Merge pull request #12236 from DefectDojo/release/2.45.1

Release: Merge release into master from: release/2.45.1

Author: rossops

.github/renovate.json

@@ -6,6 +6,7 @@
   "dependencyDashboardApproval": false,
   "baseBranches": ["dev"],
   "rebaseWhen": "conflicted",
+  "separateMinorPatch": true,
   "ignorePaths": ["requirements.txt", "requirements-lint.txt", "components/package.json", "components/package-lock.json", "dojo/components/yarn.lock", "dojo/components/package.json", "Dockerfile**"],
   "ignoreDeps": [],
   "packageRules": [{

README.md

@@ -35,7 +35,7 @@ deduplication, remediation, and reporting.
 Try out DefectDojo on our demo server at [demo.defectdojo.org](https://demo.defectdojo.org)
 
 Log in with username `admin` and password `1Defectdojo@demo#appsec`. Please note that the demo is publicly accessible
-and regularly reset. Do not put sensitive data in the demo.
+and regularly reset. Do not put sensitive data in the demo. An easy way to test Defect Dojo is to upload some [sample scan reports](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans).
 
 ## Quick Start for Compose V2
 

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.45.0",
+  "version": "2.45.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/assets/images/pro_calendar_view.png

@@ -8,17 +8,24 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
+## Apr 2025: v2.45
+
+### Apr 7, 2025: v2.45.0
+- **(Beta UI)** Added Calendar view to Beta UI: Calendar view now displays Tests and Engagements, and can be filtered.  Clicking on a Calendar entry now displays a more detailed description of the object.
+![image](images/pro_calendar_view.png)
+- **(Universal Parser)** Added the ability to map an EPSS score from a file.  Note that this field **will** be updated by EPSS database sync, but this gives a user the ability to capture that field from initial import.
+
 ## Mar 2025: v2.44
 
-### Mar 31, 2025, v2.44.4
+### Mar 31, 2025: v2.44.4
 
 - **(Beta UI)** Group and Configuration permissions can now be assigned quickly from a User page.  For more information, see [DefectDojo Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/).
 
-### Mar 24, 2025, v2.44.3
+### Mar 24, 2025: v2.44.3
 
 - **(Import)** Generic Findings Import will now parse tags in the JSON payload when Async Import is enabled.
 
-### Mar 17, 2025, v2.44.2
+### Mar 17, 2025: v2.44.2
 
 - **(Beta UI)** Added a new method to quickly assign permissions to Products or Product Types.  See our [Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/) for more details.
 

docs/content/en/changelog/changelog.md

@@ -1,15 +1,43 @@
 ---
-title: "Anchore-Engine"
+title: "Anchore Enterprise Vulnerability"
 toc_hide: true
 ---
 
 ### File Types
 DefectDojo parser accepts a .json file.
 
-Using the [Anchore CLI](https://docs.anchore.com/current/docs/using/cli_usage/images/inspecting_image_content/) is the most reliable way to generate an Anchore report which DefectDojo can parse. When generating a report with the Anchore CLI, please use the following command to ensure complete data: `anchore-cli --json image vuln <image:tag> all`
+You can generate vulnerability data using the Anchore Enterprise CLI tool, [Anchorectl](https://docs.anchore.com/current/docs/using/cli_usage/images/inspecting_image_content/), or through the Enterprise UI. 
+
+## Generating a Vulnerability Report:
+Using Anchorectl: Run the following command to generate a vulnerability report in JSON format
+
+ `anchorectl image vulnerabilities ubuntu:latest -o json `
+
+Using the Anchore UI: Navigate to the desired image in the Anchore Enterprise UI, click on the Vulnerabilities tab, and download the report in JSON format.
 
 ### Acceptable JSON Format
+
 All properties are strings and are required by the parser. As the parser evolved, two anchore engine parser JSON formats are present till now. Both ([old](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine/many_vulns.json) / [new](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine/new_format_issue_11552.json)) are supported.
 
