Merge pull request #12617 from DefectDojo/master-into-dev/2.47.2-2.48.0-dev

Release: Merge back 2.47.2 into dev from: master-into-dev/2.47.2-2.48.0-dev

Author: rossops

docs/content/en/open_source/upgrading/2.39.md

@@ -2,7 +2,114 @@
 title: 'Upgrading to DefectDojo Version 2.39.x'
 toc_hide: true
 weight: -20240903
-description: No special instructions.
+description: Major upgrade of Postgres 16 to 17
 exclude_search: true
 ---
-There are no special instructions for upgrading to 2.39.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.39.0) for the contents of the release.
+
+# PostgreSQL Major Version Upgrade in Docker Compose
+
+This release incorporates a major upgrade of Postgres. When using the default docker compose setup you'll need to upgrade the Postgres data folder before you can use Defect Dojo 2.39.0.
+
+There are lots of online guides to be found such as https://hub.docker.com/r/tianon/postgres-upgrade or https://github.com/pgautoupgrade/docker-pgautoupgrade.
+
+There's also the [official documentation on `pg_upgrade`](https://www.postgresql.org/docs/current/pgupgrade.html), but this doesn't work out of the box when using Docker containers.
+
+Sometimes it's easier to just perform the upgrade manually, which would look something like the steps below.
+It may need some tuning to your specific needs and docker compose setup. The guide is loosely based on https://simplebackups.com/blog/docker-postgres-backup-restore-guide-with-examples.
+If you already have a valid backup of the postgres 16 database, you can start at step 4.
+
+---
+
+## 0. Backup
+
+Always back up your data before starting and save it somewhere.
+Make sure the backup and restore is tested before continuing the steps below where the docker volume containing the database will be removed.
+
+## 1. Start the Old Postgres Container
+
+If you've acceidentally already updated your docker-compose.yml to the new versions, downgrade to postgres 16 for now:
+
+Edit your `docker-compose.yml` to use the old Postgres version (e.g., `postgres:16.4-alpine`):
+
+```yaml
+postgres:
+  image: postgres:16.4-alpine
+  ...
+```
+
+Start only the Postgres container which will now be 16.4:
+
+```bash
+docker compose up -d postgres
+```
+
+---
+
+## 2. Dump Your Database
+
+```bash
+docker compose exec -t postgres pg_dump -U defectdojo -Fc defectdojo -f /tmp/defectdojo.dump
+docker cp <postgres_container_name>:/tmp/defectdojo.dump defectdojo.dump
+```
+You can find the postgres_container_name via `docker container ls` or `docker ps`.
+
+---
+
+## 3. Stop Containers and Remove the Old Volume
+
+You can find the volume name via `docker volume ls`.
+
+```bash
+docker compose down
+docker volume rm <defectdojo_postgres_volume_name>
+```
+
+---
+
+## 4. Switch to the New Postgres Version
+
+Edit your `docker-compose.yml` to use the new version (e.g., `postgres:17.5-alpine`):
+
+```yaml
+postgres:
+  image: postgres:17.5-alpine
+  ...
+```
+
+---
+
+## 5. Start the New Postgres Container
+
+```bash
+docker compose up -d postgres
+```
+
+---
+
+## 6. Restore Your Database
+
+**Copy the dump file into the new container:**
+
+```bash
+docker cp defectdojo.dump <postgres_container_name>:/defectdojo.dump
+```
+
+**Restore inside the container:**
+
+```bash
+docker exec -it <postgres_container_name> bash
+pg_restore -U defectdojo -d defectdojo /defectdojo.dump
+```
+
+---
+
+## 7. Start the Rest of Your Services
+
+```bash
+docker compose up -d
+```
+
+---
+
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.39.0) for the contents of the release.

