Merge pull request #11935 from DefectDojo/bugfix

Release 2.44.0: Merge Bugfix into Dev

Author: rossops

.github/ISSUE_TEMPLATE/bug_report.md

@@ -33,6 +33,7 @@ A clear and concise description of what you expected to happen.
 
 **Environment information**
  - Operating System: [e.g. Ubuntu 18.04]
+ - Docker Compose or Helm version (Output of `docker compose version` or `helm version`)
  - DefectDojo version (see footer) or commit message: [use `git show -s --format="[%ci] %h: %s [%d]"`]
 
 **Logs** 

.github/ISSUE_TEMPLATE/support_request.md

@@ -33,6 +33,7 @@ A clear and concise description of what you expected to happen.
 
 **Environment information**
  - Operating System: [e.g. Ubuntu 18.04]
+ - Docker Compose or Helm version (Output of `docker compose version` or `helm version`)
  - DefectDojo version (see footer) or commit message: [use `git show -s --format="[%ci] %h: %s [%d]"`]
 
 **Logs** 

README.md

@@ -109,7 +109,7 @@ our channel there, [#defectdojo](https://owasp.slack.com/channels/defectdojo). F
 
 :warning: We have instituted a [feature freeze](https://github.com/DefectDojo/django-DefectDojo/discussions/8002) on v2
 of DefectDojo as we begin work on v3. Please see our [contributing guidelines](readme-docs/CONTRIBUTING.md) for more
-information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/8974).
+information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/11199).
 
 ## Pro Edition
 [Upgrade to DefectDojo Pro](https://www.defectdojo.com/) today to take your DevSecOps to 11. DefectDojo Pro is

docker-compose.override.unit_tests.yml

@@ -29,6 +29,7 @@ services:
       DD_CELERY_BROKER_PORT: "-1"
       DD_CELERY_BROKER_PATH: '/dojo.celerydb.sqlite'
       DD_CELERY_BROKER_PARAMS: ''
+      DD_JIRA_EXTRA_ISSUE_TYPES: 'Vulnerability' # Shouldn't trigger a migration error
   celerybeat:
     image: busybox:1.37.0-musl
     entrypoint: ['echo', 'skipping', 'celery beat']

docker-compose.override.unit_tests_cicd.yml

@@ -28,6 +28,7 @@ services:
       DD_CELERY_BROKER_PORT: "-1"
       DD_CELERY_BROKER_PATH: '/dojo.celerydb.sqlite'
       DD_CELERY_BROKER_PARAMS: ''
+      DD_JIRA_EXTRA_ISSUE_TYPES: 'Vulnerability' # Shouldn't trigger a migration error
   celerybeat:
     image: busybox:1.37.0-musl
     entrypoint: ['echo', 'skipping', 'celery beat']

docs/content/en/connecting_your_tools/parsers/file/ms_defender.md

@@ -5,6 +5,7 @@ toc_hide: true
 This parser helps to parse Microsoft Defender Findings and supports two types of imports:
 - You can import a JSON output file from the api/vulnerabilities/machinesVulnerabilities endpoint of Microsoft defender.
 - You can upload a custom zip file which include multiple JSON files from two Microsoft Defender Endpoints. For that you have to make your own zip file and include two folders (machines/ and vulnerabilities/) within the zip file. For vulnerabilities/ you can attach multiple JSON files from the api/vulnerabilities/machinesVulnerabilities REST API endpoint of Microsoft Defender. Furthermore, in machines/ you can attach the JSON output from the api/machines REST API endpoint of Microsoft Defender. Then, the parser uses the information in both folders to add more specific information like the affected IP Address to the finding.
+<br>However, if you have a fast changing environment with a huge number of vulnerabilities and endpoints, it is recommended to leave the folder machines/ empty. Then, for stability reasons the machine info is skipped and only the machineID is added to the finding.
 
