Merge branch 'dev' into audit-log

.dryrunsecurity.yaml

@@ -68,6 +68,7 @@ allowedAuthors:
     - dsever
     - dogboat
     - hblankenship
+    - valentijnscholten
 notificationList:
   - '@mtesauro'
   - '@grendel513'

.github/workflows/gh-pages.yml

@@ -19,7 +19,7 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: '22.5.1'
 

.github/workflows/release-x-manual-helm-chart.yml

@@ -47,7 +47,7 @@ jobs:
           git config --global user.email "${{ env.GIT_EMAIL }}"
       
       - name: Set up Helm
-        uses: azure/[email protected]
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
       - name: Configure HELM repos
         run: |-

.github/workflows/test-helm-chart.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.9
 

.github/workflows/update-sample-data.yml

@@ -0,0 +1,53 @@
+name: Update Sample Data
+
+env:
+  GIT_USERNAME: "DefectDojo release bot"
+  GIT_EMAIL: "[email protected]"
+
+on:
+  workflow_dispatch: # Trigger manually
+  schedule:
+    # Run on the 1st day of January, April, July, and October at midnight UTC
+    - cron: '0 0 1 1,4,7,10 *'
+
+jobs:
+  run-binary-and-create-pr:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name || 'dev'}}
+
+      - name: Run binary
+        run: |
+          ./fixture-updater dojo/fixtures/defect_dojo_sample_data.json
+          mv output.json dojo/fixtures/defect_dojo_sample_data.json
+
+      - name: Configure git
+        run: |
+          git config --global user.name "${{ env.GIT_USERNAME }}"
+          git config --global user.email "${{ env.GIT_EMAIL }}"
+
+      - name: Create and switch to a new branch
+        run: |
+          git checkout -b update-file-$(date +%Y%m%d%H%M%S)
+          git add dojo/fixtures/defect_dojo_sample_data.json
+          git commit -m "Update sample data"
+
+      - name: Push branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git push --set-upstream origin $(git rev-parse --abbrev-ref HEAD)
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "Update sample data"
+          branch: ${{ github.ref_name || 'dev'}}
+          base: dev
+          title: "Update sample data"
+          body: "This pull request updates the sample data."

Dockerfile.integration-tests-debian

@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.10.0@sha256:f2054a5a7908ad81017d0f0839514ba5eab06ae628914ff71554d46fac1bcf7a AS openapitools
+FROM openapitools/openapi-generator-cli:v7.11.0@sha256:a9e7091ac8808c6835cf8ec88252bca603f1f889ef1456b63d8add5781feeca7 AS openapitools
 FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS build
 WORKDIR /app
 RUN \

README.md

@@ -113,7 +113,7 @@ of DefectDojo as we begin work on v3. Please see our [contributing guidelines](r
 information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/8974).
 
 ## Pro Edition
-[Upgrade to DefectDojo Pro](https://www.defectdojo.com/pricing) today to take your DevSecOps to 11. DefectDojo Pro is
+[Upgrade to DefectDojo Pro](https://www.defectdojo.com/) today to take your DevSecOps to 11. DefectDojo Pro is
 designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional
 smart features, tunable deduplication, and support from DevSecOps experts.
 

docker-compose.override.dev.yml

@@ -54,4 +54,4 @@ services:
         protocol: tcp
         mode: host
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a
+    image: mccutchen/go-httpbin:v2.16.0@sha256:2b02b8844eab42d432d9c4bbd96a20d7ff348292097eeee4546e79252f72c70e

docker-compose.override.unit_tests.yml

@@ -52,7 +52,7 @@ services:
     image: busybox:1.37.0-musl
     entrypoint: ['echo', 'skipping', 'redis']
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a
+    image: mccutchen/go-httpbin:v2.16.0@sha256:2b02b8844eab42d432d9c4bbd96a20d7ff348292097eeee4546e79252f72c70e
 volumes:
   defectdojo_postgres_unit_tests: {}
   defectdojo_media_unit_tests: {}

docker-compose.override.unit_tests_cicd.yml

@@ -51,7 +51,7 @@ services:
     image: busybox:1.37.0-musl
     entrypoint: ['echo', 'skipping', 'redis']
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:v2.15.0@sha256:24528cf5229d0b70065ac27e6c9e4d96f5452a84a3ce4433e56573c18d96827a
+    image: mccutchen/go-httpbin:v2.16.0@sha256:2b02b8844eab42d432d9c4bbd96a20d7ff348292097eeee4546e79252f72c70e
 volumes:
   defectdojo_postgres_unit_tests: {}
   defectdojo_media_unit_tests: {}

docker/entrypoint-initializer.sh

@@ -16,7 +16,7 @@ initialize_data()
     python3 manage.py initialize_permissions
 }
 
-create_announcement_banner() 
+create_announcement_banner()
 {
 # Load the announcement banner
 if [ -z "$DD_CREATE_CLOUD_BANNER" ]; then
@@ -103,8 +103,26 @@ then
   exit 47
 fi
 
