
@@ -16,7 +17,8 @@ def _is_many_to_many_relation(field): def _is_one_to_one_relation(field): - """Check if a field specified a one-to-one relationship as defined by django. + """ + Check if a field specified a one-to-one relationship as defined by django. This is the case if the field is an instance of the ForwardManyToOne as generated by the django framework @@ -30,7 +32,8 @@ def _is_one_to_one_relation(field): def _get_prefetchable_fields(serializer): - """Get the fields that are prefetchable according to the serializer description. + """ + Get the fields that are prefetchable according to the serializer description. Method mainly used by for automatic schema generation. Args: diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index f9ebd4cd45..09e7cb734b 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py @@ -2370,6 +2370,7 @@ def get(self, request, format=None): # Authorization: authenticated users, DjangoModelPermissions class ImportScanView(mixins.CreateModelMixin, viewsets.GenericViewSet): + """ Imports a scan report into an engagement or product. @@ -2433,6 +2434,7 @@ def get_queryset(self): class EndpointMetaImporterView( mixins.CreateModelMixin, viewsets.GenericViewSet, ): + """ Imports a CSV file into a product to propagate arbitrary meta and tags on endpoints. @@ -2508,6 +2510,7 @@ def get_queryset(self): # Authorization: object-based class ReImportScanView(mixins.CreateModelMixin, viewsets.GenericViewSet): + """ Reimports a scan report into an existing test. @@ -2908,6 +2911,7 @@ def report_generate(request, obj, options): class SystemSettingsViewSet( mixins.ListModelMixin, mixins.UpdateModelMixin, viewsets.GenericViewSet, ): + """Basic control over System Settings. Use 'id' 1 for PUT, PATCH operations""" permission_classes = (permissions.IsSuperUser, DjangoModelPermissions) diff --git a/dojo/authorization/authorization_decorators.py b/dojo/authorization/authorization_decorators.py index 3063d0821d..1f1bc9dbcb 100644 
--- a/dojo/authorization/authorization_decorators.py +++ b/dojo/authorization/authorization_decorators.py @@ -12,7 +12,6 @@ def user_is_authorized(model, permission, arg, lookup="pk", func=None): """Decorator for functions that ensures the user has permission on an object.""" - if func is None: return functools.partial( user_is_authorized, model, permission, arg, lookup, @@ -41,7 +40,6 @@ def _wrapped(request, *args, **kwargs): def user_has_global_permission(permission, func=None): """Decorator for functions that ensures the user has a (global) permission""" - if func is None: return functools.partial(user_has_global_permission, permission) @@ -54,10 +52,7 @@ def _wrapped(request, *args, **kwargs): def user_is_configuration_authorized(permission, func=None): - """ - Decorator for views that checks whether a user has a particular permission enabled. - """ - + """Decorator for views that checks whether a user has a particular permission enabled.""" if func is None: return functools.partial(user_is_configuration_authorized, permission) diff --git a/dojo/authorization/roles_permissions.py b/dojo/authorization/roles_permissions.py index 779463258f..530008a2f7 100644 --- a/dojo/authorization/roles_permissions.py +++ b/dojo/authorization/roles_permissions.py @@ -517,9 +517,7 @@ def get_roles_with_permissions(): def get_global_roles_with_permissions(): - """ - Extra permissions for global roles, on top of the permissions granted to the "normal" roles above. - """ + """Extra permissions for global roles, on top of the permissions granted to the "normal" roles above.""" return { Roles.Maintainer: {Permissions.Product_Type_Add}, Roles.Owner: {Permissions.Product_Type_Add}, diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index 94e7cec960..ea73bd80c6 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py 
@@ -693,9 +693,7 @@ def add_tests(request, eid): class ImportScanResultsView(View): def get_template(self) -> str: - """ - Returns the template that will be presented to the user - """ + """Returns the template that will be presented to the user""" return "dojo/import_scan_results.html" def get_development_environment( @@ -715,9 +713,7 @@ def get_engagement_or_product( engagement_id: Optional[int] = None, product_id: Optional[int] = None, ) -> Tuple[Engagement, Product, Product | Engagement]: - """ - Using the path parameters, either fetch the product or engagement - """ + """Using the path parameters, either fetch the product or engagement""" engagement = product = engagement_or_product = None # Get the product if supplied # Get the engagement if supplied @@ -740,9 +736,7 @@ def get_form( request: HttpRequest, **kwargs: dict, ) -> ImportScanForm: - """ - Returns the default import form for importing findings - """ + """Returns the default import form for importing findings""" if request.method == "POST": return ImportScanForm(request.POST, request.FILES, **kwargs) return ImportScanForm(**kwargs) @@ -776,9 +770,7 @@ def get_jira_form( request: HttpRequest, engagement_or_product: Engagement | Product, ) -> Tuple[JIRAImportScanForm | None, bool]: - """ - Returns a JiraImportScanForm if jira is enabled - """ + """Returns a JiraImportScanForm if jira is enabled""" jira_form = None push_all_jira_issues = False # Determine if jira issues should be pushed automatically 
@@ -919,18 +911,14 @@ def get_importer( self, context: dict, ) -> BaseImporter: - """ - Gets the importer to use - """ + """Gets the importer to use""" return DefaultImporter(**context) def import_findings( self, context: dict, ) -> str | None: - """ - Attempt to import with all the supplied information - """ + """Attempt to import with all the supplied information""" try: importer_client = self.get_importer(context) context["test"], _, finding_count, closed_finding_count, _, _, _ = importer_client.process_scan( @@ -952,9 +940,7 @@ def process_form( form: ImportScanForm, context: dict, ) -> str | None: - """ - Process the form and manipulate the input in any way that is appropriate - """ + """Process the form and manipulate the input in any way that is appropriate""" # Update the running context dict with cleaned form input context.update({ "scan": request.FILES.get("file", None), @@ -1024,9 +1010,7 @@ def process_credentials_form( form: CredMappingForm, context: dict, ) -> str | None: - """ - Process the credentials form by creating - """ + """Process the credentials form by creating""" if cred_user := form.cleaned_data["cred_user"]: # Select the credential mapping object from the selected list and only allow if the credential is associated with the product cred_user = Cred_Mapping.objects.filter( @@ -1046,18 +1030,14 @@ def success_redirect( self, context: dict, ) -> HttpResponseRedirect: - """ - Redirect the user to a place that indicates a successful import - """ + """Redirect the user to a place that indicates a successful import""" return HttpResponseRedirect(reverse("view_test", args=(context.get("test").id, ))) def failure_redirect( self, context: dict, ) -> HttpResponseRedirect: - """ - Redirect the user to a place that indicates a failed import - """ + """Redirect the user to a place that indicates a failed import""" return HttpResponseRedirect(reverse( "import_scan_results", args=(context.get("engagement", context.get("product")).id, ), 
@@ -1069,9 +1049,7 @@ def get( engagement_id: Optional[int] = None, product_id: Optional[int] = None, ) -> HttpResponse: - """ - Process GET requests for the Import View - """ + """Process GET requests for the Import View""" # process the request and path parameters request, context = self.handle_request( request, @@ -1087,9 +1065,7 @@ def post( engagement_id: Optional[int] = None, product_id: Optional[int] = None, ) -> HttpResponse: - """ - Process POST requests for the Import View - """ + """Process POST requests for the Import View""" # process the request and path parameters request, context = self.handle_request( request, diff --git a/dojo/finding/helper.py b/dojo/finding/helper.py index d52857f229..1182cb26d6 100644 --- a/dojo/finding/helper.py +++ b/dojo/finding/helper.py @@ -566,7 +566,7 @@ def engagement_post_delete(sender, instance, **kwargs): def fix_loop_duplicates(): - """ Due to bugs in the past and even currently when under high parallel load, there can be transitive duplicates. """ + """Due to bugs in the past and even currently when under high parallel load, there can be transitive duplicates.""" """ i.e. A -> B -> C. This can lead to problems when deleting findingns, performing deduplication, etc """ candidates = Finding.objects.filter(duplicate_finding__isnull=False, original_finding__isnull=False).order_by("-id") diff --git a/dojo/forms.py b/dojo/forms.py index 8c9b79ae02..f312e705bf 100644 --- a/dojo/forms.py +++ b/dojo/forms.py @@ -140,6 +140,7 @@ def render(self, name, *args, **kwargs): class MonthYearWidget(Widget): + """ A Widget that splits date input into two - -
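Review bot: In the `dojo/finding/helper.py` hunk, the line right after the reformatted docstring of `fix_loop_duplicates` is a second bare triple-quoted string (`""" i.e. A -> B -> C. This can lead to problems when deleting findingns, performing deduplication, etc """`), which Python evaluates as a no-op expression statement, so that sentence is not part of the function's docstring and the D2 cleanup leaves it stranded. Fold it into the one docstring, e.g. `"""Due to bugs in the past and even currently when under high parallel load, there can be transitive duplicates, i.e. A -> B -> C. This can lead to problems when deleting findings, performing deduplication, etc."""`, which also fixes the `findingns` typo. The body of fix_loop_duplicates continues outside the hunk.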

- Finding severity mappings and other options can be edited after express configuration is complete. -
- - -{% endblock %} diff --git a/dojo/templates/dojo/jira.html b/dojo/templates/dojo/jira.html index a3208648d6..1068cf7c4c 100644 --- a/dojo/templates/dojo/jira.html +++ b/dojo/templates/dojo/jira.html @@ -19,13 +19,13 @@

diff --git a/dojo/templates/dojo/new_jira.html b/dojo/templates/dojo/new_jira.html index 232117681c..6f4cb6e055 100644 --- a/dojo/templates/dojo/new_jira.html +++ b/dojo/templates/dojo/new_jira.html @@ -6,8 +6,11 @@

Add a JIRA Configuration

{% include "dojo/form_fields.html" with form=jform %}
- + +
+

+ Finding severity mappings and other options can be edited after configuration is complete.
-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/dojo/templates/dojo/new_jira_advanced.html b/dojo/templates/dojo/new_jira_advanced.html new file mode 100644 index 0000000000..2af3a37c60 --- /dev/null +++ b/dojo/templates/dojo/new_jira_advanced.html @@ -0,0 +1,13 @@ +{% extends "base.html"%} +{% block content %} + {{ block.super }} +

Add a JIRA Configuration (Advanced)

+
{% csrf_token %} + {% include "dojo/form_fields.html" with form=jform %} +
+
+ +
+
+
+{% endblock %} \ No newline at end of file diff --git a/unittests/test_jira_config_product.py b/unittests/test_jira_config_product.py index ff72f34993..7213a2f5f0 100644 --- a/unittests/test_jira_config_product.py +++ b/unittests/test_jira_config_product.py @@ -49,7 +49,7 @@ def setUp(self): @patch("dojo.jira_link.views.jira_helper.get_jira_connection_raw") def add_jira_instance(self, data, jira_mock): - response = self.client.post(reverse("add_jira"), urlencode(data), content_type="application/x-www-form-urlencoded") + response = self.client.post(reverse("add_jira_advanced"), urlencode(data), content_type="application/x-www-form-urlencoded") # check that storing a new config triggers a login call to JIRA call_1 = call(data["url"], data["username"], data["password"]) call_2 = call(data["url"], data["username"], data["password"]) From d56964f4fd1938f194a1673b2c9a9553d00b5540 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:02:20 -0500 Subject: [PATCH 61/78] AWS Security Hub: Accommodate for reports with missing AccountID (#11034) --- dojo/tools/awssecurityhub/parser.py | 2 +- .../awssecurityhub/missing_account_id.json | 112 ++++++++++++++++++ unittests/tools/test_awssecurityhub_parser.py | 6 + 3 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 unittests/scans/awssecurityhub/missing_account_id.json diff --git a/dojo/tools/awssecurityhub/parser.py b/dojo/tools/awssecurityhub/parser.py index 3d07d2554c..e59afa23ce 100644 --- a/dojo/tools/awssecurityhub/parser.py +++ b/dojo/tools/awssecurityhub/parser.py @@ -28,7 +28,7 @@ def get_tests(self, scan_type, scan): aws_acc = [] for finding in findings: prod.append(finding.get("ProductName", "AWS Security Hub Ruleset")) - aws_acc.append(finding.get("AwsAccountId")) + aws_acc.append(finding.get("AwsAccountId", "No Account Found")) report_date = data.get("createdAt") test = ParserTest( name=self.ID, type=self.ID, version="", 
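Review bot: In the `dojo/tools/awssecurityhub/parser.py` hunk, `finding.get("AwsAccountId", "No Account Found")` only covers a missing key; a finding that carries `"AwsAccountId": null` still appends `None` to `aws_acc`, which is the same class of malformed input the commit sets out to tolerate. `aws_acc.append(finding.get("AwsAccountId") or "No Account Found")` handles both the absent and the null case. Note also that the placeholder string now sits in `aws_acc` next to real account ids, so wherever that list is later joined or deduplicated the placeholder will be shown as if it were an account; the rest of get_tests is outside the hunk, so I cannot see how aws_acc is consumed, but substituting the placeholder at render time rather than storing it in the list would avoid that.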
diff --git a/unittests/scans/awssecurityhub/missing_account_id.json b/unittests/scans/awssecurityhub/missing_account_id.json new file mode 100644 index 0000000000..fe7ddfc2e9 --- /dev/null +++ b/unittests/scans/awssecurityhub/missing_account_id.json 
@@ -0,0 +1,112 @@ +{ + "findings": [ + { + "EpssScore": "0.00239", + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:inspector2:us-east-1:1234567:finding/12344bc", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector", + "ProductName": "Inspector", + "CompanyName": "Amazon", + "Region": "us-east-1", + "GeneratorId": "AWSInspector", + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "FirstObservedAt": "2024-07-30T12:17:32.646Z", + "LastObservedAt": "2024-09-18T05:16:44.106Z", + "CreatedAt": "2024-07-30T12:17:32.646Z", + "UpdatedAt": "2024-09-18T05:16:44.106Z", + "Severity": { + "Label": "MEDIUM", + "Normalized": 50 + }, + "Title": "CVE-2024-123 - fdd", + "Description": "A vulnerability was found in sdd.", + "Remediation": { + "Recommendation": { + "Text": "None Provided" + } + }, + "ProductFields": { + "aws/inspector/FindingStatus": "ACTIVE", + "aws/inspector/inspectorScore": "5.1", + "aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "AMAZON_LINUX_2023", + "aws/inspector/ProductVersion": "1", + "aws/inspector/instanceId": "i-1234xxyy", + "aws/securityhub/FindingId": "arn:aws:inspector2:us-east-1:1234567:finding/addfss", + "aws/securityhub/ProductName": "Inspector", + "aws/securityhub/CompanyName": "Amazon" + }, + "Resources": [ + { + "Type": "AwsEc2Instance", + "Id": "i-1234xxyy", + "Partition": "aws", + "Region": "us-east-1", + "Tags": { + "Name": "Name:xx-123-yy" + }, + "Details": { + "AwsEc2Instance": { + "Type": "tt", + "ImageId": "ami-1234", + "IpV4Addresses": [ + "0.0.0.0" + ], + "IamInstanceProfileArn": "arn:aws:iam::1234567:instance-profile/something", + "VpcId": "vpc-1234", + "SubnetId": "subnet-xxxxxxx", + "LaunchedAt": "2024-09-18T05:16:44.106Z" + } + } + } + ], + "WorkflowState": "NEW", + "Workflow": { + "Status": "NEW" + }, + "RecordState": "ACTIVE", + "Vulnerabilities": [ + { + "Id": "CVE-2024-1234", + "VulnerablePackages": [ + { + "Name": "aa", + "Version": "1.2.0", + 
"Architecture": "X86_64]", + "PackageManager": "OS", + "FixedInVersion": "abc[2.0]" + } + ], + "Cvss": [ + { + "Version": "3.1", + "BaseScore": "7.5", + "BaseVector": "CVSS:9.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "Source": "NVD" + } + ], + "Vendor": { + "Name": "AMAZON_CVE", + "Url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-1234.json", + "VendorSeverity": "Medium", + "VendorCreatedAt": "2024-01-16T00:00:00Z", + "VendorUpdatedAt": "2024-09-18T05:16:44.106Z" + }, + "ReferenceUrls": [ + "https://alas.aws.amazon.com" + ], + "FixAvailable": "YES" + } + ], + "FindingProviderFields": { + "Severity": { + "Label": "MEDIUM" + }, + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ] + } + } + ] + } \ No newline at end of file diff --git a/unittests/tools/test_awssecurityhub_parser.py b/unittests/tools/test_awssecurityhub_parser.py index 9d05083eaf..5885852b34 100644 --- a/unittests/tools/test_awssecurityhub_parser.py +++ b/unittests/tools/test_awssecurityhub_parser.py @@ -134,3 +134,9 @@ def test_issue_10956(self): self.assertEqual(1, len(findings)) finding = findings[0] self.assertEqual("0.00239", finding.epss_score) + + def test_missing_account_id(self): + with open(get_unit_tests_path() + sample_path("missing_account_id.json"), encoding="utf-8") as test_file: + parser = AwsSecurityHubParser() + findings = parser.get_findings(test_file, Test()) + self.assertEqual(1, len(findings)) From 51557ec03817a7e90138c1d1e782b57be609c39c Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:02:37 -0500 Subject: [PATCH 62/78] Netsparker: Attempt to accommodate any date string format (#11047) --- dojo/tools/netsparker/parser.py | 23 +- unittests/scans/netsparker/issue_11020.json | 227 ++++++++++++++++++++ unittests/tools/test_netsparker_parser.py | 14 ++ 3 files changed, 256 insertions(+), 8 deletions(-) create mode 100644 unittests/scans/netsparker/issue_11020.json 
diff --git a/dojo/tools/netsparker/parser.py b/dojo/tools/netsparker/parser.py
index 35a0892054..47b81a2a65 100644
--- a/dojo/tools/netsparker/parser.py
+++ b/dojo/tools/netsparker/parser.py
@@ -3,6 +3,7 @@
 import html2text
 from cvss import parser as cvss_parser
+from dateutil import parser as date_parser
 from dojo.models import Endpoint, Finding
@@ -24,14 +25,20 @@ def get_findings(self, filename, test):
 except Exception:
 data = json.loads(tree)
 dupes = {}
- if "UTC" in data["Generated"]:
- scan_date = datetime.datetime.strptime(
- data["Generated"].split(" ")[0], "%d/%m/%Y",
- ).date()
- else:
- scan_date = datetime.datetime.strptime(
- data["Generated"], "%d/%m/%Y %H:%M %p",
- ).date()
+ try:
+ if "UTC" in data["Generated"]:
+ scan_date = datetime.datetime.strptime(
+ data["Generated"].split(" ")[0], "%d/%m/%Y",
+ ).date()
+ else:
+ scan_date = datetime.datetime.strptime(
+ data["Generated"], "%d/%m/%Y %H:%M %p",
+ ).date()
+ except ValueError:
+ try:
+ scan_date = date_parser.parse(data["Generated"])
+ except date_parser.ParserError:
+ scan_date = None
 for item in data["Vulnerabilities"]:
 title = item["Name"]
diff --git a/unittests/scans/netsparker/issue_11020.json b/unittests/scans/netsparker/issue_11020.json
new file mode 100644
index 0000000000..1c54c7a995
--- /dev/null
+++ b/unittests/scans/netsparker/issue_11020.json
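Review bot: The fallback assigns `scan_date = date_parser.parse(data["Generated"])`, a datetime, while both strptime branches end in `.date()`, so scan_date changes type depending on which path parsed the string; `scan_date = date_parser.parse(data["Generated"]).date()` keeps the contract uniform. The explicit formats are day-first (`%d/%m/%Y`) but dateutil's default is month-first, so an ambiguous slash date that falls through (for instance because of an unexpected suffix) is read with day and month swapped; this deserves a comment at the except, because I believe dayfirst=True is not a drop-in fix — it also changes how year-first strings like the fixture's `2024-10-08` are resolved. dateutil can additionally raise OverflowError for out-of-range components, which the inner except does not cover. get_findings continues outside the hunk.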
@@ -0,0 +1,227 @@ +{ + "Generated": "2024-10-08 02:33 PM", + "Target": { + "Duration": "00:00:38.3663144", + "Initiated": "2024-10-08 12:33 PM", + "ScanId": "93d4edbae56145ef001ab203020d164c", + "Url": "http://php.testsparker.com/auth/login.php" + }, + "Vulnerabilities": [ + { + "Certainty": 90, + "Classification": { + "Iso27001": "A.18.1.3", + "Capec": "170", + "Cvss": null, + "Cvss31": null, + "Cvss40": null, + "Cwe": "205", + "Hipaa": "164.306(a), 164.308(a)", + "Owasp": "A5", + "OwaspProactiveControls": "", + "Pci32": "", + "Wasc": "13", + "Asvs40": "14.3.3", + "Nistsp80053": "AC-22", + "DisaStig": "V-16814", + "OwaspApiTop10": "API7", + "OwaspTopTen2021": "A05", + "OwaspTopTen2023": "API8", + "PciDss40": "" + }, + "Confirmed": false, + "Description": "

Invicti Enterprise identified a version disclosure (PHP) in the target web server's HTTP response.

\n

This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

", + "ExploitationSkills": "", + "ExternalReferences": "", + "ExtraInformation": [ + { + "Name": "Extracted Version", + "Value": "5.2.6" + } + ], + "FirstSeenDate": "2024-07-23 05:32 PM", + "HttpRequest": { + "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nCookie: PHPSESSID=e6ab62571859a3d766d49945296f081d\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.140 Safari/537.36\r\n\r\n", + "Method": "GET", + "Parameters": [] + }, + "HttpResponse": { + "Content": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3058\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nKeep-Alive: timeout=5, max=150\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nDate: Tue, 08 Oct 2024 09:37:09 GMT\r\nCache-Control: no-store, must-revalidate, no-cache, post-check=0, pre-check=0\r\n\r\n\n\n\n\n\n\n\nInvicti Test Web Site - PHP\n\n\n
\n \n\t
\n\t\t\n\t
\n\t\n\t
\n\n\t
\n\t\t
\n\t
\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t

Login Area

\n\t\t\t\t\t

\n Enter your credentials (admin / admin123456)\n
\n

\n Username: \n
\n Password:  \n\n\n
\n\t \n
\n \n
\n

\n\n\t\t\t\t
 
\n\t\t\t\t
\n\n\n\t\t\t\t
\n\t\t\t
\n\t\t
 
\n\t\t
\n\t\t\n\t \n\t
\n\t\t\t
    \n\t\t\t\t
  • \n\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\n\t\t\t\t\t
    \n\t\t\t\t\t
     
    \n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Tags

    \n\t\t\t\t\t

    netsparker xss web-application-security false-positive-free automated-exploitation sql-injection local/remote-file-inclusion

    \n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Inner Pages

    \n\t\t\t\t\t\n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Links

    \n\t\t\t\t\t\n\t\t\t\t
  • \n\t\t\t\t
  • \n\n\t\t\t
\n\t\t
\t\t\n\t\t
 
\n\t
\n\t
\n\t
\n\t\n
\nv\n
\n\t\t

Copyright (c) 2010 testsparker.com. All rights reserved. Design by Free CSS Templates.

\n\t
\t\n\n\n", + "Duration": 458.7166, + "StatusCode": 200 + }, + "LookupId": "bfc0a79b-e3dc-45af-0195-b1a1030bc008", + "Impact": "
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
", + "KnownVulnerabilities": [], + "LastSeenDate": "2024-10-08 12:37 PM", + "Name": "Version Disclosure (PHP)", + "ProofOfConcept": "", + "RemedialActions": "", + "RemedialProcedure": "
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
", + "RemedyReferences": "", + "Severity": "Low", + "State": "Present, Scanning", + "Type": "PhpVersionDisclosure", + "Url": "http://php.testsparker.com/auth/login.php", + "Tags": [] + }, + { + "Certainty": 90, + "Classification": { + "Iso27001": "A.14.1.2", + "Capec": "310", + "Cvss": null, + "Cvss31": null, + "Cvss40": null, + "Cwe": "1035, 937", + "Hipaa": "164.308(a)(1)(i)", + "Owasp": "A9", + "OwaspProactiveControls": "C1", + "Pci32": "6.2", + "Wasc": "", + "Asvs40": "1.14.3", + "Nistsp80053": "CM-6", + "DisaStig": "V-16836", + "OwaspApiTop10": "", + "OwaspTopTen2021": "A06", + "OwaspTopTen2023": "API8", + "PciDss40": "6.3.3" + }, + "Confirmed": false, + "Description": "

Invicti Enterprise identified you are using an out-of-date version of Apache.

", + "ExploitationSkills": "", + "ExternalReferences": "", + "ExtraInformation": [ + { + "Name": "Identified Version", + "Value": "2.2.8" + }, + { + "Name": "Latest Version", + "Value": "2.2.34 (in this branch)" + }, + { + "Name": "Overall Latest Version", + "Value": "2.4.62" + }, + { + "Name": "Branch Status", + "Value": "This branch has stopped receiving updates since 7/11/2017." + }, + { + "Name": "Vulnerability Database", + "Value": "Result is based on 10/01/2024 18:00:00 vulnerability database content." + } + ], + "FirstSeenDate": "2024-07-23 05:32 PM", + "HttpRequest": { + "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nCookie: PHPSESSID=e6ab62571859a3d766d49945296f081d\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.140 Safari/537.36\r\n\r\n", + "Method": "GET", + "Parameters": [] + }, + "HttpResponse": { + "Content": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3058\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nKeep-Alive: timeout=5, max=150\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nDate: Tue, 08 Oct 2024 09:37:09 GMT\r\nCache-Control: no-store, must-revalidate, no-cache, post-check=0, pre-check=0\r\n\r\n\n\n\n\n\n\n\nInvicti Test Web Site - PHP\n\n\n
\n \n\t
\n\t\t\n\t
\n\t\n\t
\n\n\t
\n\t\t
\n\t
\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t

Login Area

\n\t\t\t\t\t

\n Enter your credentials (admin / admin123456)\n
\n

\n Username: \n
\n Password:  \n\n\n
\n\t \n
\n \n
\n

\n\n\t\t\t\t
 
\n\t\t\t\t
\n\n\n\t\t\t\t
\n\t\t\t
\n\t\t
 
\n\t\t
\n\t\t\n\t \n\t
\n\t\t\t
    \n\t\t\t\t
  • \n\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\n\t\t\t\t\t
    \n\t\t\t\t\t
     
    \n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Tags

    \n\t\t\t\t\t

    netsparker xss web-application-security false-positive-free automated-exploitation sql-injection local/remote-file-inclusion

    \n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Inner Pages

    \n\t\t\t\t\t\n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Links

    \n\t\t\t\t\t\n\t\t\t\t
  • \n\t\t\t\t
  • \n\n\t\t\t
\n\t\t
\t\t\n\t\t
 
\n\t
\n\t
\n\t
\n\t\n
\nv\n
\n\t\t

Copyright (c) 2010 testsparker.com. All rights reserved. Design by Free CSS Templates.

\n\t
\t\n\n\n", + "Duration": 458.7166, + "StatusCode": 200 + }, + "LookupId": "e3f86681-1ae6-49e8-0186-b1a1030bbbb1", + "Impact": "
Since this is an old version of the software, it may be vulnerable to attacks.
", + "KnownVulnerabilities": [ + { + "Severity": "Critical", + "Title": "Apache HTTP Server Out-of-bounds Read Vulnerability" + } + ], + "LastSeenDate": "2024-10-08 12:37 PM", + "Name": "Out-of-date Version (Apache)", + "ProofOfConcept": "", + "RemedialActions": "", + "RemedialProcedure": "
\n

Please upgrade your installation of Apache to the latest stable version.

\n
", + "RemedyReferences": "", + "Severity": "Critical", + "State": "Present, Scanning", + "Type": "ApacheOutOfDate", + "Url": "http://php.testsparker.com/auth/login.php", + "Tags": [] + }, + { + "Certainty": 90, + "Classification": { + "Iso27001": "A.14.1.2", + "Capec": "310", + "Cvss": null, + "Cvss31": null, + "Cvss40": null, + "Cwe": "1035, 937", + "Hipaa": "164.308(a)(1)(i)", + "Owasp": "A9", + "OwaspProactiveControls": "C1", + "Pci32": "6.2", + "Wasc": "", + "Asvs40": "1.14.3", + "Nistsp80053": "CM-6", + "DisaStig": "V-16836", + "OwaspApiTop10": "", + "OwaspTopTen2021": "A06", + "OwaspTopTen2023": "API8", + "PciDss40": "6.3.3" + }, + "Confirmed": false, + "Description": "

Invicti Enterprise identified you are using an out-of-date version of PHP.

", + "ExploitationSkills": "", + "ExternalReferences": "", + "ExtraInformation": [ + { + "Name": "Identified Version", + "Value": "5.2.6" + }, + { + "Name": "Latest Version", + "Value": "5.2.17 (in this branch)" + }, + { + "Name": "Overall Latest Version", + "Value": "8.3.12" + }, + { + "Name": "Branch Status", + "Value": "This branch has stopped receiving updates since 1/6/2011." + }, + { + "Name": "Vulnerability Database", + "Value": "Result is based on 10/01/2024 18:00:00 vulnerability database content." + } + ], + "FirstSeenDate": "2024-07-23 05:32 PM", + "HttpRequest": { + "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nCookie: PHPSESSID=e6ab62571859a3d766d49945296f081d\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.140 Safari/537.36\r\n\r\n", + "Method": "GET", + "Parameters": [] + }, + "HttpResponse": { + "Content": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3058\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nKeep-Alive: timeout=5, max=150\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nDate: Tue, 08 Oct 2024 09:37:09 GMT\r\nCache-Control: no-store, must-revalidate, no-cache, post-check=0, pre-check=0\r\n\r\n\n\n\n\n\n\n\nInvicti Test Web Site - PHP\n\n\n
\n \n\t
\n\t\t\n\t
\n\t\n\t
\n\n\t
\n\t\t
\n\t
\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t

Login Area

\n\t\t\t\t\t

\n Enter your credentials (admin / admin123456)\n
\n

\n Username: \n
\n Password:  \n\n\n
\n\t \n
\n \n
\n

\n\n\t\t\t\t
 
\n\t\t\t\t
\n\n\n\t\t\t\t
\n\t\t\t
\n\t\t
 
\n\t\t
\n\t\t\n\t \n\t
\n\t\t\t
    \n\t\t\t\t
  • \n\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\n\t\t\t\t\t
    \n\t\t\t\t\t
     
    \n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Tags

    \n\t\t\t\t\t

    netsparker xss web-application-security false-positive-free automated-exploitation sql-injection local/remote-file-inclusion

    \n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Inner Pages

    \n\t\t\t\t\t\n\t\t\t\t
  • \n\t\t\t\t
  • \n\t\t\t\t\t

    Links

    \n\t\t\t\t\t\n\t\t\t\t
  • \n\t\t\t\t
  • \n\n\t\t\t
\n\t\t
\t\t\n\t\t
 
\n\t
\n\t
\n\t
\n\t\n
\nv\n
\n\t\t

Copyright (c) 2010 testsparker.com. All rights reserved. Design by Free CSS Templates.

\n\t
\t\n\n\n", + "Duration": 458.7166, + "StatusCode": 200 + }, + "LookupId": "c609abb8-f7c6-4646-0190-b1a1030bbeb1", + "Impact": "
Since this is an old version of the software, it may be vulnerable to attacks.
", + "KnownVulnerabilities": [ + { + "Severity": "Critical", + "Title": "PHP Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability" + } + ], + "LastSeenDate": "2024-10-08 12:37 PM", + "Name": "Out-of-date Version (PHP)", + "ProofOfConcept": "", + "RemedialActions": "", + "RemedialProcedure": "
Please upgrade your installation of PHP to the latest stable version.
", + "RemedyReferences": "", + "Severity": "Critical", + "State": "Present, Scanning", + "Type": "PhpOutOfDate", + "Url": "http://php.testsparker.com/auth/login.php", + "Tags": [] + } + ] +} \ No newline at end of file diff --git a/unittests/tools/test_netsparker_parser.py b/unittests/tools/test_netsparker_parser.py index 55e396205a..8537686b97 100644 --- a/unittests/tools/test_netsparker_parser.py +++ b/unittests/tools/test_netsparker_parser.py @@ -96,3 +96,17 @@ def test_parse_file_issue_10311(self): self.assertEqual("High", finding.severity) self.assertEqual(614, finding.cwe) self.assertEqual("03/02/2019", finding.date.strftime("%d/%m/%Y")) + + def test_parse_file_issue_11020(self): + with open("unittests/scans/netsparker/issue_11020.json", encoding="utf-8") as testfile: + parser = NetsparkerParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(3, len(findings)) + for finding in findings: + for endpoint in finding.unsaved_endpoints: + endpoint.clean() + with self.subTest(i=0): + finding = findings[0] + self.assertEqual("Low", finding.severity) + self.assertEqual(205, finding.cwe) + self.assertEqual("08/10/2024", finding.date.strftime("%d/%m/%Y")) From 58aa6baf961571e5e5d44670a0da1114cdbbc16c Mon Sep 17 00:00:00 2001 
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:03:33 -0500 Subject: [PATCH 63/78] Jira: Add toggle to disable an existing project (#11046) * Jira: Add toggle to disable an existing project * Add help text * Add filter for API * Add new form element to tests * update fixtures * Update dojo/jira_link/helper.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/api_v2/views.py | 1 + .../0217_jira_project_enabled.py | 18 ++++++++ dojo/fixtures/defect_dojo_sample_data.json | 3 ++ dojo/forms.py | 5 ++- dojo/jira_link/helper.py | 44 +++++++++++++++---- dojo/models.py | 10 ++++- unittests/dojo_test_case.py | 5 +++ unittests/test_jira_config_engagement.py | 6 +++ unittests/test_jira_config_engagement_epic.py | 1 + 9 files changed, 82 insertions(+), 11 deletions(-) create mode 100644 dojo/db_migrations/0217_jira_project_enabled.py diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index 09e7cb734b..52978f3b24 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py @@ -1517,6 +1517,7 @@ class JiraProjectViewSet( "jira_instance", "product", "engagement", + "enabled", "component", "project_key", "push_all_issues", diff --git a/dojo/db_migrations/0217_jira_project_enabled.py b/dojo/db_migrations/0217_jira_project_enabled.py new file mode 100644 index 0000000000..6bde35303b --- /dev/null +++ b/dojo/db_migrations/0217_jira_project_enabled.py 
@@ -0,0 +1,18 @@ +# Generated by Django 5.0.8 on 2024-10-10 17:07 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('dojo', '0216_alter_jira_project_push_all_issues'), + ] + + operations = [ + migrations.AddField( + model_name='jira_project', + name='enabled', + field=models.BooleanField(blank=True, default=True, help_text='When disabled, Findings will no longer be pushed to Jira, even if they have already been pushed previously.', verbose_name='Enable Connection With Jira Project'), + ), + ] diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json index d9a51e13e2..2d0ece6cb1 100644 --- a/dojo/fixtures/defect_dojo_sample_data.json +++ b/dojo/fixtures/defect_dojo_sample_data.json @@ -35210,6 +35210,7 @@ "engagement": null, "component": "", "push_all_issues": false, + "enabled": true, "enable_engagement_epic_mapping": true, "push_notes": false, "product_jira_sla_notification": false, @@ -35227,6 +35228,7 @@ "engagement": null, "component": "", "push_all_issues": true, + "enabled": true, "enable_engagement_epic_mapping": true, "push_notes": true, "product_jira_sla_notification": false, @@ -35244,6 +35246,7 @@ "engagement": null, "component": "", "push_all_issues": false, + "enabled": true, "enable_engagement_epic_mapping": false, "push_notes": false, "product_jira_sla_notification": false, diff --git a/dojo/forms.py b/dojo/forms.py index 9869af6270..6fe83668d1 100644 --- a/dojo/forms.py +++ b/dojo/forms.py 
@@ -2859,7 +2859,7 @@ class JIRAProjectForm(forms.ModelForm): class Meta: model = JIRA_Project exclude = ["product", "engagement"] - fields = ["inherit_from_product", "jira_instance", "project_key", "issue_template_dir", "epic_issue_type_name", "component", "custom_fields", "jira_labels", "default_assignee", "add_vulnerability_id_to_jira_label", "push_all_issues", "enable_engagement_epic_mapping", "push_notes", "product_jira_sla_notification", "risk_acceptance_expiration_notification"] + fields = ["inherit_from_product", "jira_instance", "project_key", "issue_template_dir", "epic_issue_type_name", "component", "custom_fields", "jira_labels", "default_assignee", "enabled", "add_vulnerability_id_to_jira_label", "push_all_issues", "enable_engagement_epic_mapping", "push_notes", "product_jira_sla_notification", "risk_acceptance_expiration_notification"] def __init__(self, *args, **kwargs): from dojo.jira_link import helper as jira_helper @@ -2897,6 +2897,7 @@ def __init__(self, *args, **kwargs): self.fields["custom_fields"].disabled = False self.fields["default_assignee"].disabled = False self.fields["jira_labels"].disabled = False + self.fields["enabled"].disabled = False self.fields["add_vulnerability_id_to_jira_label"].disabled = False self.fields["push_all_issues"].disabled = False self.fields["enable_engagement_epic_mapping"].disabled = False @@ -2921,6 +2922,7 @@ def __init__(self, *args, **kwargs): self.initial["custom_fields"] = jira_project_product.custom_fields self.initial["default_assignee"] = jira_project_product.default_assignee self.initial["jira_labels"] = jira_project_product.jira_labels + self.initial["enabled"] = jira_project_product.enabled self.initial["add_vulnerability_id_to_jira_label"] = jira_project_product.add_vulnerability_id_to_jira_label self.initial["push_all_issues"] = jira_project_product.push_all_issues self.initial["enable_engagement_epic_mapping"] = jira_project_product.enable_engagement_epic_mapping 
@@ -2936,6 +2938,7 @@ def __init__(self, *args, **kwargs):
 self.fields["custom_fields"].disabled = True
 self.fields["default_assignee"].disabled = True
 self.fields["jira_labels"].disabled = True
+ self.fields["enabled"].disabled = True
 self.fields["add_vulnerability_id_to_jira_label"].disabled = True
 self.fields["push_all_issues"].disabled = True
 self.fields["enable_engagement_epic_mapping"].disabled = True
diff --git a/dojo/jira_link/helper.py b/dojo/jira_link/helper.py
index c05f880826..fb0eab686e 100644
--- a/dojo/jira_link/helper.py
+++ b/dojo/jira_link/helper.py
@@ -71,11 +71,12 @@ def is_jira_configured_and_enabled(obj):
 if not is_jira_enabled():
 return False
- if get_jira_project(obj) is None:
+ jira_project = get_jira_project(obj)
+ if jira_project is None:
 logger.debug('JIRA project not found for: "%s" not doing anything', obj)
 return False
- return True
+ return jira_project.enabled
 def is_push_to_jira(instance, push_to_jira_parameter=None):
@@ -88,6 +89,10 @@ def is_push_to_jira(instance, push_to_jira_parameter=None):
 if push_to_jira_parameter is not None:
 return push_to_jira_parameter
+ # Check to see if jira project is disabled to prevent pushing findings
+ if not jira_project.enabled:
+ return False
+
 # push_to_jira was not specified, so look at push_all_issues in JIRA_Project
 return jira_project.push_all_issues
@@ -96,8 +101,10 @@ def is_push_all_issues(instance):
 if not is_jira_configured_and_enabled(instance):
 return False
- jira_project = get_jira_project(instance)
- if jira_project:
+ if jira_project := get_jira_project(instance):
+ # Check to see if jira project is disabled to prevent pushing findings
+ if not jira_project.enabled:
+ return None
 return jira_project.push_all_issues
 return None
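Review bot: A disabled project now makes is_jira_configured_and_enabled return False without any trace, whereas the not-found case two lines above logs at debug, so an operator wondering why pushes stopped has nothing to find in the logs. Guarding the final return with `if not jira_project.enabled:` / `logger.debug('JIRA project "%s" is disabled, not doing anything', jira_project)` / `return False` keeps the two silent paths symmetric and leaves `return jira_project.enabled` as the True case.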
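Review bot: The new `if not jira_project.enabled: return False` in is_push_to_jira sits after `return push_to_jira_parameter`, so an explicit push_to_jira=True from a caller skips the disabled check entirely; moving the check above the parameter test makes the toggle authoritative. If the lines above the hunk (outside view) already gate on is_jira_configured_and_enabled(), which this commit changes to return jira_project.enabled, the check is instead unreachable and should be replaced by a comment saying where the gate lives. Either way the present placement does not do what its comment says. is_push_to_jira's opening lines are outside the hunk.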
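Review bot: The added `if not jira_project.enabled: return None` in is_push_all_issues looks unreachable: the function's first statement, visible in the hunk, returns False when is_jira_configured_and_enabled(instance) is false, and this same commit changes that helper to return jira_project.enabled for the project resolved from the same instance, so a disabled project never reaches the walrus branch. Either drop the inner check or replace it with `# disabled projects are already rejected by is_jira_configured_and_enabled above`. It also answers None where the outer gate answers False, so callers would see two different falsy values for one condition if it were reachable.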
@@ -108,9 +115,13 @@ def is_push_all_issues(instance):
 # returns True/False, error_message, error_code
 def can_be_pushed_to_jira(obj, form=None):
 # logger.debug('can be pushed to JIRA: %s', finding_or_form)
- if not get_jira_project(obj):
+ jira_project = get_jira_project(obj)
+ if not jira_project:
 return False, f"{to_str_typed(obj)} cannot be pushed to jira as there is no jira project configuration for this product.", "error_no_jira_project"
+ if not jira_project.enabled:
+ return False, f"{to_str_typed(obj)} cannot be pushed to jira as the jira project is not enabled.", "error_no_jira_project"
+
 if not hasattr(obj, "has_jira_issue"):
 return False, f"{to_str_typed(obj)} cannot be pushed to jira as there is no jira_issue attribute.", "error_no_jira_issue_attribute"
@@ -1389,6 +1400,13 @@ def add_comment(obj, note, force_push=False, **kwargs):
 def add_simple_jira_comment(jira_instance, jira_issue, comment):
 try:
+ jira_project = get_jira_project(jira_issue)
+
+ # Check to see if jira project is disabled to prevent pushing findings
+ if not jira_project.enabled:
+ log_jira_generic_alert("JIRA Project is disabled", "Push to JIRA for Epic skipped because JIRA Project is disabled")
+ return False
+
 jira = get_jira_connection(jira_instance)
 jira.add_comment(
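Review bot: The disabled branch in can_be_pushed_to_jira returns the same error code, `"error_no_jira_project"`, as the not-configured branch directly above it, so a caller switching on the third return value cannot tell a deliberately disabled project from a missing one and the message text becomes the only differentiator. A distinct code (constructed example: `"error_jira_project_disabled"`) keeps the code meaningful, which is what the comment `# returns True/False, error_message, error_code` suggests it is for. can_be_pushed_to_jira continues outside the hunk.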
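Review bot: In add_simple_jira_comment, `jira_project = get_jira_project(jira_issue)` is dereferenced as `jira_project.enabled` with no None guard, unlike the other call sites in this commit that test the result first; an issue whose project cannot be resolved raises AttributeError inside the try, and whether the except (outside the hunk) masks that as a JIRA failure depends on what it catches. Add `if jira_project is None:` handling before the enabled test rather than letting the attribute error fall through. The alert text `"Push to JIRA for Epic skipped because JIRA Project is disabled"` is also misleading for a helper that, by its name and signature, posts a generic comment; name the comment rather than an epic. add_simple_jira_comment continues outside the hunk.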
@@ -1403,9 +1421,13 @@ def add_simple_jira_comment(jira_instance, jira_issue, comment):
 def finding_link_jira(request, finding, new_jira_issue_key):
 logger.debug("linking existing jira issue %s for finding %i", new_jira_issue_key, finding.id)
- existing_jira_issue = jira_get_issue(get_jira_project(finding), new_jira_issue_key)
-
 jira_project = get_jira_project(finding)
+ existing_jira_issue = jira_get_issue(jira_project, new_jira_issue_key)
+
+ # Check to see if jira project is disabled to prevent pushing findings
+ if not jira_project.enabled:
+ add_error_message_to_response("Push to JIRA for finding skipped because JIRA Project is disabled")
+ return False
 if not existing_jira_issue:
 raise ValueError("JIRA issue not found or cannot be retrieved: " + new_jira_issue_key)
@@ -1433,9 +1455,13 @@ def finding_link_jira(request, finding, new_jira_issue_key):
 def finding_group_link_jira(request, finding_group, new_jira_issue_key):
 logger.debug("linking existing jira issue %s for finding group %i", new_jira_issue_key, finding_group.id)
- existing_jira_issue = jira_get_issue(get_jira_project(finding_group), new_jira_issue_key)
-
 jira_project = get_jira_project(finding_group)
+ existing_jira_issue = jira_get_issue(jira_project, new_jira_issue_key)
+
+ # Check to see if jira project is disabled to prevent pushing findings
+ if not jira_project.enabled:
+ add_error_message_to_response("Push to JIRA for group skipped because JIRA Project is disabled")
+ return False
 if not existing_jira_issue:
 raise ValueError("JIRA issue not found or cannot be retrieved: " + new_jira_issue_key)
diff --git a/dojo/models.py b/dojo/models.py
index b34691b710..a5bbe7c01f 100644
--- a/dojo/models.py
+++ b/dojo/models.py
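Review bot: In finding_link_jira the enabled check comes after `existing_jira_issue = jira_get_issue(jira_project, new_jira_issue_key)`, so a disabled project still incurs the remote JIRA lookup before the function declines to link; moving the `if not jira_project.enabled:` block above the jira_get_issue call avoids that round trip. finding_group_link_jira in the next hunk has the same order. Both also dereference `jira_project.enabled` without a None guard, whereas the removed code passed get_jira_project(...) straight into jira_get_issue; if jira_get_issue tolerated None before, these paths now raise AttributeError instead. Both functions continue outside their hunks.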
@@ -3919,9 +3919,17 @@ class JIRA_Project(models.Model): push_notes = models.BooleanField(default=False, blank=True) product_jira_sla_notification = models.BooleanField(default=False, blank=True, verbose_name=_("Send SLA notifications as comment?")) risk_acceptance_expiration_notification = models.BooleanField(default=False, blank=True, verbose_name=_("Send Risk Acceptance expiration notifications as comment?")) + enabled = models.BooleanField( + verbose_name=_("Enable Connection With Jira Project"), + help_text=_("When disabled, Findings will no longer be pushed to Jira, even if they have already been pushed previously."), + default=True, + blank=True) def __str__(self): - return ("%s: " + self.project_key + "(%s)") % (str(self.id), str(self.jira_instance.url) if self.jira_instance else "None") + value = f"{self.id}: {self.project_key} ({self.jira_instance.url if self.jira_instance else 'None'})" + if not self.enabled: + value += " - Not Connected" + return value def clean(self): if not self.jira_instance: diff --git a/unittests/dojo_test_case.py b/unittests/dojo_test_case.py index f72918cf93..39d65e113b 100644 --- a/unittests/dojo_test_case.py +++ b/unittests/dojo_test_case.py @@ -173,6 +173,7 @@ def get_new_product_with_jira_project_data(self): "jira-project-form-jira_instance": 2, "jira-project-form-enable_engagement_epic_mapping": "on", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-push_notes": "on", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-custom_fields": "null", @@ -188,6 +189,7 @@ def get_new_product_without_jira_project_data(self): "sla_configuration": 1, # A value is set by default by the model, so we need to add it here as well "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", # 'project_key': 'IFFF', # 'jira_instance': 2, # 'enable_engagement_epic_mapping': 'on', 
@@ -204,6 +206,7 @@ def get_product_with_jira_project_data(self, product): "jira-project-form-jira_instance": 2, "jira-project-form-enable_engagement_epic_mapping": "on", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-push_notes": "on", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-custom_fields": "null", @@ -220,6 +223,7 @@ def get_product_with_jira_project_data2(self, product): "jira-project-form-jira_instance": 2, "jira-project-form-enable_engagement_epic_mapping": "on", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-push_notes": "on", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-custom_fields": "null", @@ -235,6 +239,7 @@ def get_product_with_empty_jira_project_data(self, product): "sla_configuration": 1, # A value is set by default by the model, so we need to add it here as well "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-custom_fields": "null", # 'project_key': 'IFFF', # 'jira_instance': 2, diff --git a/unittests/test_jira_config_engagement.py b/unittests/test_jira_config_engagement.py index 6db30e089a..59adb4f319 100644 --- a/unittests/test_jira_config_engagement.py +++ b/unittests/test_jira_config_engagement.py @@ -30,6 +30,7 @@ def get_new_engagement_with_jira_project_data(self): "jira-project-form-jira_instance": 2, "jira-project-form-project_key": "IUNSEC", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-custom_fields": "null", } 
@@ -47,6 +48,7 @@ def get_new_engagement_with_jira_project_data_and_epic_mapping(self): "jira-project-form-jira_instance": 2, "jira-project-form-project_key": "IUNSEC", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-enable_engagement_epic_mapping": "on", "jira-epic-form-push_to_jira": "on", @@ -65,6 +67,7 @@ def get_new_engagement_without_jira_project_data(self): "jira-project-form-inherit_from_product": "on", # A value is set by default by the model, so we need to add it here as well "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", # 'project_key': 'IFFF', # 'jira_instance': 2, # 'enable_engagement_epic_mapping': 'on', @@ -85,6 +88,7 @@ def get_engagement_with_jira_project_data(self, engagement): "jira-project-form-jira_instance": 2, "jira-project-form-project_key": "ISEC", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-custom_fields": "null", } @@ -102,6 +106,7 @@ def get_engagement_with_jira_project_data2(self, engagement): "jira-project-form-jira_instance": 2, "jira-project-form-project_key": "ISEC2", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-custom_fields": "null", } @@ -118,6 +123,7 @@ def get_engagement_with_empty_jira_project_data(self, engagement): "jira-project-form-inherit_from_product": "on", # A value is set by default by the model, so we need to add it here as well "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", # 'project_key': 'IFFF', # 'jira_instance': 2, # 'enable_engagement_epic_mapping': 'on', 
diff --git a/unittests/test_jira_config_engagement_epic.py b/unittests/test_jira_config_engagement_epic.py index 75c241fab6..7b6b753416 100644 --- a/unittests/test_jira_config_engagement_epic.py +++ b/unittests/test_jira_config_engagement_epic.py @@ -58,6 +58,7 @@ def get_new_engagement_with_jira_project_data_and_epic_mapping(self): "jira-project-form-jira_instance": 2, "jira-project-form-project_key": "NTEST", "jira-project-form-epic_issue_type_name": "Epic", + "jira-project-form-enabled": "True", "jira-project-form-product_jira_sla_notification": "on", "jira-project-form-enable_engagement_epic_mapping": "on", "jira-epic-form-push_to_jira": "on", From f345a4e9907bbd39c863389b9e8564d338202fce Mon Sep 17 00:00:00 2001 From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:03:58 -0500 Subject: [PATCH 64/78] Fix for Findings count in Dashboard based on wrong date (#11040) * use correct date for finding last 7 days * actual date_range --- dojo/home/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/home/views.py b/dojo/home/views.py index 2c4d16fade..3c485eb1e9 100644 --- a/dojo/home/views.py +++ b/dojo/home/views.py @@ -33,7 +33,7 @@ def dashboard(request: HttpRequest) -> HttpResponse: date_range = [today - timedelta(days=6), today] # 7 days (6 days plus today) finding_count = findings\ - .filter(created__date__range=date_range)\ + .filter(date__range=date_range)\ .count() mitigated_count = findings\ .filter(mitigated__date__range=date_range)\ From b58ff497e329a91909716e59c34ffb14ed8bc0f8 Mon Sep 17 00:00:00 2001 From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:04:22 -0500 Subject: [PATCH 65/78] fix for issue 11010 (#11042) --- dojo/templates/dojo/view_test.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dojo/templates/dojo/view_test.html b/dojo/templates/dojo/view_test.html index 55bcb4ff8d..a4e0390b91 100644 
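Review bot: The `dashboard` filter now keys on the finding's `date` instead of `created`, so the "last 7 days" count reflects the reported date rather than when the row was inserted; since `date` presumably comes from the scan report or the user and need not be recent, a short comment such as `# count by reported date (Finding.date), not by insertion time` would keep the next reader from reverting it. `mitigated_count` below still uses the datetime-derived `mitigated__date__range`, which stays consistent with the date-based window. `dashboard` starts outside the hunk.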
--- a/dojo/templates/dojo/view_test.html +++ b/dojo/templates/dojo/view_test.html @@ -1080,8 +1080,7 @@

{% endif %} {% if finding.test.engagement.product.enable_full_risk_acceptance %}
  • - + {% trans "Add Risk Acceptance..." %}
  • From 409896ceced66ce4edaf6c85cd4d4e6d97c2984d Mon Sep 17 00:00:00 2001 From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:05:41 -0500 Subject: [PATCH 66/78] remove mods, add Jannik to Hall of Fame (#11043) --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 6cb9098145..17d7bedfb3 100644 --- a/README.md +++ b/README.md @@ -132,15 +132,14 @@ Core Moderators can help you with pull requests or feedback on dev ideas: * Cody Maffucci ([@Maffooch](https://github.com/maffooch) | [LinkedIn](https://www.linkedin.com/in/cody-maffucci)) Moderators can help you with pull requests or feedback on dev ideas: -* Damien Carol ([@damiencarol](https://github.com/damiencarol) | [LinkedIn](https://www.linkedin.com/in/damien-carol/)) -* Jannik Jürgens ([@alles-klar](https://github.com/alles-klar)) -* Dubravko Sever ([@dsever](https://github.com/dsever)) * Charles Neill ([@cneill](https://github.com/cneill) | [@ccneill](https://twitter.com/ccneill)) * Jay Paz ([@jjpaz](https://twitter.com/jjpaz)) * Blake Owens ([@blakeaowens](https://github.com/blakeaowens)) ## Hall of Fame - +* Jannik Jürgens ([@alles-klar](https://github.com/alles-klar)) - Jannik was a long time contributor and moderator for + DefectDojo and made significant contributions to many areas of the platform. Jannik was instrumental in pioneering + and optimizing deployment methods. * Valentijn Scholten ([@valentijnscholten](https://github.com/valentijnscholten) | [Sponsor](https://github.com/sponsors/valentijnscholten) | [LinkedIn](https://www.linkedin.com/in/valentijn-scholten/)) - Valentijn served as a core moderator for 3 years. From ac6e327d7fc4dba78adfc616065c22cbea316340 Mon Sep 17 00:00:00 2001 
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Fri, 11 Oct 2024 08:07:19 -0700 Subject: [PATCH 67/78] Mend SCA imports contain locations which are similar to filePaths for SAST scans (#11001) * add impact add impact since it is unused * Update test_asff_parser.py * Update parser.py * Update parser.py * Mend SCA imports contain locations which are similar to filePaths for the SAST scans This code will use the 'locations' for SCA scan outputs to do the same thing that's done for SAST 'filePaths'. Since a Finding report will either be from SAST or SCA, it is unlikely that a collision will happen, since those findings are inherently different from Mend. Since the filepaths is already being joined for the SAST implementation, if it is indeed SCA results instead, the same thing will happen except now with the appropriate locations of the library and vulnerability. Note: this is not from Mend Platform or the CLI Agent output, but rather the Mend SCA portal. There is a new Platform API that combines both SAST and SCA vulnerabilities, so a new parser at some point for that would be good, and then it's possible to rename this to 'Legacy' for the Mend parser, since the 'Platform' should be the new. * Update parser.py * adding unit test for mend_sca_vulns from Mend SCA portal Mend has gone through some updates. Historically they've been SAST and then SCA, with their own separate portals. They are joining to a Mend Platform that contains both SAST+SCA+other vulnerabilities. This parser originally looks like it was based on Mend SAST, but I have been using it for SCA also since the vulnerabilities.json output files were similarly structured. This parser change hopes to update this to extract the location and path from an SCA.json and provide that as the file path. SAST calls this in a different way than SCA, which is why I think file path can be reused for both - depending on the file context found. I hope this code reflects that goal. 
To note: this was not a CLI or Unified Agent generated output file, but rather from downloading the Mend SCA portal API vulnerability data and uploading the returned vuln.json files using this parser. There may be a need in the future to add a parser that can correctly accept the updated format from the Mend Portal which contains combined vulnerability data sets, and the API response .json is different, so the parser does not work for the new Mend Platform returned .json, as experienced. * Update test_mend_parser.py --- dojo/tools/mend/parser.py | 18 ++++++++ unittests/scans/mend/mend_sca_vuln.json | 56 +++++++++++++++++++++++++ unittests/tools/test_mend_parser.py | 8 ++++ 3 files changed, 82 insertions(+) create mode 100644 unittests/scans/mend/mend_sca_vuln.json diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 75ed871a6a..6bcc96f750 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -102,6 +102,24 @@ def _build_common_output(node, lib_name=None): "Error handling local paths for vulnerability.", ) + locations = [] + if "locations" in node: + try: + locations_node = node.get("locations", []) + for location in locations_node: + path = location.get("path") + if path is not None: + locations.append(path) + except Exception: + logger.exception( + "Error handling local paths for vulnerability.", + ) + + if locations: + filepaths = locations + else: + filepaths = filepaths + new_finding = Finding( title=title, test=test, diff --git a/unittests/scans/mend/mend_sca_vuln.json b/unittests/scans/mend/mend_sca_vuln.json new file mode 100644 index 0000000000..6af95cb315 --- /dev/null +++ b/unittests/scans/mend/mend_sca_vuln.json 
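Review bot: `filepaths = filepaths` in the new `else` branch is a no-op, so the four-line `if/else` should shrink to `if locations: filepaths = locations`. The new `except Exception` reuses the message of the `filePaths` block just above it (`"Error handling local paths for vulnerability."`), which makes a failure in the SCA branch indistinguishable in the logs; use something like `"Error handling locations for vulnerability."`. The `if "locations" in node` guard is redundant with `node.get("locations", [])`, and a JSON `"locations": null` would land in the broad except as a TypeError instead of being treated as empty; `for location in node.get("locations") or []:` handles both. `_build_common_output` starts outside the hunk.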
@@ -0,0 +1,56 @@ +{ + "vulnerabilities": [ + { + "name": "WS-2019-0379", + "type": "WS", + "severity": "medium", + "score": "6.5", + "cvss3_severity": "MEDIUM", + "cvss3_score": "6.5", + "publishDate": "2019-05-20", + "lastUpdatedDate": "2020-03-05", + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "description": "Apache commons-codec before version \\u201ccommons-codec-1.13-RC1\\u201d is vulnerable to information disclosure due to Improper Input validation.", + "project": "mend-test-sca-project", + "product": "mend-test-sca-product", + "cvss3Attributes": { + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "userInteraction": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE" + }, + "library": { + "keyUuid": "e4ad5291-19e0-4907-9cf1-5ce5a1746e89", + "filename": "commons-codec-1.6.jar", + "type": "JAVA_ARCHIVE", + "description": "", + "sha1": "b7f0fc8f61ecadeb3695f0b9464755eee44374d4", + "name": "commons-codec-1.6", + "artifactId": "commons-codec-1.6.jar", + "version": "1.6", + "groupId": "commons-codec-1.6", + "architecture": "", + "languageVersion": "" + }, + "topFix": { + "vulnerability": "WS-2019-0379", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113", + "fixResolution": "Upgrade to version commons-codec:commons-codec:1.13", + "date": "2019-05-20 15:39:18", + "message": "Upgrade to version" + }, + "locations": [ + { + "matchType": "Exact Match", + "path": "D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar" + } + ] + } + ] +} \ No newline at end of file diff --git a/unittests/tools/test_mend_parser.py b/unittests/tools/test_mend_parser.py index 393dd4097c..1cd8cc11dd 100644 --- a/unittests/tools/test_mend_parser.py 
+++ b/unittests/tools/test_mend_parser.py @@ -35,3 +35,11 @@ def test_parse_file_with_multiple_vuln_cli_output(self): parser = MendParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(20, len(findings)) + + def test_parse_file_with_one_sca_vuln_finding(self): + with open("unittests/scans/mend/mend_sca_vuln.json", encoding="utf-8") as testfile: + parser = MendParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + finding = list(findings)[0] + self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) From c494b0b5780293db2aadbabe0dc21841d272fdac Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:08:21 +0200 Subject: [PATCH 68/78] :tada: Add USN notices for vulnids (#11002) --- dojo/settings/.settings.dist.py.sha256sum | 2 +- dojo/settings/settings.dist.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index 5f387ae715..c433539b1a 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -7ad5e28c5c96c6a3d40826bf32cea96c131825bd4eca857276b0458e26de36a3 +6cd4cfc4ae1dc8f89a2d28122705df499b12efae6993c60aa205661cffea2220 diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index f60d6d695d..8594ef4a7a 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py 
@@ -1733,6 +1733,7 @@ def saml2_attrib_map_format(dict):
 "RHEA": "https://access.redhat.com/errata/",
 "FEDORA": "https://bodhi.fedoraproject.org/updates/",
 "ALSA": "https://osv.dev/vulnerability/", # e.g. https://osv.dev/vulnerability/ALSA-2024:0827
+ "USN": "https://ubuntu.com/security/notices/", # e.g. https://ubuntu.com/security/notices/USN-6642-1
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
 FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES")
From 6cd1f998c93bfc734af1b1dd34e5e32de4cdcd43 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 20:51:06 -0500 Subject: [PATCH 69/78] Bump boto3 from 1.35.37 to 1.35.38 (#11049) Bumps [boto3](https://github.com/boto/boto3) from 1.35.37 to 1.35.38. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.37...1.35.38) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 7a8f53dbae..ebb62de12c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -69,7 +69,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.3
 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support
-boto3==1.35.37 # Required for Celery Broker AWS (SQS) support
+boto3==1.35.38 # Required for Celery Broker AWS (SQS) support
 netaddr==1.3.0
 vulners==2.2.1
 fontawesomefree==6.6.0
From 0bc4879ad15b8f7235a02f99600ba5a354249fc1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 20:51:23 -0500 Subject: [PATCH 70/78] Bump vulners from 2.2.1 to 2.2.2 (#11050) Bumps vulners from 2.2.1 to 2.2.2. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index ebb62de12c..b1e8b0be6a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -71,6 +71,6 @@ blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support boto3==1.35.38 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 -vulners==2.2.1 +vulners==2.2.2 fontawesomefree==6.6.0 PyYAML==6.0.2 From a0ac0f6586061ec12d4aa09d10682087c08b5a67 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:14:13 -0500 Subject: [PATCH 71/78] Add release notes for Postgres 12 (#11035) * Add release notes for Postgres 12 * Update 2.40.md --- docs/content/en/getting_started/upgrading/2.40.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/en/getting_started/upgrading/2.40.md b/docs/content/en/getting_started/upgrading/2.40.md index 3420f9b835..fd399b3f53 100644 --- a/docs/content/en/getting_started/upgrading/2.40.md +++ b/docs/content/en/getting_started/upgrading/2.40.md 
@@ -2,6 +2,8 @@ title: 'Upgrading to DefectDojo Version 2.40.x' toc_hide: true weight: -20241007 -description: No special instructions. +description: Breaking Change for Postgres 12. --- -There are no special instructions for upgrading to 2.40.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.40.0) for the contents of the release. +With the upgrade to Django 5.1.x, Posgres 12 will no longer be supported. Please make plans to upgrade to a later version of Postrges before upgrading to version 2.40.0 of DefectDojo. To determine which version of Postgres to target, please refer to the [end of life version schedule](https://endoflife.date/postgresql) + +Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.40.0) for the contents of the release. From 728ab1e9c3348d056df180fdbc5da355eb155ea1 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:14:31 +0200 Subject: [PATCH 72/78] add DLA security advisory (#11058) * add DLA security advisory * ruff linter * ruff linter --- dojo/settings/.settings.dist.py.sha256sum | 2 +- dojo/settings/settings.dist.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index c433539b1a..b26b379a22 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -6cd4cfc4ae1dc8f89a2d28122705df499b12efae6993c60aa205661cffea2220 +4d3e91f176b73278750dc2f46d27cd4fe2b47d24682ad06d6267880bbdec599c diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 8594ef4a7a..39e033010d 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py 
@@ -1734,6 +1734,7 @@ def saml2_attrib_map_format(dict): "FEDORA": "https://bodhi.fedoraproject.org/updates/", "ALSA": "https://osv.dev/vulnerability/", # e.g. https://osv.dev/vulnerability/ALSA-2024:0827 "USN": "https://ubuntu.com/security/notices/", # e.g. https://ubuntu.com/security/notices/USN-6642-1 + "DLA": "https://security-tracker.debian.org/tracker/", # e.g. https://security-tracker.debian.org/tracker/DLA-3917-1 } # List of acceptable file types that can be uploaded to a given object via arbitrary file upload FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES") From 985299d2187829e47b5b9405c860dffc47332cf8 Mon Sep 17 00:00:00 2001 From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:16:57 -0500 Subject: [PATCH 73/78] Update support text and buttons (#11051) * update text and icon for Get Support * Change Pro options and Meet the Creators button * re-add text I forgot I removed * add hyphen * Update dojo/templates/dojo/support.html --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --- dojo/templates/base.html | 4 +-- dojo/templates/dojo/support.html | 62 +++++++++++++++++++++++++++----- 2 files changed, 55 insertions(+), 11 deletions(-) diff --git a/dojo/templates/base.html b/dojo/templates/base.html index 9515d68d34..5470baf13b 100644 --- a/dojo/templates/base.html +++ b/dojo/templates/base.html @@ -589,8 +589,8 @@ {% block support-tab %}
  • {% endblock %} diff --git a/dojo/templates/dojo/support.html b/dojo/templates/dojo/support.html index fd0a49a095..45066a551f 100644 --- a/dojo/templates/dojo/support.html +++ b/dojo/templates/dojo/support.html @@ -14,24 +14,68 @@

    Community Support

    What's included:

    Support from the community via OWASP Slack

    -

    Community based discussion

    +

    Community-based discussion

    Join #defectdojo
    -

    Get DefectDojo Pro

    +

    Go Pro!

    What's included:

    -

    Support directly from the creators

    -

    Additional features

    -

    Response time SLA

    -

    Bug fixes

    -

    Feature enhancements

    -

    Best practice advice

    +

    New UI + + +

    +

    Connectors + + +

    +

    Insights + + +

    +

    Data Enrichment + + +

    +

    Universal Importer + + +

    +

    Async Functions + + +

    +

    Support directly from the DefectDojo Team

    +

    Assistance with best practice and implementation

    - Meet The Creators + Go Pro Now
    From ac1048e5d9e33990993b05fef46908519530866c Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:17:11 -0500 Subject: [PATCH 74/78] Parser Tests: add tag to differentiate (#11017) --- unittests/test_parsers.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/unittests/test_parsers.py b/unittests/test_parsers.py index 63edff395c..9e2ac077f1 100644 --- a/unittests/test_parsers.py +++ b/unittests/test_parsers.py @@ -1,11 +1,14 @@ import os from pathlib import Path +from django.test import tag as test_tag + from .dojo_test_case import DojoTestCase, get_unit_tests_path basedir = os.path.join(get_unit_tests_path(), "..") +@test_tag("parser-supplement-tests") class TestParsers(DojoTestCase): def test_file_existence(self): for parser_dir in os.scandir(os.path.join(basedir, "dojo", "tools")): From 0962bd6b622e61c7c594c9ff48cfc3a493e9deea Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 15 Oct 2024 15:29:37 +0000 Subject: [PATCH 75/78] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 06cdce1889..019e424ade 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.40.0-dev", + "version": "2.39.1", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 6bc97e6bbb..fde5a6c98f 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.39.0" +__version__ = "2.39.1" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" 
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 4f2c96ba0f..bd105fc95f 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.40.0-dev" +appVersion: "2.39.1" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.154-dev +version: 1.6.154 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 309a65f187ea41a1b7ce87de2aa934e39ba27ef0 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 15 Oct 2024 16:09:23 +0000 Subject: [PATCH 76/78] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 019e424ade..06cdce1889 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.39.1", + "version": "2.40.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index fde5a6c98f..0dc36e95a1 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.39.1" +__version__ = "2.40.0-dev" __url__ = "https://github.com/DefectDojo/django-DefectDojo" __docs__ = "https://documentation.defectdojo.com" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index bd105fc95f..a0cabd6bb3 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.39.1" +appVersion: "2.40.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.154 +version: 1.6.155-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap 
From ab286179cd9c84e5e60219613205d99459dbe084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 11:36:55 -0500 Subject: [PATCH 77/78] Bump boto3 from 1.35.38 to 1.35.40 (#11071) Bumps [boto3](https://github.com/boto/boto3) from 1.35.38 to 1.35.40. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.38...1.35.40) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 995a5ac894..84d23d99e1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -69,7 +69,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.3 pycurl==7.45.3 # Required for Celery Broker AWS (SQS) support -boto3==1.35.38 # Required for Celery Broker AWS (SQS) support +boto3==1.35.40 # Required for Celery Broker AWS (SQS) support netaddr==1.3.0 vulners==2.2.2 fontawesomefree==6.6.0 From 31cf55d08009bb1877749d51528bcbc73f3171df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 11:38:00 -0500 Subject: [PATCH 78/78] Bump openapitools/openapi-generator-cli from v7.8.0 to v7.9.0 (#11060) Bumps openapitools/openapi-generator-cli from v7.8.0 to v7.9.0. --- updated-dependencies: - dependency-name: openapitools/openapi-generator-cli dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Dockerfile.integration-tests-debian | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile.integration-tests-debian b/Dockerfile.integration-tests-debian
index 3a01815f82..ae890a24c1 100644
--- a/Dockerfile.integration-tests-debian
+++ b/Dockerfile.integration-tests-debian
@@ -1,7 +1,7 @@
 # code: language=Dockerfile
-FROM openapitools/openapi-generator-cli:v7.8.0@sha256:c409bfa9b276faf27726d2884b859d18269bf980cb63546e80b72f3b2648c492 AS openapitools
+FROM openapitools/openapi-generator-cli:v7.9.0@sha256:bb32f5f0c9f5bdbb7b00959e8009de0230aedc200662701f05fc244c36f967ba AS openapitools
 FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS build
 WORKDIR /app
 RUN \