Merge branch 'master' into release/2.44.4

Author: rossops

.dryrunsecurity.yaml

@@ -60,7 +60,6 @@ allowedAuthors:
   usernames:
     - mtesauro
     - devGregA
-    - grendel513
     - cneill
     - Maffooch
     - blakeaowens
@@ -71,4 +70,3 @@ allowedAuthors:
     - valentijnscholten
 notificationList:
   - '@mtesauro'
-  - '@grendel513'

.github/CODEOWNERS

@@ -0,0 +1,17 @@
+# Any kind of package updates only need 2 approvals,
+# So let's add three folks here
+requirements.txt @cneill @mtesauro @Maffooch
+# Any dockerfile or compose changes will need to be viewed by
+# these people
+Dockerfile.* @mtesauro @Maffooch 
+docker-compose.* @mtesauro @Maffooch 
+/docker/ @mtesauro @Maffooch 
+# Documentation changes 
+/docs/ @paulOsinski @valentijnscholten @Maffooch
+# Kubernetes should be reviewed by reviewed first by those that know it
+/helm/ @cneill @kiblik
+# Anything UI related needs to be checked out by those with the eye for it
+/dojo/static/ @blakeaowens @Maffooch
+/dojo/templates/ @blakeaowens @Maffooch
+# Any model changes should be closely looked at
+/dojo/models.py @Maffooch

