Merge branch 'dev' into master-into-dev/2.46.2-2.47.0-dev

Author: rossops

.github/workflows/k8s-tests.yml

@@ -11,7 +11,6 @@ env:
     --set createRedisSecret=true \
     "
   HELM_PG_DATABASE_SETTINGS: " \
-    --set database=postgresql \
     --set postgresql.enabled=true \
     --set createPostgresqlSecret=true \
    "

.github/workflows/release-x-manual-helm-chart.yml

@@ -56,7 +56,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Add yq
-        uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1
+        uses: mikefarah/yq@734e2cd25402f10f51351c4034625043f07e7b06 # v4.45.3
 
       - name: Pin version docker version
         id: pin_image

components/package.json

@@ -35,7 +35,7 @@
     "metismenu": "~3.0.7",
     "moment": "^2.30.1",
     "morris.js": "morrisjs/morris.js",
-    "pdfmake": "^0.2.19",
+    "pdfmake": "^0.2.20",
     "startbootstrap-sb-admin-2": "1.0.7"
   },
   "engines": {

components/yarn.lock

@@ -503,15 +503,15 @@ pako@~1.0.2:
   resolved "https://registry.yarnpkg.com/pako/-/pako-1.0.11.tgz#6c9599d340d54dfd3946380252a35705a6b992bf"
   integrity sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==
 
-pdfmake@^0.2.19:
-  version "0.2.19"
-  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.19.tgz#23d6862b395de95e41089263936f0ff806193ea7"
-  integrity sha512-jVUILxOqAgcquxbGCz3Bo1/sGEuVLcReGYvo61oJ2EkkyfrlREd7TfLRF6jdF85aEQjxOj/6BD9uj0p+UfXNkw==
+pdfmake@^0.2.20:
+  version "0.2.20"
+  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.20.tgz#a2e37114e46247c9a295df2fc1c7184942de567e"
+  integrity sha512-bGbxbGFP5p8PWNT3Phsu1ZcRLnRfF6jmnuKTkgmt6i5PZzSdX6JaB+NeTz9q+aocfW8SE9GUjL3o/5GroBqGcQ==
   dependencies:
     "@foliojs-fork/linebreak" "^1.1.2"
     "@foliojs-fork/pdfkit" "^0.15.3"
     iconv-lite "^0.6.3"
-    xmldoc "^2.0.0"
+    xmldoc "^2.0.1"
 
 png-js@^1.0.0:
   version "1.0.0"
@@ -625,9 +625,9 @@ util-deprecate@~1.0.1:
   resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
   integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==
 
-xmldoc@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/xmldoc/-/xmldoc-2.0.0.tgz#948b97c38f0cbc07b878985d14f9e2212127d42a"
-  integrity sha512-6ZsqsqEkIKzWLqGyTN+j+ZRc/vxQHtnlHzSvj3JvM4XZPoZVJxj6fyz0XvwKAf1vh+kSN/HibO1/iJLf3F3LRw==
+xmldoc@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/xmldoc/-/xmldoc-2.0.1.tgz#a901f6a6341e4d8cba3dbc5fc61017249f2adf24"
+  integrity sha512-sOOqgsjl3PU6iBw+fBUGAkTCE+JFK+sBaOL3pnZgzqk2/yvOD7RlFmZtDRJAEBzdpOYxSXyOQH4mjubdfs3MSg==
   dependencies:
     sax "^1.2.4"

docker-compose.yml

@@ -105,7 +105,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:17.4-alpine@sha256:7062a2109c4b51f3c792c7ea01e83ed12ef9a980886e3b3d380a7d2e5f6ce3f5
+    image: postgres:17.5-alpine@sha256:f325a29ec9deb7039c5f07761d77d79d537dac836ecd99f982f6ca5476724604
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

docs/content/en/connecting_your_tools/parsers/file/burp_enterprise.md

@@ -3,11 +3,105 @@ title: "Burp Enterprise Scan"
 toc_hide: true
 ---
 
-### File Types
-DefectDojo parser accepts a Standard Report as an HTML file.  To parse an XML file instead, use this method: https://documentation.defectdojo.com/integrations/parsers/file/burp/
+## Overview
+The Burp Enterprise Scan parser processes HTML reports from Burp Enterprise Edition and imports the findings into DefectDojo. The parser extracts vulnerability details, severity ratings, descriptions, remediation steps, and other metadata from the HTML report.
 
