Merge pull request #9820 from DefectDojo/release/2.32.3

Release: Merge release into master from: release/2.32.3
DefectDojo · Mar 25, 2024 · aaf251b · aaf251b
2 parents c182e9c + 181b751
commit aaf251b
Show file tree

Hide file tree

Showing 58 changed files with 271 additions and 277 deletions.
diff --git a/.dryrunsecurity.yaml b/.dryrunsecurity.yaml
@@ -62,7 +62,7 @@ allowedAuthors:
     - grendel513
     - cneill
     - Maffooch
-    - blakeowens
+    - blakeaowens
     - kiblik
     - dsever
     - dogboat

diff --git a/.flake8 b/.flake8
@@ -20,12 +20,8 @@ ignore =
     F405
     # list comprehension redefines
     F812
-    # module level imports
-    E402
     E126
     E128
-    # line break after binary operator
-    W504
     # Line break occurred before a binary operator (conflicting with black)
     W503
     # undefined file name excpetion

diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
@@ -33,4 +33,4 @@ jobs:
         run: pip install -r requirements-lint.txt
 
       - name: Run Ruff Linter
-        run: ruff check .
+        run: ruff check --output-format=github .
diff --git a/components/package.json b/components/package.json
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.32.2",
+  "version": "2.32.3",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

diff --git a/dojo/__init__.py b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = '2.32.2'
+__version__ = '2.32.3'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'https://documentation.defectdojo.com'
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -249,6 +249,8 @@ def __init__(self, **kwargs):
         self.pretty_print = pretty_print
 
     def to_internal_value(self, data):
+        if isinstance(data, list) and data == [''] and self.allow_empty:
+            return []
         if isinstance(data, six.string_types):
             if not data:
                 data = []
@@ -2106,7 +2108,7 @@ class ImportScanSerializer(serializers.Serializer):
         allow_null=True, default=None, queryset=User.objects.all()
     )
     tags = TagListSerializerField(
-        required=False, help_text="Add tags that help describe this scan."
+        required=False, allow_empty=True, help_text="Add tags that help describe this scan."
     )
     close_old_findings = serializers.BooleanField(
         required=False,
@@ -2434,6 +2436,7 @@ class ReImportScanSerializer(TaggitSerializer, serializers.Serializer):
     )
     tags = TagListSerializerField(
         required=False,
+        allow_empty=True,
         help_text="Modify existing tags that help describe this scan. (Existing test tags will be overwritten)",
     )
 

diff --git a/dojo/cred/queries.py b/dojo/cred/queries.py
@@ -45,7 +45,7 @@ def get_authorized_cred_mappings(permission, queryset=None):
         product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         product__authorized_group=Exists(authorized_product_groups))
     cred_mappings = cred_mappings.filter(
-        Q(product__prod_type__member=True) | Q(product__member=True) |
-        Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
+        Q(product__prod_type__member=True) | Q(product__member=True)
+        | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
 
     return cred_mappings
diff --git a/dojo/endpoint/queries.py b/dojo/endpoint/queries.py
@@ -47,8 +47,8 @@ def get_authorized_endpoints(permission, queryset=None, user=None):
         product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         product__authorized_group=Exists(authorized_product_groups))
     endpoints = endpoints.filter(
-        Q(product__prod_type__member=True) | Q(product__member=True) |
-        Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
+        Q(product__prod_type__member=True) | Q(product__member=True)
+        | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
 
     return endpoints
 
@@ -95,7 +95,7 @@ def get_authorized_endpoint_status(permission, queryset=None, user=None):
         endpoint__product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         endpoint__product__authorized_group=Exists(authorized_product_groups))
     endpoint_status = endpoint_status.filter(
-        Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True) |
-        Q(endpoint__product__prod_type__authorized_group=True) | Q(endpoint__product__authorized_group=True))
+        Q(endpoint__product__prod_type__member=True) | Q(endpoint__product__member=True)
+        | Q(endpoint__product__prod_type__authorized_group=True) | Q(endpoint__product__authorized_group=True))
 
     return endpoint_status
diff --git a/dojo/endpoint/views.py b/dojo/endpoint/views.py
@@ -78,7 +78,6 @@ def process_endpoints_view(request, host_view=False, vulnerable=False):
             "filtered": endpoints,
             "name": view_name,
             "host_view": host_view,
-            "product_tab": product_tab
         })
 