-echo "Making migrations"
-python3 manage.py makemigrations dojo
+
+python3 manage.py makemigrations --no-input --check --dry-run --verbosity 3 || {
+    cat <<-EOF
+
+********************************************************************************
+
+You made changes to the models without creating a DB migration for them.
+
+**NEVER** change existing migrations, create a new one.
+
+If you're not familiar with migrations in Django, please read the
+great documentation thoroughly:
+https://docs.djangoproject.com/en/5.0/topics/migrations/
+
+********************************************************************************
+
+EOF
+    exit 1
+}
+
 echo "Migrating"
 python3 manage.py migrate
 
@@ -139,7 +157,7 @@ fi
 if [ -z "${ADMIN_EXISTS}" ]
 then
   . /entrypoint-first-boot.sh
-    
+
   create_announcement_banner
   initialize_data
 fi

docker/entrypoint-unit-tests-devDocker.sh

@@ -18,7 +18,25 @@ unset DD_CELERY_BROKER_URL
 
 wait_for_database_to_be_reachable
 
-python3 manage.py makemigrations dojo
+python3 manage.py makemigrations --no-input --check --dry-run --verbosity 3 || {
+    cat <<-EOF
+
+********************************************************************************
+
+You made changes to the models without creating a DB migration for them.
+
+**NEVER** change existing migrations, create a new one.
+
+If you're not familiar with migrations in Django, please read the
+great documentation thoroughly:
+https://docs.djangoproject.com/en/5.0/topics/migrations/
+
+********************************************************************************
+
+EOF
+    exit 1
+}
+
 python3 manage.py migrate
 
 # do the check with Django stack
@@ -56,10 +74,10 @@ echo "------------------------------------------------------------"
 
 # Removing parallel and shuffle for now to maintain stability
 python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
-    exit 1; 
+    exit 1;
 }
 python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
-    exit 1; 
+    exit 1;
 }
 
 # you can select a single file to "test" unit tests

docker/entrypoint-unit-tests.sh

@@ -64,7 +64,7 @@ You made changes to the models without creating a DB migration for them.
 
 If you're not familiar with migrations in Django, please read the
 great documentation thoroughly:
-https://docs.djangoproject.com/en/1.11/topics/migrations/
+https://docs.djangoproject.com/en/5.0/topics/migrations/
 
 ********************************************************************************
 
@@ -82,8 +82,8 @@ echo "------------------------------------------------------------"
 
 # Removing parallel and shuffle for now to maintain stability
 python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
-    exit 1; 
+    exit 1;
 }
 python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
-    exit 1; 
+    exit 1;
 }

docs/content/en/changelog/changelog.md

@@ -7,6 +7,14 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide).
 
+## Jan 21, 2025: v2.42.2
+
+- **(Classic UI)** Corrected link to Smart Upload form.
+- **(CLI Tools)** Fixed issue with .exe extensions not getting added to Windows binaries
+- **(Findings)** `Mitigated` filter now uses datetime instead of date for filtering.
+- **(OAuth)** Clarified Azure AD labels to better align with Azure's language.  Default value for Azure Resource is now set. <span style="background-color:rgba(242, 86, 29, 0.5)">(Pro)</span>
+- **(RBAC)** Request Review now applies RBAC properly with regard to User Groups.
+
 ## Jan 13, 2025: v2.42.1
 
