Syncs with upstream dev (#116)
* Update versions in application files

* Update versions

* Parse GitHub vulnerability version (DefectDojo#9462)

* Fix SARIF parser with CodeQL rules (DefectDojo#9440)

* fix for sarif parser with codeql rules

* add check for extensions property

* flake8 comparison

* Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Improve API endpoints for Risk Acceptances (DefectDojo#9415)

* finding sla expiration date field (part two) (DefectDojo#9494)

* finding sla expiration date field (part two)

* sla violation check updates

* clean up of finding violates_sla property

* flake8 fix

* Update dojo/models.py

Co-authored-by: Charles Neill <[email protected]>

* Update 0201_populate_finding_sla_expiration_date.py

---------

Co-authored-by: Charles Neill <[email protected]>

* Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517)

* Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means.  It is now active == False and severity == 'Info'. [sc-4217]

* fixing Flake8 errors

* fixing Flake8 errors, part deux

* Jira Server/DataCenter: Update meta methods (DefectDojo#9512)

* Jira Webhook: Catch comments from other issue updates (DefectDojo#9513)

* Jira Webhook: Catch comments from other issue updates

* Accommodate redirect responses

* Update dojo/jira_link/views.py

Co-authored-by: Charles Neill <[email protected]>

* Fix syntax

---------

Co-authored-by: Charles Neill <[email protected]>

* add metrics page: "Product Tag Count" (fixes DefectDojo#9151) (DefectDojo#9152)

* add metrics page: "Product Tag Count"

It is fully based on "Product Type Count" metrics page.

* fixup! add metrics page: "Product Tag Count"

* Fix Flake8

* Update views.py

---------

Co-authored-by: Cody Maffucci <[email protected]>

* Release Drafter: Try validating inputs

* Disallow duplicate tool types (DefectDojo#9530)

* Disallow duplicate tool types

* Fix Flake8

* Only validate on new creations

* Force new name on tool type unit test

* Engagement Surveys: Add missing leading slash (DefectDojo#9531)

URL redirects were behaving strangely without this leading slash. It seems it was missed when all the others were added

* Update versions in application files

* Update versions in application files

* Update versions in application files

* Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405)

* Use correct name references

* fix db_mig

* Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py

---------

Co-authored-by: Cody Maffucci <[email protected]>

* Fix "Overdue" tag still visible with closed issues (DefectDojo#9539)

* Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* remove flot-axis library (DefectDojo#9540)

* use full url for helm-repos and alias in renovate.json (DefectDojo#9525)

With this change, renovate will create PRs to update
the helm-dependencies, just as with docker-compose.

Note that only setting the repository to the full URL did not work,
I also had to add the registryAlias.

* Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update Helm release rabbitmq from 11.2.2 to ~11.16.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9548)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update Helm release postgresql from 11.6.26 to ~11.9.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9546)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update Helm release postgresql-ha from 9.1.9 to ~9.4.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9547)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update google-sheets-sync.md with deprecation notice (DefectDojo#9495)

* Remove DD_USE_L10N (DefectDojo#9491)

* API: removal of drf_yasg (OpenAPI 2.0 Swagger) (DefectDojo#9108)

* Removal of drf_yasg

* Clean filterwarnings

* Drop filterwarnings "unclosed file" (DefectDojo#9498)

* 🐛 WFuzz: Generalize severity mapping (DefectDojo#9505)

* 🐛 fix wfuzz 301, issue 6182

* make severity mapper more robust

* unittest for missing response code

* update docs

* Remove useless noqa, be more specific for useful noqa (DefectDojo#9510)

* ✨ add burp dastardly (DefectDojo#9514)

* ✨ add burp dastardly

* fix author names

* fix unittest

* add docs

* Remove filterwarnings for "invalid escape sequence" (DefectDojo#9496)

* Drop filterwarnings "invalid escape sequence"

* Fix SyntaxError for special_character_required

* Update dojo/utils.py

Co-authored-by: Charles Neill <[email protected]>

* Update settings.dist.py

Fix merge conflict fix

---------

Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Matt Tesauro <[email protected]>

* 🐛 fix mobsf deduplication and severity mapping (DefectDojo#9471)

* 🐛 fix DefectDojo#7936, fix severity mapping

* add warning

* remove multiple warning replacings

* remove replacing

* Remove filterwarnings for "DateTimeField - timezone" (DefectDojo#9497)

* Drop filterwarnings "DateTimeField - timezone"

* Fix some

* Fix of RA test + importers

* Fix RA

* Fix importers

* Fix Flake8

---------

Co-authored-by: Matt Tesauro <[email protected]>

* Update Helm release postgresql-ha from 9.4.11 to v13 (helm/defectdojo/Chart.yaml) (DefectDojo#9553)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Remove handling of broken unittests (DefectDojo#9504)

* 🎉 introducing EPSS score (DefectDojo#9516)

* WIP

* first draw

* fix migrations

* fix migrations

* add epss to findings UI

* added epss to finding list

* Delete unittests/scans/wazuh/one_endpoint_finding.json

* flake8

* add migration for ModelOptions

* Add null values for epss + validators

* updated findings detail page to display epss as percentage

* removed wazuh file

* update branch (#3)

* Update versions in application files

* Update jira-description.tpl (DefectDojo#9403)

* Update and rename whitesource.md to mend.md (DefectDojo#9348)

* Update and rename whitesource.md to mend.md

* Update docs/content/en/integrations/parsers/file/mend.md

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>

* API: Remote v2 OpenAPI2 Docs from menu (DefectDojo#9469)

* 🐛 fix migration (DefectDojo#9467)

* finding sla expiration date field (part one) (DefectDojo#9473)

* addition of sla expiration date field on the finding model

* add migration and fix indentation issue

* fix mitigated finding remaining sla days calculation

* fix sla violation filter to return only active, sla violating findings

* migration system settings fix

* fix mitigation date vs datetime discrepancy

* fix breaking unit test

* move product save check to signal

* fix unit test failure

* make signal operations async, fix sla config delete 500 error

* add unit tests to test sla expiration date functionality

* restarting without signals

* add async updating flags, redo migration

* move signal logic to overridden save

* fix errors for non-existing objects at creation

* clean up comments and a few logical expressions

* fix flake8 error

* addition of new unit tests

* fix unit test error

* add message to form fields when async updating flag is true

* fix save location, reword form messages, reword redirect messages

* remove commented lines from unit tests

* add a bit more description to API validation errors

* migration fix

* migration performance improvements

* fix datetime - str comparison issue

* clean up for part one of sla expiration date field

* fix flake8

* Update dojo/db_migrations/0200_finding_sla_expiration_date_product_async_updating_and_more.py

Co-authored-by: Charles Neill <[email protected]>

* Update dojo/models.py

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>

* Update versions in application files

* Update versions in application files

* Update release-drafter/release-drafter action from v5.25.0 to v6 (.github/workflows/release-drafter.yml) (DefectDojo#9460)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Bump pytz from 2023.4 to 2024.1 (DefectDojo#9465)

Bumps [pytz](https://github.com/stub42/pytz) from 2023.4 to 2024.1.
- [Release notes](https://github.com/stub42/pytz/releases)
- [Commits](stub42/pytz@release_2023.4...release_2024.1)

---
updated-dependencies:
- dependency-name: pytz
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump django-debug-toolbar from 4.2.0 to 4.3.0 (DefectDojo#9466)

Bumps [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/jazzband/django-debug-toolbar/releases)
- [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/main/docs/changes.rst)
- [Commits](django-commons/django-debug-toolbar@4.2...4.3)

---
updated-dependencies:
- dependency-name: django-debug-toolbar
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump nginx from `d12e6f7` to `f2802c2` (DefectDojo#9477)

Bumps nginx from `d12e6f7` to `f2802c2`.

---
updated-dependencies:
- dependency-name: nginx
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update dependency postcss from 8.4.33 to v8.4.34 (docs/package.json) (DefectDojo#9481)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9458)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* ⬆️ Bump boto3 from 1.34.32 to 1.34.35 (DefectDojo#9489)

Bumps [boto3](https://github.com/boto/boto3) from 1.34.32 to 1.34.35.
- [Release notes](https://github.com/boto/boto3/releases)
- [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)
- [Commits](boto/boto3@1.34.32...1.34.35)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt) (DefectDojo#9459)

* Update dependency ruff from 0.1.15 to v0.2.1 (requirements-lint.txt)

* Fix ruff warning (DefectDojo#9461)

* Update dependency ruff from 0.1.15 to v0.2.0 (requirements-lint.txt)

* fix ruff warning

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kiblik <[email protected]>
Co-authored-by: Charles Neill <[email protected]>

* 🐛 fix defaulting severity, see last comments in DefectDojo#8778 (DefectDojo#9370)

Co-authored-by: Cody Maffucci <[email protected]>

* Add ruff for *tests (DefectDojo#9406)

* Revert ":bug: fix dependencytrack deduplication (DefectDojo#9117)" (DefectDojo#9371)

This reverts commit 0f55a7f.

Co-authored-by: Cody Maffucci <[email protected]>

* dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string should evaluate to "Info" (DefectDojo#9453)

* dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info"

* dojo/importers/importer/importer.py - Change "None" string to "Info" from cvss module when a CVSS vector string evaluates to "Info" #flake8_fix

* Trivy Operator VulnerabilityReport Parser tweaks (DefectDojo#9452)

* API: Check missing endpoints (DefectDojo#7618)

* Rename unittest

* Define exceptions for now

* Announcement was implemented

* Fix unittests with assertRaises + replace  assertTrue/False with better checks (DefectDojo#9435)

* Fix unittests with assertRaises

* Replace assertTrue/False with better checks

* Fixes

* Optimize list of Maintenance in release notes (DefectDojo#9492)

* fix typo in docs (DefectDojo#9487)

* 🐛 WFuzz: Add additional severity mappings (DefectDojo#9486)

* 🐛 fix wfuzz, issue DefectDojo#7863

* add 302

* update docs

* Be strict about Warnings during testing (DefectDojo#9490)

* Set PYTHONWARNINGS=error

* Add basic filterwarnings

* Mute some warnings

* Mute one more warning

* 🐛 fix trufflehog3, issue DefectDojo#6999 (DefectDojo#9470)

* 🐛 fix yarn_audit, DefectDojo#6495 (DefectDojo#9478)

* Bump vulners from 2.1.2 to 2.1.5 (DefectDojo#9391)

Bumps [vulners]() from 2.1.2 to 2.1.5.

---
updated-dependencies:
- dependency-name: vulners
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add support for DD_APPEND_SLASH (DefectDojo#9385)

* Override default Django APPEND_SLASH

* Update dojo/settings/settings.dist.py

* 🎉 Improvements for wazuh importer (DefectDojo#9248)

* improvement for wazuh importer

* 🔧 change on dedupe for Wazuh

* 🔧 change on dedupe for Wazuh

* 📝

* ✏️

* 📝

* 📝

* flake8

* 🎉 recoded wazuh importer to support endpoints

* ✅ adjusted unittests

* 📝

* ✏️

* ✏️

---------

Co-authored-by: Cody Maffucci <[email protected]>

* Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9501)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update dependency postcss from 8.4.34 to v8.4.35 (docs/package.json) (DefectDojo#9502)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Improve API endpoints for Risk Acceptances (DefectDojo#9415)

* Modifying Bugcrowd API Parser to align to vendor documentation on wha… (DefectDojo#9517)

* Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means.  It is now active == False and severity == 'Info'. [sc-4217]

* fixing Flake8 errors

* fixing Flake8 errors, part deux

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: DefectDojo release bot <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: kiblik <[email protected]>
Co-authored-by: manuelsommer <[email protected]>
Co-authored-by: Blake Owens <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Robert Kiss <[email protected]>
Co-authored-by: ninp0 <[email protected]>
Co-authored-by: Raouf HADDADA <[email protected]>
Co-authored-by: Felix Hernandez <[email protected]>
Co-authored-by: Jay Paz <[email protected]>

* updated migrations

* added percentage to findings_list

* ✏️ tightening column title in findings detail page

* flake8

* undo DT parser update

* fix migrations

* update migrations to changes in dev

* merge dev into epss score

* Update versions in application files

* Update versions

* Parse GitHub vulnerability version (DefectDojo#9462)

* Fix SARIF parser with CodeQL rules (DefectDojo#9440)

* fix for sarif parser with codeql rules

* add check for extensions property

* flake8 comparison

* finding sla expiration date field (part two) (DefectDojo#9494)

* finding sla expiration date field (part two)

* sla violation check updates

* clean up of finding violates_sla property

* flake8 fix

* Update dojo/models.py

Co-authored-by: Charles Neill <[email protected]>

* Update 0201_populate_finding_sla_expiration_date.py

---------

Co-authored-by: Charles Neill <[email protected]>

* Jira Server/DataCenter: Update meta methods (DefectDojo#9512)

* Jira Webhook: Catch comments from other issue updates (DefectDojo#9513)

* Jira Webhook: Catch comments from other issue updates

* Accommodate redirect responses

* Update dojo/jira_link/views.py

Co-authored-by: Charles Neill <[email protected]>

* Fix syntax

---------

Co-authored-by: Charles Neill <[email protected]>

* add metrics page: "Product Tag Count" (fixes DefectDojo#9151) (DefectDojo#9152)

* add metrics page: "Product Tag Count"

It is fully based on "Product Type Count" metrics page.

* fixup! add metrics page: "Product Tag Count"

* Fix Flake8

* Update views.py

---------

Co-authored-by: Cody Maffucci <[email protected]>

* Release Drafter: Try validating inputs

* Disallow duplicate tool types (DefectDojo#9530)

* Disallow duplicate tool types

* Fix Flake8

* Only validate on new creations

* Force new name on tool type unit test

* Engagement Surveys: Add missing leading slash (DefectDojo#9531)

URL redirects were behaving strangely without this leading slash. It seems it was missed when all the others were added

* Update versions in application files

* Update versions in application files

* Dojo_Group: Support for "RemoteUser" in model (DefectDojo#9405)

* Use correct name references

* fix db_mig

* Update and rename 0201_alter_dojo_group_social_provider.py to 0202_alter_dojo_group_social_provider.py

---------

Co-authored-by: Cody Maffucci <[email protected]>

* Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9535)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* remove flot-axis library (DefectDojo#9540)

* use full url for helm-repos and alias in renovate.json (DefectDojo#9525)

With this change, renovate will create PRs to update
the helm-dependencies, just as with docker-compose.

Note that only setting the repository to the full URL did not work,
I also had to add the registryAlias.

* Update Helm release redis from 16.12.3 to ~16.13.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9550)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update rabbitmq:3.12.12-alpine Docker digest from 3.12.12 to 3.12.12-alpine (docker-compose.yml) (DefectDojo#9541)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update postgres Docker tag from 16.1 to v16.2 (docker-compose.yml) (DefectDojo#9536)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update Helm release mysql from 9.1.8 to ~9.19.0 (helm/defectdojo/Chart.yaml) (DefectDojo#9545)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

---------

Co-authored-by: DefectDojo release bot <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Colm O hEigeartaigh <[email protected]>
Co-authored-by: Andrei Serebriakov <[email protected]>
Co-authored-by: Blake Owens <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: tomaszn <[email protected]>
Co-authored-by: kiblik <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Felix Hernandez <[email protected]>
Co-authored-by: Sebastian Gumprich <[email protected]>

* update epss-score (#5)

solve conflicts

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: DefectDojo release bot <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: kiblik <[email protected]>
Co-authored-by: manuelsommer <[email protected]>
Co-authored-by: Blake Owens <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Robert Kiss <[email protected]>
Co-authored-by: ninp0 <[email protected]>
Co-authored-by: Raouf HADDADA <[email protected]>
Co-authored-by: Felix Hernandez <[email protected]>
Co-authored-by: Jay Paz <[email protected]>
Co-authored-by: Colm O hEigeartaigh <[email protected]>
Co-authored-by: Andrei Serebriakov <[email protected]>
Co-authored-by: tomaszn <[email protected]>
Co-authored-by: Sebastian Gumprich <[email protected]>

* 🎉 importing epss score from DependencyTrack output (DefectDojo#9521)

* improved Sonatype parser (DefectDojo#9519)

* Sonatype parser improved

* Blank line at end of file removed.

* Sonatype status evaluation removed.

* fix clair docs according to PR DefectDojo#9355 (DefectDojo#9523)

* fix clair docs according to PR DefectDojo#9355

* remove clair_klar

* update

* start to implement unittest to test if a parser exists for a md file

* unittest to test if parser exists to a documented parser

* add edgescan and codeql to skip this test

* 🎉 works fine, removed asfd

* ⬆️ Bump openapitools/openapi-generator-cli from v7.2.0 to v7.3.0 (DefectDojo#9526)

Bumps openapitools/openapi-generator-cli from v7.2.0 to v7.3.0.

---
updated-dependencies:
- dependency-name: openapitools/openapi-generator-cli
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 🎉 Importing EPSS score from AWS Inspector via AWS SecHub (DefectDojo#9529)

* 🎉 epss score for AWS SecHub

* 🎉 adjusted aws sechub parser to import inspector epss scores

* flake8

* 🐛 fix kics, DefectDojo#7966 (DefectDojo#9542)

* 🐛 fix kics, DefectDojo#7966

* 🐛 fix unittests

* add hashcode according to review

* update to retrigger failed pipeline

* Fix handling of incorrect if test import fail (DefectDojo#9544)

* 🐛 fix nessus severity (DefectDojo#9549)

* 🐛 fix nessus severity

* add unittest

* flake8

* ✨ Documentation for managing files (DefectDojo#9557)

* ✨ add docs for issue DefectDojo#8597

* update according to review

* Labeler: Add sync-labels (DefectDojo#9565)

* Update rabbitmq Docker tag from 3.12.12 to v3.12.13 (docker-compose.yml) (DefectDojo#9573)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Questionnaires: Correct nested object deletions (DefectDojo#9574)

* Questionnaires: Correct nested object deletions

* Fix Flake8

* Jira: Append labels and respect priority on update (DefectDojo#9571)

A couple fields are overwritten by DefectDojo when findings are pushed to an existing jira ticket. This can be destructive for developers in the following ways:
- Priority: This field often reflects the timeline a particular issue may be fixed. Developers may have more specific context for why a vulnerability may not be as severe as initially thought.
- Labels: Labels could be used to sort issues in a given queue to determine who works on a given ticket. When a finding is pushed to jira again after creation, these new labels should not be overwritten

These fields should be respected to avoid stomping on any changes/process set by developers

* Bump nginx from 1.25.3-alpine to 1.25.4-alpine (DefectDojo#9580)

Bumps nginx from 1.25.3-alpine to 1.25.4-alpine.

---
updated-dependencies:
- dependency-name: nginx
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Correct Endpoint "Hosts" views when the host field is `None` (DefectDojo#9560)

* Endpoints: Force object validation on save

* Prevent str concatenation with None type

* Remove forced clean on save

* Deduplication: Do not reopen original finding (DefectDojo#9558)

* Update versions in application files

* Update versions in application files

* Ignore warnings from polymorphic

* Fix Flake8

* More warning handling

* Fix Flake8 again...

* Update dependency ruff from 0.2.1 to v0.2.2 (requirements-lint.txt) (DefectDojo#9576)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* ✨ AWS Security Hub: Add GuardDuty (DefectDojo#9524)

* ✨ fix guardduty, issue DefectDojo#7813

* advance unittests

* add mitigation

* provide more information

* uniqueidfromtool not in description

* flake8

* update docs

* update docs

* update docs

* update according to review

* adapt docs

* 🐛 fix according to comment

* 🐛 fix wrong merge conflict resolution

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: DefectDojo release bot <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Colm O hEigeartaigh <[email protected]>
Co-authored-by: Andrei Serebriakov <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Felix Hernandez <[email protected]>
Co-authored-by: Blake Owens <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Jay Paz <[email protected]>
Co-authored-by: tomaszn <[email protected]>
Co-authored-by: kiblik <[email protected]>
Co-authored-by: Sebastian Gumprich <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: manuelsommer <[email protected]>
Co-authored-by: Matt Tesauro <[email protected]>
Co-authored-by: Quirin Hardy Zießler <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Robert Kiss <[email protected]>
Co-authored-by: ninp0 <[email protected]>
Co-authored-by: Raouf HADDADA <[email protected]>
Co-authored-by: Andreas Reichert <[email protected]>
Co-authored-by: Quirin Hardy Zießler <[email protected]>
Co-authored-by: kiblik <[email protected]>
1 parent f931533 commit 0c20505
Showing 122 changed files with 10,498 additions and 2,347 deletions.
5 changes: 4 additions & 1 deletion .github/renovate.json
@@ -12,5 +12,8 @@
"commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{toVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
"commitMessageSuffix": "({{packageFile}})",
"labels": ["dependencies"]
}]
}],
"registryAliases": {
"bitnami": "https://charts.bitnami.com/bitnami"
}
}
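Review bot: nothing in this hunk records why the alias is needed, and the commit message says the full repository URL alone was not enough for Renovate to pick up the Helm dependencies; JSON has no comments, so consider adding a Renovate `description` entry next to `registryAliases` stating that both the full URL in Chart.yaml and this alias are required, otherwise the next cleanup pass is likely to remove the alias as redundant. The alias URL being https is the right choice, since the chart index is fetched from it.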
13 changes: 8 additions & 5 deletions .github/workflows/fetch-oas.yml
@@ -10,6 +10,9 @@ on:
This will override any version calculated by the release-drafter.
required: true

env:
release_version: ${{ github.event.inputs.version || github.event.inputs.release_number }}

jobs:
oas_fetch:
name: Fetch OpenAPI Specifications
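Review bot: `release_version` falls back to `github.event.inputs.release_number`, but the visible `on:` block only declares `version` (`required: true`); if `release_number` comes from a `workflow_call` trigger above this hunk that is fine, otherwise the fallback is dead. In either case, when both inputs are empty `release_version` expands to an empty string and the job only fails later at checkout with the unhelpful ref `release/`; a first step that exits with a clear message when `env.release_version` is empty would make that failure obvious.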
@@ -21,19 +24,19 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.inputs.version }}
ref: release/${{ env.release_version }}

- name: Load docker images
run: |-
docker pull defectdojo/defectdojo-django:${{ github.event.inputs.version }}-alpine
docker pull defectdojo/defectdojo-nginx:${{ github.event.inputs.version }}-alpine
docker pull defectdojo/defectdojo-django:${{ env.release_version }}-alpine
docker pull defectdojo/defectdojo-nginx:${{ env.release_version }}-alpine
docker images
- name: Start Dojo
run: docker-compose --profile postgres-redis --env-file ./docker/environments/postgres-redis.env up --no-deps -d postgres nginx uwsgi
env:
DJANGO_VERSION: ${{ github.event.inputs.version }}-alpine
NGINX_VERSION: ${{ github.event.inputs.version }}-alpine
DJANGO_VERSION: ${{ env.release_version }}-alpine
NGINX_VERSION: ${{ env.release_version }}-alpine

- name: Download OpenAPI Specifications
run: |-
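Review bot: the two `docker pull` lines still interpolate the input with `${{ env.release_version }}` inside a `run:` script, so the Actions runner splices the raw `workflow_dispatch` value into the shell before it executes; moving the value into a workflow-level `env:` does not change that, because the `${{ }}` form is expanded textually. This is the script-injection pattern GitHub's hardening guidance warns about (exposure is limited to people who can trigger the workflow, but it is still unneeded). Reference it as a shell variable instead, e.g. `docker pull "defectdojo/defectdojo-django:${release_version}-alpine"`, which the runner passes as data; the `ref:` and `DJANGO_VERSION`/`NGINX_VERSION` uses are not shell contexts and can stay as written.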
1 change: 1 addition & 0 deletions .github/workflows/pr-labeler.yml
@@ -18,3 +18,4 @@ jobs:
- uses: actions/labeler@v5
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
sync-labels: true
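Review bot: with `sync-labels: true`, actions/labeler also removes a label whenever the PR no longer touches files matching that label's rule, so a label of the same name that a maintainer applied by hand for another reason is stripped on the next run. If that is intended it is fine; otherwise keep labeler-managed label names distinct from hand-applied ones, or leave `sync-labels` off.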
2 changes: 1 addition & 1 deletion Dockerfile.integration-tests-debian
@@ -1,7 +1,7 @@

# code: language=Dockerfile

FROM openapitools/openapi-generator-cli:v7.2.0@sha256:9eab779faa2525b1474c4159ec335d913ee3cee00f641552a2305b0a4d7db8f7 as openapitools
FROM openapitools/openapi-generator-cli:v7.3.0@sha256:74b9992692c836e42a02980db4b76bee94e17075e4487cd80f5c540dd57126b9 as openapitools
FROM python:3.11.4-slim-bullseye@sha256:40319d0a897896e746edf877783ef39685d44e90e1e6de8d964d0382df0d4952 as build
WORKDIR /app
RUN \
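Review bot: keeping the `@sha256:` digest next to the `v7.3.0` tag is the right way to take this bump, since the tag alone is mutable; one style point on the unchanged context lines: `FROM ... as openapitools` and `as build` use lowercase `as` against uppercase `FROM`, which newer BuildKit lint flags (FromAsCasing); `AS` matches the convention.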
2 changes: 1 addition & 1 deletion Dockerfile.nginx-alpine
@@ -140,7 +140,7 @@ COPY manage.py ./
COPY dojo/ ./dojo/
RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true

FROM nginx:1.25.3-alpine@sha256:f2802c2a9d09c7aa3ace27445dfc5656ff24355da28e7b958074a0111e3fc076
FROM nginx:1.25.4-alpine@sha256:6a2f8b28e45c4adea04ec207a251fd4a2df03ddc930f782af51e315ebc76e9a9
ARG uid=1001
ARG appuser=defectdojo
COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
2 changes: 1 addition & 1 deletion Dockerfile.nginx-debian
@@ -75,7 +75,7 @@ COPY dojo/ ./dojo/

RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true

FROM nginx:1.25.3-alpine@sha256:f2802c2a9d09c7aa3ace27445dfc5656ff24355da28e7b958074a0111e3fc076
FROM nginx:1.25.4-alpine@sha256:6a2f8b28e45c4adea04ec207a251fd4a2df03ddc930f782af51e315ebc76e9a9
ARG uid=1001
ARG appuser=defectdojo
COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
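Review bot: this file is `Dockerfile.nginx-debian`, yet its final stage is `FROM nginx:1.25.4-alpine@sha256:6a2f8b28...`, the same Alpine image and digest as in `Dockerfile.nginx-alpine`. If the Debian flavour is meant to ship a Debian-based nginx, this bump just carries the mismatch forward and the base should be the `nginx:1.25.4` (Debian) image with its own digest; if the Alpine base is intentional for both flavours, a comment on this line would save the next reviewer from asking the same question.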
43 changes: 0 additions & 43 deletions NOTICE
@@ -3910,49 +3910,6 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


drf-yasg
1.20.0
BSD License
.. |br| raw:: html

<br />

#######
License
#######

********************
BSD 3-Clause License
********************

Copyright (c) 2017 - 2019, Cristian V. <[email protected]> |br|\ All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


ecdsa
0.17.0
MIT
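Review bot: dropping the drf-yasg 1.20.0 block from NOTICE is only correct if the package is also removed from the Python requirements in this same commit (the api-v2-docs.md change switches the documentation generator to drf-spectacular, which suggests it is); please confirm requirements.txt no longer lists drf-yasg, because NOTICE is meant to mirror the shipped third-party components, and a hand edit that runs ahead of the dependency change would leave a BSD-licensed package in the image without its required license text.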
4 changes: 2 additions & 2 deletions docker-compose.yml
Expand Up @@ -138,7 +138,7 @@ services:
volumes:
- defectdojo_data:/var/lib/mysql
postgres:
image: postgres:16.1-alpine@sha256:17eb369d9330fe7fbdb2f705418c18823d66322584c77c2b43cc0e1851d01de7
image: postgres:16.2-alpine@sha256:bbd7346fab25b7e0b25f214829d6ebfb78ef0465059492e46dee740ce8fcd844
profiles:
- postgres-rabbitmq
- postgres-redis
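Review bot: the postgres bump from `16.1-alpine` to `16.2-alpine` stays within major version 16, so the existing `defectdojo_postgres` volume can be reused without a dump and restore; the 2.32 upgrade notes in this commit do not mention the database image change, which is acceptable for a minor release, but a one-line mention helps operators who pin their own images and need to know no data migration is required.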
Expand All @@ -149,7 +149,7 @@ services:
volumes:
- defectdojo_postgres:/var/lib/postgresql/data
rabbitmq:
image: rabbitmq:3.12.12-alpine@sha256:fcd6a66524be55c15c81011dc87cc4b6e4405130fbb950c21ad1d31e8f6322dd
image: rabbitmq:3.12.13-alpine@sha256:9566fdabd43c946af6d3fe3b41f4237a8f3afb4aada499a9f3b41934cf40f761
profiles:
- mysql-rabbitmq
- postgres-rabbitmq
6 changes: 1 addition & 5 deletions docker/entrypoint-unit-tests-devDocker.sh
Expand Up @@ -51,13 +51,9 @@ EOF
python3 manage.py spectacular > /dev/null
}

echo "Swagger Schema Tests - Broken"
echo "------------------------------------------------------------"
python3 manage.py test unittests -v 3 --keepdb --no-input --tag broken && true

echo "Unit Tests"
echo "------------------------------------------------------------"
python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag broken
python3 manage.py test unittests -v 3 --keepdb --no-input

# you can select a single file to "test" unit tests
# python3 manage.py test unittests.tools.test_npm_audit_scan_parser.TestNpmAuditParser --keepdb -v 3
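Review bot: removing `--exclude-tag broken` from the `python3 manage.py test unittests -v 3 --keepdb --no-input` line means any test class still tagged `broken` now runs in the main invocation and fails the script, whereas the deleted block tolerated those failures with `&& true`; this is the right direction, but please confirm that no tests under `unittests/` still carry the `broken` tag, or the developer container run will start failing for reasons unrelated to the code under test.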
6 changes: 1 addition & 5 deletions docker/entrypoint-unit-tests.sh
Expand Up @@ -77,10 +77,6 @@ python3 manage.py migrate
# --parallel fails on GitHub Actions
#python3 manage.py test unittests -v 3 --no-input --parallel

echo "Swagger Schema Tests - Broken"
echo "------------------------------------------------------------"
python3 manage.py test unittests -v 3 --keepdb --no-input --tag broken && true

echo "Unit Tests"
echo "------------------------------------------------------------"
python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag broken
python3 manage.py test unittests -v 3 --keepdb --no-input
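Review bot: this is the same edit as in docker/entrypoint-unit-tests-devDocker.sh, and both scripts now carry the identical `python3 manage.py test unittests -v 3 --keepdb --no-input` line maintained by hand; consider moving the test invocation into one shared snippet sourced by both entrypoints so that future flag changes (for example re-enabling the commented-out `--parallel` once it works on GitHub Actions) cannot drift between the CI image and the developer image.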
9 changes: 8 additions & 1 deletion docs/content/en/getting_started/upgrading/2.32.md
Expand Up @@ -2,6 +2,13 @@
title: 'Upgrading to DefectDojo Version 2.32.x'
toc_hide: true
weight: -20240205
description: No special instructions.
description: Breaking change: Removal of OpenAPI 2.0 Swagger
---
There are no special instructions for upgrading to 2.32.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.32.0) for the contents of the release.

**Removal**

The OpenAPI 2.0 Swagger API documentation was removed in favor of the existing
OpenAPI 3.0 API documentation page.

*Note*: The API has not changed in any way and behaves the same between OAPI2 and OAPI3
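Review bot: the front matter now reads `description: Breaking change: Removal of OpenAPI 2.0 Swagger`, but the first body line still says "There are no special instructions for upgrading to 2.32.x", which contradicts it; reword that line to point at the removal described below. The closing note also needs tightening: the API itself is unchanged, but any tooling that fetches the OpenAPI 2.0 (Swagger) spec or loads its UI will break, so state explicitly which URLs disappear and that clients should switch to the OpenAPI 3 documentation at `/api/v2/oa3/swagger-ui/`.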
7 changes: 2 additions & 5 deletions docs/content/en/integrations/api-v2-docs.md
Expand Up @@ -16,11 +16,8 @@ Docs link on the user drop down menu in the header.

![image](../../images/api_v2_1.png)

The documentation is generated using [Django Rest Framework
Yet Another Swagger Generator](https://github.com/axnsan12/drf-yasg/), and is
interactive. On the top of API v2 docs is a link that generates an OpenAPI v2 spec.

As a preparation to move to OpenAPIv3, we have added an compatible spec and documentation at [`/api/v2/oa3/swagger-ui/`](https://demo.defectdojo.org/api/v2/oa3/swagger-ui/)
The documentation is generated using [drf-spectacular](https://drf-spectacular.readthedocs.io/) at [`/api/v2/oa3/swagger-ui/`](https://demo.defectdojo.org/api/v2/oa3/swagger-ui/), and is
interactive. On the top of API v2 docs is a link that generates an OpenAPI v3 spec.

To interact with the documentation, a valid Authorization header value
is needed. Visit the `/api/key-v2` view to generate your
3 changes: 2 additions & 1 deletion docs/content/en/integrations/google-sheets-sync.md
Expand Up @@ -5,6 +5,7 @@ draft: false
weight: 7
---

**Please note - the Google Sheets feature has been deprecated as of DefectDojo version 2.21.0 - these documents are for reference only.**

With the Google Sheets sync feature, DefectDojo allow the users to
export all the finding details of each test into a separate Google
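Review bot: the deprecation banner is useful, but "deprecated as of DefectDojo version 2.21.0" does not tell the reader whether the feature still works; if the sync code and its settings are still present, say so and note that they are scheduled for removal, and if they have already been removed, say that this page is kept for historical reference only so nobody tries to follow the setup steps below.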
Expand Down Expand Up @@ -112,4 +113,4 @@ If a Google Spreadsheet is already created for the Test:
After creating a Google Spreadsheet, users can review and edit Finding
details using the Google Sheet. If any change is done in the Google
Sheet users can click the **Sync Google Sheet** button to get those
changes into DefectDojo.
changes into DefectDojo.
87 changes: 9 additions & 78 deletions docs/content/en/integrations/parsers/file/awssecurityhub.md
Expand Up @@ -3,86 +3,17 @@ title: "AWS Security Hub"
toc_hide: true
---
### File Types
DefectDojo parser accepts a .json file.
This DefectDojo parser accepts JSON files from AWS Security Hub. The JSON reports can be created from the [AWS Security Hub CLI](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-findings.html) using the following command: `aws securityhub get-findings`.

JSON reports can be created from the [AWS Security Hub CLI](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-findings.html) using the following command: `aws securityhub get-findings`.
AWS Security Hub integrates with multiple AWS Tools. Thus, you can retrieve findings from various AWS sources through AWS Security Hub. This parser is able to handle the following findings retrieved over AWS Security Hub:
- AWS Security Hub Compliance Checks
- AWS Security Hub GuardDuty
- AWS Security Hub Inspector

### Acceptable JSON Format
Parser expects a .json file, with an array of Findings contained within a single JSON object. All properties are strings and are required by the parser.

~~~
{
"findings": [
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.5",
"AwsAccountId": "012345678912",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
],
"FirstObservedAt": "2020-06-08T14:33:07.560Z",
"LastObservedAt": "2020-06-14T21:02:53.940Z",
"CreatedAt": "2020-06-08T14:33:07.560Z",
"UpdatedAt": "2020-06-14T21:02:53.454Z",
"Severity": {
"Product": 0,
"Label": "INFORMATIONAL",
"Normalized": 0,
"Original": "INFORMATIONAL"
},
"Title": "IAM.5 MFA should be enabled for all IAM users that have console password",
"Description": "This AWS control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.",
"Remediation": {
"Recommendation": {
"Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0",
"ControlId": "IAM.5",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation",
"RelatedAWSResources:0/name": "securityhub-mfa-enabled-for-iam-console-access-9ae73a2f",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-1:012345678912:control/aws-foundational-security-best-practices/v/1.0.0/IAM.5",
"aws/securityhub/SeverityLabel": "INFORMATIONAL",
"aws/securityhub/ProductName": "Security Hub",
"aws/securityhub/CompanyName": "AWS",
"aws/securityhub/annotation": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1"
},
"Resources": [
{
"Type": "AwsAccount",
"Id": "AWS::::Account:012345678912",
"Partition": "aws",
"Region": "us-east-1"
}
],
"Compliance": {
"Status": "PASSED",
"StatusReasons": [
{
"ReasonCode": "CONFIG_EVALUATIONS_EMPTY",
"Description": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."
}
]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE"
},
...
]
}
~~~
### Example Commands to retrieve JSON output
- AWS Security Hub Compliance Checks: <br>`aws securityhub get-findings --filters ComplianceStatus="[{Comparison=EQUALS,Value=FAILED}]" | jq "." > output.json`
- AWS Security Hub GuardDuty: <br>`aws securityhub get-findings --filters ProductName="[{Value=GuardDuty,Comparison=EQUALS}]" | jq "." > output.json`
- AWS Security Hub Inspector: <br>`aws securityhub get-findings --filters ProductName="[{Value=Inspector,Comparison=EQUALS}]" | jq "." > output.json`

### Sample Scan Data
Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/awssecurityhub).
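Review bot: the rewrite deletes the whole "Acceptable JSON Format" section, so the page no longer says what envelope the parser expects; keep at least a short statement that the file is the raw `aws securityhub get-findings` output, i.e. a single JSON object whose top-level `findings` key holds an array of Security Hub findings, because users who export findings by other means (the console, EventBridge) will otherwise have no way to tell why an import is rejected. It is also worth saying explicitly that the compliance-check command filters on `ComplianceStatus="[{Comparison=EQUALS,Value=FAILED}]"` on purpose, so PASSED controls are never imported.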
11 changes: 11 additions & 0 deletions docs/content/en/integrations/parsers/file/burp_dastardly.md
@@ -0,0 +1,11 @@
---
title: "Burp Dastardly"
toc_hide: true
---
### File Types
DefectDojo parser accepts Burp Dastardly Scans as an XML output.

Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline. It is designed specifically for web developers, and checks your application for seven security issues that are likely to interest you during software development. Dastardly is based on the same scanner as Burp Suite (Burp Scanner).

### Sample Scan Data
Sample Burp Dastardly scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/burp_dastardly).
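Review bot: "accepts Burp Dastardly Scans as an XML output" is ambiguous about which XML artifact is meant; state the exact report format Dastardly must be told to produce and the file it writes, otherwise users will upload the wrong artifact and get an unhelpful parser error. The middle paragraph is vendor marketing copy and could be shortened to the one fact that matters here, that Dastardly uses the Burp Scanner engine, so its findings map onto the same issue types as Burp Suite imports.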
2 changes: 1 addition & 1 deletion docs/content/en/integrations/parsers/file/clair.md
Expand Up @@ -2,7 +2,7 @@
title: "Clair Scan"
toc_hide: true
---
Import JSON reports of Docker image vulnerabilities.
You can import JSON reports of Docker image vulnerabilities found by a Clair scan or the Clair Klar client.

### Sample Scan Data
Sample Clair Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/clair).
9 changes: 0 additions & 9 deletions docs/content/en/integrations/parsers/file/clair_klar.md

This file was deleted.
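Review bot: deleting docs/content/en/integrations/parsers/file/clair_klar.md will break existing links and bookmarks to that page; since clair.md now states that it covers the Clair Klar client as well, add a redirect from the old path (the front matter here is Hugo-style, so an `aliases:` entry on clair.md would do it, if the docs site supports aliases) or at least check the parser index and sidebar for references to the removed page.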

12 changes: 5 additions & 7 deletions docs/content/en/integrations/parsers/file/wfuzz.md
Expand Up @@ -8,13 +8,11 @@ The return code matching are directly put in Severity as follow(this is hardcode

HTTP Return Code | Severity
-----------------|---------
200 | High
302 | Low
401 | Medium
403 | Medium
404 | Medium
407 | Medium
500 | Low
missing | Low
200 - 299 | High
300 - 399 | Low
400 - 499 | Medium
>= 500 | Low
### Sample Scan Data
Sample Wfuzz JSON importer scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/wfuzz).
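Review bot: the new range table drops the `missing | Low` row, so the page no longer says what severity a result with no return code gets; either keep that row or state the default. The ranges also widen behaviour for real inputs (a 201 or 301 response that previously matched nothing now lands in High or Low), and since the text above the table says the mapping is hardcoded, the parser code must have changed in step, so please confirm the two agree. Finally, `### Sample Scan Data` follows the last table row with no blank line, which some Markdown renderers fold into the table; add a blank line after `>= 500 | Low`.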
12 changes: 12 additions & 0 deletions docs/content/en/usage/features.md
Expand Up @@ -557,6 +557,9 @@ Product Type Counts

![Product Type Counts](../../images/met_2.png)

Product Tag Counts
: Same as above, but for a group of products sharing a tag.

Simple Metrics
: Provides tabular data for all Product Types. The data displayed in
this view is the total number of S0, S1, S2, S3, S4, Opened This
Expand Down Expand Up @@ -671,3 +674,12 @@ feedback.internal.google.com (endpoint) -> [ team:human resources, public_facing
Endpoint Meta Importer can be found in the Endpoint tab when viewing a Product

**Note:** The field "hostname" is required as it is used to query/create endpoints.

## Findings Image Upload

You can add images (.png, .jpeg, .gif) to your findings. In order to achieve this, you have to click on "Manage Files" within the finding:
![Manage Files](../../images/findings_manage_files.png)
There, you can upload a png file to attach it to a finding:
![Upload PNG File](../../images/file_upload.png)
The following picture shows the result:
![Result PNG File in finding](../../images/uploaded_png_to_finding.png)
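Review bot: the section says images can be `.png`, `.jpeg` or `.gif`, but the walkthrough then says "upload a png file", so readers may assume PNG is the only accepted type; say "an image file" instead. The three `![...]` image lines also sit directly under their sentences with no blank line in between, so text and images will render as one run-on paragraph; put a blank line around each image, matching the style used above for `![Product Type Counts]`.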