 

diff --git a/dojo/engagement/queries.py b/dojo/engagement/queries.py
@@ -40,7 +40,7 @@ def get_authorized_engagements(permission):
         product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         product__authorized_group=Exists(authorized_product_groups))
     engagements = engagements.filter(
-        Q(product__prod_type__member=True) | Q(product__member=True) |
-        Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
+        Q(product__prod_type__member=True) | Q(product__member=True)
+        | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
 
     return engagements
diff --git a/dojo/filters.py b/dojo/filters.py
@@ -1258,7 +1258,7 @@ class ApiFindingFilter(DojoFilter):
     not_tag = CharFilter(field_name='tags__name', lookup_expr='icontains', help_text='Not Tag name contains', exclude='True')
     not_tags = CharFieldInFilter(field_name='tags__name', lookup_expr='in',
                                  help_text='Comma separated list of exact tags not present on model', exclude='True')
-    not_test__tags = CharFieldInFilter(field_name='test__tags__name', lookup_expr='in', help_text='Comma separated list of exact tags present on test')
+    not_test__tags = CharFieldInFilter(field_name='test__tags__name', lookup_expr='in', exclude='True', help_text='Comma separated list of exact tags present on test')
     not_test__engagement__tags = CharFieldInFilter(field_name='test__engagement__tags__name', lookup_expr='in',
                                                    help_text='Comma separated list of exact tags not present on engagement',
                                                    exclude='True')

diff --git a/dojo/finding/queries.py b/dojo/finding/queries.py
@@ -61,10 +61,10 @@ def get_authorized_findings(permission, queryset=None, user=None):
         test__engagement__product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         test__engagement__product__authorized_group=Exists(authorized_product_groups))
     findings = findings.filter(
-        Q(test__engagement__product__prod_type__member=True) |
-        Q(test__engagement__product__member=True) |
-        Q(test__engagement__product__prod_type__authorized_group=True) |
-        Q(test__engagement__product__authorized_group=True))
+        Q(test__engagement__product__prod_type__member=True)
+        | Q(test__engagement__product__member=True)
+        | Q(test__engagement__product__prod_type__authorized_group=True)
+        | Q(test__engagement__product__authorized_group=True))
 
     return findings
 
@@ -94,10 +94,10 @@ def get_authorized_stub_findings(permission):
         test__engagement__product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         test__engagement__product__authorized_group=Exists(authorized_product_groups))
     findings = findings.filter(
-        Q(test__engagement__product__prod_type__member=True) |
-        Q(test__engagement__product__member=True) |
-        Q(test__engagement__product__prod_type__authorized_group=True) |
-        Q(test__engagement__product__authorized_group=True))
+        Q(test__engagement__product__prod_type__member=True)
+        | Q(test__engagement__product__member=True)
+        | Q(test__engagement__product__prod_type__authorized_group=True)
+        | Q(test__engagement__product__authorized_group=True))
 
     return findings
 
@@ -144,9 +144,9 @@ def get_authorized_vulnerability_ids(permission, queryset=None, user=None):
         finding__test__engagement__product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         finding__test__engagement__product__authorized_group=Exists(authorized_product_groups))
     vulnerability_ids = vulnerability_ids.filter(
-        Q(finding__test__engagement__product__prod_type__member=True) |
-        Q(finding__test__engagement__product__member=True) |
-        Q(finding__test__engagement__product__prod_type__authorized_group=True) |
-        Q(finding__test__engagement__product__authorized_group=True))
+        Q(finding__test__engagement__product__prod_type__member=True)
+        | Q(finding__test__engagement__product__member=True)
+        | Q(finding__test__engagement__product__prod_type__authorized_group=True)
+        | Q(finding__test__engagement__product__authorized_group=True))
 
     return vulnerability_ids
diff --git a/dojo/finding_group/queries.py b/dojo/finding_group/queries.py
@@ -47,9 +47,9 @@ def get_authorized_finding_groups(permission, queryset=None, user=None):
         test__engagement__product__prod_type__authorized_group=Exists(authorized_product_type_groups),
         test__engagement__product__authorized_group=Exists(authorized_product_groups))
     finding_groups = finding_groups.filter(
-        Q(test__engagement__product__prod_type__member=True) |
-        Q(test__engagement__product__member=True) |
-        Q(test__engagement__product__prod_type__authorized_group=True) |
-        Q(test__engagement__product__authorized_group=True))
+        Q(test__engagement__product__prod_type__member=True)
+        | Q(test__engagement__product__member=True)
+        | Q(test__engagement__product__prod_type__authorized_group=True)
+        | Q(test__engagement__product__authorized_group=True))
 
     return finding_groups
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -195,8 +195,8 @@ def __init__(self, *args, **kwargs):
         super(Add_Product_Type_MemberForm, self).__init__(*args, **kwargs)
         current_members = Product_Type_Member.objects.filter(product_type=self.initial["product_type"]).values_list('user', flat=True)
         self.fields['users'].queryset = Dojo_User.objects.exclude(
-            Q(is_superuser=True) |
-            Q(id__in=current_members)).exclude(is_active=False).order_by('first_name', 'last_name')
+            Q(is_superuser=True)
+            | Q(id__in=current_members)).exclude(is_active=False).order_by('first_name', 'last_name')
         self.fields['product_type'].disabled = True
 
