Dependency-Track Hash Code computation: Add severity in the hash code calculation of the finding #8778

kmouzoul23 · 2023-10-03T09:13:33Z

Problem description
At the moment severity is not part of the Unique Hash code for findings found via Dependency Track. This configuration leads to misleading information within Defect Dojo when findings CVSS score changes.
DefectDojo/django-DefectDojo/tree/master/dojo/settings)
/settings.dist.py:
'Dependency Track Finding Packaging Format (FPF) Export': ['component_name', 'component_version', 'vulnerability_ids']

Steps to reproduce the behavior:

Upload a Dependency-Track Report
Change the severity of a finding included in the report
Reupload this Dependency-Track file to the same engagement
View the result (finding with changed severity will be marked as Inactive, Duplicate)

Expected behavior
The duplicate finding (with changed severity) should be considered the active one in Defect Dojo

Deployment method

Docker Compose
Kubernetes
GoDojo

quirinziessler · 2023-10-23T21:42:29Z

@kmouzoul23 The hash code is without the severity on purpose. Otherwise it would cause a lot of false truth in DD. If you want to have this feature I would recommend you to open up a issue to the DependencyTrack project or even better create a PR for this there. Resturcturing the sync to use patch methods for existing findings will probably be the most easiest & effective way.

manuel-sommer · 2024-01-10T15:58:08Z

#9117

I guess this can be closed @mtesauro

kepten · 2024-01-10T17:13:10Z

I agree with @quirinziessler that this should have been addressed in DT and not in DD. CVE severities are sometimes unassigned at first or get recalculated afterwards but they should still be considered the same finding in DD.
I'm still investigating but this change seems to result in existing DT findings with old hash_code to be closed and then re-created with the new hash_code which totally messed up our SLA tracking.
@manuel-sommer I think #9117 should be reverted because I'd imagine this will cause unnecessary trouble for lots of users once they happen to upgrade to DD v2.30.x.

manuel-sommer · 2024-01-10T19:21:42Z

@kepten and @quirinziessler I had a quick look at the code.
Do findings with unassigned severity get a critical severity? Maybe we should change this behavior in a way that they will become an info finding. Then, this makes more sense. Maybe I had it wrong in my mind.
I don't know if the severity issue can be fixed on DT in an easy way as there is probably no trigger mechanism inside DT when the severity of a finding changes. Then, this mechanism could be used to implement a method to patch the finding's severity on DefectDojo side. Feel free to open up a new issue if you still have problems or you still have the opinion that this should be reverted.

kepten · 2024-01-11T09:38:54Z

I think there are two distinct problems which need two distinct solutions and neither of them should be to add severity to hash_code (which got implemented so far):

The problem statement in this issue by @kmouzoul23 is that DD severity is not updated if the severity in DT changes. Since DD right now works in a way that it never updates imported findings (except some metadata like active and mitigation_date), that should be done differently, e.g DT updating the findings via DD API when their metadata (e.g. severity) changes.
@manuel-sommer in Filter out rejected findings to not sync with DefectDojo DependencyTrack/dependency-track#1915 described the problem that rejected CVE findings are not automatically closed in DD. To solve this, no code change is necessary in DD. DT should either not send rejected findings to DD in the first place or set their severity to Info so DD would ignore them at import time (thanks to minimum_severity set to Info).

There is a 3rd topic raised in the previous comment:

Do findings with unassigned severity get a critical severity?

The answer is yes. I'd be okay changing it to Info, I think it would make much more sense than treating a finding with unknown severity as critical. Although making this change would solve DependencyTrack/dependency-track#1915, we should rather consider it as a conceptual question, i.e how to treat "unknown" severity findings in DD. Should we treat them with the utmost care (because they might turn out to be critical indeed) or should they be "ignored" unless their real severity is determined? Personally, I'd be fine with both but might prefer the latter.

Why I think #9117 should be reverted asap?

Because changing the hash_code calculation results in all existing DT findings in DD to be closed and then re-created with the new hash_code upon the next import. That has several drawbacks:

The SLA of the new findings will start from the import day, losing the original "age" of the finding stored in the previous finding. This means SLAs for DT findings in DD will be all incorrect and this crucial information (at least in a corporate/compliance-sensitive environment) will be lost/messed up. That will impact everyone with existing DT findings once they upgrade to DD v2.30.x
If the previous finding was already triaged (e.g. set to false positive in DD) then this information will be "lost" and won't be visible in the newly created finding.
I checked and none of the other dependency checkers seem to include severity in their hash_code, I guess for a reason...

manuel-sommer · 2024-01-11T15:22:56Z

I have an additional idea: There should be a mechanism to automatically update the finding's hashcode as soon as the hash code settings changes. https://defectdojo.github.io/django-DefectDojo/usage/features/#hashcode-generation--regeneration

By the way, this is the solution that not all findings will be destroyed and recreated. But this has to be done when you upgrade to v2.30.0

kepten · 2024-01-12T08:54:06Z

@manuel-sommer Yes, this could be a solution for not recreating the findings. But it still doesn't solve the issue that if the severity of a CVE is changed (e.g in the NVD database) it'd destroy and create a new finding with the new severity, practically "resetting" the age attribute of the finding, losing any previous triage state, etc which doesn't make sense to me. If a CVE is created (e.g. with critical initial severity) and then it gets lowered (e.g. to low), the "age" of the finding should not change just the corresponding SLA in DD. Similarly if a finding was out of scope with some severity, it'll still be out of scope even if its severity changes. Therefore I still think that severity should not be added to the hash_code because it's not a unique attribute of it which should be used for deduplication but a dynamic field which can change during its lifecycle.

manuel-sommer · 2024-01-19T12:45:51Z

@kepten, I opened up a followup PR.

kepten · 2024-01-19T13:07:54Z

@manuel-sommer If you mean #9370, that is a good change but it's still not reverting #9117 which is the root cause of my problems (and eventually other's as well once they upgrade to v2.30.x).

manuel-sommer · 2024-01-19T13:12:52Z

Feel free to open a PR.

