Merge pull request #11806 from DefectDojo/release/2.43.2

Release: Merge release into master from: release/2.43.2

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.43.1",
+  "version": "2.43.2",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.43.1"
+__version__ = "2.43.2"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/finding/views.py

@@ -2983,7 +2983,7 @@ def finding_bulk_update_all(request, pid=None):
                         ) = jira_helper.can_be_pushed_to_jira(group)
                         if not can_be_pushed_to_jira:
                             error_counts[error_message] += 1
-                            jira_helper.log_jira_alert(error_message, group)
+                            jira_helper.log_jira_cannot_be_pushed_reason(error_message, group)
                         else:
                             logger.debug(
                                 "pushing to jira from finding.finding_bulk_update_all()",
@@ -3033,10 +3033,10 @@ def finding_bulk_update_all(request, pid=None):
                                 "finding already pushed as part of Finding Group"
                             )
                             error_counts[error_message] += 1
-                            jira_helper.log_jira_alert(error_message, finding)
+                            jira_helper.log_jira_cannot_be_pushed_reason(error_message, finding)
                         elif not can_be_pushed_to_jira:
                             error_counts[error_message] += 1
-                            jira_helper.log_jira_alert(error_message, finding)
+                            jira_helper.log_jira_cannot_be_pushed_reason(error_message, finding)
                         else:
                             logger.debug(
                                 "pushing to jira from finding.finding_bulk_update_all()",

dojo/jira_link/helper.py

@@ -513,8 +513,8 @@ def get_jira_comments(finding):
     return None
 
 
-# Logs the error to the alerts table, which appears in the notification toolbar
 def log_jira_generic_alert(title, description):
+    """Creates a notification for JIRA errors happening outside the scope of a specific (finding/group/epic) object"""
     create_notification(
         event="jira_update",
         title=title,
@@ -523,8 +523,8 @@ def log_jira_generic_alert(title, description):
         source="JIRA")
 
 
-# Logs the error to the alerts table, which appears in the notification toolbar
 def log_jira_alert(error, obj):
+    """Creates a notification for JIRA errors when handling a specific (finding/group/epic) object"""
     create_notification(
         event="jira_update",
         title="Error pushing to JIRA " + "(" + truncate_with_dots(prod_name(obj), 25) + ")",
@@ -535,6 +535,19 @@ def log_jira_alert(error, obj):
         obj=obj)
 
 
+def log_jira_cannot_be_pushed_reason(error, obj):
+    """Creates an Alert for GUI display  when handling a specific (finding/group/epic) object"""
+    create_notification(
+        event="jira_update",
+        title="Error pushing to JIRA " + "(" + truncate_with_dots(prod_name(obj), 25) + ")",
+        description=obj.__class__.__name__ + ": " + error,
+        url=obj.get_absolute_url(),
+        icon="bullseye",
+        source="Push to JIRA",
+        obj=obj,
+        alert_only=True)
+
+
 # Displays an alert for Jira notifications
 def log_jira_message(text, finding):
     create_notification(
@@ -787,10 +800,12 @@ def failure_to_add_message(message: str, exception: Exception, object: Any) -> b
 
     obj_can_be_pushed_to_jira, error_message, _error_code = can_be_pushed_to_jira(obj)
     if not obj_can_be_pushed_to_jira:
+        # not sure why this check is not part of can_be_pushed_to_jira, but afraid to change it
         if isinstance(obj, Finding) and obj.duplicate and not obj.active:
             logger.warning("%s will not be pushed to JIRA as it's a duplicate finding", to_str_typed(obj))
+            log_jira_cannot_be_pushed_reason(error_message + " and findis a duplicate", obj)
         else:
-            log_jira_alert(error_message, obj)
+            log_jira_cannot_be_pushed_reason(error_message, obj)
             logger.warning("%s cannot be pushed to JIRA: %s.", to_str_typed(obj), error_message)
             logger.warning("The JIRA issue will NOT be created.")
         return False

dojo/notifications/helper.py

@@ -54,6 +54,7 @@ def create_notification(
     no_users: bool = False,  # noqa: FBT001
     url: str | None = None,
     url_api: str | None = None,
+    alert_only: bool = False,  # noqa: FBT001
     **kwargs: dict,
 ) -> None:
     """Create an instance of a NotificationManager and dispatch the notification."""
@@ -86,6 +87,7 @@ def create_notification(
         no_users=no_users,
         url=url,
         url_api=url_api,
+        alert_only=alert_only,
         **kwargs,
     )
 
@@ -802,61 +804,68 @@ def _process_notifications(
         )
         logger.debug("process notifications for %s", notifications.user)
 
-        if self.system_settings.enable_slack_notifications and "slack" in getattr(
-            notifications,
-            event,
-            getattr(notifications, "other"),
-        ):
-            logger.debug("Sending Slack Notification")
-            self._get_manager_instance("slack").send_slack_notification(
+        alert_only = kwargs.get("alert_only", False)
+        if alert_only:
+            logger.debug("sending alert only")
+
+        if "alert" in getattr(notifications, event, getattr(notifications, "other")):
+            logger.debug(f"Sending Alert to {notifications.user}")
+            self._get_manager_instance("alert").send_alert_notification(
                 event,
                 user=notifications.user,
                 **kwargs,
             )
 
