Merge pull request #11478 from DefectDojo/master-into-dev/2.41.4-2.42.0-dev

Release: Merge back 2.41.4 into dev from: master-into-dev/2.41.4-2.42.0-dev
rossops authored Dec 30, 2024
2 parents 7e656ed + 7ae7a8c commit c67e81f
Showing 9 changed files with 38 additions and 3 deletions.
5 changes: 5 additions & 0 deletions docs/config/_default/menus/menus.en.toml
@@ -3,6 +3,11 @@
url = "/en/about_defectdojo/about_docs/"
weight = 10

[[main]]
name = "Changelog"
url = "/en/changelog/changelog/"
weight = 11

[[social]]
name = "X"
pre = '<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-brand-x" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z" fill="none"></path><path d="M4 4l11.733 16h4.267l-11.733 -16z"></path><path d="M4 20l6.768 -6.768m2.46 -2.46l6.772 -6.772"></path></svg>'
10 changes: 10 additions & 0 deletions docs/content/en/changelog/changelog.md
@@ -7,6 +7,16 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release

For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide).

## Dec 24, 2024: v2.41.3

- **(API)** Added `/request_response_pairs` endpoint.
- **(Beta UI)** When sorting by Severity, Findings will now be ordered by **severity level** rather than alphabetically.
- **(Beta UI)** On the Findings table, the Endpoint Hosts column has been replaced with a numerical count of affected Endpoints.
- **(Beta UI)** On the Findings table, the Vulnerability ID field can now be filtered with "starts_with", "ends_with" filters.
- **(Beta UI)** Added Edit Test Type form: you can now edit the properties of a custom Test Type to determine if it is Active or Inactive, or a Static Scan or Dynamic Scan Test.
- **(Beta UI)** Same Tool Deduplication Settings / Test Type field is now searchable.
- **(Tools)** Qualys HackerGuardian now uses hashcode against "title", "severity", "description" for deduplication.
- **(Tools)** Horusec scan now uses hashcode against "title", "description", "file_path", and "line" for deduplication.

## Dec 16, 2024: v2.41.2

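Review bot: the two (Tools) lines change the deduplication hashcode fields for Qualys HackerGuardian and Horusec, but say nothing about findings already imported with the old hashcode. Deduplication compares hashcodes, so existing findings will stop matching re-imports of the same result until their hashcodes are recomputed; the entry should state whether users are expected to recompute hashcodes after upgrading or to accept that the next import creates new findings. The `/request_response_pairs` line would also be more useful with the full API path and a link to the endpoint documentation.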
@@ -11,6 +11,8 @@ These attributes are supported for CSV:
- Date: Date of the finding in mm/dd/yyyy format.
- Title: Title of the finding
- CweId: Cwe identifier, must be an integer value.
- epss_score: The probability of exploitation in the next 30 days, must be a float value between 0 and 1.0.
- epss_percentile: The proportion of all scored vulnerabilities with the same or a lower EPSS score, must be a float value between 0 and 1.0.
- Url: Url associated with the finding.
- Severity: Severity of the finding. Must be one of Info, Low, Medium, High, or Critical.
- Description: Description of the finding. Can be multiple lines if enclosed in double quotes.
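Review bot: the new attribute names `epss_score` and `epss_percentile` break the CamelCase convention of every other column in this list (`CweId`, `Url`, `FalsePositive`). The parser matches header names exactly (`if "epss_score" in row:` in csv_parser.py), so a user who writes `EpssScore` by analogy with `CweId` gets no EPSS data and no error. Either rename to `EpssScore`/`EpssPercentile` for consistency, or say explicitly that these two headers must be lowercase with underscores. The phrase "must be a float value between 0 and 1.0" should also state what happens to an empty cell or an out-of-range value (import rejected, or value stored as-is), since that is what a user hitting an import error will look up.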
4 changes: 2 additions & 2 deletions dojo/api_v2/serializers.py
@@ -2129,10 +2129,10 @@ class CommonImportScanSerializer(serializers.Serializer):
help_text="Minimum severity level to be imported",
)
active = serializers.BooleanField(
help_text="Override the active setting from the tool.",
help_text="Force findings to be active/inactive or default to the original tool (None)", required=False,
)
verified = serializers.BooleanField(
help_text="Override the verified setting from the tool.",
help_text="Force findings to be verified/not verified or default to the original tool (None)", required=False,
)

# TODO: why do we allow only existing endpoints?
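Review bot: the new help text on `active` and `verified` promises "default to the original tool (None)", but the declarations only add `required=False`. A DRF `BooleanField` rejects an explicit `null` unless `allow_null=True` is set, and for multipart/form-data requests (the usual shape of a scan upload) DRF's `BooleanField` maps a missing key to `False` rather than leaving the field absent, so the "None means use the tool's value" behaviour described here is not what a form-encoded caller gets when they omit the field. Worth confirming against the importer: either add `allow_null=True` (plus `default=None` if the importer reads the key directly) or reword the help text to describe the actual default.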
1 change: 1 addition & 0 deletions dojo/settings/settings.dist.py
@@ -1777,6 +1777,7 @@ def saml2_attrib_map_format(dict):
"GLSA": "https://security.gentoo.org/", # e.g. https://security.gentoo.org/glsa/202409-32
"RLSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RLSA-2024:7001
"RLBA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RLBA-2024:6968
"CGA": "https://images.chainguard.dev/security/", # e.g. https://images.chainguard.dev/security/CGA-24pq-h5fw-43v3
}
# List of acceptable file types that can be uploaded to a given object via arbitrary file upload
FILE_UPLOAD_TYPES = env("DD_FILE_UPLOAD_TYPES")
6 changes: 6 additions & 0 deletions dojo/tools/generic/csv_parser.py
@@ -66,6 +66,12 @@ def _get_findings_csv(self, filename):
if "CweId" in row:
finding.cwe = int(row["CweId"])

if "epss_score" in row:
finding.epss_score = float(row["epss_score"])

if "epss_percentile" in row:
finding.epss_percentile = float(row["epss_percentile"])

if "CVSSV3" in row:
cvss_objects = cvss_parser.parse_cvss_from_text(row["CVSSV3"])
if len(cvss_objects) > 0:
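Review bot: `float(row["epss_score"])` and `float(row["epss_percentile"])` accept any float and raise a bare `ValueError` on an empty cell, while the documentation added in this same commit says the values "must be a float value between 0 and 1.0". Treat an empty string as "no value" (skip the assignment or set `None`) and validate the parsed number, for example `if not 0.0 <= value <= 1.0: raise ValueError(f"epss_score must be between 0 and 1.0, got {value!r}")`, so a bad cell produces an import error that names the column instead of silently storing an impossible probability. The `CweId` branch above has the same empty-cell problem, but that is pre-existing.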
2 changes: 1 addition & 1 deletion helm/defectdojo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
appVersion: "2.42.0-dev"
description: A Helm chart for Kubernetes to install DefectDojo
name: defectdojo
version: 1.6.166-dev
version: 1.6.167-dev
icon: https://www.defectdojo.org/img/favicon.ico
maintainers:
- name: madchap
2 changes: 2 additions & 0 deletions unittests/scans/generic/generic_csv_with_epss.csv
@@ -0,0 +1,2 @@
Date,Title,CweId,epss_score,epss_percentile, Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive,Duplicate
01/30/2018,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",0,.00042,.23474,https://192.168.1.1/,Low,"Server leaks inodes via ETags, header found with file /, fields: 0xW/109b 0xpqG8TolgxCnpM/7cGOOI0GRS+rc ",,,,False,False,False,False
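Review bot: the header row of the new fixture has a stray space before `Url` (`epss_percentile, Url,`), so `csv.DictReader` produces the key `" Url"` and an exact-match lookup like the `if "CweId" in row` check in csv_parser.py will never see a `Url` column; the test still passes because it only asserts on the EPSS fields. Remove the space so the fixture exercises the header layout the documentation describes, and consider asserting on `unsaved_endpoints` as well so the regression would be caught.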
9 changes: 9 additions & 0 deletions unittests/tools/test_generic_parser.py
@@ -649,3 +649,12 @@ def test_parse_json_invalid_finding(self):
with self.assertRaisesMessage(ValueError,
"Not allowed fields are present: ['invalid_field', 'last_status_update']"):
parser.get_findings(file, Test())

def test_parse_csv_with_epss(self):
with open("unittests/scans/generic/generic_csv_with_epss.csv", encoding="utf-8") as file:
parser = GenericParser()
findings = parser.get_findings(file, self.test)
self.assertEqual(1, len(findings))
finding = findings[0]
self.assertEqual(.00042, finding.epss_score)
self.assertEqual(.23474, finding.epss_percentile)
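Review bot: `test_parse_csv_with_epss` covers only the happy path. Add one fixture row with an empty `epss_score` cell and one with a value outside 0..1.0, asserting the error (or the skip) you want, so the range the documentation promises is pinned by a test rather than left to whatever `float()` happens to do. The `assertEqual(.00042, finding.epss_score)` comparison works here only because both sides come from the same literal through `float()`; `assertAlmostEqual` is the safer idiom for float fields.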
