Releases: DefectDojo/django-DefectDojo

1.1.1

13 Oct 20:01

Bug fixes from 1.1.0

1.1.0

05 Oct 23:22

Version 1.1.0 Released

What's new?

  1. Deduplication of Findings
  2. Docker Images
  3. CI Testing
  4. Tags
  5. Metadata
  6. Images for Findings
  7. Improved Controls on Scanner Imports
  8. Added AppSpider Support
  9. URL Prefix Support

v1.0.5

23 Dec 00:12

This new version includes the following fixes and improvements:

  1. Metrics view fixes: capture the correct product type from GET and modify the top ten query.
  2. Updated bower components as well as some Python dependencies. Updated some templates to reflect the new bower components.
  3. Added vobject for new iCalendar features in tests and engagements.
  4. Fixes #45 - Endpoints are missing on findings when form fails to validate
  5. Changed the way you add/remove endpoints from findings to address #46
  6. Fixes #49 - django-audit log 0.3.2 breaks install
  7. Fixes #46 - Can't Remove Endpoints
  8. Address enhancement #50: Added ability to sort listing tables by clicking on TH. Added page size pull down to pagination widget.
  9. Adds ability to "touch" Findings to clear alerts.
  10. Added new upload/import of Nexpose XML 2.0 report. Refactored Burp upload.
  11. Addresses #47 - Capture user who closes findings
  12. Addresses #50 - Improving Sort for all table listing.
  13. Added functionality to upload and re-upload Burp XML, Nessus (CSV, XML), Nexpose XML 2.0, Veracode XML, and ZAP XML scan results.
  14. New documentation now at http://defectdojo.readthedocs.org
  15. Added initial fixtures for Test_Type, Development_Environment and Product_Type. New DefectDojo installs will have initial stub data.
  16. Side menu, List filtering, and menu enhancements.
  17. Finding, Product, and Test information is better displayed.
  18. Alert item now has a count badge letting you know how many alerts you have pending. It will also disappear when all alerts have been cleared.
  19. Breadcrumbs are more intuitive and offer better historical navigation.
  20. Easier way to reopen closed findings - no need to fully Edit finding any more.
  21. Finding quick add, all that is needed is a title. This will trigger a new alert to remind you to complete the findings details.
  22. Endpoints are no longer required to add a finding since not all defects are endpoint related.
  23. Finding field Endpoint has been DEPRECATED; makemigrations is needed.
  24. Moved all views and urls into corresponding modules: development_environment, endpoint, engagement, finding, home, metrics, product, product_type, reports, scan, search, test, test_type, and user. urls.py now imports from each module to get urls and views defined.
  25. Endpoints are now listed by main host only; port, path and other information are collapsed under the main host.
  26. Simple search now uses django-watson (see https://github.com/etianen/django-watson/wiki for documentation). You must add watson to your INSTALLED_APPS setting and run ./manage.py migrate, ./manage.py installwatson and ./manage.py buildwatson.
  27. Changed term highlighter to jquery-highlight (https://github.com/knownasilya/jquery-highlight), which is simple and lightweight. The other js library introduced a bug where text could not be selected for copy and paste.
  28. Brand new Finding Template CRUD functionality. Listing, Add, Edit, Delete in order to make Finding Templates more effective/efficient.
  29. Major Report functionality overhaul. Celery and wkhtmltopdf are now needed to generate PDF reports. See documentation at http://defectdojo.readthedocs.org/en/latest/features.html#reports
  30. Other minor fixes and tweaks.

This version requires the following manage.py command to be executed:

./manage.py makemigrations
./manage.py migrate
./manage.py migrate_finding_templates
./manage.py stamp_finding_last_reviewed

v1.0.4

08 Sep 18:59
  • Increased version to 1.0.4
    • Django 1.8+ is now required
    • Python 2.7+ is now required
  • Bower package clean up
    • Removed jquery.tablesorter - no longer used
  • Rearranged installed apps for template override purposes
  • Now using static from staticfiles for static file references in templates
  • Fixed Add Endpoint bug related to pop up
  • Optimized Metrics queries and simplified logic
  • Simplified Metrics menu items
  • Added new metrics page to report on simple Product Type counts
  • Updated setup.bash to reflect new Django and Python requirements
  • Cleaned up install_requires with updated python packages

v1.0.3

27 Jul 20:58
  • Manage Users
    • Add - By default all users are created with an unusable password. If a password is needed it can be set using the Admin interface.
    • Edit - Update the user data to allow for active, staff, username, first name, last name, email and a multi-select of authorized products.
    • Delete - Deleting this User will remove any related objects associated with it. These relationships are listed on the confirmation page.
  • Added "history" to models to track/log changes over time. Using django-auditlog (https://github.com/jjkester/django-auditlog) for logging purposes.
    • Changes to models.py to register models for automatic logging
    • Changes to settings.dist.py:
      • Add auditlog to the list of INSTALLED_APPS
  • Added additional block in side navigation to allow apps to append to menu list - {% block sidebar-items %}
  • Fixed metrics monthly interval to start on first day of month and end on last day of month.
  • Fixed view add_temp_finding to correctly include the product id to be able to add endpoints correctly. This fixes #42
  • Added icons to pulldown menus.
  • Minor html, css, and content updates to provide consistency across pages.

This release requires database table updates if upgrading from previous version. This can be accomplished with:

./manage.py makemigrations
./manage.py migrate

v1.0.2

29 May 18:26
  • Added Endpoint as a model with add, edit, delete, report, and metrics.
    • A Django management script has been added to aid in the migration from text based endpoints to model based ones.
    • You can run ./manage.py migrate_endpoints
    • The script will look for endpoints in the endpoint and description fields and convert them to an instance of the Endpoint model.
    • Before you run the script you can add host names, ip addresses, domains, etc that should be excluded to the exclude list on line 24.
    • The legacy endpoint field will be removed in version 1.0.3
  • Added ability to delete Products and Engagements
  • Improved functionality for Product Authorized Users (non staff users), can now:
    • View Products
    • View Endpoints
    • View Findings
    • Generate reports for endpoints, products
    • Set up port scan for product
      • View scan results
      • Kickoff on demand scans
      • Edit scan settings
    • View Metrics
    • Add finding notes
  • Finding reports now use the finding id as a reference rather than the for loop counter.
  • Improved Ansible install script.
    • More fault-tolerant, and provides better information on failures.
  • tastypie_swagger fixes
  • Minor CSS and HTML updates
  • New BSD License

This release requires database table updates if upgrading from previous version. This can be accomplished with:

./manage.py makemigrations dojo
./manage.py migrate

Reporting Improvements

27 Apr 18:53
  • Added finding reports at the Product_Type, Product, Engagement and Test level. Reports can be generated in Asciidoc and PDF formats.
    • Since models.py changed, makemigrations/migrate is needed.
    • For PDF reports the following must be installed via pip:
      • django-easy-pdf
      • xhtml2pdf>=0.0.6
      • reportlab
  • Added ability to upload Veracode XML export.
  • Added ability to upload Burp XML reports from Scanner.
  • For Nessus, Veracode and Burp uploads added the ability to select minimum severity level to import.
  • For the Change Password form, added a CSRF token and autocomplete off.
  • Added Content-Type to download views download_risk and view_threatmodel.
  • Added CSRF_COOKIE_HTTPONLY = True, SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True to settings.dist.py and instructions on these in the setup.bash script.
  • Minor css tweaks, and corrected typos.
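A static check for the three cookie flags named above, added here as an example (it is not DefectDojo's own code). It parses a settings file with Python's ast module instead of importing it, reports each flag that is not literally True, and treats an omitted flag as Django's default of False; the two settings sources are constructed samples.

```python
import ast

# Flags settings.dist.py enables in this release, with the risk when left at
# Django's default of False.
REQUIRED_TRUE = {
    "CSRF_COOKIE_HTTPONLY": "CSRF cookie readable by page scripts",
    "SESSION_COOKIE_SECURE": "session cookie may be sent over plain HTTP",
    "CSRF_COOKIE_SECURE": "CSRF cookie may be sent over plain HTTP",
}


def top_level_assignments(source):
    """Map NAME -> last literal value assigned at module top level.
    Non-literal values (e.g. os.environ lookups) are recorded as None so the
    caller can see the flag was set but cannot be verified statically."""
    values = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        try:
            value = ast.literal_eval(node.value)
        except ValueError:
            value = None
        for target in node.targets:
            if isinstance(target, ast.Name):
                values[target.id] = value  # later assignment wins, as in Django
    return values


def audit_settings_source(source):
    """Return (setting, effective_value, risk) for every flag not set to True."""
    assigned = top_level_assignments(source)
    problems = []
    for name, risk in REQUIRED_TRUE.items():
        value = assigned.get(name, False)  # omitted -> Django default False
        if value is not True:
            problems.append((name, value, risk))
    return problems


# Constructed sample: an older settings file that predates this release.
LEGACY = "DEBUG = False\nSESSION_COOKIE_SECURE = False\n"

# Constructed sample: the same file with the release's hardening appended.
HARDENED = LEGACY + (
    "CSRF_COOKIE_HTTPONLY = True\nSESSION_COOKIE_SECURE = True\n"
    "CSRF_COOKIE_SECURE = True\n"
)

if __name__ == "__main__":
    for name, value, risk in audit_settings_source(LEGACY):
        print(f"{name}={value!r}: {risk}")
    print("hardened:", audit_settings_source(HARDENED))
```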