 - **(API)** Pro users can now specify the fields they want to return in a given API payload.  For example, this request will only return the title, severity and description fields for each Finding.  <span style="background-color:rgba(242, 86, 29, 0.5)">(Pro)</span>
@@ -15,6 +23,10 @@ curl -X 'GET' \
   'https://localhost/api/v2/findings/?response_fields=title,severity,description' \
   -H 'accept: application/json'
 ```
+- **(Findings)** Excel and CSV exports now include tags.
+- **(Reports)** Reports now exclude unenforced SLAs from Executive Summary to avoid confusion.
+- **(Risk Acceptance)** Simple Risk Acceptances now have a 'paper trail' created - when they are added or removed, a note will be added to the Finding to log the action.
+- **(Tools)** ImageTags are now included with AWS SecurityHub and AWS inspector parsers.
 
 ## Jan 6, 2025: v2.42.0
 

docs/content/en/open_source/api-v2-docs.md

@@ -5,13 +5,10 @@ draft: false
 weight: 2
 ---
 
-
-
-
 DefectDojo\'s API is created using [Django Rest
 Framework](http://www.django-rest-framework.org/). The documentation of
 each endpoint is available within each DefectDojo installation at
-[`/api/v2/doc/`](https://demo.defectdojo.org/api/v2/) and can be accessed by choosing the API v2
+[`/api/v2/oa3/swagger-ui`](https://demo.defectdojo.org/api/v2/oa3/swagger-ui/)) and can be accessed by choosing the API v2
 Docs link on the user drop down menu in the header. 
 
 ![image](../../images/api_v2_1.png)
@@ -45,7 +42,7 @@ For example: :
 
 ### Alternative authentication method
 
-If you use [an alternative authentication method](../social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \
+If you use [an alternative authentication method](../archived_docs/integrations/social-authentication/) for users, you may want to disable DefectDojo API tokens because it could bypass your authentication concept. \
 Using of DefectDojo API tokens can be disabled by specifying the environment variable `DD_API_TOKENS_ENABLED` to `False`.
 Or only `api/v2/api-token-auth/` endpoint can be disabled by setting `DD_API_TOKEN_AUTH_ENDPOINT_ENABLED` to `False`.
 
@@ -128,7 +125,7 @@ The json object result is: :
 {{< /highlight >}}
 
 See [Django Rest Framework\'s documentation on interacting with an
-API](http://www.django-rest-framework.org/topics/api-clients/) for
+API](https://www.django-rest-framework.org/) for
 additional examples and tips.
 
 ## Manually calling the API

docs/content/en/open_source/ldap-authentication.md

@@ -17,7 +17,7 @@ We will need to modify a grand total of 4-5 files, depending on how you want to
  - Dockerfile.django-*
  - Dockerfile.nginx-*
  - requirements.txt
- - settings.dist.py
+ - local_settings.py
  - docker-compose.yml *(Optional)*
 
 
@@ -36,8 +36,8 @@ ldap-utils \
 
 Please check for the latest version of these requirements at the time of implementation on pypi.org and use those if you can.
 
-- [https://pypi.org/project/python-ldap/](python-ldap)
-- [https://pypi.org/project/django-auth-ldap/](django-auth-ldap)
+- [python-ldap](https://pypi.org/project/python-ldap/)
+- [django-auth-ldap](https://pypi.org/project/django-auth-ldap/)
 
 Otherwise add the following to requirements.txt:
 
@@ -47,9 +47,9 @@ django-auth-ldap==4.1.0
 ```
 
 
-#### settings.dist.py
+#### local_settings.py
 
-Find the settings file (hint: `/dojo/settings/settings.dist.py`) and add the following:
+Find the settings file (hint: check in `/dojo/settings/settings.py` for instructions for how to use `/dojo/settings/local_settings.py`, if the file does not already exist) and add the following:
 
 At the top of the file:
 ```python
@@ -116,7 +116,7 @@ Read the docs for Django Authentication with LDAP here: https://django-auth-ldap
 
 #### docker-compose.yml
 
-In order to pass the variables to the settings.dist.py file via docker, it's a good idea to add these to the docker compose file.
+In order to pass the variables to the local_settings.py file via docker, it's a good idea to add these to the docker compose file.
 
 You can do this by adding the following variables to the environment section for the uwsgi image:
 ```yaml

docs/content/en/open_source/upgrading/2.42.md

@@ -4,4 +4,16 @@ toc_hide: true
 weight: -20241202
 description: No special instructions.
 ---
-There are no special instructions for upgrading to 2.42.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.42.0) for the contents of the release.
+
+**Hash Code changes**
+A few parsers have been updated to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code please execute the following command:
+
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Horusec Scan" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Qualys Hacker Guardian Scan --hash_code_only"`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Red Hat Satellite --hash_code_only"`
+
+This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process.
+See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.42.0) for the contents of the release.
+

docs/content/en/open_source/upgrading/2.43.md

@@ -5,8 +5,7 @@ weight: -20250106
 description: Disclaimer field renamed/split.
 ---
 
-Audit log migration
----
+### Audit log migration
 
 As part of the upgrade to django-auditlog 3.x, there is a migration of
 existing records from json-text to json. Depending on the number of
@@ -17,7 +16,23 @@ for making this migration a two step process.
 
 ---
 
+### Diversification of Disclaimers
+
 [Pull request #10902](https://github.com/DefectDojo/django-DefectDojo/pull/10902) introduced different kinds of disclaimers within the DefectDojo instance. The original content of the disclaimer was copied to all new fields where it had been used until now (so this change does not require any action on the user's side). However, if users were managing the original disclaimer via API (endpoint `/api/v2/system_settings/1/`, field `disclaimer`), be aware that the fields are now called `disclaimer_notifications` and `disclaimer_reports` (plus there is one additional, previously unused field called `disclaimer_notes`).
 
-But there are no other special instructions for upgrading to 2.43.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.43.0) for the contents of the release.
+---
+
+### Hash Code changes
+
+The Rusty Hog parser has been [updated](https://github.com/DefectDojo/django-DefectDojo/pull/11433) to populate more fields. Some of these fields are part of the hash code calculation. To recalculate the hash code and deduplicate existing Rusty Hog findings, please execute the following command:
+
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Rusty Hog Scan)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Choctaw Hog)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Duroc Hog)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Gottingen Hog)" --hash_code_only`
+    `docker compose exec uwsgi /bin/bash -c "python manage.py dedupe.py --parser "Essex Hog Scan (Essex Hog)" --hash_code_only`
+
+This command has various command line arguments to tweak its behaviour, for example to trigger a run of the deduplication process.
+See [dedupe.py](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/management/commands/dedupe.py) for more information.
 
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.43.0) for the contents of the release.