Merge branch 'dev' into master-into-dev/2.46.3-2.47.0-dev

Author: rossops

.github/workflows/build-docker-images-for-testing.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Build
         id: docker_build
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         timeout-minutes: 15
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false

.github/workflows/gh-pages.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '22.15.0'
+          node-version: '22.15.1'
 
       - name: Cache dependencies
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/k8s-tests.yml

@@ -11,7 +11,6 @@ env:
     --set createRedisSecret=true \
     "
   HELM_PG_DATABASE_SETTINGS: " \
-    --set database=postgresql \
     --set postgresql.enabled=true \
     --set createPostgresqlSecret=true \
    "

.github/workflows/release-x-manual-docker-containers.yml

@@ -66,7 +66,7 @@ jobs:
         # we cannot set any tags here, those are set on the merged digest in release-x-manual-merge-container-digests.yml
       - name: Build and push images
         id: build
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false
         with:

.github/workflows/release-x-manual-helm-chart.yml

@@ -56,7 +56,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Add yq
-        uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1
+        uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4
 
       - name: Pin version docker version
         id: pin_image

.github/workflows/validate_docs_build.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '22.15.0'
+          node-version: '22.15.1'
 
       - name: Cache dependencies
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

components/package.json

@@ -35,7 +35,7 @@
     "metismenu": "~3.0.7",
     "moment": "^2.30.1",
     "morris.js": "morrisjs/morris.js",
-    "pdfmake": "^0.2.19",
+    "pdfmake": "^0.2.20",
     "startbootstrap-sb-admin-2": "1.0.7"
   },
   "engines": {

components/yarn.lock

@@ -503,15 +503,15 @@ pako@~1.0.2:
   resolved "https://registry.yarnpkg.com/pako/-/pako-1.0.11.tgz#6c9599d340d54dfd3946380252a35705a6b992bf"
   integrity sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==
 
-pdfmake@^0.2.19:
-  version "0.2.19"
-  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.19.tgz#23d6862b395de95e41089263936f0ff806193ea7"
-  integrity sha512-jVUILxOqAgcquxbGCz3Bo1/sGEuVLcReGYvo61oJ2EkkyfrlREd7TfLRF6jdF85aEQjxOj/6BD9uj0p+UfXNkw==
+pdfmake@^0.2.20:
+  version "0.2.20"
+  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.20.tgz#a2e37114e46247c9a295df2fc1c7184942de567e"
+  integrity sha512-bGbxbGFP5p8PWNT3Phsu1ZcRLnRfF6jmnuKTkgmt6i5PZzSdX6JaB+NeTz9q+aocfW8SE9GUjL3o/5GroBqGcQ==
   dependencies:
     "@foliojs-fork/linebreak" "^1.1.2"
     "@foliojs-fork/pdfkit" "^0.15.3"
     iconv-lite "^0.6.3"
-    xmldoc "^2.0.0"
+    xmldoc "^2.0.1"
 
 png-js@^1.0.0:
   version "1.0.0"
@@ -625,9 +625,9 @@ util-deprecate@~1.0.1:
   resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
   integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==
 
-xmldoc@^2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/xmldoc/-/xmldoc-2.0.0.tgz#948b97c38f0cbc07b878985d14f9e2212127d42a"
-  integrity sha512-6ZsqsqEkIKzWLqGyTN+j+ZRc/vxQHtnlHzSvj3JvM4XZPoZVJxj6fyz0XvwKAf1vh+kSN/HibO1/iJLf3F3LRw==
+xmldoc@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/xmldoc/-/xmldoc-2.0.1.tgz#a901f6a6341e4d8cba3dbc5fc61017249f2adf24"
+  integrity sha512-sOOqgsjl3PU6iBw+fBUGAkTCE+JFK+sBaOL3pnZgzqk2/yvOD7RlFmZtDRJAEBzdpOYxSXyOQH4mjubdfs3MSg==
   dependencies:
     sax "^1.2.4"

docker-compose.yml

@@ -105,7 +105,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:17.4-alpine@sha256:7062a2109c4b51f3c792c7ea01e83ed12ef9a980886e3b3d380a7d2e5f6ce3f5
+    image: postgres:17.5-alpine@sha256:f325a29ec9deb7039c5f07761d77d79d537dac836ecd99f982f6ca5476724604
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

docs/content/en/connecting_your_tools/parsers/file/burp_enterprise.md

@@ -3,11 +3,105 @@ title: "Burp Enterprise Scan"
 toc_hide: true
 ---
 
-### File Types
-DefectDojo parser accepts a Standard Report as an HTML file.  To parse an XML file instead, use this method: https://documentation.defectdojo.com/integrations/parsers/file/burp/
+## Overview
+The Burp Enterprise Scan parser processes HTML reports from Burp Enterprise Edition and imports the findings into DefectDojo. The parser extracts vulnerability details, severity ratings, descriptions, remediation steps, and other metadata from the HTML report.
 
