Merge pull request #11478 from DefectDojo/master-into-dev/2.41.4-2.42…

….0-dev Release: Merge back 2.41.4 into dev from: master-into-dev/2.41.4-2.42.0-dev
DefectDojo · Dec 30, 2024 · c67e81f · c67e81f
2 parents 7e656ed + 7ae7a8c
commit c67e81f
Show file tree

Hide file tree

Showing 9 changed files with 38 additions and 3 deletions.
diff --git a/docs/config/_default/menus/menus.en.toml b/docs/config/_default/menus/menus.en.toml
@@ -3,6 +3,11 @@
   url = "/en/about_defectdojo/about_docs/"
   weight = 10
 
+  [[main]]
+  name = "Changelog"
+  url = "/en/changelog/changelog/"
+  weight = 11
+
 [[social]]
   name = "X"
   pre = '<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-brand-x" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z" fill="none"></path><path d="M4 4l11.733 16h4.267l-11.733 -16z"></path><path d="M4 20l6.768 -6.768m2.46 -2.46l6.772 -6.772"></path></svg>'

diff --git a/docs/content/en/changelog/changelog.md b/docs/content/en/changelog/changelog.md
@@ -7,6 +7,16 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide).
 
+## Dec 24, 2024: v2.41.3
+
+- **(API)** Added `/request_response_pairs` endpoint.
+- **(Beta UI)** When sorting by Severity, Findings will now be ordered by **severity level** rather than alphabetically.
+- **(Beta UI)** On the Findings table, the Endpoint Hosts column has been replaced with a numerical count of affected Endpoints.
+- **(Beta UI)** On the Findings table, the Vulnerability ID field can now be filtered with "starts_with", "ends_with" filters.
+- **(Beta UI)** Added Edit Test Type form: you can now edit the properties of a custom Test Type to determine if it is Active or Inactive, or a Static Scan or Dynamic Scan Test.
+- **(Beta UI)** Same Tool Deduplication Settings / Test Type field is now searchable.
+- **(Tools)** Qualys HackerGuardian now uses hashcode against "title", "severity", "description" for deduplication.
+- **(Tools)** Horusec scan now uses hashcode against "title", "description", "file_path", and "line" for deduplication.
 
 ## Dec 16, 2024: v2.41.2
 

diff --git a/docs/content/en/connecting_your_tools/parsers/generic_findings_import.md b/docs/content/en/connecting_your_tools/parsers/generic_findings_import.md
@@ -11,6 +11,8 @@ These attributes are supported for CSV:
 - Date: Date of the finding in mm/dd/yyyy format.
 - Title: Title of the finding
 - CweId: Cwe identifier, must be an integer value.
+- epss_score: The probability of exploitation in the next 30 days, must be a float value between 0 and 1.0.
+- epss_percentile: The proportion of all scored vulnerabilities with the same or a lower EPSS score, must be a float value between 0 and 1.0.
 - Url: Url associated with the finding.
 - Severity: Severity of the finding. Must be one of Info, Low, Medium, High, or Critical.
 - Description: Description of the finding. Can be multiple lines if enclosed in double quotes.

diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -2129,10 +2129,10 @@ class CommonImportScanSerializer(serializers.Serializer):
         help_text="Minimum severity level to be imported",
     )
     active = serializers.BooleanField(
-        help_text="Override the active setting from the tool.",
+        help_text="Force findings to be active/inactive or default to the original tool (None)", required=False,
     )
     verified = serializers.BooleanField(
-        help_text="Override the verified setting from the tool.",
+        help_text="Force findings to be verified/not verified or default to the original tool (None)", required=False,
     )
 
     # TODO: why do we allow only existing endpoints?

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1777,6 +1777,7 @@ def saml2_attrib_map_format(dict):
     "GLSA": "https://security.gentoo.org/",  # e.g. https://security.gentoo.org/glsa/202409-32
     "RLSA": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RLSA-2024:7001
     "RLBA": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RLBA-2024:6968
+    "CGA": "https://images.chainguard.dev/security/",  # e.g. https://images.chainguard.dev/security/CGA-24pq-h5fw-43v3
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
 FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES")

diff --git a/dojo/tools/generic/csv_parser.py b/dojo/tools/generic/csv_parser.py
@@ -66,6 +66,12 @@ def _get_findings_csv(self, filename):
             if "CweId" in row:
                 finding.cwe = int(row["CweId"])
 
+            if "epss_score" in row:
+                finding.epss_score = float(row["epss_score"])
+
+            if "epss_percentile" in row:
+                finding.epss_percentile = float(row["epss_percentile"])
+
             if "CVSSV3" in row:
                 cvss_objects = cvss_parser.parse_cvss_from_text(row["CVSSV3"])
                 if len(cvss_objects) > 0:

diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.42.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.166-dev
+version: 1.6.167-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap

diff --git a/unittests/scans/generic/generic_csv_with_epss.csv b/unittests/scans/generic/generic_csv_with_epss.csv
@@ -0,0 +1,2 @@
+Date,Title,CweId,epss_score,epss_percentile, Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive,Duplicate
+01/30/2018,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",0,.00042,.23474,https://192.168.1.1/,Low,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",,,,False,False,False,False
diff --git a/unittests/tools/test_generic_parser.py b/unittests/tools/test_generic_parser.py
@@ -649,3 +649,12 @@ def test_parse_json_invalid_finding(self):
             with self.assertRaisesMessage(ValueError,
                     "Not allowed fields are present: ['invalid_field', 'last_status_update']"):
                 parser.get_findings(file, Test())
+
+    def test_parse_csv_with_epss(self):
+        with open("unittests/scans/generic/generic_csv_with_epss.csv", encoding="utf-8") as file:
+            parser = GenericParser()
+            findings = parser.get_findings(file, self.test)
+            self.assertEqual(1, len(findings))
+            finding = findings[0]
+            self.assertEqual(.00042, finding.epss_score)
+            self.assertEqual(.23474, finding.epss_percentile)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Date,Title,CweId,epss_score,epss_percentile, Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive,Duplicate
		01/30/2018,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",0,.00042,.23474,https://192.168.1.1/,Low,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",,,,False,False,False,False