Release: Merge back 2.54.2 into dev from: master-into-dev/2.54.2-2.55.0-dev

docs/content/supported_tools/parsers/file/cloudflare_insights.md

@@ -3,7 +3,7 @@ title: "Cloudflare Insights"
 toc_hide: true
 ---
 
-Import Cloudflare Insights findings using the **CSV export** provided by Cloudflare.
+Import Cloudflare Insights findings using the **CSV export** or via api the **JSON output** provided by Cloudflare.
 
 ### Sample Scan Data
 Sample Cloudflare Insights files can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/cloudflare_insights).

dojo/__init__.py

@@ -5,5 +5,5 @@
 from .celery import app as celery_app  # noqa: F401
 
 __version__ = "2.55.0-dev"
-__url__ = "https://github.com/DefectDojo/django-DefectDojo"
-__docs__ = "https://documentation.defectdojo.com"
+__url__ = "https://github.com/DefectDojo/django-DefectDojo"  # noqa: RUF067
+__docs__ = "https://documentation.defectdojo.com"  # noqa: RUF067

dojo/api_v2/permissions.py

@@ -1,12 +1,14 @@
 import re
 
+from django.db.models import Model
 from django.shortcuts import get_object_or_404
 from rest_framework import permissions, serializers
 from rest_framework.exceptions import (
     ParseError,
     PermissionDenied,
     ValidationError,
 )
+from rest_framework.request import Request
 
 from dojo.authorization.authorization import (
     user_has_configuration_permission,
@@ -29,7 +31,7 @@
 )
 
 
-def check_post_permission(request, post_model, post_pk, post_permission):
+def check_post_permission(request: Request, post_model: Model, post_pk: str | list[str], post_permission: int) -> bool:
     if request.method == "POST":
         if request.data.get(post_pk) is None:
             msg = f"Unable to check for permissions: Attribute '{post_pk}' is required"
@@ -40,13 +42,13 @@ def check_post_permission(request, post_model, post_pk, post_permission):
 
 
 def check_object_permission(
-    request,
-    obj,
-    get_permission,
-    put_permission,
-    delete_permission,
-    post_permission=None,
-):
+    request: Request,
+    obj: Model,
+    get_permission: int,
+    put_permission: int,
+    delete_permission: int,
+    post_permission: int | None = None,
+) -> bool:
     if request.method == "GET":
         return user_has_permission(request.user, obj, get_permission)
     if request.method in {"PUT", "PATCH"}:
@@ -507,6 +509,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
+            Permissions.Product_Type_Add_Product,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_View,
+            Permissions.Product_Edit,
+            Permissions.Product_Delete,
+        )
+
+
 class UserHasProductMemberPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -523,6 +544,22 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetMemberPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Product, "asset", Permissions.Product_Manage_Members,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_View,
+            Permissions.Product_Manage_Members,
+            Permissions.Product_Member_Delete,
+        )
+
+
 class UserHasProductGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -539,6 +576,22 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetGroupPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request, Product, "asset", Permissions.Product_Group_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Group_View,
+            Permissions.Product_Group_Edit,
+            Permissions.Product_Group_Delete,
+        )
+
+
 class UserHasProductTypePermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.method == "POST":
@@ -557,6 +610,24 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method == "POST":
+            return user_has_global_permission(
+                request.user, Permissions.Product_Type_Add,
+            )
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Edit,
+            Permissions.Product_Type_Delete,
+        )
+
+
 class UserHasProductTypeMemberPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -576,6 +647,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationMemberPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
+            Permissions.Product_Type_Manage_Members,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_View,
+            Permissions.Product_Type_Manage_Members,
+            Permissions.Product_Type_Member_Delete,
+        )
+
+
 class UserHasProductTypeGroupPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         return check_post_permission(
@@ -595,6 +685,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasOrganizationGroupPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product_Type,
+            "organization",
+            Permissions.Product_Type_Group_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_Type_Group_View,
+            Permissions.Product_Type_Group_Edit,
+            Permissions.Product_Type_Group_Delete,
+        )
+
+
 class UserHasReimportPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         # permission check takes place before validation, so we don't have access to serializer.validated_data()
@@ -739,6 +848,25 @@ def has_object_permission(self, request, view, obj):
         )
 
