Merge pull request #10746 from DefectDojo/release/2.37.1

Release: Merge release into master from: release/2.37.1

Author: Maffooch

.github/workflows/k8s-tests.yml

@@ -28,7 +28,7 @@ jobs:
           # are tested (https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#available-versions)
           - databases: pgsql
             brokers: redis
-            k8s: 'v1.26.11'
+            k8s: 'v1.30.3'
             os: debian
     steps:
       - name: Checkout
@@ -37,7 +37,7 @@ jobs:
       - name: Setup Minikube
         uses: manusa/actions-setup-minikube@v2.11.0
         with:
-          minikube version: 'v1.31.2'
+          minikube version: 'v1.33.1'
           kubernetes version: ${{ matrix.k8s }}
           driver: docker
           start args: '--addons=ingress --cni calico'

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.37.0",
+  "version": "2.37.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docker/entrypoint-unit-tests-devDocker.sh

@@ -54,10 +54,11 @@ EOF
 echo "Unit Tests"
 echo "------------------------------------------------------------"
 
-python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --parallel --exclude-tag="non-parallel" || {
+# Removing parallel and shuffle for now to maintain stability
+python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
     exit 1; 
 }
-python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --tag="non-parallel" || {
+python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
     exit 1; 
 }
 

docker/entrypoint-unit-tests.sh

@@ -80,9 +80,10 @@ python3 manage.py migrate
 echo "Unit Tests"
 echo "------------------------------------------------------------"
 
-python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --parallel --exclude-tag="non-parallel" || {
+# Removing parallel and shuffle for now to maintain stability
+python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
     exit 1; 
 }
-python3 manage.py test unittests -v 3 --keepdb --no-input --failfast --shuffle --tag="non-parallel" || {
+python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
     exit 1; 
 }

docs/content/en/getting_started/upgrading/2.37.md

@@ -14,4 +14,4 @@ MySQL and RabbitMQ have been removed from the following places:
 - Helm Chart
 - Unit/Integration CI/CD Tests
 
-There are no other special instructions for upgrading to 2.37.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.36.0) for the contents of the release.
+There are no other special instructions for upgrading to 2.37.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.37.0) for the contents of the release.

docs/content/en/integrations/parsers/file/appcheck_web_application_scanner.md

@@ -0,0 +1,8 @@
+---
+title: "AppCheck Web Application Scanner"
+toc_hide: true
+---
+Accepts AppCheck Web Application Scanner output in .json format.
+
+### Sample Scan Data
+Sample AppCheck Web Application Scanner scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/appcheck_web_application_scanner).

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.37.0"
+__version__ = "2.37.1"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/cred/views.py

@@ -38,7 +38,7 @@ def new_cred(request):
     return render(request, "dojo/new_cred.html", {"tform": tform})
 
 
-@user_is_authorized(Product, Permissions.Product_View, "pid")
+@user_is_authorized(Product, Permissions.Product_Edit, "pid")
 def all_cred_product(request, pid):
     prod = get_object_or_404(Product, id=pid)
     creds = Cred_Mapping.objects.filter(product=prod).order_by("cred_id__name")

dojo/endpoint/views.py

@@ -6,6 +6,7 @@
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.admin.utils import NestedObjects
+from django.core.exceptions import PermissionDenied
 from django.db import DEFAULT_DB_ALIAS
 from django.db.models import Count, Q, QuerySet
 from django.http import HttpResponseRedirect
@@ -178,7 +179,7 @@ def view_endpoint_host(request, eid):
     return process_endpoint_view(request, eid, host_view=True)
 
 
-@user_is_authorized(Endpoint, Permissions.Endpoint_View, "eid")
+@user_is_authorized(Endpoint, Permissions.Endpoint_Edit, "eid")
 def edit_endpoint(request, eid):
     endpoint = get_object_or_404(Endpoint, id=eid)
 
@@ -468,6 +469,9 @@ def prefetch_for_endpoints(endpoints):
 
 def migrate_endpoints_view(request):
 
+    if not request.user.is_superuser:
+        raise PermissionDenied
+
     view_name = "Migrate endpoints"
 
     html_log = clean_hosts_run(apps=apps, change=(request.method == "POST"))

dojo/forms.py

@@ -31,6 +31,7 @@
 import dojo.jira_link.helper as jira_helper
 from dojo.authorization.roles_permissions import Permissions
 from dojo.endpoint.utils import endpoint_filter, endpoint_get_or_create, validate_endpoints_to_add
+from dojo.engagement.queries import get_authorized_engagements
 from dojo.finding.queries import get_authorized_findings
 from dojo.group.queries import get_authorized_groups, get_group_member_roles
 from dojo.models import (
@@ -3550,6 +3551,18 @@ def __init__(self, *args, **kwargs):
         self.fields["product"].queryset = get_authorized_products(Permissions.Engagement_Add)
 
 
+class ExistingEngagementForm(forms.Form):
+    engagement = forms.ModelChoiceField(
+        queryset=Engagement.objects.none(),
+        required=True,
+        widget=forms.widgets.Select(),
+        help_text="Select which Engagement to link the Questionnaire to")
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["engagement"].queryset = get_authorized_engagements(Permissions.Engagement_Edit).order_by("-target_start")
+
+
 class ConfigurationPermissionsForm(forms.Form):
 
     def __init__(self, *args, **kwargs):