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update versions in application files * Update jira-description.tpl (DefectDojo#9403) * Update and rename whitesource.md to mend.md (DefectDojo#9348) * Update and rename whitesource.md to mend.md * Update docs/content/en/integrations/parsers/file/mend.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * API: Remote v2 OpenAPI2 Docs from menu (DefectDojo#9469) * 🐛 fix migration (DefectDojo#9467) * finding sla expiration date field (part one) (DefectDojo#9473) * addition of sla expiration date field on the finding model * add migration and fix indentation issue * fix mitigated finding remaining sla days calculation * fix sla violation filter to return only active, sla violating findings * migration system settings fix * fix mitigation date vs datetime discrepancy * fix breaking unit test * move product save check to signal * fix unit test failure * make signal operations async, fix sla config delete 500 error * add unit tests to test sla expiration date functionality * restarting without signals * add async updating flags, redo migration * move signal logic to overriden save * fix errors for non-existing objects at creation * clean up comments and a few logical expressions * fix flake8 error * addition of new unit tests * fix unit test error * add message to form fields when async updating flag is true * fix save location, reword form messages, reword redirect messages * remove commented lines from unit tests * add a bit more description to API validation errors * migration fix * migration performance improvements * fix datetime - str comparison issue * clean up for part one of sla expiration date field * fix flake8 * Update dojo/db_migrations/0200_finding_sla_expiration_date_product_async_updating_and_more.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update versions in application files * Update versions in application files * Update release-drafter/release-drafter action from v5.25.0 to v6 (.github/workflows/release-drafter.yml) (DefectDojo#9460) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump pytz from 2023.4 to 2024.1 (DefectDojo#9465) Bumps [pytz](https://github.com/stub42/pytz) from 2023.4 to 2024.1. - [Release notes](https://github.com/stub42/pytz/releases) - [Commits](stub42/pytz@release_2023.4...release_2024.1) --- updated-dependencies: - dependency-name: pytz dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump django-debug-toolbar from 4.2.0 to 4.3.0 (DefectDojo#9466) Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@4.2...4.3) --- updated-dependencies: - dependency-name: django-debug-toolbar dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `d12e6f7` to `f2802c2` (DefectDojo#9477) Bumps nginx from `d12e6f7` to `f2802c2`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.33 to v8.4.34 (docs/package.json) (DefectDojo#9481) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9458) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * ⬆️ Bump boto3 from 1.34.32 to 1.34.35 (DefectDojo#9489) Bumps [boto3](https://github.com/boto/boto3) from 1.34.32 to 1.34.35. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.34.32...1.34.35) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) (DefectDojo#9459) * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) * Fix ruff warning (DefectDojo#9461) * Update dependency ruff from 0.1.15 to v0.2.0 (requirements-lint.txt) * fix ruff warning --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * 🐛 fix defaulting severity, see last comments in DefectDojo#8778 (DefectDojo#9370) Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Add ruff for *tests (DefectDojo#9406) * Revert ":bug: fix dependencytrack deduplication (DefectDojo#9117)" (DefectDojo#9371) This reverts commit 0f55a7f. Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string should evaluate to "Info" (DefectDojo#9453) * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" #flake8_fix * Trivy Operator VulnerabilityReport Parser tweaks (DefectDojo#9452) * API: Check missing endpoints (DefectDojo#7618) * Rename unittest * Define exceptions for now * Announcement was implemented * Fix unittests with assertRaises + replace assertTrue/False with better checks (DefectDojo#9435) * Fix unittests with assertRaises * Replace assertTrue/False with better checks * Fixes * Optimize list of Maintenance in relase notes (DefectDojo#9492) * fix typo in docs (DefectDojo#9487) * 🐛 WFuzz: Add additional severity mappings (DefectDojo#9486) * 🐛 fix wfuzz, issue DefectDojo#7863 * add 302 * update docs * Be strict about Warnings during testing (DefectDojo#9490) * Set PYTHONWARNINGS=error * Add basic filterwarnings * Mute some warnings * Mute one more warning * 🐛 fix trufflehog3, issue DefectDojo#6999 (DefectDojo#9470) * 🐛 fix yarn_audit, DefectDojo#6495 (DefectDojo#9478) * Bump vulners from 2.1.2 to 2.1.5 (DefectDojo#9391) Bumps [vulners]() from 2.1.2 to 2.1.5. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for DD_APPEND_SLASH (DefectDojo#9385) * Override default Django APPEND_SLASH * Update dojo/settings/settings.dist.py * 🎉 Improvements for wazuh importer (DefectDojo#9248) * improvement for wazuh importer * 🔧 change on dedupe for Wazuh * 🔧 change on dedupe for Wazuh * 📝 * ✏️ * 📝 * 📝 * flake8 * 🎉 recoded wazuh importer to support endpoints * ✅ adjusted unittests * 📝 * ✏️ * ✏️ --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9501) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improve API endpoints for Risk Acceptances (DefectDojo#9415) * Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517) * Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217] * fixing Flake8 errors * fixing Flake8 errors, part deux --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com>

