Release: Merge release into master from: release/2.54.2 #14130
Conversation
….55.0-dev Release: Merge back 2.54.1 into bugfix from: master-into-bugfix/2.54.1-2.55.0-dev
- Remove asteval from requirements.txt as it's not used in the codebase
- Remove asteval license notice from NOTICE file
- No Python code imports or uses asteval
…tests (#14080)
* Update AssetSerializer fields to allow null values and set defaults
* Refactor authorization functions to use type hints for better clarity and maintainability
* Enhance permission checks to support multiple primary key attributes in post requests
* Refactor check_post_permission to use list type for post_pk parameter
* Refactor Organization serializers to handle default values for critical and key assets, and update OrganizationViewSet to use OrganizationFilterSet for filtering.
* Refactor API tests to include asset and organization endpoints, enhancing coverage for asset-related functionalities.
* Refactor permission classes to use asset and organization-specific permissions, enhancing clarity and maintainability.
* Add blank line before UserHasOrganizationGroupPermission class for improved readability
…#14068)
- Add explicit 'Report Builder' submenu item under Reports menu for better UX
- Improve form validation error messages to show which specific fields are missing
- Fix trailing whitespace in Finding Groups menu item
…code duplication (#14081)
…erializer selection (#14090)
* Enforce readonly name field for existing Test_Type instances in form
* Add TestTypeCreateSerializer and enforce readonly name field in TestTypeSerializer
* Add dynamic serializer selection in TestTypesViewSet for create action
* Update test payload to set 'active' field instead of 'name'
* Update TestTypeTest payload to use 'name' and modify update_fields to 'active'
* Add test to verify 'name' field is read-only in TestType
* 💄 Refactor ssl_labs json file
* more
…use in report disclaimers (#14098)
…t-grouped Import/Reimport: Push to jira when findings are not grouped
* Add additional fields to AssetSerializer for business criticality, platform, lifecycle, and origin
* Correct some filters too
…#14124) Fixes #14118
This commit fixes multiple bugs related to MIME type handling in file downloads:
1. Fixed tuple-as-string bug where mimetypes.guess_type() was used directly in f-strings, resulting in invalid Content-Type headers like "('image/png', None)" instead of "image/png"
2. Added fallback to "application/octet-stream" when MIME type cannot be determined (when guess_type returns None)
3. Fixed incorrect content type for JSON exports (was "json" instead of "application/json")
4. Fixed potential AttributeError crash in inline_image template tag when guess_type returns None and code attempted to call .startswith() on None
Files changed:
- dojo/api_v2/views.py: Risk acceptance file download (API endpoint)
- dojo/utils.py: Generic file response helper function
- dojo/finding/views.py: Finding image downloads and JSON template export
- dojo/engagement/views.py: Risk acceptance proof downloads
- dojo/templatetags/display_tags.py: Inline image template tag
All file downloads now properly set Content-Type headers with appropriate fallbacks for unknown file types.
* commit hash footer: disable in production mode
* memory leak: fix bleach usage
* simplify git commit hash check
* improve git commit detection
* cleanup
* prettify sample scan files
* prettify sample scan files
* tags from parser: fix parsers, add tests and fallback
* fix tag merge
* comments
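The three MIME-type defects described in the #14124 commit message above (the `('image/png', None)` tuple interpolated into a header, the missing `application/octet-stream` fallback, and `.startswith()` called on `None`), shown side by side with a hardened version. This is an added example, not DefectDojo's code: the function names, the header dictionary and the sample filenames are hypothetical; only the standard-library `mimetypes` module the commit refers to is real. The media-type check at the end goes a little beyond the commit, since it catches a bare `"json"` and the stringified tuple with one rule a test suite can apply to every download response.

```python
"""Content-Type handling for file downloads: the buggy pattern beside a
hardened one. Added example, not DefectDojo's own code; names below are
hypothetical and chosen for illustration."""
import mimetypes
import re
from typing import Dict, Optional

OCTET_STREAM = "application/octet-stream"

# RFC 6838 shape: token "/" token. Anything else is not a usable media type.
_MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


def buggy_content_type(filename: str) -> str:
    # Reproduces the tuple-as-string bug: guess_type() returns a
    # (type, encoding) tuple, so interpolating it yields a string such as
    # "('image/png', None)", which no browser accepts as a Content-Type.
    return f"{mimetypes.guess_type(filename)}"


def safe_content_type(filename: str) -> str:
    # Unpack only the type element and fall back to octet-stream when the
    # extension is unknown, i.e. when guess_type() returns (None, None).
    guessed, _encoding = mimetypes.guess_type(filename)
    return guessed or OCTET_STREAM


def is_image(filename: str) -> bool:
    # Guard against .startswith() on None, the AttributeError the commit
    # describes in the inline_image template tag for unknown extensions.
    guessed, _encoding = mimetypes.guess_type(filename)
    return bool(guessed) and guessed.startswith("image/")


def is_valid_media_type(content_type: str) -> bool:
    # A check a test suite can run over every download response: rejects a
    # bare "json" (no slash) and the stringified tuple (parentheses, quotes,
    # a space), accepts "application/json" or "image/svg+xml".
    return _MEDIA_TYPE_RE.match(content_type) is not None


def download_headers(filename: str, explicit_type: Optional[str] = None) -> Dict[str, str]:
    # Headers for a file download (hypothetical helper). An explicit type,
    # such as "application/json" for a JSON export, wins over the guess.
    # X-Content-Type-Options: nosniff matters most on the octet-stream
    # fallback path: it stops browsers from sniffing user-uploaded proof
    # files (risk-acceptance attachments) into HTML or script.
    content_type = explicit_type or safe_content_type(filename)
    if not is_valid_media_type(content_type):
        raise ValueError(f"refusing to emit malformed Content-Type {content_type!r}")
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }
```

`safe_content_type` and `is_image` are the two lines the commit actually changed in spirit; `download_headers` shows where the JSON-export override and the `nosniff` caveat belong, and `is_valid_media_type` is the regression check that would have caught both the `"json"` literal and the tuple string before they shipped.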
🔴 Risk threshold exceeded. This pull request modifies sensitive importer files (dojo/importers/base_importer.py, dojo/importers/default_importer.py, and dojo/importers/default_reimporter.py), and the scanner flagged these edits as sensitive; you can configure sensitive paths and allowed authors in .dryrunsecurity.yaml if these changes are expected.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release triggered by
rossops