+~~~
+
+{
+   
+            "vulnerabilityId": "CVE-2023-24531",
+            "cves": "CVE-2023-24531",
+            "severity": "Critical",
+            "detectedAt": "2025-03-18T08:09:03Z",
+            "packageType": "Go",
+            "path": "/usr/local/bin/gosu",
+            "package": "stdlib-go1.18.2",
+            "fixAvailable": "1.21.0-0",
+            "fixObservedAt": "2025-03-18T08:09:03Z",
+            "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24531",
+            "nvdCvssBaseScore": 9.8
+    
+}
+~~~
+
+
 ### Sample Scan Data
-Sample Anchore-Engine scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine).
+Sample Anchore-Engine scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine)

docs/content/en/connecting_your_tools/parsers/file/anchore_engine.md

@@ -18,9 +18,13 @@ Attributes supported for CSV:
 - Verified: Indicator if the finding has been verified. Must be empty, TRUE, or FALSE
 - FalsePositive: Indicator if the finding is a false positive. Must be TRUE, or FALSE.
 - Duplicate:Indicator if the finding is a duplicate. Must be TRUE, or FALSE
+- IsMitigated: Indicator if the finding is mitigated.  Must be TRUE, or FALSE
+- MitigatedDate: Date the finding was mitigated in mm/dd/yyyy format or ISO format
 
 The CSV expects a header row with the names of the attributes.
 
+Date fields are parsed using [dateutil.parse](https://dateutil.readthedocs.io/en/stable/parser.html) supporting a variety of formats such a YYYY-MM-DD or ISO-8601.
+
 Example of JSON format:
 
 ```JSON
@@ -70,6 +74,34 @@ Example of JSON format:
             "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
             "file_path": "src/threeeeeeeeee.cpp",
             "line": 1353
+        },
+        {
+            "title": "test title mitigated",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
+            "severity": "Critical",
+            "mitigation": "Some mitigation",
+            "date": "2021-01-06",
+            "cve": "CVE-2020-36236",
+            "cwe": 287,
+            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "file_path": "src/threeeeeeeeee.cpp",
+            "line": 1353,
+            "is_mitigated": true,
+            "mitigated": "2021-01-16"
+        },
+        {
+            "title": "test title mitigated ISO",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
+            "severity": "Critical",
+            "mitigation": "Some mitigation",
+            "date": "2024-01-04T11:02:11Z",
+            "cve": "CVE-2020-36236",
+            "cwe": 287,
+            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "file_path": "src/threeeeeeeeee.cpp",
+            "line": 1353,
+            "is_mitigated": true,
+            "mitigated": "2024-01-24T11:02:11Z"
         }
     ]
 }

docs/content/en/connecting_your_tools/parsers/file/generic.md

@@ -2,7 +2,7 @@
 title: "HackerOne Cases"
 toc_hide: true
 ---
-Import HackerOne cases findings in JSON format
+Import HackerOne cases findings in JSON format (vulnerability disclosure parser) or Bug Bounties in JSON or CSV format (bug bounty parser)
 
 ### Sample Scan Data
 Sample HackerOne Cases scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/h1).

docs/content/en/connecting_your_tools/parsers/file/h1.md

@@ -2,7 +2,7 @@
 title: "Immuniweb Scan"
 toc_hide: true
 ---
-XML Scan Result File from Immuniweb Scan.
+XML or JSON Scan Result File from [Immuniweb Scan](https://www.immuniweb.com/).
 
 ### Sample Scan Data
 Sample Immuniweb Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/immuniweb).

docs/content/en/connecting_your_tools/parsers/file/immuniweb.md

@@ -14,5 +14,7 @@ DefectDojo currently supports the parsing of the following Rusty Hog JSON output
 RustyHog scans only one target at a time. This is not efficient if you want to scan all targets (e.g. all JIRA tickets) and upload each single report to DefectDojo.
 [Rusty-Hog-Wrapper](https://github.com/manuel-sommer/Rusty-Hog-Wrapper) deals with this and scans a whole JIRA Project or Confluence Space, merges the findings into a valid file which can be uploaded to DefectDojo. (This is no official recommendation from DefectDojo, but rather a pointer in a direction on how to use this vulnerability scanner in a more efficient way.)
 
+You can either select "Rusty Hog Scan" directly, or specify the sub scanner (e.g. "Duroc Hog Scan"). If you choose "Rusty Hog Scan", we recommend to re-import scans into the same test. For more information look at [this issue](https://github.com/DefectDojo/django-DefectDojo/issues/10584).
+
 ### Sample Scan Data
 Sample Rusty Hog parser scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/rusty_hog).