Merge pull request #11187 from DefectDojo/bugfix

Release 2.40.0: Merge Bugfix into Dev

docs/config.dev.toml

@@ -77,6 +77,12 @@ weight = 1
     pre = "<i class='fab fa-github'></i>"
     url = "https://github.com/DefectDojo/django-DefectDojo"
 
+[[menu.main]]
+    name = "Knowledge Base"
+    weight = 50
+    pre = "<i class='fas fa-atlas'></i>"
+    url = "https://support.defectdojo.com"
+
 [markup]
   [markup.goldmark]
     [markup.goldmark.renderer]

docs/config.master.toml

@@ -77,6 +77,12 @@ weight = 1
     pre = "<i class='fab fa-github'></i>"
     url = "https://github.com/DefectDojo/django-DefectDojo"
 
+[[menu.main]]
+    name = "Knowledge Base"
+    weight = 50
+    pre = "<i class='fas fa-atlas'></i>"
+    url = "https://support.defectdojo.com"
+
 [markup]
   [markup.goldmark]
     [markup.goldmark.renderer]

docs/content/en/contributing/how-to-write-a-parser.md

@@ -16,9 +16,9 @@ All commands assume that you're located at the root of the django-DefectDojo clo
 - It's advised that you create a dedicated branch for your development, such as `git checkout -b parser-name`.
 
 It is easiest to use the docker compose deployment as it has hot-reload capbility for uWSGI.
-Set up your environment to use the debug environment:
+Set up your environment to use the dev environment:
 
-`$ docker/setEnv.sh debug`
+`$ docker/setEnv.sh dev`
 
 Please have a look at [DOCKER.md](https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md) for more details.
 
@@ -294,12 +294,24 @@ This local command will launch the unit test for your new parser
 $ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.<your_unittest_py_file>.<main_class_name> -v2'
 {{< /highlight >}}
 
+or like this:
+
+{{< highlight bash >}}
+$ ./dc-unittest.sh --test-case unittests.tools.<your_unittest_py_file>.<main_class_name>
+{{< /highlight >}}
+
 Example for the blackduck hub parser:
 
 {{< highlight bash >}}
 $ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser -v2'
 {{< /highlight >}}
 
+or like this:
+
+{{< highlight bash >}}
+$ ./dc-unittest.sh --test-case unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser
+{{< /highlight >}}
+
 {{% alert title="Information" color="info" %}}
 If you want to run all unit tests, simply run `$ docker compose exec uwsgi bash -c 'python manage.py test unittests -v2'`
 {{% /alert %}}

docs/content/en/getting_started/installation.md

@@ -14,11 +14,11 @@ See instructions in [DOCKER.md](<https://github.com/DefectDojo/django-DefectDojo
 
 ### SaaS (Includes Support & Supports the Project)
 
-[SaaS link](https://www.defectdojo.com/pricing)
+[SaaS link](https://defectdojo.com/platform)
 
 ### AWS AMI (Supports the Project)
 
-[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://www.10security.com/defectdojo-aws-launch-guide)
+[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://defectdojo.com/defectdojo-aws-launch-guide)
 
 ---
 ## **Options for the brave (not officially supported)**

dojo/api_v2/serializers.py

@@ -2257,6 +2257,13 @@ def setup_common_context(self, data: dict) -> dict:
             if context.get("scan_date")
             else None
         )
+
+        # engagement end date was not being used at all and so target_end would also turn into None
+        # in this case, do not want to change target_end unless engagement_end exists
+        eng_end_date = context.get("engagement_end_date", None)
+        if eng_end_date:
+            context["target_end"] = context.get("engagement_end_date")
+
         return context
 
