Merge branch 'dev' into master-into-dev/2.48.4-2.49.0-dev

Author: Maffooch

.github/workflows/gh-pages.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '22.17.0'
+          node-version: '22.17.1'
 
       - name: Cache dependencies
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/release-x-manual-helm-chart.yml

@@ -71,7 +71,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Add yq
-        uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4
+        uses: mikefarah/yq@1187c954ec44c3a0e62c13ca7dc9dadc1ca80ae7 # v4.46.1
 
       - name: Pin version docker version
         id: pin_image

.github/workflows/validate_docs_build.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '22.17.0'
+          node-version: '22.17.1'
 
       - name: Cache dependencies
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

Dockerfile.nginx-alpine

@@ -54,7 +54,7 @@ COPY manage.py ./
 COPY dojo/ ./dojo/
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.28.0-alpine3.21@sha256:aed99734248e851764f1f2146835ecad42b5f994081fa6631cc5d79240891ec9
+FROM nginx:1.28.0-alpine3.21@sha256:d83c0138ea82c9f05c4378a5001e0c71256b647603c10c186bd7697a4db722d3
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

Dockerfile.nginx-debian

@@ -73,7 +73,7 @@ COPY dojo/ ./dojo/
 
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.28.0-alpine3.21@sha256:aed99734248e851764f1f2146835ecad42b5f994081fa6631cc5d79240891ec9
+FROM nginx:1.28.0-alpine3.21@sha256:d83c0138ea82c9f05c4378a5001e0c71256b647603c10c186bd7697a4db722d3
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

components/package.json

@@ -13,7 +13,7 @@
     "chosen-js": "^1.8.7",
     "clipboard": "^2.0.11",
     "datatables.net": "^2.3.1",
-    "datatables.net-buttons-bs": "^3.2.3",
+    "datatables.net-buttons-bs": "^3.2.4",
     "datatables.net-colreorder": "^2.1.1",
     "drmonty-datatables-plugins": "^1.0.0",
     "drmonty-datatables-responsive": "^1.0.0",

components/yarn.lock

@@ -187,19 +187,19 @@ datatables.net-bs@^2:
     datatables.net "2.3.2"
     jquery ">=1.7"
 
-datatables.net-buttons-bs@^3.2.3:
-  version "3.2.3"
-  resolved "https://registry.yarnpkg.com/datatables.net-buttons-bs/-/datatables.net-buttons-bs-3.2.3.tgz#989dfaebad1731fc72ebe1fc33bf9e94b365ec2a"
-  integrity sha512-1Td8OKEeyKB+W26pbqxUlea6NUoR0znQq2c2tqDfnCAWRBfJaNs2+xXBdYhylC5ACGmie1HieliS8kV9gAfY6w==
+datatables.net-buttons-bs@^3.2.4:
+  version "3.2.4"
+  resolved "https://registry.yarnpkg.com/datatables.net-buttons-bs/-/datatables.net-buttons-bs-3.2.4.tgz#7a883c3ee8c6428fb99e6e6e56c39d0051386039"
+  integrity sha512-wOljUlsJ4sU5pABim+cwbO61ZFRv4aak1PkNL812i/qFwIEcsji7uz59PAx1ZoP1YdNtetj4Vn7D5oTU+Ijedw==
   dependencies:
     datatables.net-bs "^2"
-    datatables.net-buttons "3.2.3"
+    datatables.net-buttons "3.2.4"
     jquery ">=1.7"
 
-datatables.net-buttons@3.2.3:
-  version "3.2.3"
-  resolved "https://registry.yarnpkg.com/datatables.net-buttons/-/datatables.net-buttons-3.2.3.tgz#26eae1f012fd5cfbfcf28dfbfd8a4b644ea8a4ae"
-  integrity sha512-K+WeQWUYVGe5c3Gwb8Gfi7YpUXbJEerik3B2vynnVKpBlYBF5AHTGbrK1Psek2q/mjxeIVNHafQ9eX2otLhJVw==
+datatables.net-buttons@3.2.4:
+  version "3.2.4"
+  resolved "https://registry.yarnpkg.com/datatables.net-buttons/-/datatables.net-buttons-3.2.4.tgz#c58cc0bb518da8738bec6e64a54c1135dc257141"
+  integrity sha512-anA39/R0kpHA2DOwqEHy/ZMXD5vf4tWmyNO0BnO0kJG7AFNvGTUCWBnBifXYg3G64U6JYpYY+MuTFKIB1/ZMTQ==
   dependencies:
     datatables.net "^2"
     jquery ">=1.7"

docker-compose.yml

@@ -120,7 +120,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:17.5-alpine@sha256:fbe21607052bb5c298674f2fd8cf044a63aa3ddf50b81627f894f91f40f50bcb
+    image: postgres:17.5-alpine@sha256:6567bca8d7bc8c82c5922425a0baee57be8402df92bae5eacad5f01ae9544daa
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}
@@ -129,7 +129,7 @@ services:
       - defectdojo_postgres:/var/lib/postgresql/data
   redis:
     # Pinning to this version due to licensing constraints
-    image: redis:7.2.9-alpine@sha256:fce236b99c58ef7196c4e243e43f533b404d5c17239cae4e6e262b729a1952b3
+    image: redis:7.2.10-alpine@sha256:395ccd7ee4db0867de0d0410f4712a9e0331cff9fdbd864f71ec0f7982d3ffe6
     volumes:
       - defectdojo_redis:/data
 volumes:

docs/content/en/connecting_your_tools/parsers/file/mayhem.md

@@ -0,0 +1,19 @@
+---
+title: "Mayhem SARIF Reports"
+toc_hide: true
+---
+Import for Mayhem generated SARIF reports. In general, the exiting
+SARIF report consumer should work, and for general cases does. However,
+since Mayhem is A. DAST and B. includes fuzzed data in the content of
+the report, a Mayhem-specific SARIF consumer is added.
+See more below: 
+[Mayhem SARIF Report (API)](https://docs.mayhem.security/api-testing/tutorials/identifying-api-issues/bug-reporting/#sarif-reports).
+[Mayhem SARIF Report (CI)](https://docs.mayhem.security/integrations/ci-integrations/github/#analyzing-sarif-reports).
+
+
+#### Parity with Existing SARIF Consumer
+
+The current implementation is mostly lifted from the existing SARIF parser support. As such, it will also aggregate all the findings in the SARIF file in one single report, and it also supports fingerprint deduplication.
+
+### Sample Scan Data
+Sample Mayhem SARIF reports can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/mayhem).

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -166,43 +166,52 @@ Good example:
        finding.cwe = data["mykey"]
 ```
 
-### Do not parse CVSS by hand (vector, score or severity)
+### Parsing of CVSS vectors
 
-Data can have `CVSS` vectors or scores. Don't write your own CVSS score algorithm.
-For parser, we rely on module `cvss`. But we also have a helper method to validate the vector and extract the base score and severity from it.
+Data can have `CVSS` vectors or scores. Defect Dojo use the `cvss` module provided by RedHat Security.
+There's also a helper method to validate the vector and extract the base score and severity from it.
 
 ```python
-from dojo.utils import parse_cvss_data
-cvss_data = parse_cvss_data("CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X")
-if cvss_data:
-    finding.cvssv3 = cvss_data.get("vector")
-    finding.cvssv3_score = cvss_data.get("score")
-    finding.severity = cvss_data.get("severity")  # if your tool does generate severity
+    from dojo.utils import parse_cvss_data
+
+    cvss_vector = <get CVSS3 or CVSS4 vector from the report>
+    cvss_data = parse_cvss_data(cvss_vector)
+    if cvss_data:
+        finding.severity = cvss_data["severity"]
+        finding.cvssv3 = cvss_data["cvssv3"]
+        finding.cvssv4 = cvss_data["cvssv4"]
+        # we don't set any score fields as those will be overwritten by Defect Dojo
 ```
+Not all values have to be used as scan reports usually provide their own value for `severity`.
+And sometimes also for `cvss_score`. Defect Dojo will not overwrite any `cvss3_score` or `cvss4_score`.
+If no score is set, Defect Dojo will use the `cvss` library to calculate the score.
+The response also has the detected major version of the CVSS vector in `cvss_data["major_version"]`.
 
-If you need more manual processing, you can parse the `CVSS3` vector directly.
+
+If you need more manual processing, you can parse the `CVSS` vector directly.
 
 Example of use:
 
 ```python
-import cvss.parser
-from cvss import CVSS2, CVSS3
-
-vectors = cvss.parser.parse_cvss_from_text("CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X")
-if len(vectors) > 0 and type(vectors[0]) is CVSS3:
-    print(vectors[0].severities())  # this is the 3 severities
-
-    cvssv3 = vectors[0].clean_vector()
-    severity = vectors[0].severities()[0]
-    vectors[0].compute_base_score()
-    cvssv3_score = vectors[0].scores()[0]
-    finding.severity = severity
-    finding.cvssv3_score = cvssv3_score
+    import cvss.parser
+    from cvss import CVSS2, CVSS3, CVSS4
+
+    # TEMPORARY: Use Defect Dojo implementation of `parse_cvss_from_text` white waiting for https://github.com/RedHatProductSecurity/cvss/pull/75 to be released
+    vectors = dojo.utils.parse_cvss_from_text("CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X")
+        if len(vectors) > 0 and type(vectors[0]) is CVSS3:
+            print(vectors[0].severities())  # this is the 3 severities
+
+            cvssv3 = vectors[0].clean_vector()
+            severity = vectors[0].severities()[0]
+            vectors[0].compute_base_score()
+            cvssv3_score = vectors[0].scores()[0]
+            finding.severity = severity
+            finding.cvssv3_score = cvssv3_score
 ```
 
-Bad example (DIY):
+Do not do something like this:
 
-```python
+```
     def get_severity(self, cvss, cvss_version="2.0"):
         cvss = float(cvss)
         cvss_version = float(cvss_version[:1])