* WIP * first draw * fix migrations * fix migrations * add epss to findings UI * added epss to finding list * Delete unittests/scans/wazuh/one_endpoint_finding.json * flake8 * add migration for ModelOptions * Add null values for epss + validators * updated findings detail page to display epss as percentage * removed wazuh file * update branch (#3) * Update versions in application files * Update jira-description.tpl (#9403) * Update and rename whitesource.md to mend.md (#9348) * Update and rename whitesource.md to mend.md * Update docs/content/en/integrations/parsers/file/mend.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * API: Remote v2 OpenAPI2 Docs from menu (#9469) * 🐛 fix migration (#9467) * finding sla expiration date field (part one) (#9473) * addition of sla expiration date field on the finding model * add migration and fix indentation issue * fix mitigated finding remaining sla days calculation * fix sla violation filter to return only active, sla violating findings * migration system settings fix * fix mitigation date vs datetime discrepancy * fix breaking unit test * move product save check to signal * fix unit test failure * make signal operations async, fix sla config delete 500 error * add unit tests to test sla expiration date functionality * restarting without signals * add async updating flags, redo migration * move signal logic to overriden save * fix errors for non-existing objects at creation * clean up comments and a few logical expressions * fix flake8 error * addition of new unit tests * fix unit test error * add message to form fields when async updating flag is true * fix save location, reword form messages, reword redirect messages * remove commented lines from unit tests * add a bit more description to API validation errors * migration fix * migration performance improvements * fix datetime - str comparison issue * clean up for part one of sla expiration date field * fix flake8 * Update dojo/db_migrations/0200_finding_sla_expiration_date_product_async_updating_and_more.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update versions in application files * Update versions in application files * Update release-drafter/release-drafter action from v5.25.0 to v6 (.github/workflows/release-drafter.yml) (#9460) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump pytz from 2023.4 to 2024.1 (#9465) Bumps [pytz](https://github.com/stub42/pytz) from 2023.4 to 2024.1. - [Release notes](https://github.com/stub42/pytz/releases) - [Commits](stub42/pytz@release_2023.4...release_2024.1) --- updated-dependencies: - dependency-name: pytz dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump django-debug-toolbar from 4.2.0 to 4.3.0 (#9466) Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@4.2...4.3) --- updated-dependencies: - dependency-name: django-debug-toolbar dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `d12e6f7` to `f2802c2` (#9477) Bumps nginx from `d12e6f7` to `f2802c2`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.33 to v8.4.34 (docs/package.json) (#9481) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (#9458) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * ⬆️ Bump boto3 from 1.34.32 to 1.34.35 (#9489) Bumps [boto3](https://github.com/boto/boto3) from 1.34.32 to 1.34.35. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.34.32...1.34.35) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) (#9459) * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) * Fix ruff warning (#9461) * Update dependency ruff from 0.1.15 to v0.2.0 (requirements-lint.txt) * fix ruff warning --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * 🐛 fix defaulting severity, see last comments in #8778 (#9370) Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Add ruff for *tests (#9406) * Revert ":bug: fix dependencytrack deduplication (#9117)" (#9371) This reverts commit 0f55a7f. Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string should evaluate to "Info" (#9453) * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" #flake8_fix * Trivy Operator VulnerabilityReport Parser tweaks (#9452) * API: Check missing endpoints (#7618) * Rename unittest * Define exceptions for now * Announcement was implemented * Fix unittests with assertRaises + replace assertTrue/False with better checks (#9435) * Fix unittests with assertRaises * Replace assertTrue/False with better checks * Fixes * Optimize list of Maintenance in relase notes (#9492) * fix typo in docs (#9487) * 🐛 WFuzz: Add additional severity mappings (#9486) * 🐛 fix wfuzz, issue #7863 * add 302 * update docs * Be strict about Warnings during testing (#9490) * Set PYTHONWARNINGS=error * Add basic filterwarnings * Mute some warnings * Mute one more warning * 🐛 fix trufflehog3, issue #6999 (#9470) * 🐛 fix yarn_audit, #6495 (#9478) * Bump vulners from 2.1.2 to 2.1.5 (#9391) Bumps [vulners]() from 2.1.2 to 2.1.5. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for DD_APPEND_SLASH (#9385) * Override default Django APPEND_SLASH * Update dojo/settings/settings.dist.py * 🎉 Improvements for wazuh importer (#9248) * improvement for wazuh importer * 🔧 change on dedupe for Wazuh * 🔧 change on dedupe for Wazuh * 📝 * ✏️ * 📝 * 📝 * flake8 * 🎉 recoded wazuh importer to support endpoints * ✅ adjusted unittests * 📝 * ✏️ * ✏️ --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (#9501) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (#9502) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improve API endpoints for Risk Acceptances (#9415) * Modifying Bugcrowd API Parser to align to vendor documentation on wha… (#9517) * Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217] * fixing Flake8 errors * fixing Flake8 errors, part deux --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> * updated migrations * added percentage to findings_list * ✏️ tightening column title in findings detail page * flake8 * undo DT parser update * fix migrations * update migrations to changes in dev * merge dev into epss score * Update versions in application files * Update versions * Parse GitHub vulnerability version (#9462) * Fix SARIF parser with CodeQL rules (#9440) * fix for sarif parser with codeql rules * add check for extensions property * flake8 comparsion * finding sla expiration date field (part two) (#9494) * finding sla expiration date field (part two) * sla violation check updates * clean up of finding violates_sla property * flake8 fix * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update 0201_populate_finding_sla_expiration_date.py --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Jira Server/DataCenter: Update meta methods (#9512) * Jira Webhook: Catch comments from other issue updates (#9513) * Jira Webhook: Catch comments from other issue updates * Accommodate redirect responses * Update dojo/jira_link/views.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Fix syntax --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * add metrics page: "Product Tag Count" (fixes #9151) (#9152) * add metrics page: "Product Tag Count" It is fully based on "Product Type Count" metrics page. * fixup! add metrics page: "Product Tag Count" * Fix Flake8 * Update views.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Release Drafter: Try validating inputs * Disallow duplicate tool types (#9530) * Disallow duplicate tool types * Fix Flake8 * Only validate on new creations * Force new name on tool type unit test * Engagement Surveys: Add missing leading slash (#9531) URL redirects were behaving strangely without this leading slash. it seems it was missed when all the others were added * Update versions in application files * Update versions in application files * Dojo_Group: Support for "RemoteUser" in model (#9405) * Use correct name references * fix db_mig * Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (#9535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * remove flot-axis library (#9540) * use full url for helm-repos and alias in renovate.json (#9525) With this change, renovate will create PRs to update the helm-dependencies, just as with docker-compose. Note that only setting the repository to the full URL did not work, I also had to add the registryAlias. * Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (#9550) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (#9541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (#9536) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (#9545) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * update epss-score (#5) solve conflicts --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

* WIP * first draw * fix migrations * fix migrations * add epss to findings UI * added epss to finding list * Delete unittests/scans/wazuh/one_endpoint_finding.json * flake8 * add migration for ModelOptions * Add null values for epss + validators * updated findings detail page to display epss as percentage * removed wazuh file * update branch (#3) * Update versions in application files * Update jira-description.tpl (DefectDojo#9403) * Update and rename whitesource.md to mend.md (DefectDojo#9348) * Update and rename whitesource.md to mend.md * Update docs/content/en/integrations/parsers/file/mend.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * API: Remote v2 OpenAPI2 Docs from menu (DefectDojo#9469) * 🐛 fix migration (DefectDojo#9467) * finding sla expiration date field (part one) (DefectDojo#9473) * addition of sla expiration date field on the finding model * add migration and fix indentation issue * fix mitigated finding remaining sla days calculation * fix sla violation filter to return only active, sla violating findings * migration system settings fix * fix mitigation date vs datetime discrepancy * fix breaking unit test * move product save check to signal * fix unit test failure * make signal operations async, fix sla config delete 500 error * add unit tests to test sla expiration date functionality * restarting without signals * add async updating flags, redo migration * move signal logic to overriden save * fix errors for non-existing objects at creation * clean up comments and a few logical expressions * fix flake8 error * addition of new unit tests * fix unit test error * add message to form fields when async updating flag is true * fix save location, reword form messages, reword redirect messages * remove commented lines from unit tests * add a bit more description to API validation errors * migration fix * migration performance improvements * fix datetime - str comparison issue * clean up for part one of sla expiration date field * fix flake8 * Update dojo/db_migrations/0200_finding_sla_expiration_date_product_async_updating_and_more.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update versions in application files * Update versions in application files * Update release-drafter/release-drafter action from v5.25.0 to v6 (.github/workflows/release-drafter.yml) (DefectDojo#9460) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump pytz from 2023.4 to 2024.1 (DefectDojo#9465) Bumps [pytz](https://github.com/stub42/pytz) from 2023.4 to 2024.1. - [Release notes](https://github.com/stub42/pytz/releases) - [Commits](stub42/pytz@release_2023.4...release_2024.1) --- updated-dependencies: - dependency-name: pytz dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump django-debug-toolbar from 4.2.0 to 4.3.0 (DefectDojo#9466) Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@4.2...4.3) --- updated-dependencies: - dependency-name: django-debug-toolbar dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `d12e6f7` to `f2802c2` (DefectDojo#9477) Bumps nginx from `d12e6f7` to `f2802c2`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.33 to v8.4.34 (docs/package.json) (DefectDojo#9481) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9458) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * ⬆️ Bump boto3 from 1.34.32 to 1.34.35 (DefectDojo#9489) Bumps [boto3](https://github.com/boto/boto3) from 1.34.32 to 1.34.35. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.34.32...1.34.35) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) (DefectDojo#9459) * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) * Fix ruff warning (DefectDojo#9461) * Update dependency ruff from 0.1.15 to v0.2.0 (requirements-lint.txt) * fix ruff warning --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * 🐛 fix defaulting severity, see last comments in DefectDojo#8778 (DefectDojo#9370) Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Add ruff for *tests (DefectDojo#9406) * Revert ":bug: fix dependencytrack deduplication (DefectDojo#9117)" (DefectDojo#9371) This reverts commit 0f55a7f. Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string should evaluate to "Info" (DefectDojo#9453) * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" #flake8_fix * Trivy Operator VulnerabilityReport Parser tweaks (DefectDojo#9452) * API: Check missing endpoints (DefectDojo#7618) * Rename unittest * Define exceptions for now * Announcement was implemented * Fix unittests with assertRaises + replace assertTrue/False with better checks (DefectDojo#9435) * Fix unittests with assertRaises * Replace assertTrue/False with better checks * Fixes * Optimize list of Maintenance in relase notes (DefectDojo#9492) * fix typo in docs (DefectDojo#9487) * 🐛 WFuzz: Add additional severity mappings (DefectDojo#9486) * 🐛 fix wfuzz, issue DefectDojo#7863 * add 302 * update docs * Be strict about Warnings during testing (DefectDojo#9490) * Set PYTHONWARNINGS=error * Add basic filterwarnings * Mute some warnings * Mute one more warning * 🐛 fix trufflehog3, issue DefectDojo#6999 (DefectDojo#9470) * 🐛 fix yarn_audit, DefectDojo#6495 (DefectDojo#9478) * Bump vulners from 2.1.2 to 2.1.5 (DefectDojo#9391) Bumps [vulners]() from 2.1.2 to 2.1.5. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for DD_APPEND_SLASH (DefectDojo#9385) * Override default Django APPEND_SLASH * Update dojo/settings/settings.dist.py * 🎉 Improvements for wazuh importer (DefectDojo#9248) * improvement for wazuh importer * 🔧 change on dedupe for Wazuh * 🔧 change on dedupe for Wazuh * 📝 * ✏️ * 📝 * 📝 * flake8 * 🎉 recoded wazuh importer to support endpoints * ✅ adjusted unittests * 📝 * ✏️ * ✏️ --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9501) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improve API endpoints for Risk Acceptances (DefectDojo#9415) * Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517) * Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217] * fixing Flake8 errors * fixing Flake8 errors, part deux --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> * updated migrations * added percentage to findings_list * ✏️ tightening column title in findings detail page * flake8 * undo DT parser update * fix migrations * update migrations to changes in dev * merge dev into epss score * Update versions in application files * Update versions * Parse GitHub vulnerability version (DefectDojo#9462) * Fix SARIF parser with CodeQL rules (DefectDojo#9440) * fix for sarif parser with codeql rules * add check for extensions property * flake8 comparsion * finding sla expiration date field (part two) (DefectDojo#9494) * finding sla expiration date field (part two) * sla violation check updates * clean up of finding violates_sla property * flake8 fix * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update 0201_populate_finding_sla_expiration_date.py --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Jira Server/DataCenter: Update meta methods (DefectDojo#9512) * Jira Webhook: Catch comments from other issue updates (DefectDojo#9513) * Jira Webhook: Catch comments from other issue updates * Accommodate redirect responses * Update dojo/jira_link/views.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Fix syntax --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * add metrics page: "Product Tag Count" (fixes DefectDojo#9151) (DefectDojo#9152) * add metrics page: "Product Tag Count" It is fully based on "Product Type Count" metrics page. * fixup! add metrics page: "Product Tag Count" * Fix Flake8 * Update views.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Release Drafter: Try validating inputs * Disallow duplicate tool types (DefectDojo#9530) * Disallow duplicate tool types * Fix Flake8 * Only validate on new creations * Force new name on tool type unit test * Engagement Surveys: Add missing leading slash (DefectDojo#9531) URL redirects were behaving strangely without this leading slash. it seems it was missed when all the others were added * Update versions in application files * Update versions in application files * Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405) * Use correct name references * fix db_mig * Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * remove flot-axis library (DefectDojo#9540) * use full url for helm-repos and alias in renovate.json (DefectDojo#9525) With this change, renovate will create PRs to update the helm-dependencies, just as with docker-compose. Note that only setting the repository to the full URL did not work, I also had to add the registryAlias. * Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * update epss-score (#5) solve conflicts --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