-See also Burp documentation for info on how to export a Standard Report: 
-https://portswigger.net/burp/documentation/enterprise/work-with-scan-results/generate-reports
+## Supported File Types
+The parser accepts a Standard Report as an HTML file. To parse an XML file instead, use the [Burp XML parser](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/burp/).
+
+See the Burp documentation for information on how to export a Standard Report: [PortSwigger Enterprise Edition Downloading reports](https://portswigger.net/burp/documentation/enterprise/work-with-scan-results/generate-reports)
+
+## Standard Format HTML (Main Format)
+
+### Total Fields in HTML
+- Total data fields in Burp Enterprise Scan HTML output: 15
+- Total data fields parsed into DefectDojo finding: 13
+- Total data fields NOT parsed: 2
+
+### Standard Format Field Mapping Details
+
+| Data Field # | Burp Enterprise Scan Data Field | DefectDojo Finding Field | Parser Line # | Notes |
+|-------------|--------------------------------|--------------------------|--------------|-------|
+| 1 | Title | title | 101, 165 | Extracted from issue container h2 element and table rows with "issue-type-row" class |
+| 2 | Severity | severity | 101, 168 | Extracted from table rows, mapped directly (High/Medium/Low/Info) |
+| 3 | Issue Detail | description | 124-135 | Extracted from matching header "issue detail" and formatted with header |
+| 4 | Issue Description | description | 124-135 | Extracted from matching header "issue description" and formatted with header |
+| 5 | Issue Background | impact | 136-139 | Extracted from matching header "issue background" and formatted with header |
+| 6 | Issue Remediation | impact | 136-139 | Extracted from matching header "issue remediation" and formatted with header |
+| 7 | Remediation Detail | mitigation | 140-143 | Extracted from matching header "remediation detail" and formatted with header |
+| 8 | Remediation Background | mitigation | 140-143 | Extracted from matching header "remediation background" and formatted with header |
+| 9 | References | references | 144-152 | Extracted from matching header "references" and formatted with links |
+| 10 | Vulnerability Classifications | references, cwe | 144-157 | Extracts vulnerability IDs (including CWE numbers) and adds to references section |
+| 11 | Request | request_response | 124-135, 190-195 | Stored as request part of request/response pair in evidence container |
+| 12 | Response | request_response | 124-135, 190-195 | Stored as response part of request/response pair in evidence container |
+| 13 | Endpoint URL | endpoints | 88-101 | Combined from base URL (e.g., "https://instance.example.com") and path (e.g., "/fe/m3/m-login") |
+| 14 | Confidence Level | Not Parsed | - | Shown in HTML report (Certain/Firm/Tentative) but not extracted to findings |
+| 15 | Issue ID/Anchor | Not Parsed | - | HTML anchor tags like "#7459896704422157312" are not extracted |
+
+### Field Mapping Details
+The parser has different handling logic for various sections of the Burp Enterprise report:
+
+- For table content sections (using `table_contents_xpath`), the parser extracts:
+  - Base endpoint from h1 elements (e.g., "https://instance.example.com")
+  - Finding titles from elements with "issue-type-row" class (e.g., "Strict transport security not enforced")
+  - Finding paths and severities from table rows
+  - Combines base endpoint with path to construct full endpoints
+
+- For vulnerability details sections (using `vulnerability_list_xpath`), the parser extracts:
+  - Title from h2 elements
+  - Various content sections based on h3 headers matching predefined categories:
+    - Description headers: "issue detail", "issue description"
+    - Impact headers: "issue background", "issue remediation"
+    - Mitigation headers: "remediation detail", "remediation background"
+    - References headers: "vulnerability classifications", "references"
+    - Request/Response headers: "request", "response"
+
+### Special Processing Notes
+
+#### Date Processing
+No special date processing is performed. The parser uses the current date for the finding.
+
+#### Status Conversion
+All findings are set with default status values:
+- `false_p = False`
+- `duplicate = False`
+- `out_of_scope = False`
+- `mitigated = None`
+- `active = True`
+- `verified = False`
+
+#### Severity Conversion
+Severity values are directly mapped from the Burp report without conversion.
+
+#### Description Construction
+The description field is constructed by combining content from "issue detail" and "issue description" sections. The content is formatted with headers and the original text, including proper formatting of lists, links, and other HTML elements. The description typically begins with "**Issue detail**:" or "**Issue description**:" followed by the content, with multiple sections separated by "---" markdown dividers.
+
+#### Title Format
+Finding titles are extracted directly from the h2 elements in issue containers or from table rows with the "issue-type-row" class.
+
+#### Mitigation Construction
+The mitigation field is constructed by combining content from "remediation detail" and "remediation background" sections, with proper formatting.
+
+#### Deduplication
+No explicit deduplication logic is implemented in the parser. DefectDojo's standard deduplication will apply based on the hash_code generated from the finding details.
+
+#### Tags Handling
+No specific tag handling is implemented in the parser.
+
+#### Common settings for all findings
+All findings are set with:
+- `static_finding = False`
+- `dynamic_finding = True`
+
+## Unique Parser Characteristics
+This parser has special handling for different section types within the HTML report:
+- It handles both the main vulnerability data in "issue-container" divs and table-based data separately
+- It includes processing for evidence containers with request/response pairs
+- It performs formatting of HTML content including links, lists, and other elements to maintain readable descriptions
+- It extracts CWE numbers and vulnerability classifications from reference sections
 
