diff --git a/docker/entrypoint-initializer.sh b/docker/entrypoint-initializer.sh index c6f86970d8..08e77dc46c 100755 --- a/docker/entrypoint-initializer.sh +++ b/docker/entrypoint-initializer.sh @@ -154,7 +154,7 @@ EOD echo "Importing fixtures all at once" python3 manage.py loaddata system_settings initial_banner_conf product_type test_type \ development_environment benchmark_type benchmark_category benchmark_requirement \ - language_type objects_review regulation initial_surveys role + language_type objects_review regulation initial_surveys role sla_configurations echo "UPDATE dojo_system_settings SET jira_webhook_secret='$DD_JIRA_WEBHOOK_SECRET'" | python manage.py dbshell diff --git a/docs/content/en/getting_started/architecture.md b/docs/content/en/getting_started/architecture.md index 676d818402..fe53d0ef3f 100644 --- a/docs/content/en/getting_started/architecture.md +++ b/docs/content/en/getting_started/architecture.md @@ -20,8 +20,8 @@ dynamic content. ## Message Broker -The application server sends tasks to a [Message Broker](https://docs.celeryproject.org/en/stable/getting-started/brokers/index.html) -for asynchronous execution. +The application server sends tasks to a [Message Broker](https://docs.celeryq.dev/en/stable/getting-started/backends-and-brokers/index.html) +for asynchronous execution. Currently, only [Redis](https://github.com/redis/redis) is supported as a broker. ## Celery Worker diff --git a/docs/content/en/integrations/importing.md b/docs/content/en/integrations/importing.md index 20590ee1f7..127f642932 100644 --- a/docs/content/en/integrations/importing.md +++ b/docs/content/en/integrations/importing.md @@ -69,7 +69,7 @@ An import can be performed by specifying the names of these entities in the API } ``` -When `auto_create_context` is `True`, the product and engagement will be created if needed. Make sure your user has sufficient [permissions](../usage/permissions) to do this. +When `auto_create_context` is `True`, the product, engagement, and environment will be created if needed. Make sure your user has sufficient [permissions](../usage/permissions) to do this. A classic way of importing a scan is by specifying the ID of the engagement instead: diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py index eed696a2c9..16e622178e 100644 --- a/dojo/api_v2/serializers.py +++ b/dojo/api_v2/serializers.py @@ -2046,7 +2046,7 @@ def get_findings_list(self, obj) -> list[int]: return obj.open_findings_list -class ImportScanSerializer(serializers.Serializer): +class CommonImportScanSerializer(serializers.Serializer): scan_date = serializers.DateField( required=False, help_text="Scan completion date will be used on all findings.", @@ -2063,6 +2063,7 @@ class ImportScanSerializer(serializers.Serializer): verified = serializers.BooleanField( help_text="Override the verified setting from the tool.", ) + scan_type = serializers.ChoiceField(choices=get_choices_sorted()) # TODO: why do we allow only existing endpoints? endpoint_to_add = serializers.PrimaryKeyRelatedField( @@ -2084,9 +2085,7 @@ class ImportScanSerializer(serializers.Serializer): required=False, help_text="Resource link to source code", ) - engagement = serializers.PrimaryKeyRelatedField( - queryset=Engagement.objects.all(), required=False, - ) + test_title = serializers.CharField(required=False) auto_create_context = serializers.BooleanField(required=False) deduplication_on_engagement = serializers.BooleanField(required=False) @@ -2146,9 +2145,6 @@ class ImportScanSerializer(serializers.Serializer): # extra fields populated in response # need to use the _id suffix as without the serializer framework gets # confused - test = serializers.IntegerField( - read_only=True, - ) # left for backwards compatibility test_id = serializers.IntegerField(read_only=True) engagement_id = serializers.IntegerField(read_only=True) product_id = serializers.IntegerField(read_only=True) @@ -2163,76 +2159,6 @@ class ImportScanSerializer(serializers.Serializer): required=False, ) - def set_context( - self, - data: dict, - ) -> dict: - """ - Process all of the user supplied inputs to massage them into the correct - format the importer is expecting to see - """ - context = dict(data) - # update some vars - context["scan"] = data.pop("file", None) - context["environment"] = Development_Environment.objects.get( - name=data.get("environment", "Development"), - ) - # Set the active/verified status based upon the overrides - if "active" in self.initial_data: - context["active"] = data.get("active") - else: - context["active"] = None - if "verified" in self.initial_data: - context["verified"] = data.get("verified") - else: - context["verified"] = None - # Change the way that endpoints are sent to the importer - if endpoints_to_add := data.get("endpoint_to_add"): - context["endpoints_to_add"] = [endpoints_to_add] - else: - context["endpoint_to_add"] = None - # Convert the tags to a list if needed. At this point, the - # TaggitListSerializer has already removed commas supplied - # by the user, so this operation will consistently return - # a list to be used by the importer - if tags := context.get("tags"): - if isinstance(tags, str): - context["tags"] = tags.split(", ") - # have to make the scan_date_time timezone aware otherwise uploads via - # the API would fail (but unit tests for api upload would pass...) - context["scan_date"] = ( - timezone.make_aware( - datetime.combine(context.get("scan_date"), datetime.min.time()), - ) - if context.get("scan_date") - else None - ) - # Process the auto create context inputs - self.process_auto_create_create_context(context) - - return context - - def process_auto_create_create_context( - self, - context: dict, - ) -> None: - """ - Extract all of the pertinent args used to auto create any product - types, products, or engagements. This function will also validate - those inputs for any required info that is not present. In the event - of an error, an exception will be raised and bubble up to the user - """ - auto_create = AutoCreateContextManager() - # Process the context to make an conversions needed. Catch any exceptions - # in this case and wrap them in a DRF exception - try: - auto_create.process_import_meta_data_from_dict(context) - # Attempt to create an engagement - context["engagement"] = auto_create.get_or_create_engagement(**context) - except (ValueError, TypeError) as e: - # Raise an explicit drf exception here - raise ValidationError(str(e)) - def get_importer( self, **kwargs: dict, @@ -2274,16 +2200,6 @@ def process_scan( except ValueError as ve: raise Exception(ve) - def save(self, push_to_jira=False): - # Go through the validate method - data = self.validated_data - # Extract the data from the form - context = self.set_context(data) - # set the jira option again as it was overridden - context["push_to_jira"] = push_to_jira - # Import the scan with all of the supplied data - self.process_scan(data, context) - def validate(self, data: dict) -> dict: scan_type = data.get("scan_type") file = data.get("file") @@ -2311,151 +2227,25 @@ def validate_scan_date(self, value: str) -> None: raise serializers.ValidationError(msg) return value - -class ReImportScanSerializer(TaggitSerializer, serializers.Serializer): - scan_date = serializers.DateField( - required=False, - help_text="Scan completion date will be used on all findings.", - ) - minimum_severity = serializers.ChoiceField( - choices=SEVERITY_CHOICES, - default="Info", - help_text="Minimum severity level to be imported", - ) - active = serializers.BooleanField( - help_text="Override the active setting from the tool.", - ) - verified = serializers.BooleanField( - help_text="Override the verified setting from the tool.", - ) - help_do_not_reactivate = "Select if the import should ignore active findings from the report, useful for triage-less scanners. Will keep existing findings closed, without reactivating them. For more information check the docs." - do_not_reactivate = serializers.BooleanField( - default=False, required=False, help_text=help_do_not_reactivate, - ) - scan_type = serializers.ChoiceField( - choices=get_choices_sorted(), required=True, - ) - endpoint_to_add = serializers.PrimaryKeyRelatedField( - queryset=Endpoint.objects.all(), - required=False, - default=None, - help_text="Enter the ID of an Endpoint that is associated with the target Product. New Findings will be added to that Endpoint.", - ) - file = serializers.FileField(allow_empty_file=True, required=False) - product_type_name = serializers.CharField(required=False) - product_name = serializers.CharField(required=False) - engagement_name = serializers.CharField(required=False) - engagement_end_date = serializers.DateField( - required=False, - help_text="End Date for Engagement. Default is current time + 365 days. Required format year-month-day", - ) - source_code_management_uri = serializers.URLField( - max_length=600, - required=False, - help_text="Resource