dojo/jira_link/helper.py

@@ -1674,19 +1674,24 @@ def process_resolution_from_jira(finding, resolution_id, resolution_name, assign
     jira_instance = get_jira_instance(finding)
 
     if resolved:
-        if jira_instance and resolution_name in jira_instance.accepted_resolutions:
+        if jira_instance and resolution_name in jira_instance.accepted_resolutions and (finding.test.engagement.product.enable_simple_risk_acceptance or finding.test.engagement.enable_full_risk_acceptance):
             if not finding.risk_accepted:
-                logger.debug(f"Marking related finding of {jira_issue.jira_key} as accepted. Creating risk acceptance.")
+                logger.debug(f"Marking related finding of {jira_issue.jira_key} as accepted.")
+                finding.risk_accepted = True
                 finding.active = False
                 finding.mitigated = None
                 finding.is_mitigated = False
                 finding.false_p = False
-                ra = Risk_Acceptance.objects.create(
-                    accepted_by=assignee_name,
-                    owner=finding.reporter,
-                )
-                finding.test.engagement.risk_acceptance.add(ra)
-                ra_helper.add_findings_to_risk_acceptance(User.objects.get_or_create(username="JIRA")[0], ra, [finding])
+
+                if finding.test.engagement.product.enable_full_risk_acceptance:
+                    logger.debug(f"Creating risk acceptance for finding linked to {jira_issue.jira_key}.")
+                    ra = Risk_Acceptance.objects.create(
+                        accepted_by=assignee_name,
+                        owner=finding.reporter,
+                        decision_details=f"Risk Acceptance automatically created from JIRA issue {jira_issue.jira_key} with resolution {resolution_name}",
+                    )
+                    finding.test.engagement.risk_acceptance.add(ra)
+                    ra_helper.add_findings_to_risk_acceptance(User.objects.get_or_create(username="JIRA")[0], ra, [finding])
                 status_changed = True
         elif jira_instance and resolution_name in jira_instance.false_positive_resolutions:
             if not finding.false_p:

dojo/metrics/views.py

@@ -185,7 +185,6 @@ def simple_metrics(request):
         total_medium = []
         total_low = []
         total_info = []
-        total_closed = []
         total_opened = []
         findings_broken_out = {}
 
@@ -197,10 +196,20 @@ def simple_metrics(request):
                                        date__year=now.year,
                                        )
 
+        closed = Finding.objects.filter(test__engagement__product__prod_type=pt,
+                                       false_p=False,
+                                       duplicate=False,
+                                       out_of_scope=False,
+                                       mitigated__month=now.month,
+                                       mitigated__year=now.year,
+                                       )
+
         if get_system_setting("enforce_verified_status", True) or get_system_setting("enforce_verified_status_metrics", True):
             total = total.filter(verified=True)
+            closed = closed.filter(verified=True)
 
         total = total.distinct()
+        closed = closed.distinct()
 
         for f in total:
             if f.severity == "Critical":
@@ -214,9 +223,6 @@ def simple_metrics(request):
             else:
                 total_info.append(f)
 
-            if f.mitigated and f.mitigated.year == now.year and f.mitigated.month == now.month:
-                total_closed.append(f)
-
             if f.date.year == now.year and f.date.month == now.month:
                 total_opened.append(f)
 
@@ -228,7 +234,7 @@ def simple_metrics(request):
         findings_broken_out["S4"] = len(total_info)
 
         findings_broken_out["Opened"] = len(total_opened)
-        findings_broken_out["Closed"] = len(total_closed)
+        findings_broken_out["Closed"] = len(closed)
 
         findings_by_product_type[pt] = findings_broken_out
 

dojo/settings/settings.dist.py

@@ -1828,10 +1828,12 @@ def saml2_attrib_map_format(din):
     "ELA-": "https://www.freexian.com/lts/extended/updates/",  # e.g. https://www.freexian.com/lts/extended/updates/ela-1387-1-erlang
     "ELBA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "ELSA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
+    "EUVD-": "https://euvd.enisa.europa.eu/vulnerability/",  # e.g. https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-17599
     "FEDORA-": "https://bodhi.fedoraproject.org/updates/",  # e.g. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-06aa7dc422
     "FG-IR-": "https://www.fortiguard.com/psirt/",  # e.g. https://www.fortiguard.com/psirt/FG-IR-24-373
     "GHSA-": "https://github.com/advisories/",  # e.g. https://github.com/advisories/GHSA-58vj-cv5w-v4v6
     "GLSA": "https://security.gentoo.org/",  # e.g. https://security.gentoo.org/glsa/202409-32
+    "GO-": "https://pkg.go.dev/vuln/",  # e.g. https://pkg.go.dev/vuln/GO-2025-3703
     "JSDSERVER-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/JSDSERVER-14872
     "KB": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=",  # e.g. https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0108401
     "KHV": "https://avd.aquasec.com/misconfig/kubernetes/",  # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045