.github/pr-reminder.py

@@ -0,0 +1,219 @@
+import logging
+import os
+from datetime import datetime, timedelta
+
+import requests
+
+logger = logging.getLogger(__name__)
+
+# Set up the GitHub and Slack tokens from environment variables
+GH_TOKEN = os.getenv("GH_TOKEN")
+SLACK_TOKEN = os.getenv("SLACK_TOKEN")
+REPO_OWNER = "DefectDojo"
+REPO_NAME = "django-DefectDojo"
+GITHUB_USER_NAME_TO_SLACK_EMAIL = {
+    "Maffooch": "cody@defectdojo.com",
+    "mtesauro": "matt@defectdojo.com",
+    "devGregA": "greg@defectdojo.com",
+    "blakeaowens": "blake@defectdojo.com",
+    "dogboat": "sean@defectdojo.com",
+    "cneill": "charles@defectdojo.com",
+    "hblankenship": "harold@defectdojo.com",
+}
+
+
+# Helper function to calculate the prior Thursday from a given date
+def get_prior_thursday(date: datetime) -> str:
+    # Calculate the day of the week (0=Monday, 1=Tuesday, ..., 6=Sunday)
+    weekday = date.weekday()
+    # If today is Thursday (weekday 3), return the same day.
+    if weekday == 3:
+        return date
+    # Calculate how many days to subtract to reach the most recent Thursday
+    days_to_subtract = (
+        weekday - 3
+    ) % 7  # (weekday - 3) gives the number of days past Thursday
+    prior_thursday = date - timedelta(days=days_to_subtract)
+
+    return prior_thursday.strftime("%Y-%m-%d")
+
+
+# Helper function to get Slack User ID from Slack Email
+def get_slack_user_id(slack_email: str) -> int:
+    headers = {"Authorization": f"Bearer {SLACK_TOKEN}"}
+    params = {"email": slack_email}
+    response = requests.get(
+        "https://slack.com/api/users.lookupByEmail",
+        headers=headers,
+        params=params,
+        timeout=30,
+    )
+
+    if response.status_code != 200 or not response.json().get("ok"):
+        logger.info(f"Error fetching Slack user ID for email {slack_email}: {response.text}")
+        return None
+
+    return response.json().get("user", {}).get("id")
+
+
+# Helper function to fetch pull requests from GitHub
+def get_pull_requests() -> dict:
+    headers = {"Authorization": f"token {GH_TOKEN}"}
+    response = requests.get(
+        f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/pulls",
+        headers=headers,
+        timeout=30,
+    )
+
+    if response.status_code != 200:
+        logger.info(f"Error fetching PRs: {response.text}")
+        response.raise_for_status()
+
+    return response.json()
+
+
+# Helper function to get PR reviews (approved, changes requested, or pending)
+def get_pr_reviews(pull_request: dict) -> list[dict]:
+    pr_number = pull_request["number"]
+    reviews_url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/pulls/{pr_number}/reviews"
+    headers = {"Authorization": f"token {GH_TOKEN}"}
+    response = requests.get(
+        reviews_url,
+        headers=headers,
+        timeout=30,
+    )
+
+    if response.status_code != 200:
+        logger.info(f"Error fetching reviews for PR {pr_number}: {response.text}")
+        return []
+
+    reviews = response.json()
+    # Dictionary to store the latest review for each user
+    latest_reviews = {}
+    # Iterate over each review to find the latest one for each user
+    for review in reviews:
+        user = review["user"]["login"]
+        submitted_at = review["submitted_at"]
+        state = review["state"]
+        # Convert the submitted_at timestamp to a datetime object for comparison
+        review_time = datetime.strptime(submitted_at, "%Y-%m-%dT%H:%M:%SZ")
+        # If the user doesn't have a review or the current one is later, update
+        if user not in latest_reviews or (
+            review_time > latest_reviews[user]["submitted_at"] and state != "COMMENTED"
+        ):
+            latest_reviews[user] = {
+                "user": user,
+                "state": state,
+                "submitted_at": review_time,
+                "url": review["html_url"],
+            }
+    # Determine if there are any pending reviewers
+    latest_reviews.update(
+        {
+            user_dict.get("login"): {
+                "user": user_dict.get("login"),
+                "state": "PENDING",
+            }
+            for user_dict in pull_request.get("requested_reviewers", [])
+        },
+    )
+    # Return the latest review state and URL for each user
+    return latest_reviews.values()
+
+
+# Helper function to send a message via Slack
+def send_slack_message(slack_user_id: int, message: str) -> None:
+    headers = {
+        "Content-Type": "application/json",
+        "Authorization": f"Bearer {SLACK_TOKEN}",
+    }
+    payload = {"channel": slack_user_id, "text": message}
+    response = requests.post(
+        "https://slack.com/api/chat.postMessage",
+        json=payload,
+        headers=headers,
+        timeout=30,
+    )
+
+    if response.status_code != 200 or not response.json().get("ok"):
+        logger.info(f"Error sending Slack message: {response.text}")
+        response.raise_for_status()
+
+
+# Helper function to format the PR message with review statuses
+def format_pr_message(pull_request: dict, reviews: list[dict]) -> str:
+    repo_name = pull_request["head"]["repo"]["name"]
+    pull_request_title = pull_request["title"]
+    pull_request_url = pull_request["html_url"]
+    pull_request_number = pull_request["number"]
+    constructed_title = f"{repo_name} (#{pull_request_number}): {pull_request_title}"
+    message = f"• <{pull_request_url}|{constructed_title}>"
+    # Fetch the milestone due date and URL
+    if (milestone := pull_request.get("milestone")) is not None and (
+        (milestone_due_date := milestone.get("due_on"))
+        and (milestone_url := milestone.get("html_url"))
+        and (milestone_title := milestone.get("title"))
+    ):
+        message += f"\n    Merge by: {get_prior_thursday(datetime.strptime(milestone_due_date, '%Y-%m-%dT%H:%M:%SZ'))} for release <{milestone_url}|{milestone_title}>"
+    # Format reviews and append to the message (only latest review status per user)
+    message += "\n    Review Status:\n"
+    for review in reviews:
+        user = review["user"]
+        state = review["state"]
+        if url := review.get("url"):
+            message += f"    • {user}: <{url}|{state.lower().capitalize()}>\n"
+        else:
+            message += f"    • {user}: {state.lower().capitalize()}\n"
+
+    return message
+
+
+# Main function to process PRs and notify Slack users
+def notify_reviewers():
+    try:
+        user_pr_map = {}
+        slack_email_to_slack_id = {}
+        pull_requests = get_pull_requests()
+        # Logging all fetched PR details
+        logger.info(f"Fetched {len(pull_requests)} PRs from GitHub.")
+        for pull_request in pull_requests:
+            title = pull_request["title"]
+            pr_number = pull_request["number"]
+            logger.info(f"Processing PR: {pr_number} - {title}")
+            reviews = get_pr_reviews(pull_request)
+            logger.info(f"Found {len(reviews)} reviews for PR {pr_number}.")
+            message = format_pr_message(pull_request, reviews)
+            # Map Slack users to PR messages
+            for review in reviews:
+                github_username = review["user"]
+                if github_username not in user_pr_map:
+                    user_pr_map[github_username] = ""
+                # Determine if we should prune any non pending reviews
+                if f"{github_username}: Pending" in message:
+                    user_pr_map[github_username] += message + "\n"
+        # Add the Header at the beginning of the list
+        header_message = "Here are the PRs that are still requiring review:"
+        # Add Tips and Tricks at the end of the list
+        tips_message = "*Tips and Tricks*\n"
+        tips_message += (
+            "• This is how to remove a PR from the list: Approve, Request changes, or leave a general comment.\n"
+            "• If someone else has requested changes, then leave a general comment to remove the pending review from yourself."
+        )
+        # Send Slack messages to reviewers
+        for github_username, pr_list in user_pr_map.items():
+            if pr_list:
+                if slack_email := GITHUB_USER_NAME_TO_SLACK_EMAIL.get(github_username):
+                    if slack_user_id := slack_email_to_slack_id.get(
+                        slack_email,
+                        get_slack_user_id(slack_email),
+                    ):
+                        message_content = f"Hello {github_username}! {header_message}\n{pr_list}\n{tips_message}"
+                        # logger.info("\n\n", message_content, "\n\n")
+                        send_slack_message(slack_user_id, message_content)
+    except Exception as e:
+        logger.info(f"Error occurred: {e}")
+        raise
+
+
+if __name__ == "__main__":
+    notify_reviewers()

