Merge branch 'dev' into drop_dc

.dryrunsecurity.yaml

@@ -68,6 +68,7 @@ allowedAuthors:
     - dsever
     - dogboat
     - hblankenship
+    - valentijnscholten
 notificationList:
   - '@mtesauro'
   - '@grendel513'

.github/workflows/build-docker-images-for-testing.yml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Build
         id: docker_build
-        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         timeout-minutes: 10
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false

.github/workflows/gh-pages.yml

@@ -19,7 +19,7 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: '22.5.1'
 

.github/workflows/release-x-manual-docker-containers.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Build and push images with debian
         if: ${{ matrix.os  == 'debian' }}
-        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false
           REPO_ORG: ${{ env.repoorg }}
@@ -64,7 +64,7 @@ jobs:
 
       - name: Build and push images with alpine
         if: ${{ matrix.os  == 'alpine' }}
-        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false
           REPO_ORG: ${{ env.repoorg }}

.github/workflows/test-helm-chart.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.9
 

.github/workflows/update-sample-data.yml

@@ -0,0 +1,53 @@
+name: Update Sample Data
+
+env:
+  GIT_USERNAME: "DefectDojo release bot"
+  GIT_EMAIL: "dojo-release-bot@users.noreply.github.com"
+
+on:
+  workflow_dispatch: # Trigger manually
+  schedule:
+    # Run on the 1st day of January, April, July, and October at midnight UTC
+    - cron: '0 0 1 1,4,7,10 *'
+
+jobs:
+  run-binary-and-create-pr:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name || 'dev'}}
+
+      - name: Run binary
+        run: |
+          ./fixture-updater dojo/fixtures/defect_dojo_sample_data.json
+          mv output.json dojo/fixtures/defect_dojo_sample_data.json
+
+      - name: Configure git
+        run: |
+          git config --global user.name "${{ env.GIT_USERNAME }}"
+          git config --global user.email "${{ env.GIT_EMAIL }}"
+
+      - name: Create and switch to a new branch
+        run: |
+          git checkout -b update-file-$(date +%Y%m%d%H%M%S)
+          git add dojo/fixtures/defect_dojo_sample_data.json
+          git commit -m "Update sample data"
+
+      - name: Push branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git push --set-upstream origin $(git rev-parse --abbrev-ref HEAD)
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "Update sample data"
+          branch: ${{ github.ref_name || 'dev'}}
+          base: dev
+          title: "Update sample data"
+          body: "This pull request updates the sample data."

Dockerfile.integration-tests-debian

@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.10.0@sha256:f2054a5a7908ad81017d0f0839514ba5eab06ae628914ff71554d46fac1bcf7a AS openapitools
+FROM openapitools/openapi-generator-cli:v7.11.0@sha256:a9e7091ac8808c6835cf8ec88252bca603f1f889ef1456b63d8add5781feeca7 AS openapitools
 FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS build
 WORKDIR /app
 RUN \

README.md

@@ -112,7 +112,7 @@ of DefectDojo as we begin work on v3. Please see our [contributing guidelines](r
 information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/8974).
 
 ## Pro Edition
-[Upgrade to DefectDojo Pro](https://www.defectdojo.com/pricing) today to take your DevSecOps to 11. DefectDojo Pro is
+[Upgrade to DefectDojo Pro](https://www.defectdojo.com/) today to take your DevSecOps to 11. DefectDojo Pro is
 designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional
 smart features, tunable deduplication, and support from DevSecOps experts.
 

docker-compose.override.dev.yml

@@ -54,4 +54,4 @@ services:
         protocol: tcp
         mode: host
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a
+    image: mccutchen/go-httpbin:v2.16.0@sha256:2b02b8844eab42d432d9c4bbd96a20d7ff348292097eeee4546e79252f72c70e

docker-compose.override.unit_tests.yml

@@ -52,7 +52,7 @@ services:
     image: busybox:1.37.0-musl
     entrypoint: ['echo', 'skipping', 'redis']
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a
+    image: mccutchen/go-httpbin:v2.16.0@sha256:2b02b8844eab42d432d9c4bbd96a20d7ff348292097eeee4546e79252f72c70e
 volumes:
   defectdojo_postgres_unit_tests: {}
   defectdojo_media_unit_tests: {}

docker-compose.override.unit_tests_cicd.yml

@@ -51,7 +51,7 @@ services:
     image: busybox:1.37.0-musl
     entrypoint: ['echo', 'skipping', 'redis']
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a
+    image: mccutchen/go-httpbin:v2.16.0@sha256:2b02b8844eab42d432d9c4bbd96a20d7ff348292097eeee4546e79252f72c70e
 volumes:
   defectdojo_postgres_unit_tests: {}
   defectdojo_media_unit_tests: {}

docs/content/en/changelog/changelog.md

@@ -7,6 +7,14 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide).
 
