
Release: Merge back 2.41.0 into bugfix from: master-into-bugfix/2.41.0-2.42.0-dev #11358

Merged
merged 95 commits into from
Dec 2, 2024

Conversation

@github-actions github-actions bot commented Dec 2, 2024

Release triggered by rossops

DefectDojo release bot and others added 30 commits November 4, 2024 18:06
….0-dev

Release: Merge back 2.40.0 into dev from: master-into-dev/2.40.0-2.41.0-dev
Bumps [boto3](https://github.com/boto/boto3) from 1.35.53 to 1.35.54.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.53...1.35.54)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.7.1...0.7.2)

---
updated-dependencies:
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.2.14 to 0.2.15.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/0.2.15/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.2.14...0.2.15)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django](https://github.com/django/django) from 5.1.2 to 5.1.3.
- [Commits](django/django@5.1.2...5.1.3)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.54 to 1.35.55.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.54...1.35.55)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.55 to 1.35.56.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.55...1.35.56)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

* add engagement closed template

* add templates for mail, slack, and alerts
* fix(helm): add missing env config on job

The job isn't working well when using an external database, because the init container that checks whether the database is accessible isn't taking the same env values as the container that initializes the database config.

* fix(helm): remove unused env

* chore(helm): prefer using with over if
….0-dev

Release: Merge back 2.40.1 into dev from: master-into-dev/2.40.1-2.41.0-dev
* 🐛 fix renovate ruff update

* ruff

* Update dojo/api_v2/serializers.py

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>
* Ruff: Add and fix S113

* Update dojo/settings/settings.dist.py

Co-authored-by: Charles Neill <[email protected]>

---------

Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Matt Tesauro <[email protected]>
* Ruff: Add and fix PTH113

* sha sum

* sha sum
Bumps [boto3](https://github.com/boto/boto3) from 1.35.56 to 1.35.58.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.56...1.35.58)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ocker-compose.yml) (#11239)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Ruff: Add and fix PTH120

* fix dedupe_test

* fix dedupe_test

* fix

* sha sum

* ruff

* retrigger unittest

* sha sum
kiblik and others added 16 commits November 27, 2024 12:01
* Ruff: add SIM

* Ruff: fix some SIM
Bumps [boto3](https://github.com/boto/boto3) from 1.35.69 to 1.35.70.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.69...1.35.70)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (#11337)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v5.0.0...v5.1.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.0 to 2.10.1.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.10.0...2.10.1)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…json) (#11348)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.70 to 1.35.71.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.70...1.35.71)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.3 to 44.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.3...44.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Release 2.41.0: Merge Bugfix into Dev
Release: Merge release into master from: release/2.41.0

dryrunsecurity bot commented Dec 2, 2024

DryRun Security Summary

The provided code changes cover a range of updates and improvements to the DefectDojo project, including updates to the .gitignore file, Dockerfiles, GitHub Actions workflow, package dependencies, and the docker-compose.yml file, with a focus on improving the security and maintainability of the project.


Summary:

The provided code changes cover a range of updates and improvements to the DefectDojo project, including updates to the .gitignore file, Dockerfiles, GitHub Actions workflow, package dependencies, and the docker-compose.yml file. From an application security perspective, these changes generally appear to be positive and focused on improving the security and maintainability of the project.

Key security-related updates include:

  1. Updating the Nginx base image to a newer version with a specific SHA256 digest, ensuring the use of a secure and vetted base image.
  2. Upgrading the Hugo and Node.js versions used in the GitHub Pages deployment workflow, which helps keep the project's dependencies up-to-date and secure.
  3. Updating the PostgreSQL version used in the docker-compose.yml file, which is a good practice to incorporate the latest security patches and bug fixes.
  4. Reviewing the management of sensitive environment variables, such as database credentials and encryption keys, to ensure they are properly secured.
  5. Monitoring the versions of dependencies, such as the OpenAPI Generator CLI, Chrome, and ChromeDriver, to ensure they are kept up-to-date and secure.

Overall, the changes in this pull request appear to be focused on improving the security, maintainability, and reliability of the DefectDojo project. As an application security engineer, I would recommend closely reviewing the changes and thoroughly testing the application to ensure that no unintended security vulnerabilities are introduced.

Files Changed:

  1. .gitignore: Updates to the .gitignore file to exclude various documentation and development environment-related files and directories, which is a common and recommended practice.
  2. Dockerfile.nginx-debian and Dockerfile.nginx-alpine: Updates to the Nginx-based deployment Dockerfiles, including the use of a specific Nginx base image version and SHA256 digest, as well as the configuration of the Nginx server.
  3. .github/workflows/gh-pages.yml: Updates to the GitHub Actions workflow for deploying the project's documentation to GitHub Pages, including version upgrades for Hugo and Node.js, and improvements to the build and deployment process.
  4. components/package.json: Update to the version of the "pdfmake" dependency, which is a routine dependency update.
  5. Dockerfile.integration-tests-debian: Updates to the Dockerfile used for running integration tests, including version updates for the OpenAPI Generator CLI, Chrome, and ChromeDriver.
  6. components/yarn.lock: Updates to the versions of the @foliojs-fork/fontkit, @foliojs-fork/linebreak, and @foliojs-fork/pdfkit dependencies.
  7. docker-compose.yml: Update to the PostgreSQL image version, as well as a review of the environment variables, volumes, and other configuration settings in the docker-compose.yml file.

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer (1 finding)

@rossops rossops closed this Dec 2, 2024
@rossops rossops reopened this Dec 2, 2024
@github-actions github-actions bot added labels docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm Dec 2, 2024
@rossops rossops merged commit 522aa5a into bugfix Dec 2, 2024
71 checks passed
@rossops rossops deleted the master-into-bugfix/2.41.0-2.42.0-dev branch December 2, 2024 19:04