 
+class UserHasAssetAPIScanConfigurationPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        return check_post_permission(
+            request,
+            Product,
+            "asset",
+            Permissions.Product_API_Scan_Configuration_Add,
+        )
+
+    def has_object_permission(self, request, view, obj):
+        return check_object_permission(
+            request,
+            obj,
+            Permissions.Product_API_Scan_Configuration_View,
+            Permissions.Product_API_Scan_Configuration_Edit,
+            Permissions.Product_API_Scan_Configuration_Delete,
+        )
+
+
 class UserHasJiraProductPermission(permissions.BasePermission):
     def has_permission(self, request, view):
         if request.method == "POST":

dojo/api_v2/serializers.py

@@ -1472,8 +1472,15 @@ class Meta:
         exclude = ("inherited_tags",)
 
 
+class TestTypeCreateSerializer(serializers.ModelSerializer):
+
+    class Meta:
+        model = Test_Type
+        exclude = ("dynamically_generated",)
+
+
 class TestTypeSerializer(serializers.ModelSerializer):
-    tags = TagListSerializerField(required=False)
+    name = serializers.ReadOnlyField()
 
     class Meta:
         model = Test_Type

dojo/api_v2/views.py

@@ -751,7 +751,7 @@ def download_proof(self, request, pk=None):
         # send file
         response = FileResponse(
             file_handle,
-            content_type=f"{mimetypes.guess_type(str(file_path))}",
+            content_type=mimetypes.guess_type(str(file_path))[0] or "application/octet-stream",
             status=status.HTTP_200_OK,
         )
         response["Content-Length"] = file_object.size
@@ -2263,6 +2263,11 @@ class TestTypesViewSet(
     def get_queryset(self):
         return Test_Type.objects.all().order_by("id")
 
+    def get_serializer_class(self):
+        if self.action == "create":
+            return serializers.TestTypeCreateSerializer
+        return serializers.TestTypeSerializer
+
 
 # @extend_schema_view(**schema_with_prefetch())
 # Nested models with prefetch make the response schema too long for Swagger UI

dojo/asset/api/filters.py

@@ -8,12 +8,13 @@
     CharFieldInFilter,
     DateRangeFilter,
     DojoFilter,
+    MultipleChoiceFilter,
     NumberInFilter,
     ProductSLAFilter,
-    custom_filter,
 )
 from dojo.labels import get_labels
 from dojo.models import (
+    Product,
     Product_API_Scan_Configuration,
     Product_Group,
     Product_Member,
@@ -38,18 +39,18 @@ class ApiAssetFilter(DojoFilter):
     name = CharFilter(lookup_expr="icontains")
     name_exact = CharFilter(field_name="name", lookup_expr="iexact")
     description = CharFilter(lookup_expr="icontains")
-    business_criticality = CharFilter(method=custom_filter, field_name="business_criticality")
-    platform = CharFilter(method=custom_filter, field_name="platform")
-    lifecycle = CharFilter(method=custom_filter, field_name="lifecycle")
-    origin = CharFilter(method=custom_filter, field_name="origin")
+    business_criticality = MultipleChoiceFilter(choices=Product.BUSINESS_CRITICALITY_CHOICES)
+    platform = MultipleChoiceFilter(choices=Product.PLATFORM_CHOICES)
+    lifecycle = MultipleChoiceFilter(choices=Product.LIFECYCLE_CHOICES)
+    origin = MultipleChoiceFilter(choices=Product.ORIGIN_CHOICES)
     # NumberInFilter
     id = NumberInFilter(field_name="id", lookup_expr="in")
     asset_manager = NumberInFilter(field_name="product_manager", lookup_expr="in")
     technical_contact = NumberInFilter(field_name="technical_contact", lookup_expr="in")
     team_manager = NumberInFilter(field_name="team_manager", lookup_expr="in")
-    prod_type = NumberInFilter(field_name="prod_type", lookup_expr="in")
+    organization = NumberInFilter(field_name="prod_type", lookup_expr="in")
     tid = NumberInFilter(field_name="tid", lookup_expr="in")
-    prod_numeric_grade = NumberInFilter(field_name="prod_numeric_grade", lookup_expr="in")
+    asset_numeric_grade = NumberInFilter(field_name="prod_numeric_grade", lookup_expr="in")
     user_records = NumberInFilter(field_name="user_records", lookup_expr="in")
     regulations = NumberInFilter(field_name="regulations", lookup_expr="in")
 
