Bugfix -> Dev: 2.35.0 #10322

Merged
merged 11 commits into from
Jun 3, 2024
Conversation

@Maffooch (Contributor) commented Jun 3, 2024

No description provided.

DefectDojo release bot and others added 10 commits May 28, 2024 17:56
….35.0-dev

Release: Merge back 2.34.5 into bugfix from: master-into-bugfix/2.34.5-2.35.0-dev
* fix(docker): Bump versions

* Upgrade "only" to latest 3.11 and latest alpine (3.20)

* Fix typo in "as"
* Sonarqube flow field contains dict

* fix bugs
* RedHatSatellite module_streams field is dict within list

* fix bug
* use helper

* ignore linter line

* two spaces

* fix bulk_create using wrong vulns

* going back to loop with save

* drop the finding helper

* trailing whitespace

* update vuln ids

* update num calls

* parity with PR

* trailing whitespace and breakdown test

* newline eof

* add blank line
* Make social login buttons fully clickable

Fix for #10292

* Change "Github" => "GitHub"

---------

Co-authored-by: Blake Owens <[email protected]>

dryrunsecurity bot commented Jun 3, 2024

Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

| DryRun Security Status | Findings |
|---|---|
| Configured Codepaths Analyzer | 2 findings |
| Sensitive Files Analyzer | 0 findings |
| AppSec Analyzer | 0 findings |
| Authn/Authz Analyzer | 0 findings |
| Secrets Analyzer | 0 findings |

Note: 🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover a wide range of updates and improvements to the DefectDojo application, primarily focused on maintaining security and reliability. The changes include updates to the Docker build process, improvements to the handling of vulnerability IDs and security scan data, enhancements to the user interface and authentication, and various bug fixes and refactoring efforts.

From an application security perspective, the key aspects of these changes are:

  1. Dependency and Base Image Updates: The Dockerfiles have been updated to use the latest stable versions of Python, Node.js, and other dependencies, which helps ensure the application is running on secure and up-to-date components.
  2. Vulnerability ID Management: The changes to the base_importer.py and finding.helper.py modules demonstrate a focus on accurately tracking and associating vulnerability IDs with findings, which is crucial for effective vulnerability management.
  3. User Interface and Authentication: The updates to the login page and the handling of different authentication providers show a commitment to providing a secure and user-friendly authentication experience.
  4. Parsing and Reporting Improvements: The changes to the various parsers (e.g., SonarQube, Red Hat Satellite, MS Defender) and the open findings burndown chart indicate a focus on improving the accuracy and reliability of the application's security analysis and reporting capabilities.
  5. Test Coverage and Robustness: The updates to the unit tests in the test_importers_importer.py file demonstrate a commitment to ensuring the application's security and functionality through comprehensive testing.

Overall, the code changes in this pull request appear to be focused on improving the security, reliability, and usability of the DefectDojo application. As an application security engineer, I would recommend thoroughly reviewing the changes, testing the application's security and functionality, and monitoring the impact of these changes on the overall security posture of the application.

Files Changed:

  1. Dockerfile.nginx-alpine: Updates the base Python image and installs Node.js and Yarn to support static file generation.
  2. Dockerfile.django-alpine: Updates the base Python image and installs various dependencies required for the Django application.
  3. Dockerfile.integration-tests-debian: Updates the base Python image and installs Chrome and ChromeDriver for running integration tests.
  4. Dockerfile.django-debian: Updates the base Python image and configures the Django application's environment.
  5. Dockerfile.nginx-debian: Updates the base Python image and configures the Nginx web server for the application.
  6. dojo/importers/base_importer.py: Improves the handling of vulnerability IDs associated with findings during the import process.
  7. dojo/finding/helper.py: Provides a helper function to save vulnerability IDs associated with a finding.
  8. dojo/templates/dojo/login.html: Enhances the user interface and handling of different authentication providers for the login page.
  9. dojo/tools/redhatsatellite/parser.py: Addresses a potential issue with missing fields in the Red Hat Satellite scan output.
  10. dojo/tools/ms_defender/parser.py: Removes certain machine information details from the description of the findings generated by the MSDefenderParser.
  11. dojo/tools/sonarqube/sonarqube_restapi_json.py: Improves the handling of missing data and the detection of known vulnerabilities in the SonarQube scan output.
  12. dojo/utils.py: Enhances the accuracy and reliability of the open findings burndown chart.
  13. unittests/scans/sonarqube/findings_over_api.json: Updates the sample SonarQube scan findings to include more detailed information about vulnerabilities.
  14. unittests/test_importers_importer.py: Adds more comprehensive tests for the import and reimport functionality of the application.

Powered by DryRun Security

@github-actions github-actions bot removed the helm label Jun 3, 2024
@Maffooch Maffooch merged commit 20b86c1 into dev Jun 3, 2024
126 of 127 checks passed

6 participants