
Add pro release notes for 2.41.4 #11483

Merged (2 commits) Jan 2, 2025

Conversation

paulOsinski (Contributor):

Release notes for DefectDojo Pro 2.41.4:

  • (API) Changed functionality of 'Force To Active / Verified' flag: True now forces to Active, while False will keep the tool's status (rather than forcing to Inactive).
  • (Beta UI) Added ability to regenerate / copy your API token
  • (Beta UI) Fixed bug preventing date / planned remediation dates from being added via Bulk Edit
  • (Import) Added fields for EPSS score and percentile to Generic Findings Import parser

@github-actions github-actions bot added the docs label Dec 31, 2024

dryrunsecurity bot commented Dec 31, 2024

DryRun Security Summary

The pull request updates the DefectDojo Pro changelog with API modifications, Beta UI improvements, and Generic Findings Import parser enhancements, while also highlighting potential security considerations related to the 'Force To Active / Verified' flag and the new /request_response_pairs endpoint.


Summary:

The code changes in this pull request primarily focus on updating the changelog for the DefectDojo Pro (Cloud Version) application. The key changes include API updates, Beta UI improvements, and changes to the Generic Findings Import parser.

From an application security perspective, the changes to the 'Force To Active / Verified' flag in the API endpoints are worth noting. This flag is used to control the initial status of findings imported into the system, and the change to make this flag optional could potentially lead to security issues if users are not careful about the default status they choose for imported findings. The application security team should ensure that all findings are properly triaged and marked as active or inactive based on their risk level.

Additionally, the new /request_response_pairs endpoint could be used to retrieve sensitive information if not properly secured and access-controlled. The application security team should review the implementation of this endpoint to ensure that it does not expose any sensitive data.

Files Changed:

  • docs/content/en/changelog/changelog.md: This file has been updated to reflect the following changes:
    1. API Changes:
      • The 'Force To Active / Verified' flag is no longer required when calling the /import-scan and /reimport-scan endpoints.
      • A new /request_response_pairs endpoint has been added.
    2. Beta UI Changes:
      • Added the ability to regenerate/copy the API token.
      • Fixed a bug preventing date/planned remediation dates from being added via Bulk Edit.
    3. Import Changes:
      • Added fields for EPSS score and percentile to the Generic Findings Import parser.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.


@mtesauro mtesauro (Contributor) left a comment:

Approved

@paulOsinski paulOsinski changed the title add pro release notes for 2.41.4 Add pro release notes for 2.41.4 Dec 31, 2024
@Maffooch Maffooch merged commit abd1e7f into DefectDojo:master Jan 2, 2025
72 of 73 checks passed
farsheedify pushed a commit to farsheedify/django-DefectDojo that referenced this pull request Jan 3, 2025
* add release notes for 2.41.4

* Update changelog.md

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
@paulOsinski paulOsinski deleted the 2.41.4-notes branch January 14, 2025 19:51