* Update versions in application files * Update versions * Parse GitHub vulnerability version (DefectDojo#9462) * Fix SARIF parser with CodeQL rules (DefectDojo#9440) * fix for sarif parser with codeql rules * add check for extensions property * flake8 comparsion * finding sla expiration date field (part two) (DefectDojo#9494) * finding sla expiration date field (part two) * sla violation check updates * clean up of finding violates_sla property * flake8 fix * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update 0201_populate_finding_sla_expiration_date.py --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Jira Server/DataCenter: Update meta methods (DefectDojo#9512) * Jira Webhook: Catch comments from other issue updates (DefectDojo#9513) * Jira Webhook: Catch comments from other issue updates * Accommodate redirect responses * Update dojo/jira_link/views.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Fix syntax --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Release Drafter: Try validating inputs * Disallow duplicate tool types (DefectDojo#9530) * Disallow duplicate tool types * Fix Flake8 * Only validate on new creations * Force new name on tool type unit test * Engagement Surveys: Add missing leading slash (DefectDojo#9531) URL redirects were behaving strangely without this leading slash. it seems it was missed when all the others were added * Update versions in application files * Update versions in application files * Update versions in application files * Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405) * Use correct name references * fix db_mig * Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Fix "Overdue" tag still visible with closed issues (DefectDojo#9539) * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * remove flot-axis library (DefectDojo#9540) * use full url for helm-repos and alias in renovate.json (DefectDojo#9525) With this change, renovate will create PRs to update the helm-dependencies, just as with docker-compose. Note that only setting the repository to the full URL did not work, I also had to add the registryAlias. * Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release rabbitmq from 11.2.2 to ~11.16.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9548) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release postgresql from 11.6.26 to ~11.9.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9546) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release postgresql-ha from 9.1.9 to ~9.4.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9547) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update google-sheets-sync.md with deprecation notice (DefectDojo#9495) * Remove DD_USE_L10N (DefectDojo#9491) * API: removal of drf_yasg (OpenAPI 2.0 Swagger) (DefectDojo#9108) * Removal of drf_yasg * Clean filterwarnings * Drop filterwarnings "unclosed file" (DefectDojo#9498) * 🐛 WFuzz: Generalize severity mapping (DefectDojo#9505) * 🐛 fix wfuzz 301, issue 6182 * make severity mapper more robust * unittest for missing response code * update docs * Remove useless noqa, be more specific for usefull noqa (DefectDojo#9510) * ✨ add burp dastardly (DefectDojo#9514) * ✨ add burp dastardly * fix author names * fix unittest * add docs * Remove filterwarnings for "invalid escape sequence" (DefectDojo#9496) * Drop filterwarnings "invalid escape sequence" * Fix SyntaxError for special_character_required * Update dojo/utils.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update settings.dist.py Fix merge conflict fix --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: Matt Tesauro <mtesauro@gmail.com> * 🐛 fix mobsf deduplication and severity mapping (DefectDojo#9471) * 🐛 fix DefectDojo#7936, fix severity mapping * add warning * remove multiple warning replacings * remove replacing * Remove filterwarnings for "DateTimeField - timezone" (DefectDojo#9497) * Drop filterwarnings "DateTimeField - timezone" * Fix some * Fix of RA test + importers * Fix RA * Fix importers * Fix Flake8 --------- Co-authored-by: Matt Tesauro <mtesauro@gmail.com> * Update Helm release postgresql-ha from 9.4.11 to v13 (helm/defectdojo/Chart.yaml) (DefectDojo#9553) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Remove handling of broken unittests (DefectDojo#9504) * 🎉 introducing EPSS score (DefectDojo#9516) * WIP * first draw * fix migrations * fix migrations * add epss to findings UI * added epss to finding list * Delete unittests/scans/wazuh/one_endpoint_finding.json * flake8 * add migration for ModelOptions * Add null values for epss + validators * updated findings detail page to display epss as percentage * removed wazuh file * update branch (#3) * Update versions in application files * Update jira-description.tpl (DefectDojo#9403) * Update and rename whitesource.md to mend.md (DefectDojo#9348) * Update and rename whitesource.md to mend.md * Update docs/content/en/integrations/parsers/file/mend.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * API: Remote v2 OpenAPI2 Docs from menu (DefectDojo#9469) * 🐛 fix migration (DefectDojo#9467) * finding sla expiration date field (part one) (DefectDojo#9473) * addition of sla expiration date field on the finding model * add migration and fix indentation issue * fix mitigated finding remaining sla days calculation * fix sla violation filter to return only active, sla violating findings * migration system settings fix * fix mitigation date vs datetime discrepancy * fix breaking unit test * move product save check to signal * fix unit test failure * make signal operations async, fix sla config delete 500 error * add unit tests to test sla expiration date functionality * restarting without signals * add async updating flags, redo migration * move signal logic to overriden save * fix errors for non-existing objects at creation * clean up comments and a few logical expressions * fix flake8 error * addition of new unit tests * fix unit test error * add message to form fields when async updating flag is true * fix save location, reword form messages, reword redirect messages * remove commented lines from unit tests * add a bit more description to API validation errors * migration fix * migration performance improvements * fix datetime - str comparison issue * clean up for part one of sla expiration date field * fix flake8 * Update dojo/db_migrations/0200_finding_sla_expiration_date_product_async_updating_and_more.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update versions in application files * Update versions in application files * Update release-drafter/release-drafter action from v5.25.0 to v6 (.github/workflows/release-drafter.yml) (DefectDojo#9460) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump pytz from 2023.4 to 2024.1 (DefectDojo#9465) Bumps [pytz](https://github.com/stub42/pytz) from 2023.4 to 2024.1. - [Release notes](https://github.com/stub42/pytz/releases) - [Commits](stub42/pytz@release_2023.4...release_2024.1) --- updated-dependencies: - dependency-name: pytz dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump django-debug-toolbar from 4.2.0 to 4.3.0 (DefectDojo#9466) Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@4.2...4.3) --- updated-dependencies: - dependency-name: django-debug-toolbar dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `d12e6f7` to `f2802c2` (DefectDojo#9477) Bumps nginx from `d12e6f7` to `f2802c2`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.33 to v8.4.34 (docs/package.json) (DefectDojo#9481) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9458) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * ⬆️ Bump boto3 from 1.34.32 to 1.34.35 (DefectDojo#9489) Bumps [boto3](https://github.com/boto/boto3) from 1.34.32 to 1.34.35. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.34.32...1.34.35) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) (DefectDojo#9459) * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) * Fix ruff warning (DefectDojo#9461) * Update dependency ruff from 0.1.15 to v0.2.0 (requirements-lint.txt) * fix ruff warning --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * 🐛 fix defaulting severity, see last comments in DefectDojo#8778 (DefectDojo#9370) Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Add ruff for *tests (DefectDojo#9406) * Revert ":bug: fix dependencytrack deduplication (DefectDojo#9117)" (DefectDojo#9371) This reverts commit 0f55a7f. Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string should evaluate to "Info" (DefectDojo#9453) * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" #flake8_fix * Trivy Operator VulnerabilityReport Parser tweaks (DefectDojo#9452) * API: Check missing endpoints (DefectDojo#7618) * Rename unittest * Define exceptions for now * Announcement was implemented * Fix unittests with assertRaises + replace assertTrue/False with better checks (DefectDojo#9435) * Fix unittests with assertRaises * Replace assertTrue/False with better checks * Fixes * Optimize list of Maintenance in relase notes (DefectDojo#9492) * fix typo in docs (DefectDojo#9487) * 🐛 WFuzz: Add additional severity mappings (DefectDojo#9486) * 🐛 fix wfuzz, issue DefectDojo#7863 * add 302 * update docs * Be strict about Warnings during testing (DefectDojo#9490) * Set PYTHONWARNINGS=error * Add basic filterwarnings * Mute some warnings * Mute one more warning * 🐛 fix trufflehog3, issue DefectDojo#6999 (DefectDojo#9470) * 🐛 fix yarn_audit, DefectDojo#6495 (DefectDojo#9478) * Bump vulners from 2.1.2 to 2.1.5 (DefectDojo#9391) Bumps [vulners]() from 2.1.2 to 2.1.5. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for DD_APPEND_SLASH (DefectDojo#9385) * Override default Django APPEND_SLASH * Update dojo/settings/settings.dist.py * 🎉 Improvements for wazuh importer (DefectDojo#9248) * improvement for wazuh importer * 🔧 change on dedupe for Wazuh * 🔧 change on dedupe for Wazuh * 📝 * ✏️ * 📝 * 📝 * flake8 * 🎉 recoded wazuh importer to support endpoints * ✅ adjusted unittests * 📝 * ✏️ * ✏️ --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9501) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improve API endpoints for Risk Acceptances (DefectDojo#9415) * Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517) * Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217] * fixing Flake8 errors * fixing Flake8 errors, part deux --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> * updated migrations * added percentage to findings_list * ✏️ tightening column title in findings detail page * flake8 * undo DT parser update * fix migrations * update migrations to changes in dev * merge dev into epss score * Update versions in application files * Update versions * Parse GitHub vulnerability version (DefectDojo#9462) * Fix SARIF parser with CodeQL rules (DefectDojo#9440) * fix for sarif parser with codeql rules * add check for extensions property * flake8 comparsion * finding sla expiration date field (part two) (DefectDojo#9494) * finding sla expiration date field (part two) * sla violation check updates * clean up of finding violates_sla property * flake8 fix * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update 0201_populate_finding_sla_expiration_date.py --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Jira Server/DataCenter: Update meta methods (DefectDojo#9512) * Jira Webhook: Catch comments from other issue updates (DefectDojo#9513) * Jira Webhook: Catch comments from other issue updates * Accommodate redirect responses * Update dojo/jira_link/views.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Fix syntax --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * add metrics page: "Product Tag Count" (fixes DefectDojo#9151) (DefectDojo#9152) * add metrics page: "Product Tag Count" It is fully based on "Product Type Count" metrics page. * fixup! add metrics page: "Product Tag Count" * Fix Flake8 * Update views.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Release Drafter: Try validating inputs * Disallow duplicate tool types (DefectDojo#9530) * Disallow duplicate tool types * Fix Flake8 * Only validate on new creations * Force new name on tool type unit test * Engagement Surveys: Add missing leading slash (DefectDojo#9531) URL redirects were behaving strangely without this leading slash. it seems it was missed when all the others were added * Update versions in application files * Update versions in application files * Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405) * Use correct name references * fix db_mig * Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * remove flot-axis library (DefectDojo#9540) * use full url for helm-repos and alias in renovate.json (DefectDojo#9525) With this change, renovate will create PRs to update the helm-dependencies, just as with docker-compose. Note that only setting the repository to the full URL did not work, I also had to add the registryAlias. * Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * update epss-score (#5) solve conflicts --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * 🎉 importing epss score from DependencyTrack output (DefectDojo#9521) * improved Sonatype parser (DefectDojo#9519) * Sonatype parser improved * Blank line at end of file removed. * Sonatype status evaluation removed. * fix clair docs according to PR DefectDojo#9355 (DefectDojo#9523) * fix clair docs according to PR DefectDojo#9355 * remove clair_klar * update * start to implement unittest to test if a parser exists for a md file * unittest to test if parser exists to a documented parser * add edgescan and codeql to skip this test * 🎉 works fine, removed asfd * ⬆️ Bump openapitools/openapi-generator-cli from v7.2.0 to v7.3.0 (DefectDojo#9526) Bumps openapitools/openapi-generator-cli from v7.2.0 to v7.3.0. --- updated-dependencies: - dependency-name: openapitools/openapi-generator-cli dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🎉 Importing EPSS score from AWS Inspector via AWS SecHub (DefectDojo#9529) * 🎉 epss score for AWS SecHub * 🎉 adjusted aws sechub parser to import inspector epss scores * flake8 * 🐛 fix kics, DefectDojo#7966 (DefectDojo#9542) * 🐛 fix kics, DefectDojo#7966 * 🐛 fix unittests * add hashcode according to review * update to retrigger failed pipeline * Fix handling of incorrect if test import fail (DefectDojo#9544) * 🐛 fix nessus severity (DefectDojo#9549) * 🐛 fix nessus severity * add unittest * flake8 * ✨ Documentation for managing files (DefectDojo#9557) * ✨ add docs for issue DefectDojo#8597 * update according to review * Labeler: Add sync-labels (DefectDojo#9565) * Update rabbitmq Docker tag from 3.12.12 to v3.12.13 (docker-compose.yml) (DefectDojo#9573) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Questionnaires: Correct nested object deletions (DefectDojo#9574) * Questionnaires: Correct nested object deletions * Fix Flake8 * Jira: Append labels and respect priority on update (DefectDojo#9571) A couple fields are overwritten by DefectDojo when findings are pushed to an existing jira ticket. This can be destructive for developers in the following ways: - Priority: This field often reflects the timeline a particular issue may be fixed. Developers may have more specific context for why a vulnerability may not be as severe as initially thought. - Labels: Labels could be used to sort issues in a given queue to determine who works on a given ticket. When a finding is pushed to jira again after creation, these new labels should not be overwritten These fields should be respected to avoid stomping on any changes/process set by developers * Bump nginx from 1.25.3-alpine to 1.25.4-alpine (DefectDojo#9580) Bumps nginx from 1.25.3-alpine to 1.25.4-alpine. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Correct Endpoint "Hosts" views when the host field is `None` (DefectDojo#9560) * Endpoints: Force object validation on save * Prevent str concatenation with None type * Remove forced clean on save * Deduplication: Do not reopen original finding (DefectDojo#9558) * Update versions in application files * Update versions in application files * Ignore warnings from polymorphic * Fix Flake8 * More warning handling * Fix Flake8 again... * Update dependency ruff from 0.2.1 to v0.2.2 (requirements-lint.txt) (DefectDojo#9576) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Matt Tesauro <mtesauro@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: Andreas Reichert <70580399+reichertan@users.noreply.github.com> Co-authored-by: kiblik <kiblik@gjh.sk>