-        if self.system_settings.enable_msteams_notifications and "msteams" in getattr(
-            notifications,
-            event,
-            getattr(notifications, "other"),
-        ):
-            logger.debug("Sending MSTeams Notification")
-            self._get_manager_instance("msteams").send_msteams_notification(
+        # Some errors should not be pushed to all channels, only to alerts.
+        # For example reasons why JIRA Issues: https://github.com/DefectDojo/django-DefectDojo/issues/11575
+        if not alert_only:
+            if self.system_settings.enable_slack_notifications and "slack" in getattr(
+                notifications,
                 event,
-                user=notifications.user,
-                **kwargs,
-            )
+                getattr(notifications, "other"),
+            ):
+                logger.debug("Sending Slack Notification")
+                self._get_manager_instance("slack").send_slack_notification(
+                    event,
+                    user=notifications.user,
+                    **kwargs,
+                )
 
-        if self.system_settings.enable_mail_notifications and "mail" in getattr(
-            notifications,
-            event,
-            getattr(notifications, "other"),
-        ):
-            logger.debug("Sending Mail Notification")
-            self._get_manager_instance("mail").send_mail_notification(
+            if self.system_settings.enable_msteams_notifications and "msteams" in getattr(
+                notifications,
                 event,
-                user=notifications.user,
-                **kwargs,
-            )
+                getattr(notifications, "other"),
+            ):
+                logger.debug("Sending MSTeams Notification")
+                self._get_manager_instance("msteams").send_msteams_notification(
+                    event,
+                    user=notifications.user,
+                    **kwargs,
+                )
 
-        if self.system_settings.enable_webhooks_notifications and "webhooks" in getattr(
-            notifications,
-            event,
-            getattr(notifications, "other"),
-        ):
-            logger.debug("Sending Webhooks Notification")
-            self._get_manager_instance("webhooks").send_webhooks_notification(
+            if self.system_settings.enable_mail_notifications and "mail" in getattr(
+                notifications,
                 event,
-                user=notifications.user,
-                **kwargs,
-            )
+                getattr(notifications, "other"),
+            ):
+                logger.debug("Sending Mail Notification")
+                self._get_manager_instance("mail").send_mail_notification(
+                    event,
+                    user=notifications.user,
+                    **kwargs,
+                )
 
-        if "alert" in getattr(notifications, event, getattr(notifications, "other")):
-            logger.debug(f"Sending Alert to {notifications.user}")
-            self._get_manager_instance("alert").send_alert_notification(
+            if self.system_settings.enable_webhooks_notifications and "webhooks" in getattr(
+                notifications,
                 event,
-                user=notifications.user,
-                **kwargs,
-            )
+                getattr(notifications, "other"),
+            ):
+                logger.debug("Sending Webhooks Notification")
+                self._get_manager_instance("webhooks").send_webhooks_notification(
+                    event,
+                    user=notifications.user,
+                    **kwargs,
+                )
 
 
 @app.task(ignore_result=True)

dojo/settings/settings.dist.py

@@ -1771,6 +1771,7 @@ def saml2_attrib_map_format(dict):
     "KHV": "https://avd.aquasec.com/misconfig/kubernetes/",  # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045
     "MGASA-": "https://advisories.mageia.org/&&.html",  # e.g. https://advisories.mageia.org/MGASA-2025-0023.html
     "OSV-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/OSV-2024-1330
+    "PMASA-": "https://www.phpmyadmin.net/security/",  # e.g. https://www.phpmyadmin.net/security/PMASA-2025-1
     "PYSEC-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/PYSEC-2024-48
     "RHBA-": "https://access.redhat.com/errata/",  # e.g. https://access.redhat.com/errata/RHBA-2024:2406
     "RHEA-": "https://access.redhat.com/errata/",  # e.g. https://access.redhat.com/errata/RHEA-2024:8857
@@ -1781,6 +1782,7 @@ def saml2_attrib_map_format(dict):
     "RXSA-": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RXSA-2024:4928
     "SNYK-": "https://snyk.io/vuln/",  # e.g. https://security.snyk.io/vuln/SNYK-JS-SOLANAWEB3JS-8453984
     "TEMP-": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
+    "TYPO3-": "https://typo3.org/security/advisory/",  # e.g. https://typo3.org/security/advisory/typo3-core-sa-2025-010
     "USN-": "https://ubuntu.com/security/notices/",  # e.g. https://ubuntu.com/security/notices/USN-6642-1
     "VNS": "https://vulners.com/",
 }