+## Jan 21, 2025: v2.42.2
+
+- **(Classic UI)** Corrected link to Smart Upload form.
+- **(CLI Tools)** Fixed issue with .exe extensions not getting added to Windows binaries
+- **(Findings)** `Mitigated` filter now uses datetime instead of date for filtering.
+- **(OAuth)** Clarified Azure AD labels to better align with Azure's language.  Default value for Azure Resource is now set. <span style="background-color:rgba(242, 86, 29, 0.5)">(Pro)</span>
+- **(RBAC)** Request Review now applies RBAC properly with regard to User Groups.
+
 ## Jan 13, 2025: v2.42.1
 
 - **(API)** Pro users can now specify the fields they want to return in a given API payload.  For example, this request will only return the title, severity and description fields for each Finding.  <span style="background-color:rgba(242, 86, 29, 0.5)">(Pro)</span>
@@ -15,6 +23,10 @@ curl -X 'GET' \
   'https://localhost/api/v2/findings/?response_fields=title,severity,description' \
   -H 'accept: application/json'
 ```
+- **(Findings)** Excel and CSV exports now include tags.
+- **(Reports)** Reports now exclude unenforced SLAs from Executive Summary to avoid confusion.
+- **(Risk Acceptance)** Simple Risk Acceptances now have a 'paper trail' created - when they are added or removed, a note will be added to the Finding to log the action.
+- **(Tools)** ImageTags are now included with AWS SecurityHub and AWS inspector parsers.
 
 ## Jan 6, 2025: v2.42.0
 

docs/content/en/open_source/api-v2-docs.md

@@ -5,13 +5,10 @@ draft: false
 weight: 2
 ---
 
-
-
-
 DefectDojo\'s API is created using [Django Rest
 Framework](http://www.django-rest-framework.org/). The documentation of
 each endpoint is available within each DefectDojo installation at
-[`/api/v2/doc/`](https://demo.defectdojo.org/api/v2/) and can be accessed by choosing the API v2
+[`/api/v2/oa3/swagger-ui`](https://demo.defectdojo.org/api/v2/oa3/swagger-ui/)) and can be accessed by choosing the API v2
 Docs link on the user drop down menu in the header. 
 
 ![image](../../images/api_v2_1.png)
@@ -45,7 +42,7 @@ For example: :
 
 ### Alternative authentication method
 
-If you use [an alternative authentication method](../social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \
+If you use [an alternative authentication method](../archived_docs/integrations/social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \
 Using of DefectDojo API tokens can be disabled by specifying the environment variable `DD_API_TOKENS_ENABLED` to `False`.
 Or only `api/v2/api-token-auth/` endpoint can be disabled by setting `DD_API_TOKEN_AUTH_ENDPOINT_ENABLED` to `False`.
 
@@ -128,7 +125,7 @@ The json object result is: :
 {{< /highlight >}}
 
 See [Django Rest Framework\'s documentation on interacting with an
-API](http://www.django-rest-framework.org/topics/api-clients/) for
+API](https://www.django-rest-framework.org/) for
 additional examples and tips.
 
 ## Manually calling the API

docs/content/en/open_source/ldap-authentication.md

@@ -17,7 +17,7 @@ We will need to modify a grand total of 4-5 files, depending on how you want to
  - Dockerfile.django-*
  - Dockerfile.nginx-*
  - requirements.txt
- - settings.dist.py
+ - local_settings.py
  - docker-compose.yml *(Optional)*
 
 
@@ -36,8 +36,8 @@ ldap-utils \
 
 Please check for the latest version of these requirements at the time of implementation on pypi.org and use those if you can.
 
-- [https://pypi.org/project/python-ldap/](python-ldap)
-- [https://pypi.org/project/django-auth-ldap/](django-auth-ldap)
+- [python-ldap](https://pypi.org/project/python-ldap/)
+- [django-auth-ldap](https://pypi.org/project/django-auth-ldap/)
 
 Otherwise add the following to requirements.txt:
 
@@ -47,9 +47,9 @@ django-auth-ldap==4.1.0
 ```
 
