Respect scan_date at import time for all findings imported #5547

Merged
merged 13 commits into from
Dec 7, 2021

Contributor

@Maffooch Maffooch commented Dec 4, 2021

I noticed that the scan_date field in the importer is not respected when setting the date of a finding.
This PR sets the date of all findings imported to the date specified at import time, but only if the user changes it from the default. Default behavior of setting the finding date to "today" is maintained.

For example, here are some scenarios of how this PR affects the date of a finding:

  1. The parser does not set the date, and scan date is not specified at import
    Finding date will be the default value of scan date (time of import)
  2. The parser sets the date, and the scan date is not specified at import
    Finding date will be whatever the parser sets
  3. The parser does not set the date, and the scan date is specified at import
    Finding date will be whatever the user specified for scan date
  4. The parser sets the date, and the scan date is specified at import
    Finding date will be whatever the user specified for scan date

The bottom line is whatever the user specifies for the scan date is respected for all findings imported. If the scan date is left at default, or not specified at all, the parser will need to set the date, or the date of the finding will be set to the default (import time).


@@ -91,6 +91,10 @@ def process_parsed_findings(self, test, parsed_findings, scan_type, user, active
item.active = active
if item.verified:
item.verified = verified
# Only set date value of the test if they were NOT set by the parser
# scan_date is set to both target_start and target_end in the creat_test function
if item.date:
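
Review bot: The closing `if item.date:` tests the opposite of what the comment two lines above it promises ("Only set date value ... if they were NOT set by the parser"): as written, the branch is entered when a date is present. Invert the check or reword the comment so the two agree. The comment also says "date value of the test" while the code works on the finding (`item`), and `creat_test` is misspelled.
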
Contributor

Unfortunately this doesn't work:

  • When the parser sets a date explicitly, item.date is true and it will be overwritten with test.target_start. This is not what we want.
  • When the parser doesn't set a date, the model sets current_date as a default

So basically the date is set here, but you don't know why. I thought about a logic comparing the dates, but couldn't find one that works, as long as there is the default in the model.

Contributor Author

I did not think the date would actually be present until the finding was saved (and the default date would be applied)

Do you think it would be good to set to

if not item.date:
    item.date = test.target_date

Contributor

I tried that, it doesn't work as well, because the model has set the date to current date as a default already. It would work when we remove the default, but then we might get other side effects.

Contributor Author

I've got a quick idea that is a bit more fleshed out. Will commit it and ping you

Contributor

I am afraid we need more test cases:

  • Parser sets date explicitly
  • Import sets date different from today

Contributor Author

The import scan_date should overwrite the date the parser recorded. It is the user taking it into their hands to change it, so the findings should record as such.

I am not sure about re-import as I feel its primary use is for automated imports as well as keeping an up to date view of what's vulnerable.

The main motivation for this PR is because when importing older reports, the date of the test was often far further in the future than the findings themselves. I do not think many would be re-importing older scan reports.

Contributor

I am really open about it. @valentijnscholten and @damiencarol, you know import and reimport the best, what do you think?

Member

@valentijnscholten valentijnscholten Dec 4, 2021

I think the idea of this PR is good, but we need some test cases (haven't checked if there are any). We want to make sure it fully works as expected. Otherwise it gets confusing, for example what we saw with the active/verified being overwritten or not by the parsers or importers. I think during reimport the date of the finding was already set during the initial import, so probably no need to add logic there.

I haven't checked the code, but could it work to remove the default from the field and only set a default in save() as safeguard? That way the if not item.date could work.

Contributor Author

There is a very basic test (just showing that the date at import time does overwrite the default date), but the scan that is used in tests (zap) does not set the date on the report level, so I would need to test with another scanner (I was using Acunetix from the unit tests when I wrote this)

Sounds like leaving re-import alone is the move though.

Contributor

For example, here are some scenarios of how this PR affects the date of a finding:

  • The parser does not set the date, and scan date is not specified at import
    Finding date will be the default value of scan date (time of import)
  • The parser sets the date, and the scan date is not specified at import
    Finding date will be whatever the parser sets
  • The parser does not set the date, and the scan date is specified at import
    Finding date will be whatever the user specified for scan date
  • The parser sets the date, and the scan date is specified at import
    Finding date will be whatever the user specified for scan date

I fully agree.

Specifically this comment:

The import scan_date should overwrite the date the parser recorded. It is the user taking it into their hands to change it, so the findings should record as such.

It's why I think this PR is good. More control to the user and a way to override the data of the parser OR let the parser do the job and use the data as-is.

Also:

I think the idea of this PR is good, but we need some test cases (haven't checked if there are any). We want to make sure it fully works as expected. Otherwise it gets confusing, for example what we saw with the active/verified being overwritten or not by the parsers or importers. I think during reimport the date of the finding was already set during the initial import, so probably no need to add logic there.

I think @valentijnscholten is right. To make this PR work we need to be good on the unit tests part. We must have the 4 cases covered.

I haven't checked the code, but could it work to remove the default from the field and only set a default in save() as safeguard? That way the if not item.date could work.

Same here, I haven't checked the code but I expect that the save() logic is changed to allow the logic described in the PR description.

Also, @Maffooch it could be good to make it clear in the documentation how we handle the date. Could you add a part in the documentation that clearly states the 1/2/3/4 cases? Thanks.

@Maffooch
Contributor Author

Maffooch commented Dec 4, 2021

@StefanFl unit tests will fail here (the one I made), but think the logic is sound now and ready for some more test coverage

@github-actions
Contributor

github-actions bot commented Dec 6, 2021

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Contributor

github-actions bot commented Dec 6, 2021

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch added this to the 2.5.0 milestone Dec 6, 2021
Contributor

@mtesauro mtesauro left a comment

Approved

Comment on lines 105 to 116
if item.date == now_date:
# Parser did not set the date, so it is the default value
if target_start_date != now_date:
# Import scan_date was set, and the parser has not overwritten it
logger.debug('Parser did not set date, import override it ' + str(target_start_date) + ' : ' + str(now_date))
item.date = test.target_start
else:
# The parser has set the date already
if target_start_date != now_date:
# The date set by import scan_date should overwrite scan report date
logger.debug('Parser set date, import override it ' + str(target_start_date) + ' : ' + str(now_date))
item.date = test.target_start
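
Review bot: Both branches of `if item.date == now_date:` end in the same guarded assignment (`if target_start_date != now_date:` followed by `item.date = test.target_start`), so the outer test changes nothing except the log text. Collapse it to a single `if target_start_date != now_date:` block. In the else branch the debug line prints `target_start_date` and `now_date` but not `item.date`, which is the parser value being replaced and the one worth logging before the overwrite. The comment "Parser did not set the date, so it is the default value" is also stated as fact, although `item.date == now_date` is equally true for a report whose own date is today. Passing the values as logger arguments (`logger.debug('... %s : %s', target_start_date, now_date)`) would avoid building the string when debug logging is off.
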
Member

The if and else parts seem to do the identical thing, except logging a different message?

The PR description says:

This PR sets the date of all findings imported to the date set at import time, but only if the parser fails to do so.

But the code seems to overwrite the date set by the parser in all cases? Looks like the unit tests check for that as well?

Not sure about how others use the scan_date, but I would expect that a date set by the parser will always be respected and not overwritten. So the scan_date is only used if the parser doesn't set a date, like the PR description mentions.

Contributor Author

I will change the PR description to be more descriptive, but no, the date is not overwritten in all cases. This is outlined in the unit tests created in this PR.

The motivation for this change is due to a scan being completed on a given date (say 01/01/2005) and then imported to dojo at a later date. Regardless of setting the scan_date variable, the date of the findings will not change from those imported in the scan report. If the scan report does not specify the date, the date of the finding will always be the default date (the time of import) regardless of what value is specified in the scan_date.

The default date given to a test (and all findings) is the date of import. This is true in a number of cases:

  • the scan_date field is not supplied at all (API)
  • The scan_date is auto populated, and the user does not change it (UI)

The only way for a finding to have a date other than the date contained in the scan report (if the scanner even supplies it) or the default date (generated at import time) is to manually set the date for every single finding imported.

Comment on lines 472 to 476
if scan_date is not None:
payload['scan_date'] = scan_date
else:
payload['scan_date'] = str(datetime.date.today())
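
Review bot: The else branch fills in `str(datetime.date.today())` whenever `scan_date` is None, so this helper can never send a request that omits `scan_date`, and the test code carries its own copy of the default. Drop the else branch so `payload['scan_date']` is set only when a value is passed, and add a case that calls the helper with `scan_date=None` to cover the omitted-field path. `datetime.date.today()` is also the test host's local date, which adds one more place where a day boundary can make expected and actual dates differ.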

Member

I think we should also test for the scenario where scan_date is None, what used to be the default in the test cases. Not sure how anybody else uses the scan_date, but I always leave it as None because it will get defaulted to today by the serializer. If we make the change proposed here, we have defaults set in two places, if one of them changes it might lead to confusing results or missed scenarios in the tests.

Contributor Author

I cannot think of a possible scenario when the scan date could be None. It will always have a value because there are defaults set. The default in the test cases was actually the date 2020-06-04. I can set it to actually be None (so it relies on the default) in the test case, but I think having a default in two places (not in general, but specifically one in code, and one in test) is a good thing. If someone tries to change the default in the code, the unit tests will fail. This is a good thing as it will be easier to catch someone making big changes.

Your use of the scan_date is the common use case. Leaving it as None (not specifying it at all) will not affect the date of the findings at all whether they were set by the parser, or set by the default value. This is reflected in the code as well.

Member

Still I think it would be better to have the unit test reflect what most users are doing, not sending a scan_date. It won't change what happens today, the tests will still pass.

@valentijnscholten
Member

The import scan_date should overwrite the date the parser recorded. It is the user taking it into their hands to change it, so the findings should record as such.

I am not sure I agree. The field is mandatory in the UI and mandatory (defaulted to today) in API. So if it's always used to overwrite any date set by the parser, the user will have no way to actually use the date set by the parser. When importing a scan the user (or the cicd script) doesn't always know when the scan was performed, so it can't always set the scan_date correctly. So it would be better to have the parser set it.

Either way, the PR description differs from the PR implementation at the moment.

Member

@valentijnscholten valentijnscholten left a comment

Don't want to nag, but I really think we should give this some second thought. For example reports from AWS or other cloud security scans usually contain findings with different "first found" dates. This PR now overwrites all of them with the date chosen by the user or the api script (or today if no date is provided in the API).
I don't think that is what we want, or am I misreading the code?

I think we have similar case to the active/verified handling of overwriting. The user has no choice between "overwrite always" or "use this as a default when the parser can't figure it out".

@Maffooch
Contributor Author

Maffooch commented Dec 6, 2021

I will update the PR description to better describe the implementation

So if it's always used to overwrite any date set by the parser, the user will have no way to actually use the date set by the parser.

This is not true. Please see the unit tests that outline all possible use cases of where a findings date can come from.

When importing a scan the user (or the cicd script) doesn't always know when the scan was performed, so it can't always set the scan_date correctly. So it would be better to have the parser set it.

Since the scan_date field is not mandatory when using the API, a CI/CD script can simply not set the scan_date (and it will default to the time of import), and the finding date will either come from the scan report, or the default value.

For example reports from AWS or other cloud security scans usually contain findings with different "first found" dates. This PR now overwrites all of them with the date chosen by the user or the api script (or today if no date is provided in the API).

Half of this is correct. The dates will be overwritten by the user if they specify the scan_date. Since it is not mandatory, users can not use it. The default generated date will not overwrite a date that was taken from the scan report (see the two unit tests on this)

I don't think that is what we want, or am I misreading the code?

You are misreading the code. Please deploy this and test by hand. I found that the Acunetix scans used in the unit tests have a date from the report, and the ZAP scans used in the unit tests do not specify a date in the report.

@valentijnscholten
Member

valentijnscholten commented Dec 7, 2021

Ok, I don't have the time to analyze all the possible code paths here so have to assume it does what it does. I am wondering though what happens when an import starts at 5 minutes before midnight and runs 10 or 15 minutes? And what happens when a DD instance is not in UTC? Couple of years ago I had to change most instances to .localtime() and .localdate() to avoid "off by one" date errors.

Should we add the PR description to the docs and/or some more info to the help_text?

@Maffooch
Contributor Author

Maffooch commented Dec 7, 2021

Thanks for the comments @damiencarol @valentijnscholten

I'll add the use cases to documentation.

The defaults are set in forms.py and API serializers and neither one accommodates timezones. It would be good to change those (and all instances of time related activities) to support timezones. But for now, I will change just these two.

I'm not sure how I would check for timezone accommodation in the unit tests though.

@valentijnscholten valentijnscholten dismissed their stale review December 7, 2021 16:59

the comparison with "today" in different places confused me

@valentijnscholten
Member

valentijnscholten commented Dec 7, 2021

Looking at the code if the import is started at 23:55 and runs for 10 or 15 minutes you will get some findings that have their date overwritten, and some keep their date.

Testing for timezones in unit tests would be a big job, as we're not doing that anywhere yet. I have an idea on how to implement the requirements without relying on comparisons to "today" in these places which would make it more straightforward to read/understand. But don't have the time to do it or show it, so I'll just leave it up to the rest to review/approve.

@Maffooch
Contributor Author

Maffooch commented Dec 7, 2021

Looking at the code if the import is started at 23:55 and runs for 10 or 15 minutes you will get some findings that have their date overwritten, and some keep their date.

Hmm that is a tough one. Struggling to think of a way to overcome that. Wouldn't that happen without this code change as well though?

Testing for timezones in unit tests would be a big job, as we're not doing that anywhere yet. I have an idea on how to implement the requirements without relying on comparisons to "today" in these places. But don't have the time to do it or show it, so I'll just leave it up to the rest to review/approve.

Agreed, the timezone test would be very time consuming. I think simulating various timezones via hardcode and checking the count of findings at various dates and validating dates would do it.

I have updated the default date in UI/API and in tests to accommodate timezones. Also added documentation.

@valentijnscholten
Member

Looking at the code if the import is started at 23:55 and runs for 10 or 15 minutes you will get some findings that have their date overwritten, and some keep their date.

Hmm that is a tough one. Struggling to think of a way to overcome that. Wouldn't that happen without this code change as well though?

Before this PR I think the date field of findings is never overwritten by scan_date? You could fix it by getting now() in the importer and pass it on to process parsed findings so it uses the same "now" for all findings. Not sure if that makes the code better/nicer. Also not saying it should prevent merging as maybe most would consider it a corner case, but from a product owner point of view I personally would like to have that scenario working 100% correctly at some point :-)

@Maffooch
Contributor Author

Maffooch commented Dec 7, 2021

Oh that is actually what is already happening (see now=now)

new_findings = self.process_parsed_findings(test, parsed_findings, scan_type, user, active,
                                            verified, minimum_severity=minimum_severity,
                                            endpoints_to_add=endpoints_to_add, push_to_jira=push_to_jira,
                                            group_by=group_by, now=now, service=service)

I did not notice this until now, but I think it solves that corner case

@valentijnscholten
Member

Oh that is actually what is already happening (see now=now)

new_findings = self.process_parsed_findings(test, parsed_findings, scan_type, user, active,
                                            verified, minimum_severity=minimum_severity,
                                            endpoints_to_add=endpoints_to_add, push_to_jira=push_to_jira,
                                            group_by=group_by, now=now, service=service)

I did not notice this until now, but I think it solves that corner case

Ah crap, I didn't realize it was already there as it's not shown in the diff. But SOMEBODY (*me) already added it earlier it seems. The prophecy fulfilled or how do they say that in English.
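
The four scenarios from the PR description and the 23:55 corner case raised in this thread, as an added example that is not DefectDojo's code. `resolve_finding_date` uses `None` to mean "not specified" instead of comparing with today, and `import_with_comparison` is a simplified model of the comparison-based logic that shows why "now" has to be read once per import; all names, the clock and the sample dates are constructed for illustration.

```python
"""Added example, not DefectDojo code: finding-date precedence at import time."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class ParsedFinding:
    """Hypothetical parsed finding; report_date is None when the report has no date."""
    title: str
    report_date: Optional[date] = None


def resolve_finding_date(parser_date: Optional[date],
                         scan_date: Optional[date],
                         import_day: date) -> date:
    """The four scenarios of the PR description, with None meaning 'not specified'."""
    if scan_date is not None:       # scenarios 3 and 4: the user's scan date wins
        return scan_date
    if parser_date is not None:     # scenario 2: keep what the parser found
        return parser_date
    return import_day               # scenario 1: fall back to the time of import


def resolve_by_today_comparison(item_date: date, target_start_date: date,
                                now_date: date) -> date:
    """Simplified model of the comparison approach discussed in the thread:
    a scan date that differs from 'today' is taken to be user-specified."""
    if target_start_date != now_date:
        return target_start_date
    return item_date


def ticking_clock(start: datetime, step: timedelta) -> Callable[[], datetime]:
    """Constructed clock: returns start, start + step, ... on successive calls."""
    state = {"t": start - step}

    def clock() -> datetime:
        state["t"] += step
        return state["t"]
    return clock


def import_with_comparison(findings: List[ParsedFinding], scan_date_field: date,
                           clock: Callable[[], datetime],
                           capture_now_once: bool) -> List[date]:
    """scan_date_field is what the importer receives: the import-start day when
    the user left the field at its default."""
    started = clock()
    dates = []
    for finding in findings:
        now = started if capture_now_once else clock()
        # Model default: a finding without a report date gets 'today'.
        item_date = finding.report_date or now.date()
        dates.append(resolve_by_today_comparison(item_date, scan_date_field, now.date()))
    return dates


def import_with_sentinel(findings: List[ParsedFinding], scan_date: Optional[date],
                         clock: Callable[[], datetime]) -> List[date]:
    """No comparison with 'today': the default is applied last, from one clock reading."""
    import_day = clock().date()
    return [resolve_finding_date(f.report_date, scan_date, import_day) for f in findings]


# Constructed sample: an import that starts at 23:55 and crosses midnight.
START = datetime(2021, 12, 6, 23, 55)
SAMPLE = [ParsedFinding("finding A", date(2021, 11, 1)),
          ParsedFinding("finding B", date(2021, 11, 2))]


def midnight_demo() -> dict:
    """Run the same import three ways; the user did not touch the scan date."""
    step = timedelta(minutes=4)
    default_scan_date = START.date()
    return {
        "today_per_finding": import_with_comparison(
            SAMPLE, default_scan_date, ticking_clock(START, step), False),
        "now_captured_once": import_with_comparison(
            SAMPLE, default_scan_date, ticking_clock(START, step), True),
        "sentinel": import_with_sentinel(SAMPLE, None, ticking_clock(START, step)),
    }


if __name__ == "__main__":
    for name, dates in midnight_demo().items():
        print(name, [d.isoformat() for d in dates])
```

When "today" is re-read per finding, the finding processed after midnight loses its report date while the one processed before midnight keeps it; reading the clock once, or not comparing with today at all, keeps both.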

@devGregA
Contributor

devGregA commented Dec 7, 2021

For reference: https://github.com/DefectDojo/django-DefectDojo/blob/dev/dojo/forms.py#L376

I think the UI should be consistent with the API. I agree with the change, but I think the field should not be required in the UI, and should not be pre-populated.

@github-actions
Contributor

github-actions bot commented Dec 7, 2021

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Contributor

github-actions bot commented Dec 7, 2021

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

@StefanFl StefanFl left a comment

Plus see my comments about the documentation as well

@Maffooch Maffooch merged commit 63eb591 into DefectDojo:dev Dec 7, 2021
@Maffooch Maffooch deleted the scan_date branch December 7, 2021 22:56
Maffooch added a commit that referenced this pull request Dec 7, 2021
* Update versions in application files

* Update gh-pages.yml

* Bump google-auth from 2.3.2 to 2.3.3 (#5367)

Bumps [google-auth](https://github.com/googleapis/google-auth-library-python) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/googleapis/google-auth-library-python/releases)
- [Changelog](https://github.com/googleapis/google-auth-library-python/blob/main/CHANGELOG.md)
- [Commits](googleapis/google-auth-library-python@v2.3.2...v2.3.3)

---
updated-dependencies:
- dependency-name: google-auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump django-imagekit from 4.0.2 to 4.1.0 (#5366)

Bumps [django-imagekit](https://github.com/matthewwithanm/django-imagekit) from 4.0.2 to 4.1.0.
- [Release notes](https://github.com/matthewwithanm/django-imagekit/releases)
- [Commits](matthewwithanm/django-imagekit@4.0.2...4.1.0)

---
updated-dependencies:
- dependency-name: django-imagekit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* APIv2: Allow import/reimport by names not only ids (#5342)

* allow import/reimport by names

* cleanup

* cleanup

* update docs

* improvements

* cleanup 2

* cleanup 2

* php inventory changes

* Update dojo/api_v2/views.py

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Update dojo/api_v2/views.py

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* cleanup 3.0

* cleanup 3.0

* cleanup 3.0

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Bump google-api-python-client from 2.28.0 to 2.29.0 (#5365)

Bumps [google-api-python-client](https://github.com/googleapis/google-api-python-client) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/googleapis/google-api-python-client/releases)
- [Changelog](https://github.com/googleapis/google-api-python-client/blob/main/CHANGELOG.md)
- [Commits](googleapis/google-api-python-client@v2.28.0...v2.29.0)

---
updated-dependencies:
- dependency-name: google-api-python-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump lxml from 4.6.3 to 4.6.4 (#5381)

Bumps [lxml](https://github.com/lxml/lxml) from 4.6.3 to 4.6.4.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.6.3...lxml-4.6.4)

---
updated-dependencies:
- dependency-name: lxml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update gcr.io/cloudsql-docker/gce-proxy Docker tag from 1.26.0 to v1.27.0 (helm/defectdojo/values.yaml) (#5375)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Update upgrading.md (#5374)

* Update versions in application files

* Bump django-watson from 1.5.5 to 1.6.0 (#5389)

Bumps [django-watson](https://github.com/etianen/django-watson) from 1.5.5 to 1.6.0.
- [Release notes](https://github.com/etianen/django-watson/releases)
- [Changelog](https://github.com/etianen/django-watson/blob/master/CHANGELOG.markdown)
- [Commits](etianen/django-watson@release-1.5.5...release-1.6.0)

---
updated-dependencies:
- dependency-name: django-watson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* main: improve documentation (#5390)

* Update dependency postcss-cli from 9.0.1 to v9.0.2 (docs/package.json) (#5392)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Generate github pages for master + dev branches (#5398)

* pages for master and dev

* pages for master and dev

* Bump numpy from 1.21.3 to 1.21.4 (#5396)

Bumps [numpy](https://github.com/numpy/numpy) from 1.21.3 to 1.21.4.
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/HOWTO_RELEASE.rst.txt)
- [Commits](numpy/numpy@v1.21.3...v1.21.4)

---
updated-dependencies:
- dependency-name: numpy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update Chart.yaml

* Integration test idempotency (#5397)

* Resolve failing integration test if user existed.
Added is_help_message_present for .help-block
Used non-deprecated selector

* Ensure test_user_notificaitons_change tests
  changes and not just selecting. Test is now
  idempotent instead of just working first time.

* Removing integration test with missing test file.
  Removal based on existing read-only tests within
  user_test.py and lack of test in GitHub Actions.

* Remove trailing whitespace

* Restore entrypoint-integration-tests.sh

* main(tests): remove rabbitmq from unit-tests (#5307)

* main(tests): remove rabbitmq from unit-tests service

* main(tests): remove rabbitmq from unit-tests

* fix(tests): overwrite broker values from dockerfile

* Bump pdfmake from 0.2.2 to 0.2.3 in /components (#5409)

Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.2.2 to 0.2.3.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/0.2.3/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.2.2...0.2.3)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump django-extensions from 3.1.3 to 3.1.5 (#5408)

Bumps [django-extensions](https://github.com/django-extensions/django-extensions) from 3.1.3 to 3.1.5.
- [Release notes](https://github.com/django-extensions/django-extensions/releases)
- [Changelog](https://github.com/django-extensions/django-extensions/blob/main/CHANGELOG.md)
- [Commits](django-extensions/django-extensions@3.1.3...3.1.5)

---
updated-dependencies:
- dependency-name: django-extensions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Remove models for legacy api classes (#5387)

* Remove models for legacy api classes

* fix unit tests

* Auth V2 - Remove legacy authorization part 1: Remove legacy auth from templates (#5382)

* remove legacy auth from templates

* remove legacy unit test

* remove dependency check report (#5413)

* fix(helm chart): Update the nginx-prometheus-exporter entrypoint (#5415)

Fix #5414

The entrypoint has been changed between version 0.8.0 and 0.9.0 of the nginx-prometheus-exporter

* Bump google-api-python-client from 2.29.0 to 2.30.0 (#5418)

Bumps [google-api-python-client](https://github.com/googleapis/google-api-python-client) from 2.29.0 to 2.30.0.
- [Release notes](https://github.com/googleapis/google-api-python-client/releases)
- [Changelog](https://github.com/googleapis/google-api-python-client/blob/main/CHANGELOG.md)
- [Commits](googleapis/google-api-python-client@v2.29.0...v2.30.0)

---
updated-dependencies:
- dependency-name: google-api-python-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump pdfmake from 0.2.3 to 0.2.4 in /components (#5429)

Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/0.2.4/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.2.3...0.2.4)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump coverage from 6.1.1 to 6.1.2 (#5428)

Bumps [coverage](https://github.com/nedbat/coveragepy) from 6.1.1 to 6.1.2.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](nedbat/coveragepy@6.1.1...6.1.2)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump drf-spectacular from 0.20.2 to 0.21.0 (#5427)

Bumps [drf-spectacular](https://github.com/tfranzel/drf-spectacular) from 0.20.2 to 0.21.0.
- [Release notes](https://github.com/tfranzel/drf-spectacular/releases)
- [Changelog](https://github.com/tfranzel/drf-spectacular/blob/master/CHANGELOG.rst)
- [Commits](tfranzel/drf-spectacular@0.20.2...0.21.0)

---
updated-dependencies:
- dependency-name: drf-spectacular
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix integration test users (#5425)

* Fix: sequential integration tests

* Fix: sequential integration tests

* Remove: reload

Co-authored-by: Dubravko Sever <dubravko.sever@pan-net.eu>

* Update rabbitmq Docker tag from 3.9.8 to v3.9.9 (docker-compose.yml) (#5434)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Bump psycopg2-binary from 2.9.1 to 2.9.2 (#5439)

Bumps [psycopg2-binary](https://github.com/psycopg/psycopg2) from 2.9.1 to 2.9.2.
- [Release notes](https://github.com/psycopg/psycopg2/releases)
- [Changelog](https://github.com/psycopg/psycopg2/blob/master/NEWS)
- [Commits](https://github.com/psycopg/psycopg2/commits)

---
updated-dependencies:
- dependency-name: psycopg2-binary
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump sqlalchemy from 1.4.26 to 1.4.27 (#5440)

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 1.4.26 to 1.4.27.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Move more markdown files to github pages (#5403)

* Update branching-model.md

* remove branching release model from README

* Delete BRANCHING-MODEL.md

* Update README.md

* Update README.md

* Delete REST-APIs.md

* Delete RELEASE-AND-BRANCH-MODEL.md

* Delete GETTING-STARTED.md

* Delete ROADMAP.md

* Update README.md

* Update CONTRIBUTING.md

* Update README.md

* Delete MAINTAINERS.md

* Update security_issue.md

* Update README.md

* move markdown files to docs

* Update docs/content/en/contributing/documentation.md

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Update README.md

* finetune api wrapper section

* add back AVAILABLE plugins page

* Defect Dojo -> DefectDojo

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Integration test warning cleanup (#5445)

* Update all deprecated selenium get_element(s)_by*

* Remove trailing whitespace from user_test.py

* fix dedupe sync usage example (#5446)

* Bump nginx from 1.21.3-alpine to 1.21.4-alpine (#5452)

Bumps nginx from 1.21.3-alpine to 1.21.4-alpine.

---
updated-dependencies:
- dependency-name: nginx
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add dojo license to package.json (#5447)

* Authz: Allow global maintainers/owner to add Product Types (#5410)

* Allow global maintainers/owners to add product types

* add permission check to templates

* add permission check to templates

* rename filter

* feat(saml): configurable login button (#5449)

* Allow to force login form (#5444)

* allow to force login form

* add docs

* feat: make semgrep reports more informative (#5391)

* Add more detailed description for semgrep report.
Add unittests for new description format

* Fix flake errors

* Fix unittest errors

* Fix unittest errors

* Update dojo/tools/semgrep/parser.py

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Add test for new semgrep description

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* remove dojo/user/helper (#5412)

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* add build arg for userid integration tests (#5432)

* Update mysql:5.7.36 Docker digest from 5.7.36 to v5.7.36 (docker-compose.yml) (#5464)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Add "Forgot password" functionality (#5302)

* Define reset password process

* fix LOGIN_EXEMPT_URLS, add button on log-in screen

* flake8

* replace "Password reset" by "Forgot password"

* add DD_SOCIAL_AUTH_FORGOT_PASSWORD_BUTTON

* change DD_SOCIAL_AUTH_FORGOT_PASSWORD_BUTTON to DD_FORGOT_PASSWORD_BUTTON

* flake8

* change "mail_notifications_from" to "email_from", change first button, override site url, use "email_from" as sending address, handle ConnectionError

* rename DD_FORGOT_PASSWORD_BUTTON to DD_FORGOT_PASSWORD, allow to fail if sending of email is not successful, add integration test, add mailhog to dev and integration tests

* typo

* add docs

* typos

* run mailhog during integration tests on github

* use SMTP for Celery - to be able to send mail notifications

* Bump google-api-python-client from 2.30.0 to 2.31.0 (#5462)

Bumps [google-api-python-client](https://github.com/googleapis/google-api-python-client) from 2.30.0 to 2.31.0.
- [Release notes](https://github.com/googleapis/google-api-python-client/releases)
- [Changelog](https://github.com/googleapis/google-api-python-client/blob/main/CHANGELOG.md)
- [Commits](googleapis/google-api-python-client@v2.30.0...v2.31.0)

---
updated-dependencies:
- dependency-name: google-api-python-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump markdown from 3.3.4 to 3.3.5 (#5460)

Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.3.4 to 3.3.5.
- [Release notes](https://github.com/Python-Markdown/markdown/releases)
- [Commits](Python-Markdown/markdown@3.3.4...3.3.5)

---
updated-dependencies:
- dependency-name: markdown
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* use buildkit master with bugfix (#5467)

* Bump markdown from 3.3.5 to 3.3.6 (#5470)

Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.3.5 to 3.3.6.
- [Release notes](https://github.com/Python-Markdown/markdown/releases)
- [Commits](Python-Markdown/markdown@3.3.5...3.3.6)

---
updated-dependencies:
- dependency-name: markdown
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump django-polymorphic from 3.0.0 to 3.1.0 (#5469)

Bumps [django-polymorphic](https://github.com/django-polymorphic/django-polymorphic) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/django-polymorphic/django-polymorphic/releases)
- [Changelog](https://github.com/django-polymorphic/django-polymorphic/blob/master/docs/changelog.rst)
- [Commits](jazzband/django-polymorphic@3.0.0...v3.1)

---
updated-dependencies:
- dependency-name: django-polymorphic
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump mysqlclient from 2.0.3 to 2.1.0 (#5468)

Bumps [mysqlclient](https://github.com/PyMySQL/mysqlclient) from 2.0.3 to 2.1.0.
- [Release notes](https://github.com/PyMySQL/mysqlclient/releases)
- [Changelog](https://github.com/PyMySQL/mysqlclient/blob/main/HISTORY.rst)
- [Commits](PyMySQL/mysqlclient@v2.0.3...v2.1.0)

---
updated-dependencies:
- dependency-name: mysqlclient
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update rabbitmq:3.9.9 Docker digest from 3.9.9 to 3.9.9 (docker-compose.yml) (#5472)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Auth V2 - Remove legacy authorization part 3: Remove feature flag from core classes (#5458)

* remove dojo/user/helper

* remove FEATURE_AUTHORIZATION_V2 from core classes and API

* Fix for creating multiple groups containing the same Product Type (#5457)

* fix

* revert change for message

* beautify

* Update rabbitmq Docker tag from 3.9.9 to v3.9.10 (docker-compose.yml) (#5475)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Fix for missing API_Scan_Configuration and exception handler (#5455)

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* Add support for pushing tags to jira (#5476)

* Bump cryptography from 35.0.0 to 36.0.0 (#5482)

Bumps [cryptography](https://github.com/pyca/cryptography) from 35.0.0 to 36.0.0.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@35.0.0...36.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* new report format (#5478)

* Update rabbitmq:3.9.10 Docker digest from 3.9.10 to 3.9.10 (docker-compose.yml) (#5486)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* optimize GHA unit test (#5488)

* Moved all plot objects into one .js file (#5456)

* Removed all plot objects from corresponding .html files and grouped them into one static .js file

* Attempt #1 to fix failing integration test

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* Add EmptyDir for CeleryBeat into /run (#5421)

* Add volumeMounts for celery beat

* Decrease Chart version

* use DEDUPE_ALGO_HASH_CODE for detect-secrets (#5483)

* Update dependency postcss from 8.3.11 to v8.4.0 (docs/package.json) (#5493)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Update labeler.yml

* add tag for each trivy vulnerability (#5479)

Signed-off-by: shubhindia <shubhindia123@gmail.com>

* Update dependency postcss from 8.4.0 to v8.4.1 (docs/package.json) (#5498)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Update DOCKER.md (#5505)

Fixing broken link for "Running in Production"

* Update dependency postcss from 8.4.1 to v8.4.3 (docs/package.json) (#5507)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* go to user view after user add (#5510)

* set default group for all new users (#5501)

* Update dependency postcss from 8.4.3 to v8.4.4 (docs/package.json) (#5512)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* Auth V2 - Remove legacy authorization part 4: final removal of FEATURE_AUTHORIZATION_V2 (#5477)

* remove FEATURE_AUTHORIZATION_V2

* flake8

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* fix duplicate notification urls (#5515)

* Update 0066_django_tagulous.py (#5514)

* Nessus: store only standard protocol names (#5471)

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* Bump coverage from 6.1.2 to 6.2 (#5520)

Bumps [coverage](https://github.com/nedbat/coveragepy) from 6.1.2 to 6.2.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](nedbat/coveragepy@6.1.2...6.2)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(helm): allow disabling initializer job (#5504)

There is initializer.run: true in default values.yaml, but it isn't used anywhere.

I'd like to add the opportunity to disable the initializer job.
Also, it would be great to make it possible to add annotations to the initializer job.

UPD: annotations support for init job was added :)

* Bump humanize from 3.12.0 to 3.13.1 (#5530)

Bumps [humanize](https://github.com/jmoiron/humanize) from 3.12.0 to 3.13.1.
- [Release notes](https://github.com/jmoiron/humanize/releases)
- [Commits](jmoiron/humanize@3.12.0...3.13.1)

---
updated-dependencies:
- dependency-name: humanize
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Endpoint Metadata Importer for adding tags/custom fields to Endpoints (#5491)

* Endpoint Metadata Importer for adding tags and custom fields to Endpoints

* fix flake8

* Add api functionality and update docs

* fix flake8

* Add unit test suite

* fix Flake8

* fix Flake8

* Add endpoint to test method list

* Correct unit tests and remove print statements

* Add feature flag and rename private_dns to hostname

* Rename no_private_dns_endpoint_meta_import.csv to no_hostname_endpoint_meta_import.csv

* Make changes requested by Stefan

* Fix Flake8

* separate API product_name and product_id accessors

* Fix typo

* Fix copy/paste error

* Add endpoint meta import to system settings

* Update Nessus WAS parser to catch the lack of a port in CSV Parser (#5490)

* Update Nessus WAS parser to catch the lack of a port in CSV Parser

* Remove default of '8888' and just leave blank

* Remove default port/protocol

* Fix Flake8

* Add IP address as backup to host

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* main(helm): remove deprecated stable repo (#5450)

* main(helm): remove deprecated stable repo

* fix: rename mysql variable for bitnami chart

* fix(helm): mysql secrets

* main(tests): update kubernetes versions

* main(tests): update kubernetes test strategy

* main(tests): update minikube

* fix(helm): mysql port and documentation

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* move unittests outside dojo folder (#5527)

* move unittests outside dojo folder

* change base class

* cleanup

* cleanup

* cleanup

* cleanup

* fixes

* cleanup

* refactor

* cleanup

* cleanup

* cleanup

* fixes

* fixes

* fixes

* we expect these env variables to be set (#5529)

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* Upgrade to Django 3.2 (#5265)

* Upgrade to Django 3.2

* try fork with tagulous fix

* try fork with tagulous fix

* fixes for typos (#5531)

* fix: checkmarx parser aggregation and deduplication with query id (#5506)

this should fix #3958
the aggregation mechanism and deduplication mechanism for checkmarx are now using the same fields
it now uses the query id of checkmarx in the hash code to avoid creating multiple issues for each checkmarx "result"
we keep the aggregation but now we can no longer find duplicates inside a single report

* Bump djangosaml2 from 1.3.4 to 1.3.5 (#5463)

Bumps [djangosaml2](https://github.com/IdentityPython/djangosaml2) from 1.3.4 to 1.3.5.
- [Release notes](https://github.com/IdentityPython/djangosaml2/releases)
- [Changelog](https://github.com/IdentityPython/djangosaml2/blob/master/CHANGES)
- [Commits](IdentityPython/djangosaml2@v1.3.4...v1.3.5)

---
updated-dependencies:
- dependency-name: djangosaml2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump redis from 3.5.3 to 4.0.2 (#5481)

Bumps [redis](https://github.com/redis/redis-py) from 3.5.3 to 4.0.2.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@3.5.3...v4.0.2)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump google-api-python-client from 2.31.0 to 2.32.0 (#5536)

Bumps [google-api-python-client](https://github.com/googleapis/google-api-python-client) from 2.31.0 to 2.32.0.
- [Release notes](https://github.com/googleapis/google-api-python-client/releases)
- [Changelog](https://github.com/googleapis/google-api-python-client/blob/main/CHANGELOG.md)
- [Commits](googleapis/google-api-python-client@v2.31.0...v2.32.0)

---
updated-dependencies:
- dependency-name: google-api-python-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* bump django to 3.2.9 (#5539)

* fix files api (#5509)

* Move unit test leftovers (#5543)

* Move unit test leftovers

* fix for FlexibleImportTestAPI

* fix for the fix

* remove duplicated `{{block.super}}` lines (#5545)

* Update express_new_jira.html

* remove duplicate block.super

* Update rabbitmq Docker tag from 3.9.10 to v3.9.11 (docker-compose.yml) (#5541)

* Update rabbitmq Docker tag from 3.9.10 to v3.9.11 (docker-compose.yml)

* Update docker-compose.yml

not sure what happened, maybe they republished with a different image/checksum

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

* Auth V2 - Remove legacy authorization part 5: Removal of authorized users (#5518)

* remove authorized users

* rename db migration after rebase

* release notes

* bugfix for missed staff legacy removal

* flake8

* more flake8

* next flake8

* added removal of user migration to release notes

* rename db migration after rebase

* use GHA caching for integration tests (#5495)

* use GHA caching for integration tests

* Update integration-tests.yml

* Add organizational blocks around metrics.js files (#5544)

* Update rabbitmq:3.9.11 Docker digest from 3.9.11 to 3.9.11 (docker-compose.yml) (#5546)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* remove findingimages leftovers (#5540)

* Add support for files in generic parser (#5508)

* Add support for files in generic parser

* Update models.py

* Add documentation

* Update docs/content/en/integrations/import.md

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Update docs/content/en/integrations/import.md

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* Update docs/content/en/integrations/import.md

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* changes after move of unit tests

Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>

* fix staff permission to add product types (#5551)

* typo and missing parser (#5548)

* Set default_auto_field after migration to Django 3.2 (#5552)

fixes #5538

* fix checkmarx false positive import (#5484)

* Autocreate product / engagement during (re)import (#5492)

* Smart Import

* cleanup

* fix push to jira logic

* add docs

* add jira testcases

* comments

* create ci/cd engagements

* fix target start/end

* cleanup

* set owner for created models

* autocreate for reimport

* cleanup

* reimport authz tests

* cleanup

* add docs

* update unit test paths

* update unit test paths

* update unit test paths

* fix unit tests

* fix metadata dict code

* fix tests

* fix merge artifacts

* fix merge artifacts

* Added info on upgrading godojo installs of DefectDojo to the docs (#5561)

* Add asynchronous re/imports (disabled by default) (#5553)

* Add asynchronous re/imports (disabled by default)

* Fix Flake8 Violations

* Update unit tests

* Update importer.py

* Update progress typo

* fix image migration for duplicate captions (#5549)

* api: update reimport docstring (#5560)

* Update views.py

* Update views.py

* Update views.py

* Fix alias paths in nginx config (#5557)

* Update nginx.conf

fix alias path

* Update nginx_TLS.conf

fix alias path

* Respect `scan_date` at import time for all findings imported (#5547)

* Respect `scan_date` at import time for all findings imported

* Update scan_date set logic

* Add more unit tests

* Remove first attempt at unit test

* Add documentation and set default import date to be timezone considerate

* Make scan_date optional field

* Update test_importers_importer.py

* Update api scan_date validation

* Fix required false issue

* Update docs title

* Remove default date from unit tests

* Update versions in application files

Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stefan Fleckenstein <stefan.fleckenstein@maibornwolff.de>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: alles-klar <jannik-j@t-online.de>
Co-authored-by: CharlieSears <charlie.sears@gmail.com>
Co-authored-by: bgoareguer <43874676+bgoareguer@users.noreply.github.com>
Co-authored-by: Sever <dubravko.sever@gmail.com>
Co-authored-by: Dubravko Sever <dubravko.sever@pan-net.eu>
Co-authored-by: Shubham Gopale <shubhindia123@gmail.com>
Co-authored-by: kiblik <tomas@kubla.sk>
Co-authored-by: Artem Tykhonov <artem@macpaw.com>
Co-authored-by: blakeaowens <76979297+blakeaowens@users.noreply.github.com>
Co-authored-by: rsaiprashanth <prashanth.vy607@gmail.com>
Co-authored-by: qlimenoque <49155800+qlimenoque@users.noreply.github.com>
Co-authored-by: Julien Caillon <julien.caillon@gmail.com>
Co-authored-by: Damien Carol <damien.carol@gmail.com>
Co-authored-by: ptrovatelli <34663482+ptrovatelli@users.noreply.github.com>
Co-authored-by: Matt Tesauro <mtesauro@gmail.com>
Co-authored-by: Assylbek <39023505+tutasla@users.noreply.github.com>