 

dojo/settings/.settings.dist.py.sha256sum

@@ -1 +1 @@
-39cdd5dfe53499bfe201d3e5a0f55b20514272235e86db7d5238f2663b79f946
+6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8

dojo/settings/settings.dist.py

@@ -276,7 +276,7 @@
     DD_DELETE_PREVIEW=(bool, True),
     # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
     DD_FILE_UPLOAD_TYPES=(list, [".txt", ".pdf", ".json", ".xml", ".csv", ".yml", ".png", ".jpeg",
-                                 ".sarif", ".xlsx", ".doc", ".html", ".js", ".nessus", ".zip"]),
+                                 ".sarif", ".xlsx", ".doc", ".html", ".js", ".nessus", ".zip", ".fpr"]),
     # Max file size for scan added via API in MB
     DD_SCAN_FILE_MAX_SIZE=(int, 100),
     # When disabled, existing user tokens will not be removed but it will not be
@@ -1742,6 +1742,7 @@ def saml2_attrib_map_format(dict):
     "USN": "https://ubuntu.com/security/notices/",  # e.g. https://ubuntu.com/security/notices/USN-6642-1
     "DLA": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/DLA-3917-1
     "ELSA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
+    "ELBA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "RXSA": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RXSA-2024:4928
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload

dojo/tools/tenable/csv_format.py

@@ -103,6 +103,9 @@ def get_findings(self, filename: str, test: Test):
             mitigation = str(row.get("Solution", row.get("definition.solution", row.get("Steps to Remediate", "N/A"))))
             impact = row.get("Description", row.get("definition.description", "N/A"))
             references = row.get("See Also", row.get("definition.see_also", "N/A"))
+            references += "\nTenable Plugin ID: " + row.get("Plugin", "N/A")
+            references += "\nPlugin Publication Date: " + row.get("Plugin Publication Date", "N/A")
+            references += "\nPlugin Modification Date: " + row.get("Plugin Modification Date", "N/A")
             # Determine if the current row has already been processed
             dupe_key = (
                 severity

dojo/tools/trivy_operator/checks_handler.py

@@ -10,8 +10,15 @@
 
 
 class TrivyChecksHandler:
-    def handle_checks(self, service, checks, test):
+    def handle_checks(self, labels, checks, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for check in checks:
             check_title = check.get("title")
             check_severity = TRIVY_SEVERITIES[check.get("severity")]
@@ -23,6 +30,10 @@ def handle_checks(self, service, checks, test):
                     + check_id.lower()
                 )
             check_description = check.get("description", "")
+            check_description += "\n**container.name:** " + container_name
+            check_description += "\n**resource.kind:** " + resource_kind
+            check_description += "\n**resource.name:** " + resource_name
+            check_description += "\n**resource.namespace:** " + resource_namespace
             title = f"{check_id} - {check_title}"
             finding = Finding(
                 test=test,
@@ -33,6 +44,7 @@ def handle_checks(self, service, checks, test):
                 static_finding=True,
                 dynamic_finding=False,
                 service=service,
+                tags=[resource_namespace],
             )
             if check_id:
                 finding.unsaved_vulnerability_ids = [check_id]

dojo/tools/trivy_operator/parser.py

@@ -25,7 +25,15 @@ def get_findings(self, scan_file, test):
             data = json.loads(str(scan_data, "utf-8"))
         except Exception:
             data = json.loads(scan_data)
+        findings = []
+        if type(data) is list:
+            for listitems in data:
+                findings += self.output_findings(listitems, test)
+        else:
+            findings += self.output_findings(data, test)
+        return findings
 
+    def output_findings(self, data, test):
         if data is None:
             return []
         metadata = data.get("metadata", None)
@@ -40,24 +48,15 @@ def get_findings(self, scan_file, test):
             benchmarkreport = benchmark.get("detailReport", None)
         findings = []
         if report is not None:
-            resource_namespace = labels.get(
-                "trivy-operator.resource.namespace", "",
-            )
-            resource_kind = labels.get("trivy-operator.resource.kind", "")
-            resource_name = labels.get("trivy-operator.resource.name", "")
-            container_name = labels.get("trivy-operator.container.name", "")
-            service = f"{resource_namespace}/{resource_kind}/{resource_name}"
-            if container_name != "":
-                service = f"{service}/{container_name}"
             vulnerabilities = report.get("vulnerabilities", None)
             if vulnerabilities is not None:
-                findings += TrivyVulnerabilityHandler().handle_vulns(service, vulnerabilities, test)
+                findings += TrivyVulnerabilityHandler().handle_vulns(labels, vulnerabilities, test)
             checks = report.get("checks", None)
             if checks is not None:
-                findings += TrivyChecksHandler().handle_checks(service, checks, test)
+                findings += TrivyChecksHandler().handle_checks(labels, checks, test)
             secrets = report.get("secrets", None)
             if secrets is not None:
-                findings += TrivySecretsHandler().handle_secrets(service, secrets, test)
+                findings += TrivySecretsHandler().handle_secrets(labels, secrets, test)
         elif benchmarkreport is not None:
             findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
         return findings

