
Release: Merge back 2.37.3 into dev from: master-into-dev/2.37.3-2.38.0-dev #10810

Merged: 13 commits merged into dev from master-into-dev/2.37.3-2.38.0-dev, Aug 26, 2024

Conversation

github-actions[bot] (Contributor)

Release triggered by Maffooch

DefectDojo release bot and others added 10 commits August 19, 2024 16:23
….38.0-dev

Release: Merge back 2.37.2 into bugfix from: master-into-bugfix/2.37.2-2.38.0-dev
* dedupe-help Move logic to set Finding hash code to its own method

* dedupe-help rework set_hash_code method to accept dedupe_option

* Update versions in application files

* Revert "Update versions in application files"

This reverts commit 7ee4bfa.

* dedupe-help reorder method to make linter happy

* dedupe-help Rework finding hash set/dedupe to attempt to load methods based on settings and fall back to existing implementations as defaults

* dedupe-help add helper method to load custom methods and use it

* dedupe-help bug in load custom helper method

* dedupe-help Linter fix (import ordering)

* dedupe-help Update default_importer to handle .values() call on findings set within close old findings method

* dedupe-help extract get_(re)importer methods from engagement/test (re)import views into a separate method

* dedupe-help extract reimport dedupe alg determination into its own method

* dedupe-help refactor where custom methods for hashing/dedupe are called to minimize changes to existing calls

* dedupe-help linter fixes

---------

Co-authored-by: DefectDojo release bot <[email protected]>
…/2 headers included in the .details.Messages entry are now decoded as req/res pairs, and escaped to prevent null bytes from causing a crash when persisted to the database (#10804)
* Fixed extraEnv in Chart Values after upgrade to App 2.37.0 and Chart 1.6.144

* Fixed extraEnv in Chart Values after upgrade to App 2.37.0 and Chart 1.6.144

* Fixed indentation in resources config

* Chart version reverted

* Update _helpers.tpl

---------

Co-authored-by: Sergio Bastián <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Release: Merge release into master from: release/2.37.3
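The commit above about decoding HTTP/1 and HTTP/2 headers as request/response pairs and escaping null bytes describes a failure mode worth seeing in code: PostgreSQL does not accept a NUL (0x00) inside a text value, and psycopg2 raises `ValueError: A string literal cannot contain NUL (0x00) characters.` before the row is written, so a single crafted scan file can abort an entire import. The block below is an added example, not the DefectDojo AppCheck parser's code; the message list shape (`type`/`data` entries with base64 bodies), the function names and the sample messages are all constructed for the illustration.

```python
import base64
import re
from typing import Dict, List

# NUL plus the other C0/DEL control characters. \t, \n and \r are deliberately
# excluded because they are structural inside captured HTTP headers.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def escape_control_chars(text: str) -> str:
    """Replace NUL and other control characters with a visible \\xNN escape.

    Escaping rather than stripping keeps the evidence: a NUL or ESC inside a
    header is itself something a reviewer may want to see.
    """
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def decode_message(raw: bytes) -> str:
    """Decode scanner-supplied bytes leniently, then neutralise control chars."""
    return escape_control_chars(raw.decode("utf-8", errors="replace"))


def pair_messages(messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Turn a flat list of request/response entries into req/res pairs.

    Assumed (hypothetical) input shape:
        [{"type": "request", "data": <base64>}, {"type": "response", "data": <base64>}, ...]
    A request with no following response is still emitted with an empty
    response, and an orphan response gets an empty request, so nothing is lost.
    """
    pairs: List[Dict[str, str]] = []
    current = None
    for entry in messages:
        kind = str(entry.get("type", "")).lower()
        text = decode_message(base64.b64decode(entry.get("data", "")))
        if kind == "request":
            if current is not None:
                pairs.append(current)
            current = {"request": text, "response": ""}
        elif kind == "response":
            if current is None:
                current = {"request": "", "response": text}
            else:
                current["response"] = text
            pairs.append(current)
            current = None
    if current is not None:
        pairs.append(current)
    return pairs


def is_safe_for_text_column(text: str) -> bool:
    """True when the value can be handed to psycopg2 without a NUL error."""
    return "\x00" not in text


# Constructed sample: the response carries a NUL byte and an ANSI escape.
SAMPLE_MESSAGES = [
    {"type": "request",
     "data": base64.b64encode(b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n").decode()},
    {"type": "response",
     "data": base64.b64encode(b"HTTP/1.1 200 OK\r\nX-Debug: abc\x00def\x1b[0m\r\n\r\n").decode()},
]

if __name__ == "__main__":
    for pair in pair_messages(SAMPLE_MESSAGES):
        print(pair["request"])
        print(pair["response"])
        print("safe for text column:", is_safe_for_text_column(pair["response"]))
```

The same escaping should be applied to every scanner-supplied string that ends up in a text column (titles, descriptions, file paths), not only to captured headers; the import path is reachable by anyone allowed to upload a report.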

dryrunsecurity bot commented Aug 26, 2024

DryRun Security Summary


Summary:

This pull request contains a series of changes across multiple files in the DefectDojo application, with a focus on improving the security and functionality of various components. The key changes include:

  1. API Token Authentication: The changes introduce more granular control over the API token authentication mechanism, allowing administrators to disable the dedicated API token authentication endpoint. This can be useful in scenarios where alternative authentication methods are used, such as social authentication.

  2. Deduplication and Reimport Functionality: The changes enhance the deduplication and reimport functionality of the application, including the introduction of custom deduplication algorithms, asynchronous processing, and improved handling of matched findings.

  3. Security-related Settings and Logging: The changes include the addition of new security-related settings, such as the API_TOKEN_AUTH_ENDPOINT_ENABLED setting, and improvements to the logging of deduplication-related activities.

  4. Handling of Scan Results and Findings: The changes improve the parsing and processing of scan results and findings, including the handling of non-printable characters, markup, and the association of findings with specific endpoints.

  5. Deployment and Infrastructure Changes: The changes include updates to the Helm chart and Docker configurations, focusing on improving the security context and environment variable handling for the application's components.

Overall, these changes demonstrate a focus on enhancing the security and reliability of the DefectDojo application, particularly in the areas of API authentication, vulnerability deduplication, and the handling of security-related data. As an application security engineer, I would recommend thoroughly reviewing these changes to ensure they align with the application's security requirements and do not introduce any unintended vulnerabilities.

Files Changed:

  1. docs/content/en/integrations/api-v2-docs.md: Added an option to disable the API token authentication endpoint.
  2. dojo/context_processors.py: Added a new setting API_TOKEN_AUTH_ENDPOINT_ENABLED to the template context.
  3. dojo/engagement/views.py: Optimized the import functionality by using a DefaultImporter instance.
  4. Dockerfile.integration-tests-debian: Updated the versions of Google Chrome and ChromeDriver used in the integration tests environment.
  5. dojo/importers/default_importer.py: Optimized the close_old_findings() function.
  6. dojo/settings/.settings.dist.py.sha256sum: Updated the hash value of the settings file.
  7. dojo/importers/default_reimporter.py: Introduced a new deduplication algorithm and asynchronous processing.
  8. dojo/models.py: Added support for custom hash code computation methods.
  9. dojo/settings/settings.dist.py: Added a new setting DD_API_TOKEN_AUTH_ENDPOINT_ENABLED to control the API token authentication endpoint.
  10. dojo/templates/dojo/api_v2_key.html: Added instructions for obtaining API tokens using the /api/v2/api-token-auth/ endpoint.
  11. dojo/tools/appcheck_web_application_scanner/engines/appcheck.py: Improved the handling of HTTP/1 and HTTP/2 request/response data.
  12. dojo/test/views.py: Enhanced the "Re-import Scan Results" functionality.
  13. dojo/tools/appcheck_web_application_scanner/engines/base.py: Improved the handling and processing of data from web application scanners.
  14. dojo/urls.py: Added a new URL pattern for the API token authentication endpoint.
  15. dojo/utils.py: Added a new function get_custom_method() and a generate_file_response() function.
  16. helm/defectdojo/templates/_helpers.tpl: Made indentation changes to the dbMigrationChecker template.
  17. helm/defectdojo/Chart.yaml: Updated the Helm chart version.
  18. unittests/tools/test_appcheck_web_application_scanner_parser.py: Added new test cases and improvements to the AppCheck Web Application Scanner parser.

Code Analysis

We ran 9 analyzers against 19 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                  Findings
Sensitive Files Analyzer  1 finding
Authn/Authz Analyzer      7 findings

Riskiness

🟢 Risk threshold not exceeded.

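The settings-driven custom hash-code/dedupe method loading mentioned in the commit messages and in items 8 and 15 of the file list above (a `get_custom_method` helper that falls back to the built-in implementation) is a pattern with a security edge: a dotted path read from settings is executed as code, and in containerised deployments settings are frequently populated from environment variables. The block below is an added example and not the project's implementation; the `Finding` dataclass, `HASHCODE_FIELDS`, the `FINDING_HASH_CODE_METHOD` setting name, the `dedupe_plugins.` allowlist and the in-memory plugin module are all assumptions made for the demonstration.

```python
import hashlib
import importlib
import logging
import sys
import types
from dataclasses import dataclass
from typing import Callable, Optional

logger = logging.getLogger(__name__)


@dataclass
class Finding:
    """Minimal stand-in for a finding record (hypothetical, not the ORM model)."""
    title: str
    cwe: int
    file_path: str = ""
    line: Optional[int] = None
    description: str = ""
    hash_code: str = ""


# Fields that feed the built-in hash; an assumed configuration for this example.
HASHCODE_FIELDS = ("title", "cwe", "file_path", "line")

# Only dotted paths under these packages may be named in settings. Anything
# else (e.g. "os.system") is refused, so a tampered environment variable
# cannot point the loader at arbitrary importable code.
ALLOWED_PREFIXES = ("dedupe_plugins.",)


def default_hash_code(finding: Finding) -> str:
    """Built-in method: SHA-256 over a fixed field list, None rendered as ""."""
    parts = []
    for name in HASHCODE_FIELDS:
        value = getattr(finding, name)
        parts.append("" if value is None else str(value))
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def get_custom_method(settings: dict, setting_name: str, default: Callable) -> Callable:
    """Resolve settings[setting_name] ("pkg.module.func") to a callable.

    Falls back to `default` when the setting is unset, outside the allowlist,
    not importable or not callable. Every fallback is logged so a typo in the
    setting does not silently change deduplication behaviour.
    """
    dotted = settings.get(setting_name)
    if not dotted:
        return default
    if not isinstance(dotted, str) or not dotted.startswith(ALLOWED_PREFIXES):
        logger.warning("%s=%r is outside %s; using default", setting_name, dotted, ALLOWED_PREFIXES)
        return default
    module_name, _, attr = dotted.rpartition(".")
    try:
        method = getattr(importlib.import_module(module_name), attr)
    except (ImportError, AttributeError) as exc:
        logger.warning("cannot load %s=%r (%s); using default", setting_name, dotted, exc)
        return default
    if not callable(method):
        logger.warning("%s=%r is not callable; using default", setting_name, dotted)
        return default
    return method


def set_hash_code(finding: Finding, settings: dict) -> str:
    """Compute and store the finding's hash with the configured method."""
    compute = get_custom_method(settings, "FINDING_HASH_CODE_METHOD", default_hash_code)
    finding.hash_code = compute(finding)
    return finding.hash_code


# Constructed plugin, registered in memory so the example runs offline. It
# hashes on title and CWE only, so the same bug reported at another line dedupes.
_pkg = types.ModuleType("dedupe_plugins")
_pkg.__path__ = []
_plugin = types.ModuleType("dedupe_plugins.title_cwe")


def _title_cwe_hash(finding: Finding) -> str:
    return hashlib.sha256(f"{finding.title}|{finding.cwe}".encode("utf-8")).hexdigest()


_plugin.hash_code = _title_cwe_hash
sys.modules.setdefault("dedupe_plugins", _pkg)
sys.modules["dedupe_plugins.title_cwe"] = _plugin


if __name__ == "__main__":
    a = Finding("SQL injection in login form", 89, "app/auth.py", 42)
    b = Finding("SQL injection in login form", 89, "app/auth.py", 57)
    print(set_hash_code(a, {}) == set_hash_code(b, {}))          # built-in: False
    custom = {"FINDING_HASH_CODE_METHOD": "dedupe_plugins.title_cwe.hash_code"}
    print(set_hash_code(a, custom) == set_hash_code(b, custom))  # plugin: True
```

Changing the hash method also changes which existing findings match on the next reimport, so a switch should be followed by a rehash of stored findings rather than applied to new imports only.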

github-actions bot added labels: docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests, ui, parser, helm, Aug 26, 2024
Maffooch merged commit 096bd04 into dev on Aug 26, 2024
74 checks passed
Maffooch deleted the master-into-dev/2.37.3-2.38.0-dev branch on August 26, 2024 17:49
5 participants