
Release 2.40.0: Merge Bugfix into Dev #11187

Merged
merged 14 commits into from
Nov 4, 2024

Conversation

rossops
Collaborator

@rossops rossops commented Nov 4, 2024

⚠️ Note on feature completeness ⚠️

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

git mergetool
git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev

  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease
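The rebase-and-squash recipe in the Git Tips above, as an added example that is not part of the PR template: it builds a throwaway repository with a dev branch and a three-commit working branch, then runs the interactive rebase non-interactively by pointing GIT_SEQUENCE_EDITOR at sed so the "replace pick by fixup" step happens without an editor (assumes git and GNU sed are installed).

```shell
#!/bin/sh
# Added example: squashes a feature branch onto dev using the fixup recipe.
# Assumptions: git is on PATH; sed supports GNU-style "sed -i" (Linux).
set -e

# Creates a temp repo, makes three "wip" commits on mybranch, squashes them
# into one with `git rebase -i dev`, and echoes "<commits ahead of dev> <subject>".
# Expected output: "1 wip 1" (fixup keeps the first commit's message).
squash_demo() {
  tmp=$(mktemp -d)
  (
    cd "$tmp"
    # Older git lacks `init -b`; fall back to creating the branch explicitly.
    git init -q -b dev . 2>/dev/null || { git init -q .; git checkout -q -b dev; }
    git config user.email "[email protected]"   # constructed identity
    git config user.name "Example Contributor"
    git config commit.gpgsign false
    echo base > base.txt && git add base.txt && git commit -q -m "base"

    git checkout -q -b mybranch
    for i in 1 2 3; do
      echo "change $i" >> work.txt && git add work.txt && git commit -q -m "wip $i"
    done

    # Non-interactive equivalent of the recipe: keep line 1 as 'pick',
    # turn every following 'pick' into 'fixup', then let the rebase run.
    GIT_EDITOR=true \
    GIT_SEQUENCE_EDITOR="sed -i '2,\$s/^pick/fixup/'" \
      git rebase -q -i dev >/dev/null 2>&1

    echo "$(git rev-list --count dev..mybranch) $(git log -1 --format=%s mybranch)"
  )
  rm -rf "$tmp"
}
```

After this, `git push myOrigin --force-with-lease` from the template is what publishes the rewritten branch; the lease refuses the push if the remote branch moved in the meantime.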

DefectDojo release bot and others added 11 commits October 28, 2024 18:53
….40.0-dev

Release: Merge back 2.39.4 into bugfix from: master-into-bugfix/2.39.4-2.40.0-dev
* add knowledge base link

* update logo for docs

* add knowledge base link to master

---------

Co-authored-by: Paul Osinski <[email protected]>
* fix for issue #11153

* update sha sum
* 🎉 fix TrivyOperator new report structure

* added additional info to description
* fix unittest documentation #11128

* update

* Update docs/content/en/contributing/how-to-write-a-parser.md

Co-authored-by: Charles Neill <[email protected]>

* Update docs/content/en/contributing/how-to-write-a-parser.md

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>
* correct broken documentation links

* Update docs/content/en/getting_started/architecture.md

Co-authored-by: Charles Neill <[email protected]>

* Update installation.md with new AWS launch guide

---------

Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Jay Paz <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests parser helm labels Nov 4, 2024

dryrunsecurity bot commented Nov 4, 2024

DryRun Security Summary

The pull request includes a wide range of updates to the DefectDojo application, such as documentation improvements, logo updates, parser enhancements, and Kubernetes configuration changes, which generally improve the security posture of the application, but require ongoing monitoring and review to address any potential vulnerabilities or misconfigurations.


Summary:

The changes in this pull request cover a wide range of updates to the DefectDojo application, including documentation improvements, logo updates, parser enhancements, and Kubernetes configuration changes. Overall, the changes do not appear to introduce any significant security concerns, but there are a few areas that warrant further review and consideration from an application security perspective.

The key security-related changes include:

  1. Improvements to the parser documentation, emphasizing the use of secure libraries and comprehensive unit testing to ensure the robustness and security of the parsers.
  2. Updates to the Tenable CSV parser to extract additional vulnerability-related information, such as plugin IDs and publication/modification dates, which can enhance the security analysis capabilities.
  3. Enhancements to the Trivy Operator parser to provide more context and metadata about the identified findings, including resource and container information, which can improve the visibility and traceability of security issues.
  4. Changes to the Kubernetes ConfigMap to ensure the correct configuration of the Celery broker and support for Redis transport encryption, which can help improve the overall security and reliability of the application.

While these changes are generally positive from a security standpoint, it's important to continue monitoring the application's security posture and addressing any potential vulnerabilities or misconfigurations that may arise in the future.

Files Changed:

  • docs/config.dev.toml, docs/config.master.toml: Changes to the main navigation menu, adding a new "Knowledge Base" item.
  • docs/assets/icons/logo.svg: Updates to the application's logo, including a simplified design and updated color palette.
  • docs/content/en/contributing/how-to-write-a-parser.md: Improvements to the documentation for writing secure and maintainable parsers.
  • docs/content/en/getting_started/installation.md: Updates to the installation instructions, including links to the correct resources.
  • dojo/settings/.settings.dist.py.sha256sum: Update to the SHA-256 hash value for the dojo/settings/.settings.dist.py file.
  • dojo/tools/tenable/csv_format.py: Enhancements to the Tenable CSV parser, including the addition of new fields and general improvements.
  • dojo/api_v2/serializers.py: Update to the setup_common_context method to handle the engagement_end_date field correctly.
  • dojo/settings/settings.dist.py: Addition of the ".fpr" file type to the list of acceptable file upload types.
  • dojo/tools/trivy_operator/*: Changes to the Trivy Operator parsers, improving the handling and presentation of security findings.
  • unittests/tools/test_tenable_parser.py: Addition of a new test case to verify the parsing of a specific Tenable vulnerability.
  • unittests/tools/test_trivy_operator_parser.py: Updates to the Trivy Operator parser tests, including a new test case for handling a list of findings.
  • helm/defectdojo/templates/configmap.yaml: Changes to the Kubernetes ConfigMap, ensuring the correct configuration of the Celery broker and supporting Redis transport encryption.
  • unittests/scans/trivy_operator/findings_in_list.json: Addition of a new test case file containing a sample Trivy Operator report.

Code Analysis

We ran 9 analyzers against 17 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer                       | Findings
Configured Codepaths Analyzer  | 1 finding

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


@rossops rossops merged commit c654252 into dev Nov 4, 2024
78 of 79 checks passed