link to source code", - ) - test = serializers.PrimaryKeyRelatedField( - required=False, queryset=Test.objects.all(), - ) - test_title = serializers.CharField(required=False) - auto_create_context = serializers.BooleanField(required=False) - deduplication_on_engagement = serializers.BooleanField(required=False) - - push_to_jira = serializers.BooleanField(default=False) - # Close the old findings if the parameter is not provided. This is to - # mentain the old API behavior after reintroducing the close_old_findings parameter - # also for ReImport. - close_old_findings = serializers.BooleanField( - required=False, - default=True, - help_text="Select if old findings no longer present in the report get closed as mitigated when importing.", - ) - close_old_findings_product_scope = serializers.BooleanField( - required=False, - default=False, - help_text="Select if close_old_findings applies to all findings of the same type in the product. " - "By default, it is false meaning that only old findings of the same type in the engagement are in scope. " - "Note that this only applies on the first call to reimport-scan.", - ) - version = serializers.CharField( - required=False, - help_text="Version that will be set on existing Test object. Leave empty to leave existing value in place.", - ) - build_id = serializers.CharField( - required=False, help_text="ID of the build that was scanned.", - ) - branch_tag = serializers.CharField( - required=False, help_text="Branch or Tag that was scanned.", - ) - commit_hash = serializers.CharField( - required=False, help_text="Commit that was scanned.", - ) - api_scan_configuration = serializers.PrimaryKeyRelatedField( - allow_null=True, - default=None, - queryset=Product_API_Scan_Configuration.objects.all(), - ) - service = serializers.CharField( - required=False, - help_text="A service is a self-contained piece of functionality within a Product. " - "This is an optional field which is used in deduplication and closing of old findings when set. " - "This affects the whole engagement/product depending on your deduplication scope.", - ) - environment = serializers.CharField(required=False) - lead = serializers.PrimaryKeyRelatedField( - allow_null=True, default=None, queryset=User.objects.all(), - ) - tags = TagListSerializerField( - required=False, - allow_empty=True, - help_text="Modify existing tags that help describe this scan. (Existing test tags will be overwritten)", - ) - - group_by = serializers.ChoiceField( - required=False, - choices=Finding_Group.GROUP_BY_OPTIONS, - help_text="Choose an option to automatically group new findings by the chosen option.", - ) - create_finding_groups_for_all_findings = serializers.BooleanField( - help_text="If set to false, finding groups will only be created when there is more than one grouped finding", - required=False, - default=True, - ) - - # extra fields populated in response - # need to use the _id suffix as without the serializer framework gets - # confused - test_id = serializers.IntegerField(read_only=True) - engagement_id = serializers.IntegerField( - read_only=True, - ) # need to use the _id suffix as without the serializer framework gets confused - product_id = serializers.IntegerField(read_only=True) - product_type_id = serializers.IntegerField(read_only=True) - - statistics = ImportStatisticsSerializer(read_only=True, required=False) - apply_tags_to_findings = serializers.BooleanField( - help_text="If set to True, the tags will be applied to the findings", - required=False, - ) - apply_tags_to_endpoints = serializers.BooleanField( - help_text="If set to True, the tags will be applied to the endpoints", - required=False, - ) - - def set_context( - self, - data: dict, - ) -> dict: + def setup_common_context(self, data: dict) -> dict: """ Process all of the user supplied inputs to massage them into the correct format the importer is expecting to see """ context = dict(data) # update some vars - context["scan"] = data.get("file", None) - context["environment"] = Development_Environment.objects.get( - name=data.get("environment", "Development"), - ) + context["scan"] = data.pop("file", None) + + if context.get("auto_create_context"): + environment = Development_Environment.objects.get_or_create(name=data.get("environment", "Development"))[0] + else: + try: + environment = Development_Environment.objects.get(name=data.get("environment", "Development")) + except: + msg = "Environment named " + data.get("environment") + " does not exist." + raise ValidationError(msg) + + context["environment"] = environment # Set the active/verified status based upon the overrides if "active" in self.initial_data: context["active"] = data.get("active") @@ -2486,9 +2276,81 @@ def set_context( if context.get("scan_date") else None ) + return context + + +class ImportScanSerializer(CommonImportScanSerializer): + + engagement = serializers.PrimaryKeyRelatedField( + queryset=Engagement.objects.all(), required=False, + ) + + # extra fields populated in response + # need to use the _id suffix as without the serializer framework gets + # confused + test = serializers.IntegerField( + read_only=True, + ) # left for backwards compatibility + + def set_context( + self, + data: dict, + ) -> dict: + context = self.setup_common_context(data) + # Process the auto create context inputs + self.process_auto_create_create_context(context) return context + def process_auto_create_create_context( + self, + context: dict, + ) -> None: + """ + Extract all of the pertinent args used to auto create any product + types, products, or engagements. This function will also validate + those inputs for any required info that is not present. In the event + of an error, an exception will be raised and bubble up to the user + """ + auto_create = AutoCreateContextManager() + # Process the context to make an conversions needed. Catch any exceptions + # in this case and wrap them in a DRF exception + try: + auto_create.process_import_meta_data_from_dict(context) + # Attempt to create an engagement + context["engagement"] = auto_create.get_or_create_engagement(**context) + except (ValueError, TypeError) as e: + # Raise an explicit drf exception here + raise ValidationError(str(e)) + + def save(self, push_to_jira=False): + # Go through the validate method + data = self.validated_data + # Extract the data from the form + context = self.set_context(data) + # set the jira option again as it was overridden + context["push_to_jira"] = push_to_jira + # Import the scan with all of the supplied data + self.process_scan(data, context) + + +class ReImportScanSerializer(TaggitSerializer, CommonImportScanSerializer): + + help_do_not_reactivate = "Select if the import should ignore active findings from the report, useful for triage-less scanners. Will keep existing findings closed, without reactivating them. For more information check the docs." + do_not_reactivate = serializers.BooleanField( + default=False, required=False, help_text=help_do_not_reactivate, + ) + test = serializers.PrimaryKeyRelatedField( + required=False, queryset=Test.objects.all(), + ) + + def set_context( + self, + data: dict, + ) -> dict: + + return self.setup_common_context(data) + def process_auto_create_create_context( self, auto_create_manager: AutoCreateContextManager, @@ -2511,16 +2373,6 @@ def process_auto_create_create_context( # Raise an explicit drf exception here raise ValidationError(str(e)) - def get_importer( - self, - **kwargs: dict, - ) -> BaseImporter: - """ - Returns a new instance of an importer that extends - the BaseImporter class - """ - return DefaultImporter(**kwargs) - def get_reimporter( self, **kwargs: dict, @@ -2599,33 +2451,6 @@ def save(self, push_to_jira=False): # Import the scan with all of the supplied data self.process_scan(auto_create_manager, data, context) - def validate(self, data): - scan_type = data.get("scan_type") - file = data.get("file") - if not file and requires_file(scan_type): - msg = f"Uploading a Report File is required for {scan_type}" - raise serializers.ValidationError(msg) - if file and is_scan_file_too_large(file): - msg = f"Report file is too large. Maximum supported size is {settings.SCAN_FILE_MAX_SIZE} MB" - raise serializers.ValidationError(msg) - tool_type = requires_tool_type(scan_type) - if tool_type: - api_scan_configuration = data.get("api_scan_configuration") - if ( - api_scan_configuration - and tool_type - != api_scan_configuration.tool_configuration.tool_type.name - ): - msg = f"API scan configuration must be of tool type {tool_type}" - raise serializers.ValidationError(msg) - return data - - def validate_scan_date(self, value): - if value and value > timezone.localdate(): - msg = "The scan_date cannot be in the future!" - raise serializers.ValidationError(msg) - return value - class EndpointMetaImporterSerializer(serializers.Serializer): file = serializers.FileField(required=True) diff --git a/dojo/fixtures/sla_configurations.json b/dojo/fixtures/sla_configurations.json new file mode 100644 index 0000000000..f90d022581 --- /dev/null +++ b/dojo/fixtures/sla_configurations.json @@ -0,0 +1,35 @@ +[ + { + "model": "dojo.sla_configuration", + "pk": 1, + "fields": { + "name": "Default", + "description": "The Default SLA Configuration. Products not using an explicit SLA Configuration will use this one.", + "critical": 7, + "enforce_critical": true, + "high": 30, + "enforce_high": true, + "medium": 90, + "enforce_medium": true, + "low": 120, + "enforce_low": true, + "async_updating": false + } + }, + { + "model": "dojo.sla_configuration", + "fields": { + "name": "No SLA Enforced", + "description": "No SLA is enforced for a product which uses this SLA configuration.", + "critical": 7, + "enforce_critical": false, + "high": 30, + "enforce_high": false, + "medium": 90, + "enforce_medium": false, + "low": 120, + "enforce_low": false, + "async_updating": false + } + } +] diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index b26b379a22..476d3116d4 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -4d3e91f176b73278750dc2f46d27cd4fe2b47d24682ad06d6267880bbdec599c +42026ac47884ee26fe742e59fb7dc621b5f927ee6ee3c92daf09b97f2a740163 diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 39e033010d..1493afadd9 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1735,6 +1735,7 @@ def saml2_attrib_map_format(dict): "ALSA": "https://osv.dev/vulnerability/", # e.g. https://osv.dev/vulnerability/ALSA-2024:0827 "USN": "https://ubuntu.com/security/notices/", # e.g. https://ubuntu.com/security/notices/USN-6642-1 "DLA": "https://security-tracker.debian.org/tracker/", # e.g. https://security-tracker.debian.org/tracker/DLA-3917-1 + "ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html } # List of acceptable file types that can be uploaded to a given object via arbitrary file upload FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES") diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py index e00603f9ee..7b634febf6 100644 --- a/dojo/templatetags/display_tags.py +++ b/dojo/templatetags/display_tags.py @@ -780,6 +780,8 @@ def vulnerability_url(vulnerability_id): for key in settings.VULNERABILITY_URLS: if vulnerability_id.upper().startswith(key): + if "&&" in settings.VULNERABILITY_URLS[key]: + return settings.VULNERABILITY_URLS[key].split("&&")[0] + str(vulnerability_id) + settings.VULNERABILITY_URLS[key].split("&&")[1] return settings.VULNERABILITY_URLS[key] + str(vulnerability_id) return "" diff --git a/dojo/tools/sonarqube/sonarqube_restapi_json.py b/dojo/tools/sonarqube/sonarqube_restapi_json.py index 9a8e3bab22..3caf725c4e 100644 --- a/dojo/tools/sonarqube/sonarqube_restapi_json.py +++ b/dojo/tools/sonarqube/sonarqube_restapi_json.py @@ -115,6 +115,7 @@ def get_json_items(self, json_content, test, mode): component_version=component_version, cwe=cwe, cvssv3_score=cvss, + file_path=component, tags=["vulnerability"], ) vulnids = [] @@ -183,6 +184,7 @@ def get_json_items(self, json_content, test, mode): severity=self.severitytranslator(issue.get("severity")), static_finding=True, dynamic_finding=False, + file_path=component, tags=["code_smell"], ) items.append(item) @@ -225,6 +227,7 @@ def get_json_items(self, json_content, test, mode): severity=self.severitytranslator(hotspot.get("vulnerabilityProbability")), static_finding=True, dynamic_finding=False, + file_path=component, tags=["hotspot"], ) items.append(item) diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index a0cabd6bb3..ae1c256e0e 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "2.40.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.155-dev +version: 1.6.156-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap diff --git a/unittests/tools/test_sonarqube_parser.py b/unittests/tools/test_sonarqube_parser.py index ffb05fb14d..16b80aa9eb 100644 --- a/unittests/tools/test_sonarqube_parser.py +++ b/unittests/tools/test_sonarqube_parser.py @@ -642,6 +642,7 @@ def test_parse_json_file_from_api_with_multiple_findings_zip(self): item = findings[0] self.assertEqual(str, type(item.description)) self.assertEqual("OWASP:UsingComponentWithKnownVulnerability_fjioefjwoefijo", item.title) + self.assertEqual("testapplication", item.file_path) self.assertEqual("Medium", item.severity) item = findings[3] self.assertEqual("OWASP:UsingComponentWithKnownVulnerability_fjioefjwo1123efijo", item.title)