* Update versions in application files * Update versions * Parse GitHub vulnerability version (DefectDojo#9462) * Fix SARIF parser with CodeQL rules (DefectDojo#9440) * fix for sarif parser with codeql rules * add check for extensions property * flake8 comparsion * Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improve API endpoints for Risk Acceptances (DefectDojo#9415) * finding sla expiration date field (part two) (DefectDojo#9494) * finding sla expiration date field (part two) * sla violation check updates * clean up of finding violates_sla property * flake8 fix * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update 0201_populate_finding_sla_expiration_date.py --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517) * Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217] * fixing Flake8 errors * fixing Flake8 errors, part deux * Jira Server/DataCenter: Update meta methods (DefectDojo#9512) * Jira Webhook: Catch comments from other issue updates (DefectDojo#9513) * Jira Webhook: Catch comments from other issue updates * Accommodate redirect responses * Update dojo/jira_link/views.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Fix syntax --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * add metrics page: "Product Tag Count" (fixes DefectDojo#9151) (DefectDojo#9152) * add metrics page: "Product Tag Count" It is fully based on "Product Type Count" metrics page. * fixup! add metrics page: "Product Tag Count" * Fix Flake8 * Update views.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Release Drafter: Try validating inputs * Disallow duplicate tool types (DefectDojo#9530) * Disallow duplicate tool types * Fix Flake8 * Only validate on new creations * Force new name on tool type unit test * Engagement Surveys: Add missing leading slash (DefectDojo#9531) URL redirects were behaving strangely without this leading slash. it seems it was missed when all the others were added * Update versions in application files * Update versions in application files * Update versions in application files * Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405) * Use correct name references * fix db_mig * Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Fix "Overdue" tag still visible with closed issues (DefectDojo#9539) * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * remove flot-axis library (DefectDojo#9540) * use full url for helm-repos and alias in renovate.json (DefectDojo#9525) With this change, renovate will create PRs to update the helm-dependencies, just as with docker-compose. Note that only setting the repository to the full URL did not work, I also had to add the registryAlias. * Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release rabbitmq from 11.2.2 to ~11.16.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9548) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release postgresql from 11.6.26 to ~11.9.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9546) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release postgresql-ha from 9.1.9 to ~9.4.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9547) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update google-sheets-sync.md with deprecation notice (DefectDojo#9495) * Remove DD_USE_L10N (DefectDojo#9491) * API: removal of drf_yasg (OpenAPI 2.0 Swagger) (DefectDojo#9108) * Removal of drf_yasg * Clean filterwarnings * Drop filterwarnings "unclosed file" (DefectDojo#9498) * 🐛 WFuzz: Generalize severity mapping (DefectDojo#9505) * 🐛 fix wfuzz 301, issue 6182 * make severity mapper more robust * unittest for missing response code * update docs * Remove useless noqa, be more specific for usefull noqa (DefectDojo#9510) * ✨ add burp dastardly (DefectDojo#9514) * ✨ add burp dastardly * fix author names * fix unittest * add docs * Remove filterwarnings for "invalid escape sequence" (DefectDojo#9496) * Drop filterwarnings "invalid escape sequence" * Fix SyntaxError for special_character_required * Update dojo/utils.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update settings.dist.py Fix merge conflict fix --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: Matt Tesauro <mtesauro@gmail.com> * 🐛 fix mobsf deduplication and severity mapping (DefectDojo#9471) * 🐛 fix DefectDojo#7936, fix severity mapping * add warning * remove multiple warning replacings * remove replacing * Remove filterwarnings for "DateTimeField - timezone" (DefectDojo#9497) * Drop filterwarnings "DateTimeField - timezone" * Fix some * Fix of RA test + importers * Fix RA * Fix importers * Fix Flake8 --------- Co-authored-by: Matt Tesauro <mtesauro@gmail.com> * Update Helm release postgresql-ha from 9.4.11 to v13 (helm/defectdojo/Chart.yaml) (DefectDojo#9553) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Remove handling of broken unittests (DefectDojo#9504) * 🎉 introducing EPSS score (DefectDojo#9516) * WIP * first draw * fix migrations * fix migrations * add epss to findings UI * added epss to finding list * Delete unittests/scans/wazuh/one_endpoint_finding.json * flake8 * add migration for ModelOptions * Add null values for epss + validators * updated findings detail page to display epss as percentage * removed wazuh file * update branch (#3) * Update versions in application files * Update jira-description.tpl (DefectDojo#9403) * Update and rename whitesource.md to mend.md (DefectDojo#9348) * Update and rename whitesource.md to mend.md * Update docs/content/en/integrations/parsers/file/mend.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * API: Remote v2 OpenAPI2 Docs from menu (DefectDojo#9469) * 🐛 fix migration (DefectDojo#9467) * finding sla expiration date field (part one) (DefectDojo#9473) * addition of sla expiration date field on the finding model * add migration and fix indentation issue * fix mitigated finding remaining sla days calculation * fix sla violation filter to return only active, sla violating findings * migration system settings fix * fix mitigation date vs datetime discrepancy * fix breaking unit test * move product save check to signal * fix unit test failure * make signal operations async, fix sla config delete 500 error * add unit tests to test sla expiration date functionality * restarting without signals * add async updating flags, redo migration * move signal logic to overriden save * fix errors for non-existing objects at creation * clean up comments and a few logical expressions * fix flake8 error * addition of new unit tests * fix unit test error * add message to form fields when async updating flag is true * fix save location, reword form messages, reword redirect messages * remove commented lines from unit tests * add a bit more description to API validation errors * migration fix * migration performance improvements * fix datetime - str comparison issue * clean up for part one of sla expiration date field * fix flake8 * Update dojo/db_migrations/0200_finding_sla_expiration_date_product_async_updating_and_more.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update versions in application files * Update versions in application files * Update release-drafter/release-drafter action from v5.25.0 to v6 (.github/workflows/release-drafter.yml) (DefectDojo#9460) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump pytz from 2023.4 to 2024.1 (DefectDojo#9465) Bumps [pytz](https://github.com/stub42/pytz) from 2023.4 to 2024.1. - [Release notes](https://github.com/stub42/pytz/releases) - [Commits](stub42/pytz@release_2023.4...release_2024.1) --- updated-dependencies: - dependency-name: pytz dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump django-debug-toolbar from 4.2.0 to 4.3.0 (DefectDojo#9466) Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@4.2...4.3) --- updated-dependencies: - dependency-name: django-debug-toolbar dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `d12e6f7` to `f2802c2` (DefectDojo#9477) Bumps nginx from `d12e6f7` to `f2802c2`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.33 to v8.4.34 (docs/package.json) (DefectDojo#9481) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9458) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * ⬆️ Bump boto3 from 1.34.32 to 1.34.35 (DefectDojo#9489) Bumps [boto3](https://github.com/boto/boto3) from 1.34.32 to 1.34.35. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.34.32...1.34.35) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) (DefectDojo#9459) * Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) * Fix ruff warning (DefectDojo#9461) * Update dependency ruff from 0.1.15 to v0.2.0 (requirements-lint.txt) * fix ruff warning --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * 🐛 fix defaulting severity, see last comments in DefectDojo#8778 (DefectDojo#9370) Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Add ruff for *tests (DefectDojo#9406) * Revert ":bug: fix dependencytrack deduplication (DefectDojo#9117)" (DefectDojo#9371) This reverts commit 0f55a7f. Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string should evaluate to "Info" (DefectDojo#9453) * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" * dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" #flake8_fix * Trivy Operator VulnerabilityReport Parser tweaks (DefectDojo#9452) * API: Check missing endpoints (DefectDojo#7618) * Rename unittest * Define exceptions for now * Announcement was implemented * Fix unittests with assertRaises + replace assertTrue/False with better checks (DefectDojo#9435) * Fix unittests with assertRaises * Replace assertTrue/False with better checks * Fixes * Optimize list of Maintenance in relase notes (DefectDojo#9492) * fix typo in docs (DefectDojo#9487) * 🐛 WFuzz: Add additional severity mappings (DefectDojo#9486) * 🐛 fix wfuzz, issue DefectDojo#7863 * add 302 * update docs * Be strict about Warnings during testing (DefectDojo#9490) * Set PYTHONWARNINGS=error * Add basic filterwarnings * Mute some warnings * Mute one more warning * 🐛 fix trufflehog3, issue DefectDojo#6999 (DefectDojo#9470) * 🐛 fix yarn_audit, DefectDojo#6495 (DefectDojo#9478) * Bump vulners from 2.1.2 to 2.1.5 (DefectDojo#9391) Bumps [vulners]() from 2.1.2 to 2.1.5. --- updated-dependencies: - dependency-name: vulners dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for DD_APPEND_SLASH (DefectDojo#9385) * Override default Django APPEND_SLASH * Update dojo/settings/settings.dist.py * 🎉 Improvements for wazuh importer (DefectDojo#9248) * improvement for wazuh importer * 🔧 change on dedupe for Wazuh * 🔧 change on dedupe for Wazuh * 📝 * ✏️ * 📝 * 📝 * flake8 * 🎉 recoded wazuh importer to support endpoints * ✅ adjusted unittests * 📝 * ✏️ * ✏️ --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9501) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Improve API endpoints for Risk Acceptances (DefectDojo#9415) * Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517) * Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217] * fixing Flake8 errors * fixing Flake8 errors, part deux --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> * updated migrations * added percentage to findings_list * ✏️ tightening column title in findings detail page * flake8 * undo DT parser update * fix migrations * update migrations to changes in dev * merge dev into epss score * Update versions in application files * Update versions * Parse GitHub vulnerability version (DefectDojo#9462) * Fix SARIF parser with CodeQL rules (DefectDojo#9440) * fix for sarif parser with codeql rules * add check for extensions property * flake8 comparsion * finding sla expiration date field (part two) (DefectDojo#9494) * finding sla expiration date field (part two) * sla violation check updates * clean up of finding violates_sla property * flake8 fix * Update dojo/models.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update 0201_populate_finding_sla_expiration_date.py --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Jira Server/DataCenter: Update meta methods (DefectDojo#9512) * Jira Webhook: Catch comments from other issue updates (DefectDojo#9513) * Jira Webhook: Catch comments from other issue updates * Accommodate redirect responses * Update dojo/jira_link/views.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Fix syntax --------- Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * add metrics page: "Product Tag Count" (fixes DefectDojo#9151) (DefectDojo#9152) * add metrics page: "Product Tag Count" It is fully based on "Product Type Count" metrics page. * fixup! add metrics page: "Product Tag Count" * Fix Flake8 * Update views.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Release Drafter: Try validating inputs * Disallow duplicate tool types (DefectDojo#9530) * Disallow duplicate tool types * Fix Flake8 * Only validate on new creations * Force new name on tool type unit test * Engagement Surveys: Add missing leading slash (DefectDojo#9531) URL redirects were behaving strangely without this leading slash. it seems it was missed when all the others were added * Update versions in application files * Update versions in application files * Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405) * Use correct name references * fix db_mig * Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * remove flot-axis library (DefectDojo#9540) * use full url for helm-repos and alias in renovate.json (DefectDojo#9525) With this change, renovate will create PRs to update the helm-dependencies, just as with docker-compose. Note that only setting the repository to the full URL did not work, I also had to add the registryAlias. * Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * update epss-score (#5) solve conflicts --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * 🎉 importing epss score from DependencyTrack output (DefectDojo#9521) * improved Sonatype parser (DefectDojo#9519) * Sonatype parser improved * Blank line at end of file removed. * Sonatype status evaluation removed. * fix clair docs according to PR DefectDojo#9355 (DefectDojo#9523) * fix clair docs according to PR DefectDojo#9355 * remove clair_klar * update * start to implement unittest to test if a parser exists for a md file * unittest to test if parser exists to a documented parser * add edgescan and codeql to skip this test * 🎉 works fine, removed asfd * ⬆️ Bump openapitools/openapi-generator-cli from v7.2.0 to v7.3.0 (DefectDojo#9526) Bumps openapitools/openapi-generator-cli from v7.2.0 to v7.3.0. --- updated-dependencies: - dependency-name: openapitools/openapi-generator-cli dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🎉 Importing EPSS score from AWS Inspector via AWS SecHub (DefectDojo#9529) * 🎉 epss score for AWS SecHub * 🎉 adjusted aws sechub parser to import inspector epss scores * flake8 * 🐛 fix kics, DefectDojo#7966 (DefectDojo#9542) * 🐛 fix kics, DefectDojo#7966 * 🐛 fix unittests * add hashcode according to review * update to retrigger failed pipeline * Fix handling of incorrect if test import fail (DefectDojo#9544) * 🐛 fix nessus severity (DefectDojo#9549) * 🐛 fix nessus severity * add unittest * flake8 * ✨ Documentation for managing files (DefectDojo#9557) * ✨ add docs for issue DefectDojo#8597 * update according to review * Labeler: Add sync-labels (DefectDojo#9565) * Update rabbitmq Docker tag from 3.12.12 to v3.12.13 (docker-compose.yml) (DefectDojo#9573) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Questionnaires: Correct nested object deletions (DefectDojo#9574) * Questionnaires: Correct nested object deletions * Fix Flake8 * Jira: Append labels and respect priority on update (DefectDojo#9571) A couple fields are overwritten by DefectDojo when findings are pushed to an existing jira ticket. This can be destructive for developers in the following ways: - Priority: This field often reflects the timeline a particular issue may be fixed. Developers may have more specific context for why a vulnerability may not be as severe as initially thought. - Labels: Labels could be used to sort issues in a given queue to determine who works on a given ticket. When a finding is pushed to jira again after creation, these new labels should not be overwritten These fields should be respected to avoid stomping on any changes/process set by developers * Bump nginx from 1.25.3-alpine to 1.25.4-alpine (DefectDojo#9580) Bumps nginx from 1.25.3-alpine to 1.25.4-alpine. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Correct Endpoint "Hosts" views when the host field is `None` (DefectDojo#9560) * Endpoints: Force object validation on save * Prevent str concatenation with None type * Remove forced clean on save * Deduplication: Do not reopen original finding (DefectDojo#9558) * Update versions in application files * Update versions in application files * Ignore warnings from polymorphic * Fix Flake8 * More warning handling * Fix Flake8 again... * Update dependency ruff from 0.2.1 to v0.2.2 (requirements-lint.txt) (DefectDojo#9576) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * ✨ AWS Security Hub: Add GuardDuty (DefectDojo#9524) * ✨ fix guardduty, issue DefectDojo#7813 * advance unittests * add mitigation * provide more information * uniqueidfromtool not in description * flake8 * update docs * update docs * update docs * update according to review * adapt docs * 🐛 fix according to comment * 🐛 fix wrong merge conflict resolal --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: Andrei Serebriakov <ansereb@toloka.ai> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Felix Hernandez <ffhg_920522@hotmail.com> Co-authored-by: Blake Owens <76979297+blakeaowens@users.noreply.github.com> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: Jay Paz <jay.paz@gmail.com> Co-authored-by: tomaszn <tomaszn@users.noreply.github.com> Co-authored-by: kiblik <tomas@kubla.sk> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Matt Tesauro <mtesauro@gmail.com> Co-authored-by: Quirin Hardy Zießler <quirin.ziessler@outlook.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Kiss <kepten@gmail.com> Co-authored-by: ninp0 <jake.hoopes@gmail.com> Co-authored-by: Raouf HADDADA <22875897+raouf-haddada@users.noreply.github.com> Co-authored-by: Andreas Reichert <70580399+reichertan@users.noreply.github.com> Co-authored-by: Quirin Hardy Zießler <quirin.ziessler@tradebyte.com> Co-authored-by: kiblik <kiblik@gjh.sk>