 
-#### settings.dist.py
+#### local_settings.py
 
-Find the settings file (hint: `/dojo/settings/settings.dist.py`) and add the following:
+Find the settings file (hint: check in `/dojo/settings/settings.py` for instructions for how to use `/dojo/settings/local_settings.py`, if the file does not already exist) and add the following:
 
 At the top of the file:
 ```python
@@ -116,7 +116,7 @@ Read the docs for Django Authentication with LDAP here: https://django-auth-ldap
 
 #### docker-compose.yml
 
-In order to pass the variables to the settings.dist.py file via docker, it's a good idea to add these to the docker compose file.
+In order to pass the variables to the local_settings.py file via docker, it's a good idea to add these to the docker compose file.
 
 You can do this by adding the following variables to the environment section for the uwsgi image:
 ```yaml

docs/content/en/open_source/upgrading/2.42.md

@@ -4,4 +4,16 @@ toc_hide: true
 weight: -20241202
 description: No special instructions.
 ---
-There are no special instructions for upgrading to 2.42.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.42.0) for the contents of the release.
+
+**Hash Code changes**
+A few parsers have been updated to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code please execute the following command:
+
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Horusec Scan" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Qualys Hacker Guardian Scan --hash_code_only"`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Red Hat Satellite --hash_code_only"`
+
+This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process.
+See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.42.0) for the contents of the release.
+

docs/content/en/open_source/upgrading/2.43.md

@@ -9,4 +9,16 @@ description: Disclaimer field renamed/split and removal of `dc-` scripts.
 
 In the past, when DefectDojo supported different database and message brokers, `dc-` scripts have been added to simplify start of Dojo stack. As these backends are not supported, mentioned scripts are not needed anymore. From now we recommend to use standard `docker compose` (or `docker-compose`) commands as they are described on [README.md](https://github.com/DefectDojo/django-DefectDojo/blob/master/README.md) 
 
-But there are no other special instructions for upgrading to 2.43.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.43.0) for the contents of the release.
+**Hash Code changes**
+The Rusty Hog parser has been [updated](https://github.com/DefectDojo/django-DefectDojo/pull/11433) to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code and deduplicate existing Rusty Hog findings, please execute the following command:
+
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Rusty Hog Scan)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Choctaw Hog)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Duroc Hog)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Gottingen Hog)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Essex Hog)" --hash_code_only`
+
+This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process.
+See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.43.0) for the contents of the release.

docs/package.json

@@ -21,7 +21,7 @@
   },
   "devDependencies": {
     "prettier": "^3.3.3",
-    "vite": "^6.0.0"
+    "vite": "^6.0.9"
   },
   "engines": {
     "node": ">=20.11.0"

dojo/api_v2/prefetch/mixins.py

@@ -6,7 +6,9 @@
 
 class PrefetchListMixin(ListModelMixin):
     def list(self, request, *args, **kwargs):
-        prefetch_params = request.GET.get("prefetch", "").split(",")
+        prefetch_params = request.GET.get("prefetch", "")
+        prefetch_params = prefetch_params.split(",") if "," in prefetch_params else request.GET.getlist("prefetch")
+
         prefetcher = _Prefetcher()
 
         # Apply the same operations as the standard list method defined in the
@@ -30,7 +32,9 @@ def list(self, request, *args, **kwargs):
 
 class PrefetchRetrieveMixin(RetrieveModelMixin):
     def retrieve(self, request, *args, **kwargs):
-        prefetch_params = request.GET.get("prefetch", "").split(",")
+        prefetch_params = request.GET.get("prefetch", "")
+        prefetch_params = prefetch_params.split(",") if "," in prefetch_params else request.GET.getlist("prefetch")
+
         prefetcher = _Prefetcher()
 
         entry = self.get_object()

dojo/components/sql_group_concat.py

@@ -18,14 +18,6 @@ def __init__(
             **extra,
         )
 
-    def as_mysql(self, compiler, connection):
-        return super().as_sql(
-            compiler,
-            connection,
-            template="%(function)s(%(distinct)s%(expressions)s%(ordering)s%(separator)s)",
-            separator=f" SEPARATOR '{self.separator}'",
-        )
-
     def as_sql(self, compiler, connection, **extra):
         return super().as_sql(
             compiler,