dojo/templates/base.html

@@ -159,7 +159,7 @@
                                     {% if request.user.is_authenticated %}
                                         <li>
                                             <a href="{% url 'view_profile' %}">
-                                                <i class="fa-solid fa-user fa-fw"></i> 
+                                                <i class="fa-solid fa-user fa-fw"></i>
                                                 {{ request.user.username }}
                                             </a>
                                         </li>
@@ -438,7 +438,7 @@
                                                 </a>
                                                 <ul class="nav nav-second-level">
                                                     {% if "auth.view_user"|has_configuration_permission:request %}
-                                                        <li>    
+                                                        <li>
                                                             <a href="{% url 'users' %}">
                                                                 {% trans "Users" %}
                                                             </a>
@@ -666,7 +666,7 @@ <h3 class="no-margin-top" style="padding-bottom: 5px;">
                                             <a class="dropdown-toggle" data-toggle="dropdown" href="">
                                                 <span class="fa-solid fa-calendar-days" aria-hidden="true"></span>
                                                 <span class="hidden-xs">{% trans "Engagements" %}
-                                                    {% if product_tab.engagements > 0 %} 
+                                                    {% if product_tab.engagements > 0 %}
                                                         <span class="badge">{{ product_tab.engagements }}</span>
                                                     {% endif %}
                                                 </span>
@@ -1136,6 +1136,9 @@ <h3 class="no-margin-top" style="padding-bottom: 5px;">
                 {% endif %}
 
                 function htmlEscape(str) {
+                    if (!str) {
+                        return '';
+                    }
                     return str
                         .replace(/\n/g, " ")
                         .replace(/&/g, '&amp;')

dojo/tools/noseyparker/parser.py

@@ -112,8 +112,8 @@ def version_0_22_0(self, line, test):
             if json_path.get("first_commit"):
                 title = f"Secret(s) Found in Repository with Commit ID {json_path['first_commit']['commit_metadata']['commit_id']}"
                 filepath = json_path["first_commit"]["blob_path"]
-                description = f"Secret found of type:   {rule_name} \n" \
-                                f"SECRET starts with:  '{rule_text_id[:3]}' \n" \
+                description = f"Secret found of type: {rule_name} \n" \
+                                f"Rule Text ID: '{rule_text_id}' \n" \
                                 f"Committer Name: {json_path['first_commit']['commit_metadata']['committer_name']}  \n" \
                                 f"Committer Email: {json_path['first_commit']['commit_metadata']['committer_email']} \n" \
                                 f"Commit ID: {json_path['first_commit']['commit_metadata']['commit_id']}  \n" \
@@ -123,8 +123,8 @@ def version_0_22_0(self, line, test):
             else:
                 title = "Secret(s) Found in Repository"
                 filepath = json_path["path"]
-                description = f"Secret found of type:   {rule_name} \n" \
-                                f"SECRET starts with:  '{rule_text_id[:3]}' \n" \
+                description = f"Secret found of type: {rule_name} \n" \
+                                f"Rule Text ID: '{rule_text_id}' \n" \
                                 f"Location: {filepath} line #{line_num} \n" \
                                 f"Line #{line_num} \n"
 

helm/defectdojo/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.43.1"
+appVersion: "2.43.2"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.172
+version: 1.6.173
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap

helm/defectdojo/templates/media-pvc.yaml

@@ -10,7 +10,7 @@ metadata:
     app.kubernetes.io/instance: {{ $.Release.Name }}
     app.kubernetes.io/managed-by: {{ $.Release.Service }}
     helm.sh/chart: {{ include "defectdojo.chart" $ }}
-    {{- with .Values.extraLabels }}
+    {{- with $.Values.extraLabels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ $fullName }}

readme-docs/CONTRIBUTING.md

@@ -54,7 +54,7 @@ feedback, please let us know in the `#defectdojo` channel in [OWASP's Slack](htt
 
 ## Writing a New Parser
 
-Please see [the parser guide](https://documentation.defectdojo.com/contributing/how-to-write-a-parser/) for guidance on how to write a parser.
+Please see [the parser guide](https://documentation.defectdojo.com/en/open_source/contributing/how-to-write-a-parser/) for guidance on how to write a parser.
 
 ## Modifying DefectDojo and Testing
 

readme-docs/DOCKER.md

@@ -306,11 +306,11 @@ Run a single test. Example:
 python manage.py test unittests.tools.test_dependency_check_parser.TestDependencyCheckParser.test_parse_file_with_no_vulnerabilities_has_no_findings --keepdb
 ```
 
-For docker compose stack, there is a convenience script (`dc-unittest.sh`) capable of running a single test class. 
+For docker compose stack, there is a convenience script (`run-unittest.sh`) capable of running a single test class. 
 You will need to provide a test case (`--test-case`). Example:
 
 ```
-./dc-unittest.sh --test-case unittests.tools.test_stackhawk_parser.TestStackHawkParser
+./run-unittest.sh --test-case unittests.tools.test_stackhawk_parser.TestStackHawkParser
 ```
 
 ## Running the integration tests

requirements.txt

@@ -74,3 +74,4 @@ netaddr==1.3.0
 vulners==2.2.3
 fontawesomefree==6.6.0
 PyYAML==6.0.2
+pyopenssl==25.0.0