From 2d0a68ab0a870cef0cef716086e327598d6dac64 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 23 Dec 2024 16:22:18 +0000
Subject: [PATCH 1/7] Update versions in application files

---
 components/package.json | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/components/package.json b/components/package.json
index 6ff5bff877e..febe451775d 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.41.3",
+ "version": "2.42.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 4d63b24192b..4b1d62f3fef 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.41.3"
+appVersion: "2.42.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.165
+version: 1.6.166-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap
From 8a215b29d6e61a5fc0af9958edc277d108390dfb Mon Sep 17 00:00:00 2001
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Fri, 27 Dec 2024 18:15:01 +0100
Subject: [PATCH 2/7] :tada: added CGA vulnid (#11441)

---
 dojo/settings/settings.dist.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 6022f1704cd..06ec60e9202 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1776,6 +1776,7 @@ def saml2_attrib_map_format(dict):
 "CWE": "https://cwe.mitre.org/data/definitions/&&.html", # e.g. https://cwe.mitre.org/data/definitions/79.html
 "RLSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RLSA-2024:7001
 "RLBA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RLBA-2024:6968
+ "CGA": "https://images.chainguard.dev/security/", # e.g. https://images.chainguard.dev/security/CGA-24pq-h5fw-43v3
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
 FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES")
From cd04d7ee1a77676024147c6acd24095622829fe3 Mon Sep 17 00:00:00 2001
From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com>
Date: Fri, 27 Dec 2024 11:15:15 -0600
Subject: [PATCH 3/7] Add EPSS score and percentile to generic csv parser (#11449)

* add epss to generic csv with test

* updated documentation

* Update docs/content/en/connecting_your_tools/parsers/generic_findings_import.md

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>

---------

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 .../parsers/generic_findings_import.md | 2 ++
 dojo/tools/generic/csv_parser.py | 6 ++++++
 unittests/scans/generic/generic_csv_with_epss.csv | 2 ++
 unittests/tools/test_generic_parser.py | 9 +++++++++
 4 files changed, 19 insertions(+)
 create mode 100644 unittests/scans/generic/generic_csv_with_epss.csv

diff --git a/docs/content/en/connecting_your_tools/parsers/generic_findings_import.md b/docs/content/en/connecting_your_tools/parsers/generic_findings_import.md
index fa65af9d2d5..a4395118e0e 100644
--- a/docs/content/en/connecting_your_tools/parsers/generic_findings_import.md
+++ b/docs/content/en/connecting_your_tools/parsers/generic_findings_import.md
@@ -11,6 +11,8 @@ These attributes are supported for CSV:
 - Date: Date of the finding in mm/dd/yyyy format.
 - Title: Title of the finding
 - CweId: Cwe identifier, must be an integer value.
+- epss_score: The probability of exploitation in the next 30 days, must be a float value between 0 and 1.0.
+- epss_percentile: The proportion of all scored vulnerabilities with the same or a lower EPSS score, must be a float value between 0 and 1.0.
 - Url: Url associated with the finding.
 - Severity: Severity of the finding. Must be one of Info, Low, Medium, High, or Critical.
 - Description: Description of the finding. Can be multiple lines if enclosed in double quotes.
diff --git a/dojo/tools/generic/csv_parser.py b/dojo/tools/generic/csv_parser.py
index 4e8acb461d9..9c11133ff59 100644
--- a/dojo/tools/generic/csv_parser.py
+++ b/dojo/tools/generic/csv_parser.py
@@ -66,6 +66,12 @@ def _get_findings_csv(self, filename):
 if "CweId" in row:
 finding.cwe = int(row["CweId"])
+ if "epss_score" in row:
+ finding.epss_score = float(row["epss_score"])
+
+ if "epss_percentile" in row:
+ finding.epss_percentile = float(row["epss_percentile"])
+
 if "CVSSV3" in row:
 cvss_objects = cvss_parser.parse_cvss_from_text(row["CVSSV3"])
 if len(cvss_objects) > 0:
diff --git a/unittests/scans/generic/generic_csv_with_epss.csv b/unittests/scans/generic/generic_csv_with_epss.csv
new file mode 100644
index 00000000000..f3be723380c
--- /dev/null
+++ b/unittests/scans/generic/generic_csv_with_epss.csv
@@ -0,0 +1,2 @@
+Date,Title,CweId,epss_score,epss_percentile, Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive,Duplicate
+01/30/2018,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",0,.00042,.23474,https://192.168.1.1/,Low,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",,,,False,False,False,False
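Review bot: The two new branches assign `float(row["epss_score"])` / `float(row["epss_percentile"])` unchecked, so a blank cell in either column raises ValueError and aborts the whole import, and values outside the 0–1.0 range the documentation in this same patch promises (or `nan`/`inf`, which `float()` happily accepts) are stored on the finding as-is. Since the two fields have identical rules, one loop that skips empty cells and validates the range is safer than two bare conversions; whether the surrounding code already traps ValueError is not visible here. `_get_findings_csv` starts and ends outside this hunk.
```python
# … unchanged: CweId handling …
for epss_attr in ("epss_score", "epss_percentile"):
    raw = (row.get(epss_attr) or "").strip()
    if not raw:
        continue  # blank cell: leave the field unset instead of raising
    value = float(raw)
    if not 0.0 <= value <= 1.0:  # also rejects nan/inf
        msg = f"{epss_attr} must be between 0 and 1.0, got {raw!r}"
        raise ValueError(msg)
    setattr(finding, epss_attr, value)
# … unchanged: CVSSV3 handling …
```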
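Review bot: The header cell ` Url` in the new fixture carries a leading space, so a `csv.DictReader` keys that column as `" Url"` and the parser's `Url` lookup will not see it unless header names are stripped somewhere not visible in this patch; the accompanying test still passes only because it asserts the EPSS fields alone. Changing the header to `epss_score,epss_percentile,Url,Severity,...` makes the fixture exercise the column it appears to. The EPSS cells written as `.00042` / `.23474` without a leading zero are accepted by `float()`, so that part is fine.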
diff --git a/unittests/tools/test_generic_parser.py b/unittests/tools/test_generic_parser.py
index bbd8d6e7ed2..b7fce8efed0 100644
--- a/unittests/tools/test_generic_parser.py
+++ b/unittests/tools/test_generic_parser.py
@@ -649,3 +649,12 @@ def test_parse_json_invalid_finding(self):
 with self.assertRaisesMessage(ValueError, "Not allowed fields are present: ['invalid_field', 'last_status_update']"):
 parser.get_findings(file, Test())
+
+ def test_parse_csv_with_epss(self):
+ with open("unittests/scans/generic/generic_csv_with_epss.csv", encoding="utf-8") as file:
+ parser = GenericParser()
+ findings = parser.get_findings(file, self.test)
+ self.assertEqual(1, len(findings))
+ finding = findings[0]
+ self.assertEqual(.00042, finding.epss_score)
+ self.assertEqual(.23474, finding.epss_percentile)
From 15b3b5a33207b02ad6f9614c76e3d2bad923f9b8 Mon Sep 17 00:00:00 2001
From: Harold Blankenship <36673698+hblankenship@users.noreply.github.com>
Date: Fri, 27 Dec 2024 13:57:38 -0600
Subject: [PATCH 4/7] Allow None Option for Active/Verified on Import/Reimport to Mirror UI Options (#11447)

* Allow for None for Verified and Active (just like the UI)

* update help text too
---
 dojo/api_v2/serializers.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index 5cdc2db4d88..9ee4ce457a6 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -2087,10 +2087,10 @@ class CommonImportScanSerializer(serializers.Serializer):
 help_text="Minimum severity level to be imported",
 )
 active = serializers.BooleanField(
- help_text="Override the active setting from the tool.",
+ help_text="Force findings to be active/inactive or default to the original tool (None)",
 required=False,
 )
 verified = serializers.BooleanField(
- help_text="Override the verified setting from the tool.",
+ help_text="Force findings to be verified/not verified or default to the original tool (None)",
 required=False,
 )
 # TODO: why do we allow only existing endpoints?
From 0a93d5ac78a4252d9850015f7adefdc2c1639e32 Mon Sep 17 00:00:00 2001
From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
Date: Fri, 27 Dec 2024 12:58:26 -0700
Subject: [PATCH 5/7] update changelog, add changelog menu to header (#11465)

Co-authored-by: Paul Osinski
---
 docs/config/_default/menus/menus.en.toml | 5 +++++
 docs/content/en/changelog/changelog.md | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/docs/config/_default/menus/menus.en.toml b/docs/config/_default/menus/menus.en.toml
index 421f875a28a..410c2f28373 100644
--- a/docs/config/_default/menus/menus.en.toml
+++ b/docs/config/_default/menus/menus.en.toml
@@ -3,6 +3,11 @@
 url = "/en/about_defectdojo/about_docs/"
 weight = 10
+ [[main]]
+ name = "Changelog"
+ url = "/en/changelog/changelog/"
+ weight = 11
+
 [[social]]
 name = "X"
 pre = ''
diff --git a/docs/content/en/changelog/changelog.md b/docs/content/en/changelog/changelog.md
index e92ec689612..c3fcabef775 100644
--- a/docs/content/en/changelog/changelog.md
+++ b/docs/content/en/changelog/changelog.md
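Review bot: The new help text promises a "(None)" option, but both fields are still declared as `serializers.BooleanField(..., required=False)` with no `allow_null`, and DRF's BooleanField defaults to `allow_null=False`, so a client that sends `"active": null` explicitly gets "This field may not be null." — only omitting the key yields None. Either add `allow_null=True` to both declarations so the documented null actually round-trips through the API, or reword the help text to say the key must be omitted to defer to the tool; leaving the two out of sync will generate support questions. I have not checked whether the importer downstream treats an explicit None and an absent key the same way, so confirm that before choosing. `CommonImportScanSerializer` continues on both sides of this hunk.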
@@ -7,6 +7,16 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide).
+## Dec 24, 2024: v2.41.3
+
+- **(API)** Added `/request_response_pairs` endpoint.
+- **(Beta UI)** When sorting by Severity, Findings will now be ordered by **severity level** rather than alphabetically.
+- **(Beta UI)** On the Findings table, the Endpoint Hosts column has been replaced with a numerical count of affected Endpoints.
+- **(Beta UI)** On the Findings table, the Vulnerability ID field can now be filtered with "starts_with", "ends_with" filters.
+- **(Beta UI)** Added Edit Test Type form: you can now edit the properties of a custom Test Type to determine if it is Active or Inactive, or a Static Scan or Dynamic Scan Test.
+- **(Beta UI)** Same Tool Deduplication Settings / Test Type field is now searchable.
+- **(Tools)** Qualys HackerGuardian now uses hashcode against "title", "severity", "description" for deduplication.
+- **(Tools)** Horusec scan now uses hashcode against "title", "description", "file_path", and "line" for deduplication.
 ## Dec 16, 2024: v2.41.2
From 40a0dba6386cfc7edeba5741d00c3c85043b9419 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 30 Dec 2024 15:32:09 +0000
Subject: [PATCH 6/7] Update versions in application files

---
 components/package.json | 2 +-
 dojo/__init__.py | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/components/package.json b/components/package.json
index febe451775d..e037cef0533 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.42.0-dev",
+ "version": "2.41.4",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/dojo/__init__.py b/dojo/__init__.py
index d6ab484dc20..5b3feec85aa 100644
--- a/dojo/__init__.py
+++ b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app # noqa: F401
-__version__ = "2.41.3"
+__version__ = "2.41.4"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 4b1d62f3fef..d6c561dc9a9 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.42.0-dev"
+appVersion: "2.41.4"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.166-dev
+version: 1.6.166
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap
From b91ae3e3c501adee875e3de9f797e0f96f6f2c51 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 30 Dec 2024 15:57:25 +0000
Subject: [PATCH 7/7] Update versions in application files

---
 components/package.json | 2 +-
 dojo/__init__.py | 2 +-
 helm/defectdojo/Chart.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/components/package.json b/components/package.json
index e037cef0533..febe451775d 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.41.4",
+ "version": "2.42.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/dojo/__init__.py b/dojo/__init__.py
index 5b3feec85aa..033e2fc2894 100644
--- a/dojo/__init__.py
+++ b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app # noqa: F401
-__version__ = "2.41.4"
+__version__ = "2.42.0-dev"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index d6c561dc9a9..e9713e02252 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.41.4"
+appVersion: "2.42.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.166
+version: 1.6.167-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
 - name: madchap