From 33a962e1d08877f83ff128f8df6cfdfc681217dd Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 10 Feb 2025 15:53:11 +0000
Subject: [PATCH 01/10] Update versions in application files
---
 components/package.json | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/components/package.json b/components/package.json
index feaaf8979ed..559dcab7c3f 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.43.1",
+ "version": "2.44.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 350c88f3bcb..5b60af0cccb 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.43.1"
+appVersion: "2.44.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.172
+version: 1.6.173-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap
From 435b5fe5d13bae4753c25f268eaaff9ae25a4918 Mon Sep 17 00:00:00 2001
From: Achintya Jai <153343775+pUrGe12@users.noreply.github.com>
Date: Tue, 11 Feb 2025 03:02:20 +0530
Subject: [PATCH 02/10] corrected link for parser guide (#11761)
---
 readme-docs/CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme-docs/CONTRIBUTING.md b/readme-docs/CONTRIBUTING.md
index 3beb9dd62d5..6603e664bcd 100644
--- a/readme-docs/CONTRIBUTING.md
+++ b/readme-docs/CONTRIBUTING.md
@@ -54,7 +54,7 @@ feedback, please let us know in the `#defectdojo` channel in [OWASP's Slack](htt
 ## Writing a New Parser
-Please see [the parser guide](https://documentation.defectdojo.com/contributing/how-to-write-a-parser/) for guidance on how to write a parser.
+Please see [the parser guide](https://documentation.defectdojo.com/en/open_source/contributing/how-to-write-a-parser/) for guidance on how to write a parser.
 ## Modifying DefectDojo and Testing
From 4ba0eb6d1a48c162a7735f39269589cbc546b0a8 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Wed, 12 Feb 2025 02:30:39 +0100
Subject: [PATCH 03/10] :bug: fix Noseyparker description (#11726)
---
 dojo/tools/noseyparker/parser.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py
index 05fcdab49d3..81b03db2847 100644
--- a/dojo/tools/noseyparker/parser.py
+++ b/dojo/tools/noseyparker/parser.py
@@ -112,8 +112,8 @@ def version_0_22_0(self, line, test):
 if json_path.get("first_commit"):
 title = f"Secret(s) Found in Repository with Commit ID {json_path['first_commit']['commit_metadata']['commit_id']}"
 filepath = json_path["first_commit"]["blob_path"]
- description = f"Secret found of type: {rule_name} \n" \
- f"SECRET starts with: '{rule_text_id[:3]}' \n" \
+ description = f"Secret found of type: {rule_name} \n" \
+ f"Rule Text ID: '{rule_text_id}' \n" \
 f"Committer Name: {json_path['first_commit']['commit_metadata']['committer_name']} \n" \
 f"Committer Email: {json_path['first_commit']['commit_metadata']['committer_email']} \n" \
 f"Commit ID: {json_path['first_commit']['commit_metadata']['commit_id']} \n" \
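Review bot: The new description prints `rule_text_id` in full under the label `Rule Text ID`, which is only right if that variable holds Nosey Parker's rule identifier and not matched text; it is assigned before this hunk, so confirm it comes from the rule id field (the old label `SECRET starts with` shows it was previously treated as secret material, and a full copy of a real secret must not land in a finding description). The same two-line prefix is duplicated in the `else` branch of the next hunk (`@@ -123,8`); both branches could share it, e.g. `prefix = f"Secret found of type: {rule_name} \n" f"Rule Text ID: '{rule_text_id}' \n"` built once before the `if`. `version_0_22_0` starts and ends outside the hunk.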
@@ -123,8 +123,8 @@ def version_0_22_0(self, line, test):
 else:
 title = "Secret(s) Found in Repository"
 filepath = json_path["path"]
- description = f"Secret found of type: {rule_name} \n" \
- f"SECRET starts with: '{rule_text_id[:3]}' \n" \
+ description = f"Secret found of type: {rule_name} \n" \
+ f"Rule Text ID: '{rule_text_id}' \n" \
 f"Location: {filepath} line #{line_num} \n" \
 f"Line #{line_num} \n"
From aa6e6fecb1e2014d967110823e3681185b168183 Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Wed, 12 Feb 2025 02:31:17 +0100
Subject: [PATCH 04/10] add Typo3 vulnids (#11744)
---
 dojo/settings/settings.dist.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 5cfce07a0ad..32fb3d27f5c 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1781,6 +1781,7 @@ def saml2_attrib_map_format(dict):
 "RXSA-": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928
 "SNYK-": "https://snyk.io/vuln/", # e.g. https://security.snyk.io/vuln/SNYK-JS-SOLANAWEB3JS-8453984
 "TEMP-": "https://security-tracker.debian.org/tracker/", # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
+ "TYPO3-": "https://typo3.org/security/advisory/", # e.g. https://typo3.org/security/advisory/typo3-core-sa-2025-010
 "USN-": "https://ubuntu.com/security/notices/", # e.g. https://ubuntu.com/security/notices/USN-6642-1
 "VNS": "https://vulners.com/",
 }
From 2aa4059cf508059e1e7665f6b9e206fff39d4dfa Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Wed, 12 Feb 2025 02:33:21 +0100
Subject: [PATCH 05/10] add PMASA (php my admin security advisory) to vulnid (#11753)
* add PMASA (php my admin security advisory) to vulnid
* ruff
---
 dojo/settings/settings.dist.py | 1 +
 1 file changed, 1 insertion(+)
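Review bot: The example in the new `TYPO3-` comment uses the lower-case slug `typo3-core-sa-2025-010`, while the dict is keyed on the upper-case `TYPO3-` prefix of the vulnerability id; unless the link builder lower-cases the id (not visible in this hunk), the generated link for such an id would carry the upper-case form, so either confirm typo3.org resolves that or note the case difference in the comment. The `MGASA-` entry in the next patch shows this table also supports an `&&` placeholder, which would be the place to express a different slug shape if one is needed. The dict this line belongs to starts and ends outside the hunk.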
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 32fb3d27f5c..d6954b5d951 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1771,6 +1771,7 @@ def saml2_attrib_map_format(dict):
 "KHV": "https://avd.aquasec.com/misconfig/kubernetes/", # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045
 "MGASA-": "https://advisories.mageia.org/&&.html", # e.g. https://advisories.mageia.org/MGASA-2025-0023.html
 "OSV-": "https://osv.dev/vulnerability/", # e.g. https://osv.dev/vulnerability/OSV-2024-1330
+ "PMASA-": "https://www.phpmyadmin.net/security/", # e.g. https://www.phpmyadmin.net/security/PMASA-2025-1
 "PYSEC-": "https://osv.dev/vulnerability/", # e.g. https://osv.dev/vulnerability/PYSEC-2024-48
 "RHBA-": "https://access.redhat.com/errata/", # e.g. https://access.redhat.com/errata/RHBA-2024:2406
 "RHEA-": "https://access.redhat.com/errata/", # e.g. https://access.redhat.com/errata/RHEA-2024:8857
From 07671bca5631e8b738f71c746df66ab8db497113 Mon Sep 17 00:00:00 2001
From: valentijnscholten
Date: Wed, 12 Feb 2025 02:34:04 +0100
Subject: [PATCH 06/10] DOCKER.md: remove leftover `dc-` references (#11760)
---
 readme-docs/DOCKER.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/readme-docs/DOCKER.md b/readme-docs/DOCKER.md
index 440122f2e39..c6538587bc9 100644
--- a/readme-docs/DOCKER.md
+++ b/readme-docs/DOCKER.md
@@ -306,11 +306,11 @@ Run a single test. Example:
 python manage.py test unittests.tools.test_dependency_check_parser.TestDependencyCheckParser.test_parse_file_with_no_vulnerabilities_has_no_findings --keepdb
 ```
-For docker compose stack, there is a convenience script (`dc-unittest.sh`) capable of running a single test class.
+For docker compose stack, there is a convenience script (`run-unittest.sh`) capable of running a single test class.
 You will need to provide a test case (`--test-case`). Example:
 ```
-./dc-unittest.sh --test-case unittests.tools.test_stackhawk_parser.TestStackHawkParser
+./run-unittest.sh --test-case unittests.tools.test_stackhawk_parser.TestStackHawkParser
 ```
 ## Running the integration tests
From 061ef76610bdc96179424747357b96c5df90de92 Mon Sep 17 00:00:00 2001
From: valentijnscholten
Date: Wed, 12 Feb 2025 02:37:01 +0100
Subject: [PATCH 07/10] jira push error reasons should not be propagated to all channels (#11738)
* jira push error reasons should not be propagated to all notification channels
* linting
* linting
---
 dojo/finding/views.py | 6 +--
 dojo/jira_link/helper.py | 21 ++++++--
 dojo/notifications/helper.py | 95 ++++++++++++++++++++----------------
 dojo/templates/base.html | 9 ++--
 4 files changed, 79 insertions(+), 52 deletions(-)
diff --git a/dojo/finding/views.py b/dojo/finding/views.py
index 13025afc4b3..758634e0388 100644
--- a/dojo/finding/views.py
+++ b/dojo/finding/views.py
@@ -2983,7 +2983,7 @@ def finding_bulk_update_all(request, pid=None):
 ) = jira_helper.can_be_pushed_to_jira(group)
 if not can_be_pushed_to_jira:
 error_counts[error_message] += 1
- jira_helper.log_jira_alert(error_message, group)
+ jira_helper.log_jira_cannot_be_pushed_reason(error_message, group)
 else:
 logger.debug(
 "pushing to jira from finding.finding_bulk_update_all()",
@@ -3033,10 +3033,10 @@ def finding_bulk_update_all(request, pid=None):
 "finding already pushed as part of Finding Group"
 )
 error_counts[error_message] += 1
- jira_helper.log_jira_alert(error_message, finding)
+ jira_helper.log_jira_cannot_be_pushed_reason(error_message, finding)
 elif not can_be_pushed_to_jira:
 error_counts[error_message] += 1
- jira_helper.log_jira_alert(error_message, finding)
+ jira_helper.log_jira_cannot_be_pushed_reason(error_message, finding)
 else:
 logger.debug(
 "pushing to jira from finding.finding_bulk_update_all()",
diff --git a/dojo/jira_link/helper.py b/dojo/jira_link/helper.py
index adcb6da35fb..102129cf538 100644
--- a/dojo/jira_link/helper.py
+++ b/dojo/jira_link/helper.py
@@ -513,8 +513,8 @@ def get_jira_comments(finding):
 return None
-# Logs the error to the alerts table, which appears in the notification toolbar
 def log_jira_generic_alert(title, description):
+ """Creates a notification for JIRA errors happening outside the scope of a specific (finding/group/epic) object"""
 create_notification(
 event="jira_update",
 title=title,
@@ -523,8 +523,8 @@ def log_jira_generic_alert(title, description):
 source="JIRA")
-# Logs the error to the alerts table, which appears in the notification toolbar
 def log_jira_alert(error, obj):
+ """Creates a notification for JIRA errors when handling a specific (finding/group/epic) object"""
 create_notification(
 event="jira_update",
 title="Error pushing to JIRA " + "(" + truncate_with_dots(prod_name(obj), 25) + ")",
@@ -535,6 +535,19 @@ def log_jira_alert(error, obj):
 obj=obj)
+def log_jira_cannot_be_pushed_reason(error, obj):
+ """Creates an Alert for GUI display when handling a specific (finding/group/epic) object"""
+ create_notification(
+ event="jira_update",
+ title="Error pushing to JIRA " + "(" + truncate_with_dots(prod_name(obj), 25) + ")",
+ description=obj.__class__.__name__ + ": " + error,
+ url=obj.get_absolute_url(),
+ icon="bullseye",
+ source="Push to JIRA",
+ obj=obj,
+ alert_only=True)
+
+
 # Displays an alert for Jira notifications
 def log_jira_message(text, finding):
 create_notification(
@@ -787,10 +800,12 @@ def failure_to_add_message(message: str, exception: Exception, object: Any) -> b
 obj_can_be_pushed_to_jira, error_message, _error_code = can_be_pushed_to_jira(obj)
 if not obj_can_be_pushed_to_jira:
+ # not sure why this check is not part of can_be_pushed_to_jira, but afraid to change it
 if isinstance(obj, Finding) and obj.duplicate and not obj.active:
 logger.warning("%s will not be pushed to JIRA as it's a duplicate finding", to_str_typed(obj))
+ log_jira_cannot_be_pushed_reason(error_message + " and findis a duplicate", obj)
 else:
- log_jira_alert(error_message, obj)
+ log_jira_cannot_be_pushed_reason(error_message, obj)
 logger.warning("%s cannot be pushed to JIRA: %s.", to_str_typed(obj), error_message)
 logger.warning("The JIRA issue will NOT be created.")
 return False
diff --git a/dojo/notifications/helper.py b/dojo/notifications/helper.py
index 3e0a0295de2..0807e4e9f21 100644
--- a/dojo/notifications/helper.py
+++ b/dojo/notifications/helper.py
@@ -54,6 +54,7 @@ def create_notification(
 no_users: bool = False, # noqa: FBT001
 url: str | None = None,
 url_api: str | None = None,
+ alert_only: bool = False, # noqa: FBT001
 **kwargs: dict,
 ) -> None:
 """Create an instance of a NotificationManager and dispatch the notification."""
@@ -86,6 +87,7 @@ def create_notification(
 no_users=no_users,
 url=url,
 url_api=url_api,
+ alert_only=alert_only,
 **kwargs,
 )
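Review bot: The new `log_jira_cannot_be_pushed_reason` appears to repeat the `create_notification` call of `log_jira_alert` (same `event`, `title`, `description` shape and `url`), differing in `source="Push to JIRA"` and `alert_only=True`; the two will drift apart when one is edited, so consider building the shared keyword arguments in one private helper or giving `log_jira_alert` an `alert_only` parameter. The docstring could also state the reason this variant exists, e.g. `"""Alert only: a push-eligibility reason for a finding/group/epic is shown in the GUI and not fanned out to the other notification channels."""`. Whether the `source` value is meant to differ from `log_jira_alert`'s is not visible in this hunk and worth confirming.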
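Review bot: The duplicate-finding branch builds a user-visible reason with a typo, `log_jira_cannot_be_pushed_reason(error_message + " and findis a duplicate", obj)`; it should read `error_message + " and finding is a duplicate"`. The string goes into the alert description through `log_jira_cannot_be_pushed_reason` and is shown in the GUI as written. The enclosing function starts outside the hunk.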
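Review bot: The new `alert_only` parameter of `create_notification` is not described in the docstring or on the line itself, so a caller cannot tell that it restricts delivery to the in-app alert channel and skips Slack, MS Teams, mail and webhooks (that gating lives in the `_process_notifications` hunk of the same patch). A trailing comment would do: `alert_only: bool = False,  # noqa: FBT001  # only the in-app alert channel is used; no slack/msteams/mail/webhooks`. `create_notification` continues outside both hunks.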
@@ -802,61 +804,68 @@ def _process_notifications( ) logger.debug("process notifications for %s", notifications.user) - if self.system_settings.enable_slack_notifications and "slack" in getattr( - notifications, - event, - getattr(notifications, "other"), - ): - logger.debug("Sending Slack Notification") - self._get_manager_instance("slack").send_slack_notification( + alert_only = kwargs.get("alert_only", False) + if alert_only: + logger.debug("sending alert only") + + if "alert" in getattr(notifications, event, getattr(notifications, "other")): + logger.debug(f"Sending Alert to {notifications.user}") + self._get_manager_instance("alert").send_alert_notification( event, user=notifications.user, **kwargs, ) - if self.system_settings.enable_msteams_notifications and "msteams" in getattr( - notifications, - event, - getattr(notifications, "other"), - ): - logger.debug("Sending MSTeams Notification") - self._get_manager_instance("msteams").send_msteams_notification( + # Some errors should not be pushed to all channels, only to alerts. 
+ # For example reasons why JIRA Issues: https://github.com/DefectDojo/django-DefectDojo/issues/11575 + if not alert_only: + if self.system_settings.enable_slack_notifications and "slack" in getattr( + notifications, event, - user=notifications.user, - **kwargs, - ) + getattr(notifications, "other"), + ): + logger.debug("Sending Slack Notification") + self._get_manager_instance("slack").send_slack_notification( + event, + user=notifications.user, + **kwargs, + ) - if self.system_settings.enable_mail_notifications and "mail" in getattr( - notifications, - event, - getattr(notifications, "other"), - ): - logger.debug("Sending Mail Notification") - self._get_manager_instance("mail").send_mail_notification( + if self.system_settings.enable_msteams_notifications and "msteams" in getattr( + notifications, event, - user=notifications.user, - **kwargs, - ) + getattr(notifications, "other"), + ): + logger.debug("Sending MSTeams Notification") + self._get_manager_instance("msteams").send_msteams_notification( + event, + user=notifications.user, + **kwargs, + ) - if self.system_settings.enable_webhooks_notifications and "webhooks" in getattr( - notifications, - event, - getattr(notifications, "other"), - ): - logger.debug("Sending Webhooks Notification") - self._get_manager_instance("webhooks").send_webhooks_notification( + if self.system_settings.enable_mail_notifications and "mail" in getattr( + notifications, event, - user=notifications.user, - **kwargs, - ) + getattr(notifications, "other"), + ): + logger.debug("Sending Mail Notification") + self._get_manager_instance("mail").send_mail_notification( + event, + user=notifications.user, + **kwargs, + ) - if "alert" in getattr(notifications, event, getattr(notifications, "other")): - logger.debug(f"Sending Alert to {notifications.user}") - self._get_manager_instance("alert").send_alert_notification( + if self.system_settings.enable_webhooks_notifications and "webhooks" in getattr( + notifications, event, - 
user=notifications.user, - **kwargs, - ) + getattr(notifications, "other"), + ): + logger.debug("Sending Webhooks Notification") + self._get_manager_instance("webhooks").send_webhooks_notification( + event, + user=notifications.user, + **kwargs, + ) @app.task(ignore_result=True) diff --git a/dojo/templates/base.html b/dojo/templates/base.html index 5470baf13bd..d64ef8d5f69 100644 --- a/dojo/templates/base.html +++ b/dojo/templates/base.html @@ -159,7 +159,7 @@ {% if request.user.is_authenticated %}
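Review bot: The comment added above `if not alert_only:` is missing its verb, `# For example reasons why JIRA Issues: https://github.com/DefectDojo/django-DefectDojo/issues/11575`, and should say what the example is, e.g. `# e.g. the reasons a finding cannot be pushed to JIRA, see https://github.com/DefectDojo/django-DefectDojo/issues/11575`. `alert_only` is read with `kwargs.get`, so it stays in `kwargs` and is forwarded via `**kwargs` to `send_alert_notification` and, when false, to every channel's `send_*_notification`; that is only safe if those methods accept arbitrary keyword arguments, which this hunk does not show, otherwise `alert_only = kwargs.pop("alert_only", False)` is the safer read. Note also that an alert-only notification is dropped entirely when the user has not enabled `alert` for the event, since the alert send is still guarded by `"alert" in getattr(notifications, event, ...)`; if that is intended it is worth saying in the comment. `_process_notifications` starts outside the hunk.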
  • - + {{ request.user.username }}
  • @@ -438,7 +438,7 @@