.github/workflows/slack-pr-reminder.yml

@@ -0,0 +1,36 @@
+name: Notify Pending PR Reviewers
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 16 * * 1-5'  # 11:00 AM CT M-F
+
+jobs:
+  notify-reviewers:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          # Only checkout the master branch to avoid changes to this script
+          # This is to reduce the possibilities of a secret leak from modifying
+          # this action, or the python script that is called down below
+          ref: master 
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install requests
+
+      - name: Run PR reminder script
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
+        run: |
+          python3 .github/pr-reminder.py

docs/content/en/changelog/changelog.md

@@ -10,6 +10,16 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Mar 2025: v2.44
 
+### Mar 24, 2025, v2.44.3
+
+- **(Import)** Generic Findings Import will now parse tags in the JSON payload when Async Import is enabled.
+
+### Mar 17, 2025, v2.44.2
+
+- **(Beta UI)** Added a new method to quickly assign permissions to Products or Product Types.  See our [Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/) for more details.
+
+![image](images/pro_permissions_2.png)
+
 ### Mar 10, 2025: v2.44.1
 
 - **(Beta UI)** Added a field in the View Engagement page which allows a user to navigate to the linked Jira Epic, if one exists.

docs/content/en/customize_dojo/user_management/audit_logging.md

@@ -24,6 +24,7 @@ In the Classic (Open-Source) UI, this history is found under the '☰' (hamburge
 This API returns 31 days of audit logs.
 
 * Sending default or empty parameters will return the last 31 days of audit logs.
+
 * Parameter `window_month` which will take a month and year in the format MM-YYYY and provide the audit logs for that month.
 * You can set the `window_start` parameter to limit these logs to a shorter window, rather than returning the entire month.
 

docs/package-lock.json

@@ -21,7 +21,7 @@
   },
   "devDependencies": {
     "prettier": "3.5.2",
-    "vite": "6.2.0"
+    "vite": "6.2.3"
   },
   "engines": {
     "node": "22.14.0"

docs/package.json

@@ -109,6 +109,9 @@ preview = true
     "S105",  # hardcoded passwords in tests are fine
     "S108",  # tmp paths mentioned in tests are fine
 ]
+".github/pr-reminder.py" = [
+    "INP001", # https://docs.astral.sh/ruff/rules/implicit-namespace-package/
+]
 
 [lint.flake8-boolean-trap]
 extend-allowed-calls = ["dojo.utils.get_system_setting"]