Merge pull request #11187 from DefectDojo/bugfix

Release 2.40.0: Merge Bugfix into Dev

Author: rossops

docs/assets/icons/logo.svg

@@ -77,6 +77,12 @@ weight = 1
     pre = "<i class='fab fa-github'></i>"
     url = "https://github.com/DefectDojo/django-DefectDojo"
 
+[[menu.main]]
+    name = "Knowledge Base"
+    weight = 50
+    pre = "<i class='fas fa-atlas'></i>"
+    url = "https://support.defectdojo.com"
+
 [markup]
   [markup.goldmark]
     [markup.goldmark.renderer]

docs/config.dev.toml

@@ -77,6 +77,12 @@ weight = 1
     pre = "<i class='fab fa-github'></i>"
     url = "https://github.com/DefectDojo/django-DefectDojo"
 
+[[menu.main]]
+    name = "Knowledge Base"
+    weight = 50
+    pre = "<i class='fas fa-atlas'></i>"
+    url = "https://support.defectdojo.com"
+
 [markup]
   [markup.goldmark]
     [markup.goldmark.renderer]

docs/config.master.toml

@@ -16,9 +16,9 @@ All commands assume that you're located at the root of the django-DefectDojo clo
 - It's advised that you create a dedicated branch for your development, such as `git checkout -b parser-name`.
 
 It is easiest to use the docker compose deployment as it has hot-reload capbility for uWSGI.
-Set up your environment to use the debug environment:
+Set up your environment to use the dev environment:
 
-`$ docker/setEnv.sh debug`
+`$ docker/setEnv.sh dev`
 
 Please have a look at [DOCKER.md](https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md) for more details.
 
@@ -294,12 +294,24 @@ This local command will launch the unit test for your new parser
 $ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.<your_unittest_py_file>.<main_class_name> -v2'
 {{< /highlight >}}
 
+or like this:
+
+{{< highlight bash >}}
+$ ./dc-unittest.sh --test-case unittests.tools.<your_unittest_py_file>.<main_class_name>
+{{< /highlight >}}
+
 Example for the blackduck hub parser:
 
 {{< highlight bash >}}
 $ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser -v2'
 {{< /highlight >}}
 
+or like this:
+
+{{< highlight bash >}}
+$ ./dc-unittest.sh --test-case unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser
+{{< /highlight >}}
+
 {{% alert title="Information" color="info" %}}
 If you want to run all unit tests, simply run `$ docker compose exec uwsgi bash -c 'python manage.py test unittests -v2'`
 {{% /alert %}}

docs/content/en/contributing/how-to-write-a-parser.md

@@ -14,11 +14,11 @@ See instructions in [DOCKER.md](<https://github.com/DefectDojo/django-DefectDojo
 
 ### SaaS (Includes Support & Supports the Project)
 
-[SaaS link](https://www.defectdojo.com/pricing)
+[SaaS link](https://defectdojo.com/platform)
 
 ### AWS AMI (Supports the Project)
 
-[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://www.10security.com/defectdojo-aws-launch-guide)
+[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://defectdojo.com/defectdojo-aws-launch-guide)
 
 ---
 ## **Options for the brave (not officially supported)**

docs/content/en/getting_started/installation.md

@@ -2257,6 +2257,13 @@ def setup_common_context(self, data: dict) -> dict:
             if context.get("scan_date")
             else None
         )
+
+        # engagement end date was not being used at all and so target_end would also turn into None
+        # in this case, do not want to change target_end unless engagement_end exists
+        eng_end_date = context.get("engagement_end_date", None)
+        if eng_end_date:
+            context["target_end"] = context.get("engagement_end_date")
+
         return context
 
 

dojo/api_v2/serializers.py

@@ -1 +1 @@
-39cdd5dfe53499bfe201d3e5a0f55b20514272235e86db7d5238f2663b79f946
+6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8

dojo/settings/.settings.dist.py.sha256sum

@@ -276,7 +276,7 @@
     DD_DELETE_PREVIEW=(bool, True),
     # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
     DD_FILE_UPLOAD_TYPES=(list, [".txt", ".pdf", ".json", ".xml", ".csv", ".yml", ".png", ".jpeg",
-                                 ".sarif", ".xlsx", ".doc", ".html", ".js", ".nessus", ".zip"]),
+                                 ".sarif", ".xlsx", ".doc", ".html", ".js", ".nessus", ".zip", ".fpr"]),
     # Max file size for scan added via API in MB
     DD_SCAN_FILE_MAX_SIZE=(int, 100),
     # When disabled, existing user tokens will not be removed but it will not be
@@ -1742,6 +1742,7 @@ def saml2_attrib_map_format(dict):
     "USN": "https://ubuntu.com/security/notices/",  # e.g. https://ubuntu.com/security/notices/USN-6642-1
     "DLA": "https://security-tracker.debian.org/tracker/",  # e.g. https://security-tracker.debian.org/tracker/DLA-3917-1
     "ELSA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
+    "ELBA": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "RXSA": "https://errata.rockylinux.org/",  # e.g. https://errata.rockylinux.org/RXSA-2024:4928
 }
 # List of acceptable file types that can be uploaded to a given object via arbitrary file upload

dojo/settings/settings.dist.py

@@ -103,6 +103,9 @@ def get_findings(self, filename: str, test: Test):
             mitigation = str(row.get("Solution", row.get("definition.solution", row.get("Steps to Remediate", "N/A"))))
             impact = row.get("Description", row.get("definition.description", "N/A"))
             references = row.get("See Also", row.get("definition.see_also", "N/A"))
+            references += "\nTenable Plugin ID: " + row.get("Plugin", "N/A")
+            references += "\nPlugin Publication Date: " + row.get("Plugin Publication Date", "N/A")
+            references += "\nPlugin Modification Date: " + row.get("Plugin Modification Date", "N/A")
             # Determine if the current row has already been processed
             dupe_key = (
                 severity

dojo/tools/tenable/csv_format.py

@@ -10,8 +10,15 @@
 
 
 class TrivyChecksHandler:
-    def handle_checks(self, service, checks, test):
+    def handle_checks(self, labels, checks, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for check in checks:
             check_title = check.get("title")
             check_severity = TRIVY_SEVERITIES[check.get("severity")]
@@ -23,6 +30,10 @@ def handle_checks(self, service, checks, test):
                     + check_id.lower()
                 )
             check_description = check.get("description", "")
+            check_description += "\n**container.name:** " + container_name
+            check_description += "\n**resource.kind:** " + resource_kind
+            check_description += "\n**resource.name:** " + resource_name
+            check_description += "\n**resource.namespace:** " + resource_namespace
             title = f"{check_id} - {check_title}"
             finding = Finding(
                 test=test,
@@ -33,6 +44,7 @@ def handle_checks(self, service, checks, test):
                 static_finding=True,
                 dynamic_finding=False,
                 service=service,
+                tags=[resource_namespace],
             )
             if check_id:
                 finding.unsaved_vulnerability_ids = [check_id]