-See also Burp documentation for info on how to export a Standard Report: 
-https://portswigger.net/burp/documentation/enterprise/work-with-scan-results/generate-reports
+## Supported File Types
+The parser accepts a Standard Report as an HTML file. To parse an XML file instead, use the [Burp XML parser](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/burp/).
+
+See the Burp documentation for information on how to export a Standard Report: [PortSwigger Enterprise Edition Downloading reports](https://portswigger.net/burp/documentation/enterprise/work-with-scan-results/generate-reports)
+
+## Standard Format HTML (Main Format)
+
+### Total Fields in HTML
+- Total data fields in Burp Enterprise Scan HTML output: 15
+- Total data fields parsed into DefectDojo finding: 13
+- Total data fields NOT parsed: 2
+
+### Standard Format Field Mapping Details
+
+| Data Field # | Burp Enterprise Scan Data Field | DefectDojo Finding Field | Parser Line # | Notes |
+|-------------|--------------------------------|--------------------------|--------------|-------|
+| 1 | Title | title | 101, 165 | Extracted from issue container h2 element and table rows with "issue-type-row" class |
+| 2 | Severity | severity | 101, 168 | Extracted from table rows, mapped directly (High/Medium/Low/Info) |
+| 3 | Issue Detail | description | 124-135 | Extracted from matching header "issue detail" and formatted with header |
+| 4 | Issue Description | description | 124-135 | Extracted from matching header "issue description" and formatted with header |
+| 5 | Issue Background | impact | 136-139 | Extracted from matching header "issue background" and formatted with header |
+| 6 | Issue Remediation | impact | 136-139 | Extracted from matching header "issue remediation" and formatted with header |
+| 7 | Remediation Detail | mitigation | 140-143 | Extracted from matching header "remediation detail" and formatted with header |
+| 8 | Remediation Background | mitigation | 140-143 | Extracted from matching header "remediation background" and formatted with header |
+| 9 | References | references | 144-152 | Extracted from matching header "references" and formatted with links |
+| 10 | Vulnerability Classifications | references, cwe | 144-157 | Extracts vulnerability IDs (including CWE numbers) and adds to references section |
+| 11 | Request | request_response | 124-135, 190-195 | Stored as request part of request/response pair in evidence container |
+| 12 | Response | request_response | 124-135, 190-195 | Stored as response part of request/response pair in evidence container |
+| 13 | Endpoint URL | endpoints | 88-101 | Combined from base URL (e.g., "https://instance.example.com") and path (e.g., "/fe/m3/m-login") |
+| 14 | Confidence Level | Not Parsed | - | Shown in HTML report (Certain/Firm/Tentative) but not extracted to findings |
+| 15 | Issue ID/Anchor | Not Parsed | - | HTML anchor tags like "#7459896704422157312" are not extracted |
+
+### Field Mapping Details
+The parser has different handling logic for various sections of the Burp Enterprise report:
+
+- For table content sections (using `table_contents_xpath`), the parser extracts:
+  - Base endpoint from h1 elements (e.g., "https://instance.example.com")
+  - Finding titles from elements with "issue-type-row" class (e.g., "Strict transport security not enforced")
+  - Finding paths and severities from table rows
+  - Combines base endpoint with path to construct full endpoints
+
+- For vulnerability details sections (using `vulnerability_list_xpath`), the parser extracts:
+  - Title from h2 elements
+  - Various content sections based on h3 headers matching predefined categories:
+    - Description headers: "issue detail", "issue description"
+    - Impact headers: "issue background", "issue remediation"
+    - Mitigation headers: "remediation detail", "remediation background"
+    - References headers: "vulnerability classifications", "references"
+    - Request/Response headers: "request", "response"
+
+### Special Processing Notes
+
+#### Date Processing
+No special date processing is performed. The parser uses the current date for the finding.
+
+#### Status Conversion
+All findings are set with default status values:
+- `false_p = False`
+- `duplicate = False`
+- `out_of_scope = False`
+- `mitigated = None`
+- `active = True`
+- `verified = False`
+
+#### Severity Conversion
+Severity values are directly mapped from the Burp report without conversion.
+
+#### Description Construction
+The description field is constructed by combining content from "issue detail" and "issue description" sections. The content is formatted with headers and the original text, including proper formatting of lists, links, and other HTML elements. The description typically begins with "**Issue detail**:" or "**Issue description**:" followed by the content, with multiple sections separated by "---" markdown dividers.
+
+#### Title Format
+Finding titles are extracted directly from the h2 elements in issue containers or from table rows with the "issue-type-row" class.
+
+#### Mitigation Construction
+The mitigation field is constructed by combining content from "remediation detail" and "remediation background" sections, with proper formatting.
+
+#### Deduplication
+No explicit deduplication logic is implemented in the parser. DefectDojo's standard deduplication will apply based on the hash_code generated from the finding details.
+
+#### Tags Handling
+No specific tag handling is implemented in the parser.
+
+#### Common settings for all findings
+All findings are set with:
+- `static_finding = False`
+- `dynamic_finding = True`
+
+## Unique Parser Characteristics
+This parser has special handling for different section types within the HTML report:
+- It handles both the main vulnerability data in "issue-container" divs and table-based data separately
+- It includes processing for evidence containers with request/response pairs
+- It performs formatting of HTML content including links, lists, and other elements to maintain readable descriptions
+- It extracts CWE numbers and vulnerability classifications from reference sections
 