     class Meta:
@@ -342,8 +342,8 @@ def __init__(self, *args, **kwargs):
         self.fields['product'].disabled = True
         current_members = Product_Member.objects.filter(product=self.initial["product"]).values_list('user', flat=True)
         self.fields['users'].queryset = Dojo_User.objects.exclude(
-            Q(is_superuser=True) |
-            Q(id__in=current_members)).exclude(is_active=False).order_by('first_name', 'last_name')
+            Q(is_superuser=True)
+            | Q(id__in=current_members)).exclude(is_active=False).order_by('first_name', 'last_name')
 
     class Meta:
         model = Product_Member
@@ -836,8 +836,8 @@ class Meta:
 class EngForm(forms.ModelForm):
     name = forms.CharField(
         max_length=300, required=False,
-        help_text="Add a descriptive name to identify this engagement. " +
-                  "Without a name the target start date will be set.")
+        help_text="Add a descriptive name to identify this engagement. "
+                  + "Without a name the target start date will be set.")
     description = forms.CharField(widget=forms.Textarea(attrs={}),
                                   required=False, help_text="Description of the engagement and details regarding the engagement.")
     product = forms.ModelChoiceField(label='Product',
@@ -1785,8 +1785,8 @@ def __init__(self, *args, **kwargs):
                                                  hour=0, minute=0, second=0)
 
             wmf_options.append((end_of_period.strftime("%b %d %Y %H %M %S %Z"),
-                                start_of_period.strftime("%b %d") +
-                                " - " + end_of_period.strftime("%b %d")))
+                                start_of_period.strftime("%b %d")
+                                + " - " + end_of_period.strftime("%b %d")))
 
         wmf_options = tuple(wmf_options)
 
@@ -1872,8 +1872,8 @@ def __init__(self, *args, **kwargs):
         self.fields['group'].disabled = True
         current_members = Dojo_Group_Member.objects.filter(group=self.initial['group']).values_list('user', flat=True)
         self.fields['users'].queryset = Dojo_User.objects.exclude(
-            Q(is_superuser=True) |
-            Q(id__in=current_members)).exclude(is_active=False).order_by('first_name', 'last_name')
+            Q(is_superuser=True)
+            | Q(id__in=current_members)).exclude(is_active=False).order_by('first_name', 'last_name')
         self.fields['role'].queryset = get_group_member_roles()
 
     class Meta:
@@ -2773,7 +2773,7 @@ def __init__(self, *args, **kwargs):
                 # we have to check that we are not in a POST request where jira project config data is posted
                 # this is because initial values will overwrite the actual values entered by the user
                 # makes no sense, but seems to be accepted behaviour: https://code.djangoproject.com/ticket/30407
-                if jira_project_product and not (self.prefix + '-jira_instance') in self.data:
+                if jira_project_product and (self.prefix + '-jira_instance') not in self.data:
                     logger.debug('setting jira project fields from product2')
                     self.initial['jira_instance'] = jira_project_product.jira_instance.id if jira_project_product.jira_instance else None
                     self.initial['project_key'] = jira_project_product.project_key

diff --git a/dojo/importers/importer/importer.py b/dojo/importers/importer/importer.py
@@ -98,8 +98,8 @@ def process_parsed_findings(self, test, parsed_findings, scan_type, user, active
 
             item.numerical_severity = Finding.get_numerical_severity(item.severity)
 
-            if minimum_severity and (Finding.SEVERITIES[item.severity] >
-                    Finding.SEVERITIES[minimum_severity]):
+            if minimum_severity and (Finding.SEVERITIES[item.severity]
+                    > Finding.SEVERITIES[minimum_severity]):
                 # finding's severity is below the configured threshold : ignoring the finding
                 continue
 
@@ -140,8 +140,8 @@ def process_parsed_findings(self, test, parsed_findings, scan_type, user, active
                     else:
                         group_names_to_findings_dict[name] = [item]
 
-            if (hasattr(item, 'unsaved_req_resp') and
-                    len(item.unsaved_req_resp) > 0):
+            if (hasattr(item, 'unsaved_req_resp')
+                    and len(item.unsaved_req_resp) > 0):
                 for req_resp in item.unsaved_req_resp:
                     burp_rr = BurpRawRequestResponse(
                         finding=item,
@@ -150,8 +150,8 @@ def process_parsed_findings(self, test, parsed_findings, scan_type, user, active
                     burp_rr.clean()
                     burp_rr.save()
 