@@ -80,7 +81,7 @@ class ApiAssetFilter(DojoFilter):
             ("tid", "tid"),
             ("name", "name"),
             ("created", "created"),
-            ("prod_numeric_grade", "prod_numeric_grade"),
+            ("prod_numeric_grade", "asset_numeric_grade"),
             ("business_criticality", "business_criticality"),
             ("platform", "platform"),
             ("lifecycle", "lifecycle"),
@@ -97,8 +98,8 @@ class ApiAssetFilter(DojoFilter):
             ("team_manager", "team_manager"),
             ("team_manager__first_name", "team_manager__first_name"),
             ("team_manager__last_name", "team_manager__last_name"),
-            ("prod_type", "prod_type"),
-            ("prod_type__name", "prod_type__name"),
+            ("prod_type", "organization"),
+            ("prod_type__name", "organization__name"),
             ("updated", "updated"),
             ("user_records", "user_records"),
         ),

dojo/asset/api/serializers.py

@@ -37,11 +37,17 @@ class AssetSerializer(serializers.ModelSerializer):
     # V3 fields
     asset_meta = ProductMetaSerializer(source="product_meta", read_only=True, many=True)
     organization = RelatedOrganizationField(source="prod_type")
-    asset_numeric_grade = serializers.IntegerField(source="prod_numeric_grade")
-    enable_asset_tag_inheritance = serializers.BooleanField(source="enable_product_tag_inheritance")
+    asset_numeric_grade = serializers.IntegerField(source="prod_numeric_grade", required=False, allow_null=True)
+    enable_asset_tag_inheritance = serializers.BooleanField(source="enable_product_tag_inheritance", required=False, default=False)
     asset_managers = serializers.PrimaryKeyRelatedField(
         source="product_manager",
-        queryset=Dojo_User.objects.exclude(is_active=False))
+        queryset=Dojo_User.objects.exclude(is_active=False),
+        required=False, allow_null=True,
+    )
+    business_criticality = serializers.ChoiceField(choices=Product.BUSINESS_CRITICALITY_CHOICES, allow_blank=True, allow_null=True, required=False)
+    platform = serializers.ChoiceField(choices=Product.PLATFORM_CHOICES, allow_blank=True, allow_null=True, required=False)
+    lifecycle = serializers.ChoiceField(choices=Product.LIFECYCLE_CHOICES, allow_blank=True, allow_null=True, required=False)
+    origin = serializers.ChoiceField(choices=Product.ORIGIN_CHOICES, allow_blank=True, allow_null=True, required=False)
 
     class Meta:
         model = Product

dojo/asset/api/views.py

@@ -43,7 +43,7 @@ class AssetAPIScanConfigurationViewSet(
     filterset_class = AssetAPIScanConfigurationFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductAPIScanConfigurationPermission,
+        permissions.UserHasAssetAPIScanConfigurationPermission,
     )
 
     def get_queryset(self):
@@ -68,7 +68,7 @@ class AssetViewSet(
     filterset_class = ApiAssetFilter
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductPermission,
+        permissions.UserHasAssetPermission,
     )
 
     def get_queryset(self):
@@ -138,7 +138,7 @@ class AssetMemberViewSet(
     filterset_class = AssetMemberFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductMemberPermission,
+        permissions.UserHasAssetMemberPermission,
     )
 
     def get_queryset(self):
@@ -166,7 +166,7 @@ class AssetGroupViewSet(
     filterset_class = AssetGroupFilterSet
     permission_classes = (
         IsAuthenticated,
-        permissions.UserHasProductGroupPermission,
+        permissions.UserHasAssetGroupPermission,
     )
 
     def get_queryset(self):