
Release: Merge release into master from: release/2.39.2 #11110

Merged (8 commits) on Oct 21, 2024

Conversation

github-actions[bot]
Contributor

Release triggered by rossops

DefectDojo release bot and others added 8 commits October 15, 2024 16:09
….40.0-dev

Release: Merge back 2.39.1 into bugfix from: master-into-bugfix/2.39.1-2.40.0-dev
* 💄 Advance architecture docs

* update

* Update docs/content/en/getting_started/architecture.md

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

* Update docs/content/en/getting_started/architecture.md

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

---------

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
* 🎉 add file_path to SonarQube findings

* fix unittest
* 🎉 ADD ELSA errata

* ruff

* rebase
* get or create environment

* honor auto_create_context, update docs

* case of not providing environment

* create base class, re-use code import, reimport

* put common context code in base

* mistyped dict for data
* SLA Config: Add new config that does not enforce SLA

* Update sla_configurations.json

dryrunsecurity bot commented Oct 21, 2024

DryRun Security Summary

The GitHub pull request covers a wide range of updates to the DefectDojo application, including improvements to the initialization and setup process, documentation updates, dependency version updates, and enhancements to the import and parsing functionality, with a few areas requiring careful review and consideration, such as the removal of the order placement check, user input sanitization, hardcoded constants and external libraries, and dependency updates.


Summary:

The changes in this GitHub pull request cover a wide range of updates to the DefectDojo application, including improvements to the initialization and setup process, documentation updates, dependency version updates, and enhancements to the import and parsing functionality. From an application security perspective, the changes generally do not introduce any obvious security vulnerabilities, but there are a few areas that require careful review and consideration:

  1. Removal of Order Placement Check: The changes in the Gift.php and GiftBlanket.php files remove the check for whether the customer has placed an order before. This could potentially allow the post-checkout ad to be displayed to customers who have not yet placed an order, which may have business and user experience implications that should be considered.

  2. User Input Sanitization: The changes include updates to the PostCheckoutAd.php file, which uses a raw SQL query with user-supplied input. This could potentially lead to SQL injection vulnerabilities if the input is not properly sanitized. Additionally, the handling of tracking parameters and AB testing functionality should be reviewed to ensure that user input is properly validated.

  3. Hardcoded Constants and External Libraries: The changes include the use of hardcoded constants and dependencies on external libraries, such as the JIRA webhook secret and the FpClient, FpEvent\FpEventABSKStore, and Common\FPCustomer libraries. These should be reviewed to ensure that they are properly defined, managed, and up-to-date to prevent potential security vulnerabilities.

  4. Dependency Updates: The changes include updates to various dependencies, such as datatables.net, jquery, and pdfmake. It's important to review the release notes or change logs for these dependencies to ensure that any security vulnerabilities have been addressed in the new versions.

Files Changed:

  1. docker/entrypoint-initializer.sh: This file has been updated to include the import of additional fixtures, update the JIRA webhook secret, and handle the audit log feature. The changes focus on improving the initialization and setup process, with a strong emphasis on security-related configurations and settings.

  2. docs/content/en/getting_started/architecture.md: The documentation has been updated to clarify the use of Redis as the Message Broker for asynchronous task execution, and to provide a link to the Celery documentation.

  3. components/package.json: The version of the "defectdojo" project has been updated from "2.39.1" to "2.39.2", which includes updates to several dependencies.

  4. docs/content/en/integrations/importing.md: The documentation for the "Importing" feature has been updated, highlighting the auto-creation of entities, the reimport functionality, and the handling of triage-less scanners.

  5. dojo/templatetags/display_tags.py: The vulnerability_url function has been updated to handle more complex URL structures defined in the VULNERABILITY_URLS setting.

  6. dojo/fixtures/sla_configurations.json: New SLA configurations have been added, including a "Default" configuration and a "No SLA Enforced" configuration.

  7. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash value in this file has been updated, indicating a change in the settings.dist.py file, which should be reviewed for any potential security implications.

  8. dojo/api_v2/serializers.py: The serializers used in the API version 2 have been refactored and updated to include new fields and options for the import process, with a focus on security-related validations.

  9. dojo/settings/settings.dist.py: The saml2_attrib_map_format function has been updated to include a new mapping for the "ELSA" vulnerability ID type.

  10. helm/defectdojo/Chart.yaml: The Helm chart for the DefectDojo application has been updated to version "1.6.155", reflecting changes to the underlying application.

  11. dojo/tools/sonarqube/sonarqube_restapi_json.py: The code changes enhance the processing of the SonarQube API response, adding the file_path field and the cvssv3_score field to the Finding object.

  12. dojo/__init__.py: The __version__ attribute has been updated from "2.39.1" to "2.39.

Code Analysis

We ran 9 analyzers against 13 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 1 finding
Sensitive Files Analyzer 1 finding

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


@rossops rossops closed this Oct 21, 2024
@rossops rossops reopened this Oct 21, 2024
@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests ui parser helm labels Oct 21, 2024
@rossops rossops merged commit 5c7de81 into master Oct 21, 2024
70 of 71 checks passed