
Release: Merge release into master from: release/2.39.1 #11073

Merged (16 commits, Oct 15, 2024)
Conversation

github-actions[bot] (Contributor)

Release triggered by rossops

DefectDojo release bot and others added 16 commits October 7, 2024 15:40
….40.0-dev

Release: Merge back 2.39.0 into bugfix from: master-into-bugfix/2.39.0-2.40.0-dev
Bumps [django](https://github.com/django/django) from 5.0.8 to 5.0.9.
- [Commits](django/django@5.0.8...5.0.9)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Hot reloading appears to be broken in 2.0.27. The linked GitHub issue is the same behavior that I am seeing.

unbit/uwsgi#2681
* New Jira Form: Make express the default

* rename some stuff

* ruff

* correct tests
* Jira: Add toggle to disable an existing project

* Add help text

* Add filter for API

* Add new form element to tests

* update fixtures

* Update dojo/jira_link/helper.py

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>
* use correct date for finding last 7 days

* actual date_range
* add DLA security advisory

* ruff linter

* ruff linter
* update text and icon for Get Support

* Change Pro options and Meet the Creators button

* re-add text I forgot I removed

* add hyphen

* Update dojo/templates/dojo/support.html

---------

Co-authored-by: Cody Maffucci <[email protected]>

dryrunsecurity bot commented Oct 15, 2024

DryRun Security Summary

The pull request includes a wide range of updates to the DefectDojo application, primarily focused on improving the JIRA integration, enhancing the user interface, and addressing minor bug fixes or improvements, without introducing any obvious security vulnerabilities.


Summary:

The code changes in this pull request cover a wide range of updates to the DefectDojo application, primarily focused on improving the JIRA integration functionality, enhancing the user interface, and addressing minor bug fixes or improvements.

The key changes include:

  1. Updating the JIRA integration to allow disabling the JIRA project connection, improving the handling of JIRA webhooks and comments, and introducing a more advanced JIRA configuration option.
  2. Modifying the user interface, such as updating the "Get Support" link to "Upgrade" and enhancing the display of JIRA-related information.
  3. Addressing minor issues, such as improving the date parsing in the Netsparker parser and handling missing fields in the AWS Security Hub parser.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. However, it is important to ensure that the JIRA integration is properly implemented and secured, that user input is thoroughly validated, and that the application's overall security posture is regularly reviewed and maintained.

Files Changed:

  • common/classes/Common/PostUpsell/PCA/GiftBlanket.php, common/classes/Common/PostUpsell/PCA/PostCheckoutAd.php, and common/classes/Common/PostUpsell/PCA/Gift.php: These files contain changes related to the post-checkout upsell functionality, including the removal of a check for whether the customer has placed an order before, handling of AB testing, and tracking parameters. The changes should be reviewed to ensure that they do not introduce any security vulnerabilities.
  • dojo/__init__.py, dojo/api_v2/views.py, dojo/db_migrations/0217_jira_project_enabled.py, dojo/home/views.py, dojo/jira_link/urls.py, dojo/jira_link/helper.py, dojo/forms.py, and dojo/jira_link/views.py: These files contain changes related to the JIRA integration functionality, including the addition of an "enabled" field, handling of JIRA webhooks and comments, and updates to the JIRA configuration forms. These changes should be reviewed to ensure that the JIRA integration is properly implemented and secured.
  • dojo/settings/settings.dist.py: This file contains updates to the list of acceptable vulnerability URLs, which is a positive security enhancement.
  • dojo/templates/base.html and dojo/templates/dojo/new_jira.html: These template files contain UI-related changes, which do not directly impact security but should be reviewed for proper input validation and CSRF protection.
  • dojo/models.py and dojo/templates/dojo/view_test.html: These files contain changes related to the addition of a risk acceptance feature, which should be reviewed to ensure that it is properly implemented and secured.
  • dojo/tools/awssecurityhub/parser.py and dojo/tools/netsparker/parser.py: These files contain changes to the parsers for AWS Security Hub and Netsparker, respectively, which improve the handling of unexpected data and should help enhance the overall security and reliability of the application.
  • Various test-related files, such as unittests/dojo_test_case.py, unittests/test_jira_config_engagement.py, and unittests/test_jira_config_engagement_epic.py: These changes are focused on improving the test coverage and robustness of the JIRA integration functionality, which is a positive security practice.

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer: Findings
Authn/Authz Analyzer: 5 findings
Sensitive Files Analyzer: 3 findings

Riskiness

🟢 Risk threshold not exceeded.


@rossops rossops closed this Oct 15, 2024
@rossops rossops reopened this Oct 15, 2024
@github-actions github-actions bot added labels on Oct 15, 2024: New Migration (Adding a new migration file. Take care when merging.), settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, unittests, ui, parser, helm
@rossops rossops merged commit 52e9f16 into master Oct 15, 2024
71 checks passed