
Release: Merge release into master from: release/2.43.1 #11786

Merged: 10 commits merged into master from release/2.43.1 on Feb 10, 2025

Conversation

github-actions[bot] (Contributor):

Release triggered by rossops

DefectDojo release bot and others added 10 commits February 3, 2025 16:06
….44.0-dev

Release: Merge back 2.43.0 into bugfix from: master-into-bugfix/2.43.0-2.44.0-dev
* dashboard: last 7 days should be 7 days

* unit test update

* unit test update

* unit test update
Co-authored-by: Sicco de Haan <s.dehaan1@dictu.nl>
* Fixing call to date_parser in AWS Inspector parser

* Tweaked unit test

* Linter fix
dryrunsecurity bot commented Feb 10, 2025

DryRun Security Summary

The pull request upgrades DefectDojo to version 2.43.1 and reveals multiple security vulnerabilities, primarily in the Linux Kernel and libxml2, along with concerns about unpinned dependencies and sensitive information exposure in AWS Inspector2.


The pull request updates DefectDojo from version 2.43.0 to 2.43.1, involving multiple files with documentation link updates, version increments, and minor code adjustments. Security findings include:

Vulnerabilities found in the AWS Inspector2 scan test data:

  1. CVE-2021-3744 (Linux Kernel, MEDIUM severity)
  2. CVE-2024-37021 (Linux Kernel, UNTRIAGED)
  3. CVE-2021-3640 (Linux Kernel, HIGH severity)
  4. CVE-2022-29824 (libxml2, MEDIUM severity)
  5. CVE-2023-42753 (Linux Kernel, HIGH severity)
  6. CVE-2020-27170 (Linux Kernel, MEDIUM severity)
  7. CVE-2015-8035 (libxml2, LOW severity)

Additional security observations:

  • Potential security risk in components/package.json with unpinned GitHub dependencies
  • Sensitive information exposure in AWS Inspector2 parser
  • Multiple Linux kernel vulnerabilities with confirmed exploits

Code Analysis

We ran 9 analyzers against 15 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer findings:

  • Configured Codepaths Analyzer: 1 finding
  • Sensitive Files Analyzer: 1 finding

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


@rossops rossops closed this Feb 10, 2025
@rossops rossops reopened this Feb 10, 2025
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests parser helm labels Feb 10, 2025
@rossops rossops merged commit f9e98a7 into master Feb 10, 2025
70 of 71 checks passed