 ### Sample Scan Data
-Sample Burp Enterprise Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/burp_enterprise).
+Sample Burp Enterprise Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/burp_enterprise).
+
+### Link to Tool
+[Burp Enterprise Edition](https://portswigger.net/burp/enterprise)

docs/content/en/open_source/performance.md

@@ -15,17 +15,6 @@ change many filters to only search on names, rather than the objects themselves.
 This change will save many large queries, and will improve the performance of UI
 based interactions.
 
-## Asynchronous Import
-
-DefectDojo offers an experimental feature to aynschronously import security reports. 
-This feature works in most use cases, but struggles when doing things such as pushing 
-to Jira during the import process. Because Endpoints are still being processed and 
-created even after the import procedure is completed, pushing Findings to Jira can
-result in incomplete Jira tickets. It is advised to wait until after import has been
-completed (reaches 100%).
-
-To enable this feature, set `ASYNC_FINDING_IMPORT` to True in `local_settings.py`
-
 ## Asynchronous Delete
 
 For larger instances, deleting an object can take minutes for all related objects to be 

docs/content/en/open_source/upgrading/2.46.md

@@ -63,10 +63,10 @@ Before:
     "statistics": {
         "before": {},
         "delta": {
-        "created": {},
-        "closed": {},
-        "reactivated": {},
-        "left untouched": {}
+            "created": {},
+            "closed": {},
+            "reactivated": {},
+            "left untouched": {}
         },
         "after": {}
     }
@@ -76,10 +76,10 @@ After:
     "statistics": {
         "before": {},
         "delta": {
-        "created": {},
-        "closed": {},
-        "reactivated": {},
-        "untouched": {}
+            "created": {},
+            "closed": {},
+            "reactivated": {},
+            "untouched": {}
         },
         "after": {}
     }

docs/content/en/open_source/upgrading/2.47.md

@@ -0,0 +1,11 @@
+---
+title: 'Upgrading to DefectDojo Version 2.47.x'
+toc_hide: true
+weight: -20250505
+description: Drop support for PostgreSQL-HA in HELM
+---
+### Drop support for PostgreSQL-HA in HELM
+
+This release removes support for the PostgreSQL-HA (High Availability) Helm chart as a dependency in the DefectDojo Helm chart. Users relying on the PostgreSQL-HA Helm chart will need to transition to using the standard PostgreSQL configuration or an external PostgreSQL database.
+
+There are no special instructions for upgrading to 2.47.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.47.0) for the contents of the release.