dojo/tools/nmap/parser.py

@@ -43,11 +43,10 @@ def get_findings(self, file, test):
                 if host.find("hostnames/hostname[@type='PTR']") is not None
                 else None
             )
-            if fqdn is not None:
-                host_info += f"**FQDN:** {fqdn}\n"
+            for hosts in host.find("hostnames"):
+                host_info += "**" + hosts.attrib["type"] + ":** " + hosts.attrib["name"] + "\n"
 
             host_info += "\n\n"
-
             for os in host.iter("os"):
                 for os_match in os.iter("osmatch"):
                     if "name" in os_match.attrib:

helm/defectdojo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.48.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.192-dev
+version: 1.6.193-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap

unittests/scans/cargo_audit/no_findings.json

@@ -1 +1,26 @@
-{"database":{"advisory-count":302,"last-commit":"7e4cbf6107145306ebb5002d66bcb98606a757fe","last-updated":"2021-05-12T01:59:58Z"},"lockfile":{"dependency-count":1},"settings":{"target_arch":null,"target_os":null,"severity":null,"ignore":[],"informational_warnings":["unmaintained"],"package_scope":null},"vulnerabilities":{"found":false,"count":0,"list":[]},"warnings":{}}
+{
+  "database": {
+    "advisory-count": 302,
+    "last-commit": "7e4cbf6107145306ebb5002d66bcb98606a757fe",
+    "last-updated": "2021-05-12T01:59:58Z"
+  },
+  "lockfile": {
+    "dependency-count": 1
+  },
+  "settings": {
+    "target_arch": null,
+    "target_os": null,
+    "severity": null,
+    "ignore": [],
+    "informational_warnings": [
+      "unmaintained"
+    ],
+    "package_scope": null
+  },
+  "vulnerabilities": {
+    "found": false,
+    "count": 0,
+    "list": []
+  },
+  "warnings": {}
+}

