
Release: Merge release into master from: release/2.40.1 #11246

Merged 14 commits into master from release/2.40.1 on Nov 12, 2024

Conversation

github-actions[bot] (Contributor)

Release triggered by rossops

DefectDojo release bot and others added 14 commits November 4, 2024 18:06
….41.0-dev

Release: Merge back 2.40.0 into bugfix from: master-into-bugfix/2.40.0-2.41.0-dev
* 🐛 fix Acunetix date #11206

* fix

* ruff

* add unittest
* add TEMP to vulnid

* ruff

* sha sum

* sha sum
* datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal

* ruff
* datetime.utcnow() is scheduled for removal

* ruff
* initial files but likely to change

* improved file extension checks

* remove os import

* Use file url

* not used imports, file url or title
* 🐛 fix MSDefender computerDNSName to match modelregex

* 🐛 fix DefendercomputerDNSName is mostly a userinfo

* ruff

* fix according to review

* add unittest
* 🐛 fix semgrep severity logic #11218

* ruff

* update according to comment

* fix unittest
* Burp Enterprise: Support newer format

* Forgot partially updated test

* Add other tests

* Correct tests
* GHA Artifacts: Update to v4

* segregate paths even further

* Adjust artifact paths

* Tweak paths again

dryrunsecurity bot commented Nov 12, 2024

DryRun Security Summary

The pull request covers a wide range of updates and improvements to the DefectDojo application, including GitHub Actions workflows, Kubernetes deployment, and various parsers for security tools, with a strong focus on enhancing security-related functionality, improving reliability and maintainability, and addressing potential issues.


Summary:

The changes in this pull request cover a wide range of updates and improvements to the DefectDojo application and its associated infrastructure, such as GitHub Actions workflows, Kubernetes deployment, and various parsers for security tools. The changes focus on enhancing security-related functionality, improving reliability and maintainability, and addressing potential issues.

Key security-focused changes include:

  1. Updating artifact versioning and naming in GitHub Actions workflows to ensure the use of the latest secure versions and improve artifact management.
  2. Improving Kubernetes deployment by using Kubernetes secrets, healthchecks, and Ingress configuration to enhance the overall security posture.
  3. Addressing potential security vulnerabilities in the Checkmarx, AWS Security Hub, and Burp Enterprise parsers by improving date/time handling and input validation.
  4. Enhancing the file upload validation in the DefectDojo application to prevent the upload of potentially malicious files.
  5. Updating dependencies and addressing potential security issues in the Helm chart for the DefectDojo deployment.

Overall, the changes in this pull request demonstrate a strong focus on application security and a commitment to maintaining a secure and reliable DefectDojo platform.

Files Changed:

  1. .github/workflows/build-docker-images-for-testing.yml: Updates artifact versioning and naming to improve artifact management.
  2. .github/workflows/integration-tests.yml: Improves the integration testing workflow by updating artifact handling and Docker image loading.
  3. .github/workflows/k8s-tests.yml: Enhances the Kubernetes deployment process by using Kubernetes secrets, healthchecks, and Ingress configuration.
  4. .github/workflows/fetch-oas.yml: Addresses potential security risks by reviewing hardcoded endpoints and artifact retention.
  5. dojo/__init__.py: Updates the version number, which is a standard practice for software releases.
  6. .github/workflows/release-drafter.yml: Improves the release management process by updating artifact handling.
  7. components/package.json: Updates dependencies, which is important for maintaining security and functionality.
  8. .github/workflows/rest-framework-tests.yml: Enhances the unit testing workflow by improving Docker image handling.
  9. dojo/importers/options.py: Improves the handling of user input by normalizing tag values.
  10. dojo/api_v2/serializers.py: Enhances the file upload validation to prevent the upload of potentially malicious files.
  11. dojo/settings/.settings.dist.py.sha256sum: Updates the SHA-256 hash, which is used for integrity checking.
  12. dojo/templatetags/display_tags.py: Improves the handling of vulnerability URLs.
  13. dojo/tools/acunetix/parse_acunetix_xml.py: Addresses a date parsing issue in the Acunetix XML parser.
  14. dojo/tools/awssecurityhub/compliance.py: Improves the handling of security findings from AWS Security Hub.
  15. dojo/models.py: Enhances the file upload validation to prevent the upload of potentially malicious files.
  16. dojo/tools/awssecurityhub/guardduty.py: Addresses a date parsing issue in the AWS GuardDuty parser.
  17. dojo/tools/checkmarx/parser.py: Fixes a date parsing issue in the Checkmarx parser.
  18. dojo/tools/checkmarx_one/parser.py: Addresses a date parsing issue in the Checkmarx One parser.
  19. dojo/tools/awssecurityhub/inspector.py: Improves the handling of security findings from AWS Inspector.
  20. dojo/tools/burp_enterprise/parser.py: Enhances the parsing of Burp Enterprise scan results.
  21. dojo/tools/contrast/parser.py: Addresses a date parsing issue in the Contrast Security parser.
  22. dojo/tools/dependency_check/parser.py: Improves the handling of datetime values in the Dependency Check parser.
  23. dojo/tools/generic/json_parser.py: Enhances the handling of file uploads and vulnerability IDs in the GenericJSONParser.
  24. dojo/tools/ms_defender/parser.py: Improves the handling of host names in the Microsoft Defender parser.
  25. `dojo/

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer: Sensitive Files Analyzer. Findings: 1 finding.

Riskiness

🟢 Risk threshold not exceeded.


@rossops rossops closed this Nov 12, 2024
@rossops rossops reopened this Nov 12, 2024
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 unittests ui parser helm labels Nov 12, 2024
@rossops rossops merged commit 090b2c7 into master Nov 12, 2024
71 checks passed