Release: Merge back 2.54.2 into dev from: master-into-dev/2.54.2-2.55.0-dev #14133
Conversation
….55.0-dev Release: Merge back 2.54.1 into bugfix from: master-into-bugfix/2.54.1-2.55.0-dev

- Remove asteval from requirements.txt as it's not used in the codebase
- Remove asteval license notice from NOTICE file
- No Python code imports or uses asteval

…tests (#14080)
* Update AssetSerializer fields to allow null values and set defaults
* Refactor authorization functions to use type hints for better clarity and maintainability
* Enhance permission checks to support multiple primary key attributes in post requests
* Refactor check_post_permission to use list type for post_pk parameter
* Refactor Organization serializers to handle default values for critical and key assets, and update OrganizationViewSet to use OrganizationFilterSet for filtering.
* Refactor API tests to include asset and organization endpoints, enhancing coverage for asset-related functionalities.
* Refactor permission classes to use asset and organization-specific permissions, enhancing clarity and maintainability.
* Add blank line before UserHasOrganizationGroupPermission class for improved readability

…#14068)
- Add explicit 'Report Builder' submenu item under Reports menu for better UX
- Improve form validation error messages to show which specific fields are missing
- Fix trailing whitespace in Finding Groups menu item

…code duplication (#14081)

…erializer selection (#14090)
* Enforce readonly name field for existing Test_Type instances in form
* Add TestTypeCreateSerializer and enforce readonly name field in TestTypeSerializer
* Add dynamic serializer selection in TestTypesViewSet for create action
* Update test payload to set 'active' field instead of 'name'
* Update TestTypeTest payload to use 'name' and modify update_fields to 'active'
* Add test to verify 'name' field is read-only in TestType

* 💄 Refactor ssl_labs json file
* more

…use in report disclaimers (#14098)

…t-grouped Import/Reimport: Push to jira when findings are not grouped

* Add additional fields to AssetSerializer for business criticality, platform, lifecycle, and origin
* Correct some filters too

…#14124) Fixes #14118
This commit fixes multiple bugs related to MIME type handling in file downloads:
1. Fixed tuple-as-string bug where mimetypes.guess_type() was used directly in f-strings, resulting in invalid Content-Type headers like "('image/png', None)" instead of "image/png"
2. Added fallback to "application/octet-stream" when MIME type cannot be determined (when guess_type returns None)
3. Fixed incorrect content type for JSON exports (was "json" instead of "application/json")
4. Fixed potential AttributeError crash in inline_image template tag when guess_type returns None and code attempted to call .startswith() on None
Files changed:
- dojo/api_v2/views.py: Risk acceptance file download (API endpoint)
- dojo/utils.py: Generic file response helper function
- dojo/finding/views.py: Finding image downloads and JSON template export
- dojo/engagement/views.py: Risk acceptance proof downloads
- dojo/templatetags/display_tags.py: Inline image template tag
All file downloads now properly set Content-Type headers with appropriate fallbacks for unknown file types.

* commit hash footer: disable in production mode
* memory leak: fix bleach usage
* simplify git commit hash check
* improve git commit detection
* cleanup

* prettify sample scan files
* prettify sample scan files

* tags from parser: fix parsers, add tests and fallback
* fix tag merge
* comments

Release: Merge release into master from: release/2.54.2
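The three MIME-type pitfalls described in the #14124 commit message above (tuple interpolated into the header, no fallback for an unknown extension, `.startswith` on `None`), shown side by side with a corrected helper. This is an added illustration written for this page, not DefectDojo's own `utils.py` helper; the function names, the sample filenames and the extra `X-Content-Type-Options: nosniff` header are assumptions of the example, not part of the commit.

```python
import mimetypes

# Constructed sample filenames: a known image type, an extension mimetypes
# does not know, and a JSON export.
SAMPLE_FILES = ["screenshot.png", "proof.unknownext", "findings_export.json"]


def buggy_content_type(filename: str) -> str:
    """The tuple-as-string mistake: guess_type() returns (type, encoding), and
    interpolating that tuple into an f-string yields an invalid header value
    such as "('image/png', None)" instead of "image/png"."""
    return f"{mimetypes.guess_type(filename)}"


def content_type_for(filename: str, default: str = "application/octet-stream") -> str:
    """Unpack the tuple and fall back to a generic binary type when the
    extension is unknown, where guess_type() returns (None, None)."""
    guessed, _encoding = mimetypes.guess_type(filename)
    return guessed or default


def is_image(filename: str) -> bool:
    """Guarded inline-image check: never call .startswith() on None."""
    guessed, _encoding = mimetypes.guess_type(filename)
    return guessed is not None and guessed.startswith("image/")


def download_headers(filename: str, *, json_export: bool = False) -> dict:
    """Response headers for a file download (assumed helper name).
    A JSON export is served as application/json rather than the bare string
    "json"; every other file gets the guessed type or the octet-stream
    fallback. X-Content-Type-Options is an addition beyond the commit: it
    stops browsers from sniffing past the declared type."""
    content_type = "application/json" if json_export else content_type_for(filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(f"{name}: buggy={buggy_content_type(name)!r} fixed={content_type_for(name)!r} image={is_image(name)}")
```

`mimetypes.guess_type` consults the platform's mime tables, so for an unusual extension the fallback branch is what protects the header; a download with no `Content-Type` or a malformed one is exactly the case where browsers start guessing.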
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
🔴 Risk threshold exceeded. This pull request modifies many sensitive templates, auth, importer, API, and utility files (e.g., dojo/templates/, templatetags, api_v2/, authorization, importers/*, utils.py, views, forms) and flags a logic flaw in both default_importer.py and default_reimporter.py where a per-finding push_to_jira flag is overwritten across a batch, causing incorrect/omitted Jira synchronization for findings. Reviewers should verify the sensitive-path changes and fix the batching logic so push_to_jira is handled per-finding (or properly aggregated) before invoking batched post-processing.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in the following files
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for each of these files. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |

- dojo/templates/dojo/finding_pdf_report.html
- dojo/templates/dojo/product_endpoint_pdf_report.html
- dojo/templates/dojo/product_pdf_report.html
- dojo/templates/dojo/product_type_pdf_report.html
- dojo/templates/dojo/report_builder.html
- dojo/templates/dojo/test_pdf_report.html
- dojo/templatetags/announcement_banner_tags.py
- dojo/templatetags/display_tags.py
- dojo/templatetags/get_banner.py
- dojo/utils.py
- dojo/importers/base_importer.py
- dojo/importers/default_importer.py
- dojo/importers/default_reimporter.py
- dojo/api_v2/permissions.py
- dojo/api_v2/serializers.py
- dojo/api_v2/views.py
- dojo/authorization/authorization.py
- dojo/engagement/views.py
- dojo/finding/views.py
- dojo/forms.py
- dojo/notes/views.py
- dojo/templates/base.html
- dojo/templates/dojo/custom_html_report.html
- dojo/templates/dojo/endpoint_pdf_report.html
Logic Flaw in Batched Jira Synchronization in dojo/importers/default_importer.py
| Vulnerability | Logic Flaw in Batched Jira Synchronization |
|---|---|
| Description | The push_to_jira flag is recalculated and overwritten for each finding within the import loop. However, this flag is only used when a batch of findings is dispatched for post-processing. Because the variable is overwritten in each iteration, the value passed to the batch processing function is solely determined by the grouping status of the last finding in that batch. If the last finding is added to a group (which sets push_to_jira to False for that finding to avoid individual sync), all findings in the entire batch—including those that were not grouped and should have been synced individually—will not be pushed to Jira. This leads to findings being missing from Jira, undermining the core vulnerability management workflow. |
django-DefectDojo/dojo/importers/default_importer.py, lines 253 to 256 in 8ba30c5:

```python
push_to_jira = self.push_to_jira and ((not self.findings_groups_enabled or not self.group_by) or not finding_will_be_grouped)
logger.debug("process_findings: computed push_to_jira=%s", push_to_jira)
batch_finding_ids.append(finding.id)
```
Logic Flaw in Batched Jira Synchronization (Reimporter) in dojo/importers/default_reimporter.py
| Vulnerability | Logic Flaw in Batched Jira Synchronization (Reimporter) |
|---|---|
| Description | In the process_findings method of the reimporter, the push_to_jira flag is recalculated for each finding within a loop. However, this flag is used to trigger a batched post-processing task (post_process_findings_batch) that applies to all findings accumulated in the current batch (default size 1000). Because the variable push_to_jira is overwritten in each iteration, only the value calculated for the last finding in the batch (or the last finding in the report) is used for the entire batch. If findings in a batch have different grouping statuses (some grouped, some not), this leads to inconsistent JIRA synchronization: findings that should be pushed may be skipped, or findings that are already part of a group may be pushed individually, causing duplicates. |
django-DefectDojo/dojo/importers/default_reimporter.py, lines 396 to 399 in 8ba30c5:

```python
push_to_jira = self.push_to_jira and ((not self.findings_groups_enabled or not self.group_by) or not finding_will_be_grouped)
batch_finding_ids.append(finding.id)
# Post-processing batches (deduplication, rules, etc.) are separate from matching batches.
```
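The batching flaw reported above for both default_importer.py and default_reimporter.py, reduced to a runnable model so the two failure modes (grouped last finding suppresses the whole batch; ungrouped last finding pushes grouped findings as duplicates) can be observed directly. This is an added example written for this page, not DefectDojo's importer code: `compute_push_flag` mirrors the quoted expression, while `Finding`, `post_process_batch`, `post_process_batch_per_finding` and the sample findings are assumed stand-ins for the real batch task and models.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """Minimal stand-in for a finding: only what the flag computation needs."""
    id: int
    will_be_grouped: bool


# Constructed sample: five findings from one report. Findings 3 and 5 land in a
# finding group; 1, 2 and 4 do not and should be pushed to Jira individually.
SAMPLE_FINDINGS = [
    Finding(1, False),
    Finding(2, False),
    Finding(3, True),
    Finding(4, False),
    Finding(5, True),
]


def compute_push_flag(push_to_jira: bool, groups_enabled: bool,
                      group_by: Optional[str], finding_will_be_grouped: bool) -> bool:
    """Same shape as the expression quoted in the review: push the finding on
    its own unless grouping is active and this finding ends up in a group."""
    return push_to_jira and ((not groups_enabled or not group_by) or not finding_will_be_grouped)


def post_process_batch(finding_ids: List[int], push_to_jira: bool) -> List[int]:
    """Stand-in for a batched post-processing task that takes ONE flag for the
    whole batch (assumed signature). Returns the ids it would push to Jira."""
    return list(finding_ids) if push_to_jira else []


def process_last_wins(findings: List[Finding], batch_size: int, *, push_to_jira: bool = True,
                      groups_enabled: bool = True, group_by: Optional[str] = "component_name") -> List[int]:
    """The flawed pattern: the flag is recomputed per finding but only read when
    the batch is dispatched, so the last finding's value decides for everyone."""
    pushed: List[int] = []
    batch_ids: List[int] = []
    push_flag = False
    for finding in findings:
        push_flag = compute_push_flag(push_to_jira, groups_enabled, group_by, finding.will_be_grouped)
        batch_ids.append(finding.id)
        if len(batch_ids) >= batch_size:
            pushed.extend(post_process_batch(batch_ids, push_flag))
            batch_ids = []
    if batch_ids:  # trailing partial batch
        pushed.extend(post_process_batch(batch_ids, push_flag))
    return pushed


def post_process_batch_per_finding(batch: List[Tuple[int, bool]]) -> List[int]:
    """Stand-in for a batch task that receives the decision per finding."""
    return [finding_id for finding_id, flag in batch if flag]


def process_per_finding(findings: List[Finding], batch_size: int, *, push_to_jira: bool = True,
                        groups_enabled: bool = True, group_by: Optional[str] = "component_name") -> List[int]:
    """Corrected pattern: carry each finding's own flag into the batch, so the
    result does not depend on batch boundaries or report order."""
    pushed: List[int] = []
    batch: List[Tuple[int, bool]] = []
    for finding in findings:
        flag = compute_push_flag(push_to_jira, groups_enabled, group_by, finding.will_be_grouped)
        batch.append((finding.id, flag))
        if len(batch) >= batch_size:
            pushed.extend(post_process_batch_per_finding(batch))
            batch = []
    if batch:
        pushed.extend(post_process_batch_per_finding(batch))
    return pushed


if __name__ == "__main__":
    # One batch of 1000 (the default size named in the review): nothing is
    # pushed, because finding 5, the last one, is grouped.
    print("last-wins, batch 1000:", process_last_wins(SAMPLE_FINDINGS, 1000))
    # Batches of two: 1-4 are pushed, including grouped finding 3 (a duplicate
    # of its group's issue), while ungrouped findings after a grouped one are lost.
    print("last-wins, batch 2:   ", process_last_wins(SAMPLE_FINDINGS, 2))
    # Per-finding handling gives the same answer for any batch size.
    print("per-finding, any size:", process_per_finding(SAMPLE_FINDINGS, 1000))
```

The aggregation alternative the summary mentions (passing a single batch-level flag) only works if it is computed as `any()` over the batch and the batch task then re-checks group membership per finding; otherwise the duplicate-push case returns. Carrying the per-finding decision into the batch avoids both problems.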
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release triggered by rossops