
Release: Merge back 2.40.2 into dev from: master-into-dev/2.40.2-2.41.0-dev #11287

Merged: 18 commits merged into dev from master-into-dev/2.40.2-2.41.0-dev, Nov 18, 2024

Conversation

github-actions[bot]

Release triggered by rossops

DefectDojo release bot and others added 16 commits November 12, 2024 17:08
….41.0-dev

Release: Merge back 2.40.1 into bugfix from: master-into-bugfix/2.40.1-2.41.0-dev
* 🎉 Uniform Trivy Operator K8s vulnids

* sha sum

* sha sum

* bug fix

* ruff

* fix secretshandler

* sha sum

* ruff

* fix

* fix

* fix unittests

* fix

* Update dojo/tools/trivy_operator/uniform_vulnid.py

Co-authored-by: Charles Neill <[email protected]>

* Update dojo/tools/trivy_operator/compliance_handler.py

Co-authored-by: Charles Neill <[email protected]>

* Update dojo/tools/trivy_operator/checks_handler.py

Co-authored-by: Charles Neill <[email protected]>

* Update dojo/tools/trivy_operator/vulnerability_handler.py

Co-authored-by: Charles Neill <[email protected]>

* update sha sum

* update sha sum

---------

Co-authored-by: Charles Neill <[email protected]>
* 🎉 Add DSA vulnid

* update sha sum

* retrigger unittest

---------

Co-authored-by: Ross E Esposito <[email protected]>
* 🐛 fix bearer_cli #11245

* ruff
* 🎉 All Trivy Operator findings in one json

* ruff

* sboms are not covered here

* if only sboms are present, skip all
* 🔨 rework kubescape parser

* update

* fix unittest, ruff

* update

* fix

* sha sum

* retrigger unittest

* Update dojo/tools/kubescape/parser.py

Co-authored-by: Charles Neill <[email protected]>

* review

* retrigger unittests

---------

Co-authored-by: Charles Neill <[email protected]>
…dt' (#11213)

* #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'

* #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'

* Add test to support prowler version <4.5.0

* Return new-line

* Update tests, clean up scans

* Fix ruff

* Rename some stuff

---------

Co-authored-by: Cody Maffucci <[email protected]>
Release: Merge release into master from: release/2.40.2

dryrunsecurity bot commented Nov 18, 2024

DryRun Security Summary

The pull request covers a wide range of updates and improvements to the DefectDojo application security platform, including enhancements to security tool integrations, improvements to configuration management and deployment, and additions and modifications to unit tests, all focused on ensuring the consistent and reliable handling of security vulnerability and compliance data, improving the integration and interoperability of DefectDojo with other security tools, enhancing the security of the DefectDojo application itself, and strengthening the testing and validation of the DefectDojo components.


Summary:

The code changes in this pull request cover a wide range of updates and improvements to the DefectDojo application security platform, including:

  1. Enhancements to the integration with security scanning tools like Prowler, Kubescape, and Trivy Operator. These changes focus on improving the parsing and handling of the security findings reported by these tools, ensuring that the information is accurately represented in DefectDojo.

  2. Improvements to the configuration management and deployment of the DefectDojo application, including updates to the Helm chart and the initializer job.

  3. Additions and modifications to the unit tests for various components of the DefectDojo tool, such as the Kubescape and Trivy Operator parsers, to ensure the continued reliability and accuracy of the security reporting.

From an application security perspective, the key areas of focus in these changes are:

  • Ensuring the consistent and reliable handling of security vulnerability and compliance data reported by various security tools.
  • Improving the integration and interoperability of DefectDojo with other security tools and processes.
  • Enhancing the security of the DefectDojo application itself, including the deployment and configuration management.
  • Strengthening the testing and validation of the DefectDojo components to maintain the overall security and reliability of the platform.

Overall, the changes in this pull request demonstrate a strong commitment to improving the security capabilities and functionality of the DefectDojo application, which is an important tool for organizations managing their application security posture.

Files Changed:

  1. dojo/settings/.settings.dist.py.sha256sum: The hash value for the corresponding .settings.dist.py file has been updated, indicating a change to the configuration file.
  2. docs/content/en/usage/features.md: The documentation has been updated to provide more details on the deduplication functionality in DefectDojo, including the different deduplication algorithms and configuration options.
  3. .github/workflows/release-drafter.yml: The GitHub Actions workflow for the "Release Drafter" feature has been updated, with changes related to artifact handling, release asset uploads, and sensitive information handling.
  4. dojo/settings/settings.dist.py: The default configuration settings for the DefectDojo application have been updated, including changes to security-related settings, deduplication and hashing algorithms, and Celery task scheduling.
  5. dojo/tools/aws_prowler_v3plus/prowler_v4.py: The Prowler V4 parser has been updated to handle changes in the JSON report format and improve the deduplication and compliance tracking functionality.
  6. dojo/tools/kubescape/parser.py: The Kubescape parser has been updated to only create findings for failed controls and provide more detailed information in the "steps to reproduce" section.
  7. dojo/templatetags/display_tags.py: The vulnerability_url function has been updated to handle different types of vulnerability IDs and construct the appropriate URLs.
  8. dojo/tools/bearer_cli/parser.py: The BearerCLIParser class has been updated to handle the code_extract field in the bearerfinding dictionary.
  9. dojo/tools/trivy_operator/checks_handler.py: The code introduces a UniformTrivyVulnID class to standardize the vulnerability IDs reported by the Trivy Operator.
  10. dojo/tools/trivy_operator/compliance_handler.py: Similar to the changes in the checks_handler.py file, the UniformTrivyVulnID class is used to standardize the vulnerability IDs in the compliance report.
  11. helm/defectdojo/Chart.yaml: The Helm chart version for the DefectDojo application has been updated from 1.6.160-dev to 1.6.161-dev.
  12. dojo/tools/trivy_operator/parser.py: The code has been updated to handle different data structures in the Trivy Operator scan reports, including excluding specific report types.
  13. dojo/tools/trivy_operator/secrets_handler.py: The code for handling secrets detected by the Trivy Operator has been updated, including the removal of the unsaved_vulnerability_ids assignment.
  14. dojo/tools/trivy_operator/vulnerability_handler.py: The code for handling vulnerabilities detected by the Trivy Operator has been updated, including the use of the `Un

Code Analysis

We ran 9 analyzers against 23 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 3 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.
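The Prowler key rename recorded in the commit message above ("Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'", with a test added for versions before 4.5.0) and the DryRun summary's note that prowler_v4.py now handles changes in the JSON report format are the same practical problem: an importer that reads exactly one key silently loses the finding date for reports from the other Prowler version. The following is an added example, not DefectDojo's parser or Prowler's own code. It accepts either key, newest first, normalises the value to an ISO 8601 string in UTC, and flattens findings into plain records. The sample report is constructed, the other field names (metadata.event_code, status_code, severity_id) and the failed_only option are assumptions for illustration.

```python
"""Tolerant handling of the Prowler v4 finding timestamp key.

Prowler 4.5.0 renamed the per-finding "event_time" key to "time_dt". A
parser that reads only one of the two silently drops the finding date for
reports produced by the other version, so this helper accepts both and
normalises the value to an ISO 8601 string in UTC.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Newest key first, so a report carrying both keys is read the 4.5.0+ way.
TIMESTAMP_KEYS = ("time_dt", "event_time")

# Constructed sample report (not real Prowler output): one finding in the
# pre-4.5.0 shape, one in the 4.5.0+ shape, one with neither key. Only the
# fields used below are present; the field names are assumed.
SAMPLE_REPORT = json.dumps([
    {
        "metadata": {"event_code": "iam_root_mfa_enabled"},
        "status_code": "FAIL",
        "severity_id": 4,
        "event_time": "2024-11-10T08:15:30.000000",
    },
    {
        "metadata": {"event_code": "s3_bucket_public_access"},
        "status_code": "FAIL",
        "severity_id": 3,
        "time_dt": "2024-11-12T17:08:00Z",
    },
    {
        "metadata": {"event_code": "ec2_imdsv2_enabled"},
        "status_code": "PASS",
        "severity_id": 2,
    },
])


def _to_utc_iso(raw: str) -> str:
    """Parse an ISO 8601 timestamp, assume UTC when no offset is given, return it normalised."""
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    if raw.endswith("Z"):
        raw = raw[:-1] + "+00:00"
    ts = datetime.fromisoformat(raw)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).isoformat()


def finding_timestamp(finding: dict) -> Optional[str]:
    """Return the finding's timestamp in UTC, whichever key the report uses, or None."""
    for key in TIMESTAMP_KEYS:
        raw = finding.get(key)
        if isinstance(raw, str) and raw:
            return _to_utc_iso(raw)
    return None


def parse_findings(report_text: str, failed_only: bool = True) -> list:
    """Turn a Prowler v4 JSON report into flat records with a normalised date.

    failed_only (an assumed option, not a Prowler or DefectDojo setting) keeps
    FAIL checks and skips the rest; pass False to keep everything.
    """
    records = []
    for finding in json.loads(report_text):
        if failed_only and finding.get("status_code") != "FAIL":
            continue
        records.append({
            "check_id": finding.get("metadata", {}).get("event_code"),
            "status": finding.get("status_code"),
            "severity_id": finding.get("severity_id"),
            "date": finding_timestamp(finding),
        })
    return records


if __name__ == "__main__":
    for rec in parse_findings(SAMPLE_REPORT, failed_only=False):
        print(rec)
```

Reading the newest key first means a report that somehow carries both keys is interpreted the 4.5.0+ way; a finding with neither key keeps a None date rather than raising, so one malformed finding does not abort the whole import.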

github-actions[bot] (author) commented:
This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] (author) commented:
Conflicts have been resolved. A maintainer will review the pull request shortly.


@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests ui parser helm labels Nov 18, 2024
@rossops rossops merged commit 3b0fd30 into dev Nov 18, 2024
73 of 74 checks passed
@rossops rossops deleted the master-into-dev/2.40.2-2.41.0-dev branch November 18, 2024 17:19
5 participants