
Release: Merge back 2.45.3 into dev from: master-into-dev/2.45.3-2.46.0-dev #12325


Merged: 19 commits merged into dev from master-into-dev/2.45.3-2.46.0-dev on Apr 28, 2025

Conversation

github-actions[bot] (Contributor) commented:

Release triggered by rossops

DefectDojo release bot and others added 16 commits April 22, 2025 02:44
….46.0-dev

Release: Merge back 2.45.2 into bugfix from: master-into-bugfix/2.45.2-2.46.0-dev
* add examples_of_use content

* reweight sidebar

---------

Co-authored-by: Paul Osinski <[email protected]>
* Reimport: Special statuses should be respected from reports

* Fixing ruff

* Update unittests/tools/test_checkmarx_one_parser.py

Co-authored-by: Charles Neill <[email protected]>

* Use the correct dict for statuses

---------

Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
* sla: parse finding.date implicitly

* add comment

* move import

* add unit test
* fortify: handle suppressed findings

* ruff

* fortify: handle suppressed findings docs

* fortify: handle suppressed findings docs
* 2.45.2 pro changelog

* add nextgen finding enhancements documentation

* Correcting messy conflict resolution

* Update docs/content/en/changelog/changelog.md

Co-authored-by: Charles Neill <[email protected]>

* Update docs/content/en/working_with_findings/finding_priority.md

Co-authored-by: Charles Neill <[email protected]>

* Update finding_priority.md

---------

Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Release: Merge release into master from: release/2.45.3
@github-actions github-actions bot added labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests, ui, parser and helm on Apr 28, 2025

dryrunsecurity bot commented Apr 28, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains multiple sensitive file edits across various components of the Dojo security tracking system, with potential risks including mass assignment vulnerabilities, JSON injection, cross-site scripting, and unsafe date parsing that could compromise system security if not carefully reviewed and validated.

⚠️ Configured Codepaths Edit in dojo/templatetags/display_tags.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/models.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/templatetags/as_json.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/templatetags/display_tags.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/models.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/templatetags/display_tags.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

⚠️ Potential Mass Assignment Vulnerability in dojo/tools/checkmarx_one/parser.py
Vulnerability: Potential Mass Assignment Vulnerability
Description: The code uses the **instance_details syntax to pass multiple attributes to the Finding model constructor, which could potentially allow mass assignment if instance_details contains user-controlled or unvalidated data.

                date = self._parse_date(instance.get("firstFoundDate"))
            else:
                date = self._parse_date(instance.get("foundDate"))
            instance_details = self.determine_state(instance)
            instance_details.update(base_finding_details)
            # Create the finding object
            finding = Finding(
                severity=instance.get("severity").title(),
                date=date,
                file_path=instance.get("destinationFileName"),
                line=instance.get("destinationLine"),
                **instance_details,
            )
            # Add some details to the description
            if node_snippet := get_node_snippet(instance.get("nodes", [])):

💭 Unconfirmed Findings (5)
Vulnerability: Potential JSON Injection Risk
Description: Identified in multiple webhook template files, the introduction of the as_json_no_html_esc filter could change how special characters and potentially malicious content are handled during JSON serialization, potentially allowing injection of harmful content.

Vulnerability: Potential Cross-Site Scripting (XSS) Risk
Description: Located in dojo/templatetags/as_json.py, the as_json_no_html_esc function uses mark_safe() to bypass HTML escaping, which could allow malicious JSON content to be rendered directly in templates if input is user-controlled.

Vulnerability: Potential Unsafe Date Parsing
Description: Found in dojo/models.py, the introduction of dateutil.parser.parse() could potentially be exploited if an attacker provides maliciously crafted date strings, leading to potential parsing vulnerabilities.

Vulnerability: Potential Information Exposure
Description: Discovered in dojo/settings/settings.dist.py, adding new vulnerability URL mappings could potentially expose internal versioning or naming conventions of the security tracking system.

Vulnerability: Commented Validation Code Risk
Description: Located in dojo/models.py, a commented-out validation check suggests potentially inconsistent date validation, which might indicate bypassing of type checking for critical fields.

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

@rossops rossops merged commit 0b732f0 into dev Apr 28, 2025
78 of 79 checks passed
@rossops rossops deleted the master-into-dev/2.45.3-2.46.0-dev branch April 28, 2025 16:31