 ### Sample Scan Data
-Sample Burp Enterprise Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/burp_enterprise).
+Sample Burp Enterprise Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/burp_enterprise).
+
+### Link to Tool
+[Burp Enterprise Edition](https://portswigger.net/burp/enterprise)

docs/content/en/open_source/upgrading/2.46.md

@@ -63,10 +63,10 @@ Before:
     "statistics": {
         "before": {},
         "delta": {
-        "created": {},
-        "closed": {},
-        "reactivated": {},
-        "left untouched": {}
+            "created": {},
+            "closed": {},
+            "reactivated": {},
+            "left untouched": {}
         },
         "after": {}
     }
@@ -76,10 +76,10 @@ After:
     "statistics": {
         "before": {},
         "delta": {
-        "created": {},
-        "closed": {},
-        "reactivated": {},
-        "untouched": {}
+            "created": {},
+            "closed": {},
+            "reactivated": {},
+            "untouched": {}
         },
         "after": {}
     }

docs/content/en/open_source/upgrading/2.47.md

@@ -0,0 +1,11 @@
+---
+title: 'Upgrading to DefectDojo Version 2.47.x'
+toc_hide: true
+weight: -20250505
+description: Drop support for PostgreSQL-HA in HELM
+---
+### Drop support for PostgreSQL-HA in HELM
+
+This release removes support for the PostgreSQL-HA (High Availability) Helm chart as a dependency in the DefectDojo Helm chart. Users relying on the PostgreSQL-HA Helm chart will need to transition to using the standard PostgreSQL configuration or an external PostgreSQL database.
+
+There are no special instructions for upgrading to 2.47.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.47.0) for the contents of the release.

docs/content/en/working_with_findings/organizing_engagements_tests/product_hierarchy.md

@@ -112,11 +112,29 @@ Tests are a grouping of activities conducted by engineers to attempt to discover
 Tests always have:
 
 * a unique **Test Title**
-* a specific **Test Type (**API Test, Nessus Scan, etc)
+* a specific **Test Type** (API Test, Nessus Scan, etc)
 * an associated test **Environment**
 * an associated **Engagement**
 
-Tests can be created in different ways. Scan data can be directly imported to an Engagement, which will then create a new Test containing that data. Tests can also be created in advance without scan data, as part of planning future Engagements.
+Tests can be created in different ways.  Tests can be automatically created when scan data is imported directly into to an Engagement, resulting in a new Test containing the scan data. Tests can also be created in anticipation of planning future engagements, or for manually entered security findings requiring tracking and remediation.
+
+### **Test Types**
+
+DefectDojo supports two categories of Test Types:
+
+1. **Parser-based Test Types**: These correspond to specific security scanners that produce output in formats like XML, JSON, or CSV. When importing scan results, DefectDojo uses specialized parsers to convert the scanner output into Findings.
+
+2. **Non-parser Test Types**: These are used for manually created findings not imported from a scan files. 
+The following Test Types appear in the "Scan Type" dropdown when creating a new test, but will not appear when selecting "Import Scan":
+   * API Test
+   * Static Check
+   * Pen Test
+   * Web Application Test
+   * Security Research
+   * Threat Modeling
+   * Manual Code Review
+
+Non-parser Test Types should be used when you need to manually create findings that require remediation but don't originate from automated scanner output.
 
 #### **How do Tests interact with each other?**
 
@@ -163,4 +181,4 @@ Scan data generally will contain references to the hosts or endpoints affected b
 Examples:
 -   https://www.example.com
 -   https://www.example.com:8080/products
--   192.168.0.36
+-   192.168.0.36

docs/package-lock.json

@@ -16,14 +16,14 @@
     "@thulite/images": "3.3.0",
     "@thulite/inline-svg": "1.2.0",
     "@thulite/seo": "2.4.1",
-    "@tabler/icons": "3.31.0",
+    "@tabler/icons": "3.33.0",
     "thulite": "2.5.0"
   },
   "devDependencies": {
     "prettier": "3.5.3",
-    "vite": "6.3.4"
+    "vite": "6.3.5"
   },
   "engines": {
-    "node": "22.15.0"
+    "node": "22.15.1"
   }
 }