unittests/scans/coverity_scan/many_vulns.json

@@ -1 +1,87 @@
-{"type": "Coverity issues", "formatVersion": 10, "suppressedIssueCount": 0, "issues": [{"mergeKey": "72bfbba76f98b46f51cf6645c43e836d", "occurrenceCountForMK": 1, "occurrenceNumberInMK": 1, "referenceOccurrenceCountForMK": null, "checkerName": "SIGMA.container_filesystem_write", "subcategory": "docker_compose", "type": "sigma.container_filesystem_write", "subtype": "docker_compose", "code-language": "text", "extra": "container_filesystem_write_docker_compose -- ImlFVhxAJ/cQpaURz/DPbcdn-cTLSuAy.yml -- ##\u03a3-markup - ##\u03a3-markup - services - web", "domain": "OTHER", "language": "Text", "mainEventFilePathname": "/HFEh/jfelEokZ/IOPdmEtf/EtaCywegk/TJfOXRH/qmAQHu-aKKJNxc.yml", "strippedMainEventFilePathname": "IadeFt-IGhxEGm.yml", "mainEventLineNumber": 5, "mainEventColumnNumber": null, "properties": {}, "functionDisplayName": null, "functionMangledName": null, "functionHtmlDisplayName": null, "functionSimpleName": null, "functionSearchName": null, "localStatus": null, "ordered": true, "events": [{"covLStrEventDescription": "The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.", "eventDescription": "The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.", "eventNumber": 1, "eventTreePosition": "1", "eventSet": 0, "eventTag": "Sigma main event", "filePathname": "/FgIS/JmWOWPmI/aYTdjcqF/DdHXGIILG/XTaImjm/kVhsWy-uiioKWl.yml", "strippedFilePathname": "uuYprG-uBYzRaE.yml", "lineNumber": 5, "columnNumber": null, "main": true, "moreInformationId": null, "remediation": false, "events": null}, {"covLStrEventDescription": "Explicitly set the `read-only` attribute of the service to `true` to create a service container with a read-only filesystem.", "eventDescription": "Explicitly set the `read-only` attribute of the service to `true` to create a service container with a read-only filesystem.", "eventNumber": 2, "eventTreePosition": "2", "eventSet": 0, "eventTag": "remediation", "filePathname": "/zYzQ/GdvvsmTv/OgguMuOt/KTYxQNmOD/SJTuieI/UTWGTQ-TWItlOE.yml", "strippedFilePathname": "DuCiSG-msIglfo.yml", "lineNumber": 5, "columnNumber": null, "main": false, "moreInformationId": null, "remediation": true, "events": null}], "stateOnServer": null, "localTriage": null, "checkerProperties": {"category": "Sigma", "categoryDescription": "Sigma", "cweCategory": "552", "weaknessIdCategory": "none", "issueKinds": ["SECURITY"], "eventSetCaptions": [], "impact": "Low", "impactDescription": "Low", "subcategoryLocalEffect": "", "subcategoryShortDescription": "Container allows filesystem write", "subcategoryLongDescription": "The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with."}}], "desktopAnalysisSettings": null, "error": null, "warnings": []}
+{
+  "type": "Coverity issues",
+  "formatVersion": 10,
+  "suppressedIssueCount": 0,
+  "issues": [
+    {
+      "mergeKey": "72bfbba76f98b46f51cf6645c43e836d",
+      "occurrenceCountForMK": 1,
+      "occurrenceNumberInMK": 1,
+      "referenceOccurrenceCountForMK": null,
+      "checkerName": "SIGMA.container_filesystem_write",
+      "subcategory": "docker_compose",
+      "type": "sigma.container_filesystem_write",
+      "subtype": "docker_compose",
+      "code-language": "text",
+      "extra": "container_filesystem_write_docker_compose -- ImlFVhxAJ/cQpaURz/DPbcdn-cTLSuAy.yml -- ##Σ-markup - ##Σ-markup - services - web",
+      "domain": "OTHER",
+      "language": "Text",
+      "mainEventFilePathname": "/HFEh/jfelEokZ/IOPdmEtf/EtaCywegk/TJfOXRH/qmAQHu-aKKJNxc.yml",
+      "strippedMainEventFilePathname": "IadeFt-IGhxEGm.yml",
+      "mainEventLineNumber": 5,
+      "mainEventColumnNumber": null,
+      "properties": {},
+      "functionDisplayName": null,
+      "functionMangledName": null,
+      "functionHtmlDisplayName": null,
+      "functionSimpleName": null,
+      "functionSearchName": null,
+      "localStatus": null,
+      "ordered": true,
+      "events": [
+        {
+          "covLStrEventDescription": "The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.",
+          "eventDescription": "The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.",
+          "eventNumber": 1,
+          "eventTreePosition": "1",
+          "eventSet": 0,
+          "eventTag": "Sigma main event",
+          "filePathname": "/FgIS/JmWOWPmI/aYTdjcqF/DdHXGIILG/XTaImjm/kVhsWy-uiioKWl.yml",
+          "strippedFilePathname": "uuYprG-uBYzRaE.yml",
+          "lineNumber": 5,
+          "columnNumber": null,
+          "main": true,
+          "moreInformationId": null,
+          "remediation": false,
+          "events": null
+        },
+        {
+          "covLStrEventDescription": "Explicitly set the `read-only` attribute of the service to `true` to create a service container with a read-only filesystem.",
+          "eventDescription": "Explicitly set the `read-only` attribute of the service to `true` to create a service container with a read-only filesystem.",
+          "eventNumber": 2,
+          "eventTreePosition": "2",
+          "eventSet": 0,
+          "eventTag": "remediation",
+          "filePathname": "/zYzQ/GdvvsmTv/OgguMuOt/KTYxQNmOD/SJTuieI/UTWGTQ-TWItlOE.yml",
+          "strippedFilePathname": "DuCiSG-msIglfo.yml",
+          "lineNumber": 5,
+          "columnNumber": null,
+          "main": false,
+          "moreInformationId": null,
+          "remediation": true,
+          "events": null
+        }
+      ],
+      "stateOnServer": null,
+      "localTriage": null,
+      "checkerProperties": {
+        "category": "Sigma",
+        "categoryDescription": "Sigma",
+        "cweCategory": "552",
+        "weaknessIdCategory": "none",
+        "issueKinds": [
+          "SECURITY"
+        ],
+        "eventSetCaptions": [],
+        "impact": "Low",
+        "impactDescription": "Low",
+        "subcategoryLocalEffect": "",
+        "subcategoryShortDescription": "Container allows filesystem write",
+        "subcategoryLongDescription": "The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with."
+      }
+    }
+  ],
+  "desktopAnalysisSettings": null,
+  "error": null,
+  "warnings": []
+}