 ### Sample Scan Data
 Sample MS Defender Parser scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/ms_defender).

dojo/db_migrations/0027_jira_issue_type_settings.py

@@ -1,5 +1,6 @@
 # Generated by Django 2.2.4 on 2020-01-02 15:33
 
+from django.conf import settings
 from django.db import migrations, models
 
 
@@ -13,6 +14,6 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='jira_conf',
             name='default_issue_type',
-            field=models.CharField(choices=[('Task', 'Task'), ('Story', 'Story'), ('Epic', 'Epic'), ('Spike', 'Spike'), ('Bug', 'Bug'), ('Security', 'Security')], default='Bug', help_text='You can define extra issue types in settings.py', max_length=15),
+            field=models.CharField(choices=settings.JIRA_ISSUE_TYPE_CHOICES_CONFIG, default='Bug', help_text='You can define extra issue types in settings.py', max_length=15),
         ),
     ]

dojo/db_migrations/0182_alter_jira_instance_default_issue_type.py

@@ -1,5 +1,6 @@
 # Generated by Django 4.1.7 on 2023-03-06 11:38
 
+from django.conf import settings
 from django.db import migrations, models
 
 
@@ -13,6 +14,6 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='jira_instance',
             name='default_issue_type',
-            field=models.CharField(choices=[('Task', 'Task'), ('Story', 'Story'), ('Epic', 'Epic'), ('Spike', 'Spike'), ('Bug', 'Bug'), ('Security', 'Security')], default='Bug', help_text='You can define extra issue types in settings.py', max_length=255),
+            field=models.CharField(choices=settings.JIRA_ISSUE_TYPE_CHOICES_CONFIG, default='Bug', help_text='You can define extra issue types in settings.py', max_length=255),
         ),
     ]

dojo/settings/settings.dist.py

@@ -1761,9 +1761,12 @@ def saml2_attrib_map_format(din):
     "ALBA-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/ALBA-2019:3411
     "ALSA-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/ALSA-2024:0827
     "AVD": "https://avd.aquasec.com/misconfig/",  # e.g. https://avd.aquasec.com/misconfig/avd-ksv-01010
+    "BAM-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/BAM-25498
+    "BSERV-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/BSERV-19020
     "C-": "https://hub.armosec.io/docs/",  # e.g. https://hub.armosec.io/docs/c-0085
     "CAPEC": "https://capec.mitre.org/data/definitions/&&.html",  # e.g. https://capec.mitre.org/data/definitions/157.html
     "CGA-": "https://images.chainguard.dev/security/",  # e.g. https://images.chainguard.dev/security/CGA-24pq-h5fw-43v3
+    "CONFSERVER-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/CONFSERVER-93361
     "CVE-": "https://nvd.nist.gov/vuln/detail/",  # e.g. https://nvd.nist.gov/vuln/detail/cve-2022-22965
     "CWE": "https://cwe.mitre.org/data/definitions/&&.html",  # e.g. https://cwe.mitre.org/data/definitions/79.html
     "DLA-": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/DLA-3917-1
@@ -1774,9 +1777,12 @@ def saml2_attrib_map_format(din):
     "FEDORA-": "https://bodhi.fedoraproject.org/updates/",  # e.g. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-06aa7dc422
     "GHSA-": "https://github.com/advisories/",  # e.g. https://github.com/advisories/GHSA-58vj-cv5w-v4v6
     "GLSA": "https://security.gentoo.org/",  # e.g. https://security.gentoo.org/glsa/202409-32
+    "JSDSERVER-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/JSDSERVER-14872
     "KHV": "https://avd.aquasec.com/misconfig/kubernetes/",  # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045
+    "MGAA-": "https://advisories.mageia.org/&&.html",  # e.g. https://advisories.mageia.org/MGAA-2013-0054.html
     "MGASA-": "https://advisories.mageia.org/&&.html",  # e.g. https://advisories.mageia.org/MGASA-2025-0023.html
     "OSV-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/OSV-2024-1330
+    "PAN-SA-": "https://security.paloaltonetworks.com/",  # e.g. https://security.paloaltonetworks.com/PAN-SA-2024-0010
     "PMASA-": "https://www.phpmyadmin.net/security/",  # e.g. https://www.phpmyadmin.net/security/PMASA-2025-1
     "PYSEC-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/PYSEC-2024-48
     "RHBA-": "https://access.redhat.com/errata/",  # e.g. https://access.redhat.com/errata/RHBA-2024:2406
@@ -1787,6 +1793,7 @@ def saml2_attrib_map_format(din):
     "RUSTSEC-": "https://rustsec.org/advisories/",  # e.g. https://rustsec.org/advisories/RUSTSEC-2024-0432
     "RXSA-": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RXSA-2024:4928
     "SNYK-": "https://snyk.io/vuln/",  # e.g. https://security.snyk.io/vuln/SNYK-JS-SOLANAWEB3JS-8453984
+    "SUSE-SU-": "https://www.suse.com/support/update/announcement/",  # e.g. https://www.suse.com/support/update/announcement/2024/suse-su-20244196-1
     "TEMP-": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF
     "TYPO3-": "https://typo3.org/security/advisory/",  # e.g. https://typo3.org/security/advisory/typo3-core-sa-2025-010
     "USN-": "https://ubuntu.com/security/notices/",  # e.g. https://ubuntu.com/security/notices/USN-6642-1

