Merge pull request #12033 from DefectDojo/release/2.44.2

Release: Merge release into master from: release/2.44.2

Author: rossops

.github/ISSUE_TEMPLATE/feature_request.md

@@ -8,7 +8,7 @@ assignees: ''
 ---
 ## :warning: Note on feature completeness :warning:
 
-We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
+We are narrowing the scope of acceptable enhancements to DefectDojo. Learn more here:
 https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
 
 **Is your feature request related to a problem? Please describe**

README.md

@@ -107,9 +107,8 @@ our channel there, [#defectdojo](https://owasp.slack.com/channels/defectdojo). F
 
 ## Contributing
 
-:warning: We have instituted a [feature freeze](https://github.com/DefectDojo/django-DefectDojo/discussions/8002) on v2
-of DefectDojo as we begin work on v3. Please see our [contributing guidelines](readme-docs/CONTRIBUTING.md) for more
-information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/11199).
+Please see our [contributing guidelines](readme-docs/CONTRIBUTING.md) for more
+information.
 
 ## Pro Edition
 [Upgrade to DefectDojo Pro](https://www.defectdojo.com/) today to take your DevSecOps to 11. DefectDojo Pro is

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.44.1",
+  "version": "2.44.2",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docker/entrypoint-unit-tests-devDocker.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # Run available unittests with a setup for local dev:
 # - Make migrations and apply any needed changes
 # - Leave container up after running tests to allow debugging, rerunning tests, etc.

docker/entrypoint-unit-tests.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # Run available unittests with a setup for CI/CD:
 # - Fail if migrations are not created
 # - Exit container after running tests to allow exit code to propagate as test result

docker/entrypoint-uwsgi-dev.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e  # needed to handle "exit" correctly
 

docker/entrypoint-uwsgi.sh

@@ -1,5 +1,4 @@
-#!/bin/sh
-
+#!/bin/bash
 set -e  # needed to handle "exit" correctly
 
 . /secret-file-loader.sh

docs/content/en/open_source/archived_docs/integrations/source-code-repositories.md

@@ -29,7 +29,7 @@ For CI/CD Engagement, where user could set commit hash, branch/tag and code line
 
 If user does not set commit hash or branch/tag in appropriate fields of CI/CD Engagement edit form, the URL should look like in Interactive Engagement edit form.
 
-SCM navigation URL is composed from Repo URL using SCM Type. Github/Gitlab SCM type is default, but user could set certain SCM type in Product custom field "scm-type".
+SCM navigation URL is composed from Repo URL using SCM Type. A specific SCM type can be set in Product custom field "scm-type". If no "scm-type" is set and the URL contains "https://github.com", a "github" SCM type is assumed.
 
 Product custom fields:
 

docs/content/en/open_source/upgrading/2.42.md

@@ -9,9 +9,9 @@ exclude_search: true
 **Hash Code changes**
 A few parsers have been updated to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code please execute the following command:
 
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Horusec Scan" --hash_code_only`
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Qualys Hacker Guardian Scan --hash_code_only"`
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Red Hat Satellite --hash_code_only"`
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Horusec Scan' --hash_code_only"
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Qualys Hacker Guardian Scan' --hash_code_only"
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Red Hat Satellite' --hash_code_only"
 
 This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process.
 See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.

docs/content/en/open_source/upgrading/2.43.md

@@ -33,11 +33,11 @@ In the past, when DefectDojo supported different database and message brokers, `
 
 The Rusty Hog parser has been [updated](https://github.com/DefectDojo/django-DefectDojo/pull/11433) to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code and deduplicate existing Rusty Hog findings, please execute the following command:
 
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Rusty Hog Scan)" --hash_code_only`
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Choctaw Hog)" --hash_code_only`
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Duroc Hog)" --hash_code_only`
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Gottingen Hog)" --hash_code_only`
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Essex Hog)" --hash_code_only`
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Essex Hog Scan (Rusty Hog Scan)' --hash_code_only"
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Essex Hog Scan (Choctaw Hog)' --hash_code_only"
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Essex Hog Scan (Duroc Hog)' --hash_code_only"
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Essex Hog Scan (Gottingen Hog)' --hash_code_only"
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Essex Hog Scan (Essex Hog)' --hash_code_only"
 
 This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process.
 See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.

docs/content/en/open_source/upgrading/2.44.md

@@ -1,5 +1,5 @@
 ---
-title: 'Upgrading to DefectDojo Version 2.44.x'
+title: 'Upgrading to DefectDojo Version 2.44.0'
 toc_hide: true
 weight: -20250203
 description: No special instructions.
@@ -9,7 +9,7 @@ description: No special instructions.
 