-            if (item.unsaved_request is not None and
-                    item.unsaved_response is not None):
+            if (item.unsaved_request is not None
+                    and item.unsaved_response is not None):
                 burp_rr = BurpRawRequestResponse(
                     finding=item,
                     burpRequestBase64=base64.b64encode(item.unsaved_request.encode()),

diff --git a/dojo/importers/reimporter/utils.py b/dojo/importers/reimporter/utils.py
@@ -35,8 +35,8 @@ def match_new_finding_to_existing_finding(new_finding, test, deduplication_algor
     elif deduplication_algorithm == 'unique_id_from_tool_or_hash_code':
         query = Finding.objects.filter(
             Q(test=test),
-            (Q(hash_code__isnull=False) & Q(hash_code=new_finding.hash_code)) |
-            (Q(unique_id_from_tool__isnull=False) & Q(unique_id_from_tool=new_finding.unique_id_from_tool))).order_by('id')
+            (Q(hash_code__isnull=False) & Q(hash_code=new_finding.hash_code))
+            | (Q(unique_id_from_tool__isnull=False) & Q(unique_id_from_tool=new_finding.unique_id_from_tool))).order_by('id')
         deduplicationLogger.debug(query.query)
         return query
     elif deduplication_algorithm == 'legacy':

diff --git a/dojo/jira_link/queries.py b/dojo/jira_link/queries.py
@@ -64,14 +64,14 @@ def get_authorized_jira_projects(permission, user=None):
         product__prod_type__authorized_group=Exists(product_authorized_product_type_groups),
         product__authorized_group=Exists(product_authorized_product_groups))
     jira_projects = jira_projects.filter(
-        Q(engagement__product__prod_type__member=True) |
-        Q(engagement__product__member=True) |
-        Q(engagement__product__prod_type__authorized_group=True) |
-        Q(engagement__product__authorized_group=True) |
-        Q(product__prod_type__member=True) |
-        Q(product__member=True) |
-        Q(product__prod_type__authorized_group=True) |
-        Q(product__authorized_group=True))
+        Q(engagement__product__prod_type__member=True)
+        | Q(engagement__product__member=True)
+        | Q(engagement__product__prod_type__authorized_group=True)
+        | Q(engagement__product__authorized_group=True)
+        | Q(product__prod_type__member=True)
+        | Q(product__member=True)
+        | Q(product__prod_type__authorized_group=True)
+        | Q(product__authorized_group=True))
 
     return jira_projects
 
@@ -153,17 +153,17 @@ def get_authorized_jira_issues(permission):
         finding__test__engagement__product__prod_type__authorized_group=Exists(finding_authorized_product_type_groups),
         finding__test__engagement__product__authorized_group=Exists(finding_authorized_product_groups))
     jira_issues = jira_issues.filter(
-        Q(engagement__product__prod_type__member=True) |
-        Q(engagement__product__member=True) |
-        Q(engagement__product__prod_type__authorized_group=True) |
-        Q(engagement__product__authorized_group=True) |
-        Q(finding_group__test__engagement__product__prod_type__member=True) |
-        Q(finding_group__test__engagement__product__member=True) |
-        Q(finding_group__test__engagement__product__prod_type__authorized_group=True) |
-        Q(finding_group__test__engagement__product__authorized_group=True) |
-        Q(finding__test__engagement__product__prod_type__member=True) |
-        Q(finding__test__engagement__product__member=True) |
-        Q(finding__test__engagement__product__prod_type__authorized_group=True) |
-        Q(finding__test__engagement__product__authorized_group=True))
+        Q(engagement__product__prod_type__member=True)
+        | Q(engagement__product__member=True)
+        | Q(engagement__product__prod_type__authorized_group=True)
+        | Q(engagement__product__authorized_group=True)
+        | Q(finding_group__test__engagement__product__prod_type__member=True)
+        | Q(finding_group__test__engagement__product__member=True)
+        | Q(finding_group__test__engagement__product__prod_type__authorized_group=True)
+        | Q(finding_group__test__engagement__product__authorized_group=True)
+        | Q(finding__test__engagement__product__prod_type__member=True)
+        | Q(finding__test__engagement__product__member=True)
+        | Q(finding__test__engagement__product__prod_type__authorized_group=True)
+        | Q(finding__test__engagement__product__authorized_group=True))
 
     return jira_issues
diff --git a/dojo/metrics/views.py b/dojo/metrics/views.py
@@ -874,8 +874,8 @@ def engineer_metrics(request):
 @vary_on_cookie
 def view_engineer(request, eid):
     user = get_object_or_404(Dojo_User, pk=eid)
-    if not (request.user.is_superuser or
-            request.user.username == user.username):
+    if not (request.user.is_superuser
+            or request.user.username == user.username):
         raise PermissionDenied()
     now = timezone.now()