dojo/static/dojo/js/metrics.js

@@ -738,6 +738,75 @@ function accepted_per_week_2(critical, high, medium, low) {
         options);
 }
 
+
+// This function is valid besides metrics.html also for the dashboard-metrics.html, 
+// dashboard.html, and product-metrics.html
+function updatePunchcardTable(punchcardData, ticks) {
+    let tableBody = $("#punchcard-table tbody");
+
+    const daysMap = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"];
+    let formattedData = {};
+    
+    // No table processing in case of no data
+    if (punchcardData.length === 0 || ticks.length === 0) return; 
+
+    // Removing html elements from the ticks dates
+    let ticksMap = {};
+    ticks.forEach(entry => {
+        let weekIndex = String(entry[0]);
+        let rawHtml = entry[1]; 
+
+        // Goodbye <span> + space instead of <br/> 
+        let cleanDate = rawHtml.replace(/<\/?span[^>]*>/g, "").replace(/<br\s*\/?>/g, " ");
+        cleanDate = cleanDate.trim();
+        ticksMap[weekIndex] = cleanDate;
+    });
+
+    let minWeekOffset = ticks[0][0]; 
+    let maxWeekOffset = ticks[ticks.length - 1][0]; 
+    
+    for (let weekOffset = minWeekOffset; weekOffset <= maxWeekOffset; weekOffset++) {
+        let formattedDate = ticksMap[String(weekOffset)] || "Unknown Date";
+        let formattedWeek = `Week ${weekOffset - minWeekOffset + 1}, starting on ${formattedDate}`;
+
+        formattedData[formattedWeek] = {
+            "Monday": 0, "Tuesday": 0, "Wednesday": 0,
+            "Thursday": 0, "Friday": 0, "Saturday": 0, "Sunday": 0
+        };
+    }
+
+    // Populating week data
+    punchcardData.forEach(entry => {
+        let weekOffset = entry[0]; 
+        let day = daysMap[entry[1]];
+        let value = entry[3] || 0;
+
+        let formattedDate = ticksMap[String(weekOffset)] || "Unknown Date";
+        let formattedWeek = `Week ${weekOffset - minWeekOffset + 1}, starting on ${formattedDate}`;
+
+        if (formattedData[formattedWeek]) {
+            formattedData[formattedWeek][day] = value;
+        }
+    });
+
+    // Rendering accessibility table body
+    Object.entries(formattedData).forEach(([week, values]) => {
+        let newRow = `
+            <tr>
+                <td scope="row">${week}</td>
+                <td>${values.Monday || '0'}</td>
+                <td>${values.Tuesday || '0'}</td>
+                <td>${values.Wednesday || '0'}</td>
+                <td>${values.Thursday || '0'}</td>
+                <td>${values.Friday || '0'}</td>
+                <td>${values.Saturday || '0'}</td>
+                <td>${values.Sunday || '0'}</td>
+            </tr>
+        `;
+        tableBody.append(newRow);
+    });
+}
+
 /*
         product_metrics.html
 */