 The Burp parser now has a custom deduplication configuration to make deduplication more accurate. To recalculate the hash code and deduplicate existing Burp findings, please execute the following command:
 
-    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Burp Scan" --hash_code_only`
+    docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser 'Burp Scan' --hash_code_only"
 
 This command has various command line arguments to tweak its behavior, for example to trigger a run of the deduplication process.
 See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.44.1"
+__version__ = "2.44.2"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/importers/default_reimporter.py

@@ -131,7 +131,9 @@ def process_scan(
             self.test,
             updated_count,
             new_findings=new_findings,
+            findings_reactivated=reactivated_findings,
             findings_mitigated=closed_findings,
+            findings_untouched=untouched_findings,
         )
         # Update the test progress to reflect that the import has completed
         logger.debug("REIMPORT_SCAN: Updating Test progress")

dojo/settings/settings.dist.py

@@ -1815,6 +1815,7 @@ def saml2_attrib_map_format(din):
     "ELBA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "ELSA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
     "FEDORA-": "https://bodhi.fedoraproject.org/updates/",  # e.g. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-06aa7dc422
+    "FG-IR-": "https://www.fortiguard.com/psirt/",  # e.g. https://www.fortiguard.com/psirt/FG-IR-24-373
     "GHSA-": "https://github.com/advisories/",  # e.g. https://github.com/advisories/GHSA-58vj-cv5w-v4v6
     "GLSA": "https://security.gentoo.org/",  # e.g. https://security.gentoo.org/glsa/202409-32
     "JSDSERVER-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/JSDSERVER-14872

dojo/templates/dojo/profile.html

@@ -46,7 +46,7 @@ <h3>{% blocktrans with full_name=user.get_full_name %} User Profile - {{ full_na
                     <div class="clearfix">
                         <h4 class="pull-left">{% trans "Groups" %}</h4>
                         &nbsp;
-                        <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                        <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#group-memberships" target="_blank">
                             <i class="fa-solid fa-circle-question"></i></a>
                         {% if request.user.is_superuser %}
                         <div class="dropdown pull-right">

dojo/templates/dojo/view_group.html

@@ -45,7 +45,7 @@ <h3 class="pull-left">Description</h3>
                 <div class="clearfix">
                     <h4 class="pull-left">Members of this Group</h4>
                     &nbsp;
-                    <a href="https://documentation.defectdojo.com/usage/permissions/#groups" target="_blank">
+                    <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/create_user_group/#manage-a-groups-users" target="_blank">
                         <i class="fa-solid fa-circle-question"></i></a>
                     {% if group|has_object_permission:"Group_Manage_Members" %}
                     <div class="dropdown pull-right">
@@ -118,7 +118,7 @@ <h4 class="pull-left">Members of this Group</h4>
                 <div class="clearfix">
                     <h4 class="pull-left">Product Types this Group can access</h4>
                     &nbsp;
-                    <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                    <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/create_user_group/#add-product-roles-or-product-type-roles-for-a-group" target="_blank">
                         <i class="fa-solid fa-circle-question"></i></a>
                     {% if request.user.is_superuser %}
                     <div class="dropdown pull-right">
@@ -192,7 +192,7 @@ <h4 class="pull-left">Product Types this Group can access</h4>
                 <div class="clearfix">
                     <h4 class="pull-left">Products this Group can access</h4>
                     &nbsp;
-                    <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                    <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/create_user_group/#add-product-roles-or-product-type-roles-for-a-group" target="_blank">
                         <i class="fa-solid fa-circle-question"></i></a>
                     {% if request.user.is_superuser %}
                     <div class="dropdown pull-right">

dojo/templates/dojo/view_product_details.html

@@ -277,7 +277,7 @@ <h3 class="panel-title"><span class ="fa-solid fa-scale-balanced" aria-hidden="t
             <div class="clearfix">
                 <h4 class="pull-left">{% trans "Members" %}</h4>
                 &nbsp;
-                <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#productproduct-type-membership--roles" target="_blank">
                     <i class="fa-solid fa-circle-question"></i></a>
                 {% if prod|has_object_permission:"Product_Manage_Members" %}
                 <div class="dropdown pull-right">
@@ -374,7 +374,7 @@ <h4 class="pull-left">{% trans "Members" %}</h4>
               <div class="clearfix">
                   <h4 class="pull-left">{% trans "Groups" %}</h4>
                   &nbsp;
-                  <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                  <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#group-memberships" target="_blank">
                       <i class="fa-solid fa-circle-question"></i></a>
                   {% if prod|has_object_permission:"Product_Group_Add" %}
                   <div class="dropdown pull-right">

