
Release: Merge back 2.36.6 into dev from: master-into-dev/2.36.6-2.37.0-dev #10648

Merged
merged 19 commits into dev from master-into-dev/2.36.6-2.37.0-dev
Jul 29, 2024

Conversation

github-actions[bot]

Release triggered by Maffooch

github-actions bot and others added 16 commits July 24, 2024 16:54
…5-2.37.0-dev (#10627)

* Update versions in application files

* Update versions in application files

---------

Co-authored-by: DefectDojo release bot <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
* Listing Tables: Add toggle switch in system settings

* Fixing ruff

* Update help text

* Remove missed italics
* 🐛 extend aqua format issue #10611

* 🐛 fix according to comment

* ruff
* Update Qualys WebApp parser to use DefusedXML

* Correct ruff errors
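The commit above swaps the stdlib XML parser for DefusedXML in the Qualys WebApp parser. The following is an added example, not DefectDojo's parser, showing why that matters: Python's xml.etree.ElementTree expands internal entities declared in a DTD, so a crafted scan report can exhaust memory (billion laughs) or, via external entities, read local files (XXE). The hardened function installs the same expat hooks defusedxml uses so the document is refused before anything is expanded. The two report snippets are constructed and the element names are illustrative, not the real Qualys schema.

```python
"""Stdlib entity expansion versus a "defused" parser that refuses DTDs.

Added example; not DefectDojo's Qualys WebApp parser. The report
snippets below are constructed. The hardened parser uses the same
expat handlers defusedxml installs (StartDoctypeDeclHandler,
EntityDeclHandler, ExternalEntityRefHandler).
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed "thousand laughs": three levels of 10x amplification, so
# the TITLE text expands to 3000 characters. A real payload nests ~9
# levels and expands to gigabytes.
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE WAS_SCAN_REPORT [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<WAS_SCAN_REPORT><VULNERABILITY><TITLE>&lol3;</TITLE></VULNERABILITY></WAS_SCAN_REPORT>
"""

# Constructed benign report: no DTD, which is all a scanner export needs.
BENIGN = b"""<?xml version="1.0"?>
<WAS_SCAN_REPORT><VULNERABILITY><TITLE>XSS</TITLE></VULNERABILITY></WAS_SCAN_REPORT>
"""


class ForbiddenXML(ValueError):
    """The document uses a DTD or entity feature the parser refuses."""


def stdlib_title(data: bytes) -> str:
    """Plain ElementTree: expat silently expands the entity chain."""
    root = ET.fromstring(data)
    return root.findtext("./VULNERABILITY/TITLE") or ""


def defused_leaf_texts(data: bytes) -> dict:
    """Parse with raw expat, refusing DTDs, entity declarations and
    external entity references. Returns {tag: text} for elements that
    carry text, which is all this demo needs."""
    parser = expat.ParserCreate()
    leaves: dict = {}
    chunks: list = []

    def forbid_doctype(*_):
        raise ForbiddenXML("DTD not allowed in scan reports")

    def forbid_entity_decl(*_):
        raise ForbiddenXML("entity declarations not allowed")

    def forbid_external_ref(*_):
        # Returning 0 makes expat abort with ExpatError instead of
        # resolving the external resource (the XXE primitive).
        return 0

    def start(name, attrs):
        chunks.clear()

    def chars(text):
        chunks.append(text)

    def end(name):
        text = "".join(chunks).strip()
        if text:
            leaves[name] = text
        chunks.clear()

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return leaves


def rejects(data: bytes) -> bool:
    """True if the defused parser refused the document."""
    try:
        defused_leaf_texts(data)
    except (ForbiddenXML, expat.ExpatError):
        return True
    return False
```

In production the sensible choice is `defusedxml.ElementTree.fromstring`, which wraps exactly these hooks and also rejects the DTD by default; the hand-rolled version above only exists to make the mechanism visible. Note that newer libexpat builds add an amplification limit, but it only engages after several megabytes of output, so a DTD-free policy is still the right control for uploaded reports.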
…andling (#10638)

* Uploaded File Management: Centralize file serving and bolster error handling

* Correct ruff errors
* finding-notes-cascading-deletes first pass at cascading deletes for notes/notehistory

* finding-notes-cascading-deletes remove unused code

* finding-notes-cascading-deletes linter cleanup

* finding-notes-cascading-deletes retrigger actions
The refresh helm chart lock file action uses the `pull_request_target` trigger, which can lead to leaking secrets. Because the helm chart lock file is updated on each modification to the chart.yml file by renovate/dependabot, the easiest solution is to remove this action.
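The commit above removes the workflow outright. As an added example (not DefectDojo's workflow or tooling), the script below audits a workflow file for the shape that makes `pull_request_target` dangerous: that trigger runs in the base repository's context with its secrets and a write-capable `GITHUB_TOKEN`, so if the job also checks out the pull request head and runs anything from that tree, the PR author controls code executing with those secrets. Both workflow texts are constructed, the chart path is illustrative, and the scan is line-based rather than a real YAML parser.

```python
"""Heuristic audit for the "pwn request" workflow shape: a
pull_request_target trigger combined with a checkout of the pull
request head and steps that run content from that checkout.

Added example, not DefectDojo's workflow or tooling. Both workflow
texts are constructed; the scan is line-based and needs no YAML
library, so it is an approximation, not a YAML parser.
"""
import re

# Constructed: the risky shape. The PR author controls the checked-out
# tree, yet the job runs with the base repo's secrets and write token.
RISKY = """\
name: refresh-chart-lock
on:
  pull_request_target:
    paths: ['chart/Chart.yaml']
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: helm dependency update chart
      - run: git commit -am "update lock" && git push
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed: the same job under pull_request. For pull requests from
# forks that context gets a read-only token and no repository secrets.
SAFE = """\
name: chart-lock-check
on:
  pull_request:
    paths: ['chart/Chart.yaml']
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: helm dependency update chart
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
RUN_RE = re.compile(r"^\s*-?\s*run\s*:")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(text: str) -> list:
    """Return finding codes in severity order; [] means nothing seen."""
    lines = text.splitlines()
    if not any(TRIGGER_RE.match(line) for line in lines):
        return []
    findings = ["pull_request_target"]
    head_checkout = any(PR_HEAD_RE.search(line) for line in lines)
    if head_checkout:
        findings.append("checkout-pr-head")
        # A run step after checking out the PR head executes whatever the
        # PR author put in the tree (scripts, Makefiles, tool config).
        if any(RUN_RE.match(line) for line in lines):
            findings.append("runs-pr-content")
    if any(SECRET_RE.search(line) for line in lines):
        findings.append("secrets-in-job")
    return findings


def is_pwn_request(text: str) -> bool:
    """The combination that leaks secrets: privileged trigger plus
    attacker-controlled code in the working tree."""
    return "checkout-pr-head" in audit_workflow(text)
```

The usual remediations are to switch to `pull_request` for anything that must run PR content, or to keep `pull_request_target` but never check out the PR head in that job; deleting the workflow, as the commit does, removes the privileged path entirely.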
… Note" button on cred notes page; show delete note button for note creator and fix note deletion; fix "Associated Products" header to have less spacing around it; fix credential deletion (#10644)
* Importer: Correct logic bug for empty scan reports

When importing an empty scan report through the import endpoint, it is possible for two tests to be created during a single request

* Separate logic based on import vs reimport
Release: Merge release into master from: release/2.36.6

dryrunsecurity bot commented Jul 29, 2024

DryRun Security Summary

This pull request focuses on improving the security and functionality of the DefectDojo application, covering areas such as engagement management, finding handling, credential management, and data import/export processes, with a strong emphasis on maintaining the security and integrity of the application.


Summary:

The code changes in this pull request focus on improving the security and functionality of various components in the DefectDojo application. The changes cover a wide range of areas, including engagement management, finding handling, credential management, and data import/export processes.

Key security-related changes include:

  1. Proper handling of data deletion, such as deleting associated notes and history when an object is deleted.
  2. Implementing robust authorization checks to ensure that only authorized users can perform sensitive actions.
  3. Enhancing data export functionality to sanitize and properly format the exported data.
  4. Improving the handling of user input and data parsing to prevent potential security vulnerabilities, such as SQL injection or cross-site scripting.
  5. Optimizing database queries and data fetching to improve performance and scalability, which can also have a positive impact on the application's security.

Overall, the changes demonstrate a strong focus on maintaining the security and integrity of the DefectDojo application, while also improving the user experience and functionality.

Files Changed:

  • dojo/benchmark/signals.py: Handles the deletion of Benchmark_Product instances and their associated notes.
  • dojo/benchmark/views.py: Adds authorization checks for updating benchmark information.
  • dojo/api_v2/views.py: Introduces a utility function to simplify file download handling.
  • dojo/apps.py: Sets up the integration with the Watson search engine and handles configuration deduplication.
  • dojo/cred/signals.py: Handles the deletion of Cred_User objects and their associated notes.
  • dojo/components/views.py: Adds table-based filtering and sorting functionality.
  • dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py: Adds a new system setting to enable table-based filtering.
  • dojo/cred/views.py: Handles the deletion of credentials and associated notes.
  • dojo/engagement/signals.py: Handles the deletion of engagements and associated data.
  • dojo/finding/helper.py: Manages the handling of findings, including deduplication and status updates.
  • dojo/engagement/views.py: Adds functionality for managing risk acceptances.
  • dojo/importers/base_importer.py: Enforces the use of child classes for specific importers.
  • dojo/finding/views.py: Includes functionality for bulk updating and deleting findings.
  • dojo/importers/default_reimporter.py: Handles the reimport process and deduplication of findings.
  • dojo/models.py: Adds a new system setting for enabling table-based filtering.
  • dojo/notes/signals.py: Handles the deletion of notes and associated history.
  • dojo/notes/helper.py: Provides a function to delete notes associated with an object.
  • dojo/notes/views.py: Handles the deletion of notes associated with Cred_User objects.
  • dojo/risk_acceptance/helper.py: Manages the deletion of risk acceptances.
  • dojo/risk_acceptance/signals.py: Handles the deletion of risk acceptances and associated notes.
  • dojo/product/views.py: Adds table-based filtering and improves the performance of product-related functionality.
  • dojo/templates/dojo/custom_html_toc.html: Generates a table of contents for HTML reports.
  • dojo/templates/dojo/components.html: Implements a data table with security-focused features.
  • dojo/templates/dojo/endpoint_pdf_report.html: Generates the table of contents for an endpoint PDF report.
  • dojo/templates/dojo/engagement_pdf_report.html: Generates the table of contents for an engagement PDF report.
  • dojo/templates/dojo/finding_pdf_report.html: Generates the table of contents for a finding PDF report.
  • dojo/templates/dojo/engagements_all.html: Implements a data table with security-focused features.
  • dojo/templates/dojo/findings_list_snippet.html: Displays a list of findings with various security-related features.

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 13 findings

Riskiness

🟢 Risk threshold not exceeded.


@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. apiv2 unittests ui parser helm labels Jul 29, 2024
Signed-off-by: DefectDojo <[email protected]>
@Maffooch Maffooch closed this Jul 29, 2024
@Maffooch Maffooch reopened this Jul 29, 2024

@Maffooch Maffooch merged commit afa58cf into dev Jul 29, 2024
128 checks passed
@Maffooch Maffooch deleted the master-into-dev/2.36.6-2.37.0-dev branch July 29, 2024 19:30