Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🎉 ADD ELSA errata #11069

Merged
merged 3 commits into from
Oct 18, 2024
Merged

🎉 ADD ELSA errata #11069

merged 3 commits into from
Oct 18, 2024

Conversation

manuel-sommer
Copy link
Contributor

No description provided.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui labels Oct 15, 2024
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Oct 15, 2024
edited
Loading

DryRun Security Summary

This pull request focuses on improving the security and functionality of the DefectDojo vulnerability management tool, with changes to the configuration files, the vulnerability_url function, and extensive updates to the settings.dist.py file to enhance features like SAML2 authentication, remote user authentication, deduplication, and security headers.

Expand for full summary

Summary:

The changes in this pull request appear to be focused on improving the security and functionality of the DefectDojo application, a vulnerability management tool. The key changes include:

  1. Updates to the dojo/settings/.settings.dist.py.sha256sum file, which likely contains a hash of the dojo/settings/.settings.dist.py file. This change should be reviewed to ensure that the underlying configuration file has not been modified in a way that could introduce security vulnerabilities.

  2. Enhancements to the vulnerability_url function in the display_tags.py file, which allows for more flexibility in constructing the URL for a given vulnerability ID. This change does not appear to introduce any security concerns.

  3. Extensive updates to the dojo/settings/settings.dist.py file, which include support for SAML2 authentication, remote user authentication, deduplication configuration, hash code configuration, file upload type restrictions, Jira integration, and security headers. These changes are generally positive from an application security perspective, as they improve the overall security and functionality of the application.

Files Changed:

  1. dojo/settings/.settings.dist.py.sha256sum: The hash value for the dojo/settings/.settings.dist.py file has been changed, which could indicate that the underlying configuration file has been modified. This change should be reviewed to ensure that no sensitive information has been exposed or compromised.

  2. dojo/templatetags/display_tags.py: The vulnerability_url function has been updated to allow for more flexibility in constructing the URL for a given vulnerability ID. This change does not appear to introduce any security concerns.

  3. dojo/settings/settings.dist.py: This file has been extensively updated to include support for SAML2 authentication, remote user authentication, deduplication configuration, hash code configuration, file upload type restrictions, Jira integration, and security headers. These changes are generally positive from an application security perspective, as they improve the overall security and functionality of the application.

Code Analysis

We ran 9 analyzers against 3 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 2 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@github-actions GitHub Actions
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions GitHub Actions
Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

mtesauro
mtesauro approved these changes Oct 16, 2024
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit 05faab6 into DefectDojo:bugfix Oct 18, 2024
72 of 73 checks passed
@manuel-sommer manuel-sommer deleted the add_elsa branch October 20, 2024 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blakeaowens blakeaowens blakeaowens approved these changes

@Maffooch Maffooch Maffooch approved these changes

@mtesauro mtesauro mtesauro approved these changes

@cneill cneill cneill approved these changes

Assignees
No one assigned
Labels
settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@manuel-sommer @cneill @mtesauro @Maffooch @blakeaowens