dojo/templates/dojo/view_product_type.html

@@ -135,7 +135,7 @@ <h4 class="pull-left">{% trans "Products" %}</h4>
                         <div class="clearfix">
                             <h4 class="pull-left">{% trans "Members" %}</h4>
                             &nbsp;
-                            <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                            <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#productproduct-type-membership--roles" target="_blank">
                                 <i class="fa-solid fa-circle-question"></i></a>
                             {% if pt|has_object_permission:"Product_Type_Manage_Members" %}
                             <div class="dropdown pull-right">
@@ -216,7 +216,7 @@ <h4 class="pull-left">{% trans "Members" %}</h4>
                     <div class="clearfix">
                         <h4 class="pull-left">{% trans "Groups" %}</h4>
                         &nbsp;
-                        <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                        <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#group-memberships" target="_blank">
                             <i class="fa-solid fa-circle-question"></i></a>
                         {% if pt|has_object_permission:"Product_Type_Group_Add" %}
                         <div class="dropdown pull-right">

dojo/templates/dojo/view_user.html

@@ -106,7 +106,7 @@ <h4 class="pull-left">{% trans "Contact Information" %}</h4>
                 <div class="clearfix">
                     <h4 class="pull-left">{% trans "Product Types this User can access" %}</h4>
                     &nbsp;
-                    <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                    <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#productproduct-type-membership--roles" target="_blank">
                         <i class="fa-solid fa-circle-question"></i></a>
                     {% if request.user.is_superuser %}
                     <div class="dropdown pull-right">
@@ -179,7 +179,7 @@ <h4 class="pull-left">{% trans "Product Types this User can access" %}</h4>
                 <div class="clearfix">
                     <h4 class="pull-left">{% trans "Products this User can access" %}</h4>
                     &nbsp;
-                    <a href="https://documentation.defectdojo.com/usage/permissions/" target="_blank">
+                    <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#productproduct-type-membership--roles" target="_blank">
                         <i class="fa-solid fa-circle-question"></i></a>
                     {% if request.user.is_superuser %}
                     <div class="dropdown pull-right">
@@ -253,7 +253,7 @@ <h4 class="pull-left">{% trans "Products this User can access" %}</h4>
                 <div class="clearfix">
                     <h4 class="pull-left">{% trans "Groups this User is a member of" %}</h4>
                     &nbsp;
-                    <a href="https://documentation.defectdojo.com/usage/permissions/#groups" target="_blank">
+                    <a href="https://docs.defectdojo.com/en/customize_dojo/user_management/about_perms_and_roles/#group-memberships" target="_blank">
                         <i class="fa-solid fa-circle-question"></i></a>
                     {% if request.user.is_superuser %}
                     <div class="dropdown pull-right">

dojo/tools/openvas/csv_parser.py

@@ -118,8 +118,9 @@ def __init__(self):
     def map_column_value(self, finding, column_value):
         if not finding.unsaved_endpoints[
             0
-        ].host:  # process only if host is not already defined (by field hostname)
-            finding.unsaved_endpoints[0].host = column_value
+        ].host and column_value is not None:  # process only if host is not already defined (by field hostname)
+            # strip due to https://github.com/greenbone/gvmd/issues/2378
+            finding.unsaved_endpoints[0].host = column_value.strip()
 
 
 class HostnameColumnMappingStrategy(ColumnMappingStrategy):
@@ -129,7 +130,8 @@ def __init__(self):
 
     def map_column_value(self, finding, column_value):
         if column_value:  # do not override IP if hostname is empty
-            finding.unsaved_endpoints[0].host = column_value
+            # strip due to https://github.com/greenbone/gvmd/issues/2378
+            finding.unsaved_endpoints[0].host = column_value.strip()
 
 
 class SeverityColumnMappingStrategy(ColumnMappingStrategy):
@@ -278,13 +280,21 @@ def get_findings(self, filename, test):
             finding = Finding(test=test)
             finding.unsaved_vulnerability_ids = []
             finding.unsaved_endpoints = [Endpoint()]
+            ip = None
             if row_number == 0:
                 column_names = self.read_column_names(row)
                 continue
             for column_number, column in enumerate(row):
                 chain.process_column(
                     column_names[column_number], column, finding,
                 )
+                # due to the way this parser is implemented we have to do this stuff to retrieve a value for later use
+                if column_names[column_number].lower() == "ip":
+                    ip = column
+
+            if ip:
+                finding.description += f"\n**IP**: {ip}"
+
             if finding is not None and row_number > 0:
                 if finding.title is None:
                     finding.title = ""