kmouzoul23 added the enhancement label Oct 3, 2023

kmouzoul23 changed the title ~~Dependency Track Hash Code computation: Add severity in the hash code calculation of the finding~~ Dependency-Track Hash Code computation: Add severity in the hash code calculation of the finding Oct 3, 2023

mtesauro closed this as completed Jan 10, 2024

manuel-sommer added a commit to manuel-sommer/django-DefectDojo that referenced this issue Jan 19, 2024

🐛 fix defaulting severity, see last comments in DefectDojo#8778

0fb70fc

manuel-sommer mentioned this issue Jan 19, 2024

Dependencytrack default severity #9370

Merged

kepten mentioned this issue Jan 19, 2024

Revert adding severity to Dependency Track hash_code calculation #9371

Merged

mtesauro pushed a commit that referenced this issue Feb 6, 2024

🐛 fix defaulting severity, see last comments in #8778 (#9370)

d015e36

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency-Track Hash Code computation: Add severity in the hash code calculation of the finding #8778

Dependency-Track Hash Code computation: Add severity in the hash code calculation of the finding #8778

kmouzoul23 commented Oct 3, 2023

quirinziessler commented Oct 23, 2023

manuel-sommer commented Jan 10, 2024

kepten commented Jan 10, 2024

manuel-sommer commented Jan 10, 2024

kepten commented Jan 11, 2024

manuel-sommer commented Jan 11, 2024 •

edited

Loading

kepten commented Jan 12, 2024 •

edited

Loading

manuel-sommer commented Jan 19, 2024

kepten commented Jan 19, 2024

manuel-sommer commented Jan 19, 2024

Dependency-Track Hash Code computation: Add severity in the hash code calculation of the finding #8778

Dependency-Track Hash Code computation: Add severity in the hash code calculation of the finding #8778

Comments

kmouzoul23 commented Oct 3, 2023

quirinziessler commented Oct 23, 2023

manuel-sommer commented Jan 10, 2024

kepten commented Jan 10, 2024

manuel-sommer commented Jan 10, 2024

kepten commented Jan 11, 2024

Why I think #9117 should be reverted asap?

manuel-sommer commented Jan 11, 2024 • edited Loading

kepten commented Jan 12, 2024 • edited Loading

manuel-sommer commented Jan 19, 2024

kepten commented Jan 19, 2024

manuel-sommer commented Jan 19, 2024

manuel-sommer commented Jan 11, 2024 •

edited

Loading

kepten commented Jan 12, 2024 •

edited

Loading