dojo/tools/trivy_operator/secrets_handler.py

@@ -15,8 +15,15 @@
 
 
 class TrivySecretsHandler:
-    def handle_secrets(self, service, secrets, test):
+    def handle_secrets(self, labels, secrets, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for secret in secrets:
             secret_title = secret.get("title")
             secret_category = secret.get("category")
@@ -31,7 +38,10 @@ def handle_secrets(self, service, secrets, test):
                 category=secret_category,
                 match=secret_match,
             )
-
+            secret_description += "\n**container.name:** " + container_name
+            secret_description += "\n**resource.kind:** " + resource_kind
+            secret_description += "\n**resource.name:** " + resource_name
+            secret_description += "\n**resource.namespace:** " + resource_namespace
             finding = Finding(
                 test=test,
                 title=title,
@@ -42,6 +52,7 @@ def handle_secrets(self, service, secrets, test):
                 static_finding=True,
                 dynamic_finding=False,
                 service=service,
+                tags=[resource_namespace],
             )
             if secret_rule_id:
                 finding.unsaved_vulnerability_ids = [secret_rule_id]

dojo/tools/trivy_operator/vulnerability_handler.py

@@ -14,8 +14,15 @@
 
 
 class TrivyVulnerabilityHandler:
-    def handle_vulns(self, service, vulnerabilities, test):
+    def handle_vulns(self, labels, vulnerabilities, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for vulnerability in vulnerabilities:
             vuln_id = vulnerability.get("vulnerabilityID", "0")
             severity = TRIVY_SEVERITIES[vulnerability.get("severity")]
@@ -24,8 +31,7 @@ def handle_vulns(self, service, vulnerabilities, test):
             package_name = vulnerability.get("resource")
             package_version = vulnerability.get("installedVersion")
             cvssv3_score = vulnerability.get("score")
-
-            finding_tags = []
+            finding_tags = [resource_namespace]
             target_target = None
             target_class = None
             package_path = None
@@ -57,7 +63,10 @@ def handle_vulns(self, service, vulnerabilities, test):
             description = DESCRIPTION_TEMPLATE.format(
                 title=vulnerability.get("title"), fixed_version=mitigation,
             )
-
+            description += "\n**container.name:** " + container_name
+            description += "\n**resource.kind:** " + resource_kind
+            description += "\n**resource.name:** " + resource_name
+            description += "\n**resource.namespace:** " + resource_namespace
             title = f"{vuln_id} {package_name} {package_version}"
             finding = Finding(
                 test=test,

helm/defectdojo/templates/configmap.yaml

@@ -18,7 +18,7 @@ data:
   DD_CELERY_BROKER_SCHEME: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.scheme" . }}{{ end }}
   DD_CELERY_BROKER_USER: ''
   DD_CELERY_BROKER_HOST: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.hostname" . }}{{ end }}
-  DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "redis" }}{{ .Values.redis.master.service.ports.redis | default "6379" }}{{ end }}'
+  DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "redis" }}{{- if ( hasKey .Values.redis "master" ) -}}{{ .Values.redis.master.service.ports.redis }}{{ else }}6379{{ end }}{{- end -}}'
   DD_CELERY_BROKER_PARAMS: '{{ if eq .Values.celery.broker "redis" }}{{- if .Values.redis.transportEncryption.enabled -}}{{ .Values.redis.transportEncryption.params | default "ssl_cert_reqs=optional" }}{{ end }}{{ end }}'
   DD_CELERY_BROKER_PATH: '{{ .Values.celery.path | default "//" }}'
   DD_CELERY_LOG_LEVEL: {{ .Values.celery.logLevel }}