
Release: Merge release into master from: release/2.44.4 #12142


Merged: 18 commits into master from release/2.44.4, Mar 31, 2025

Conversation

github-actions[bot] (Contributor) commented:

Release triggered by rossops


dryrunsecurity bot commented Mar 31, 2025

DryRun Security Summary

DefectDojo's codebase review revealed potential security risks including information exposure in GitLab DAST parser, unencrypted communication in test data, cryptographic weaknesses, and dependency management concerns.


Summary:
Multiple patches across DefectDojo's codebase introduce minor improvements, documentation updates, and version increments, with no critical security vulnerabilities directly identified.

Security Findings:

  1. Potential Information Exposure in GitLab DAST Parser:

    • File: dojo/tools/gitlab_dast/parser.py
    • Risk: Method extracts full request and response headers
    • Potential Impact: Could expose sensitive information like authentication tokens or internal system details
    • Recommendation: Implement header sanitization before storage
  2. Unencrypted Communication in Test JSON:

    • File: unittests/scans/gitlab_dast/issue_12050.json
    • Risk: Contains API endpoint using HTTP (not HTTPS)
    • Potential Impact: Vulnerable to man-in-the-middle attacks
    • Additional Risks:
      • Contains credit card number (PII)
      • Reveals internal hostname
      • Exposes authentication header
  3. Cryptographic Weaknesses in SSL/TLS References:

    • File: unittests/scans/testssl/references.csv
    • Risks:
      • Presence of weak cipher suites (RC4, 3DES)
      • Support for outdated protocols (SSLv2, SSLv3)
      • Multiple cryptographic configuration issues
    • Potential Impact: Vulnerable to cryptographic attacks
  4. Dependency Management Considerations:

    • File: components/package.json
    • Observations:
      • Some dependencies sourced directly from GitHub
      • Some dependencies using older versions
      • Potential indirect security risks in dependency management

No direct, immediately exploitable vulnerabilities were found, but several areas for potential security improvement were identified.

Code Analysis

We ran 7 analyzers against 25 files; 1 analyzer had findings and 6 analyzers had no findings.

Analyzer findings:
  • Configured Codepaths Analyzer: 1 finding

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro.

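Finding 1 above recommends sanitizing request and response headers before a parser stores them. The following is an added example of what such a sanitization step can look like; it is not DefectDojo's code and not the bot's, and it does not reflect what dojo/tools/gitlab_dast/parser.py actually does. It assumes the GitLab DAST report layout in which each vulnerability carries `evidence.request.headers` and `evidence.response.headers` as lists of `{"name": ..., "value": ...}` objects (an assumption about the format, not something this PR page states), and the sample vulnerability embedded in it is constructed for the example. The header deny-list and the credential-shaped value pattern are illustrative choices, not a project setting.

```python
"""Redact sensitive HTTP headers before a DAST finding is stored.

Added example, not DefectDojo's own parser code. Assumed report layout:
each vulnerability has evidence.request.headers and
evidence.response.headers as lists of {"name": ..., "value": ...}.
"""
import copy
import re

# Header names whose values are credentials or session material (assumed deny-list).
SENSITIVE_HEADERS = {
    "authorization",
    "proxy-authorization",
    "cookie",
    "set-cookie",
    "x-api-key",
    "x-auth-token",
    "x-csrf-token",
}

# Values that look like bearer/basic/token credentials under any header name.
_CREDENTIAL_VALUE = re.compile(r"^(?:bearer|basic|token)\s+\S+", re.IGNORECASE)

REDACTED = "[REDACTED]"


def redact_header(name: str, value) -> str:
    """Return the value to store for one header: REDACTED if sensitive, else unchanged."""
    text = "" if value is None else str(value)
    if name.lower() in SENSITIVE_HEADERS or _CREDENTIAL_VALUE.match(text):
        return REDACTED
    return text


def sanitize_headers(headers):
    """Return a new list of {name, value} dicts with sensitive values redacted.

    Tolerates a missing header list (None) and entries without a value.
    """
    sanitized = []
    for header in headers or []:
        name = str(header.get("name", ""))
        sanitized.append({"name": name, "value": redact_header(name, header.get("value"))})
    return sanitized


def sanitize_evidence(vulnerability):
    """Return a deep copy of one vulnerability with request/response headers redacted.

    The input object is left untouched so the raw report can still be
    discarded or handled separately by the caller.
    """
    vuln = copy.deepcopy(vulnerability)
    evidence = vuln.get("evidence") or {}
    for side in ("request", "response"):
        message = evidence.get(side)
        if isinstance(message, dict) and "headers" in message:
            message["headers"] = sanitize_headers(message["headers"])
    return vuln


def headers_as_text(headers):
    """Render a header list as the 'Name: value' lines a finding description would carry."""
    return "\n".join(f"{h['name']}: {h['value']}" for h in headers)


# Constructed sample vulnerability; not taken from any real scan output.
SAMPLE_VULNERABILITY = {
    "id": "example-1",
    "evidence": {
        "request": {
            "method": "GET",
            "url": "http://internal.example.test/api/v1/cards",
            "headers": [
                {"name": "Host", "value": "internal.example.test"},
                {"name": "Authorization", "value": "Bearer eyJhbGciOi.example.token"},
                {"name": "Cookie", "value": "session=abc123"},
                {"name": "Accept", "value": "application/json"},
            ],
        },
        "response": {
            "status_code": 200,
            "headers": [
                {"name": "Set-Cookie", "value": "session=def456; HttpOnly"},
                {"name": "Content-Type", "value": "application/json"},
            ],
        },
    },
}

if __name__ == "__main__":
    clean = sanitize_evidence(SAMPLE_VULNERABILITY)
    print(headers_as_text(clean["evidence"]["request"]["headers"]))
    print(headers_as_text(clean["evidence"]["response"]["headers"]))
```

The redaction is applied to the copy that will be persisted, so the original report object is never mutated; whether the raw report is retained at all is a separate retention decision. The value-shape check catches credentials sent under non-standard header names, which a name-only deny-list would store in clear.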

@github-actions github-actions bot added labels on Mar 31, 2025: New Migration (Adding a new migration file. Take care when merging.), settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests, integration_tests, ui, parser
@rossops rossops merged commit 3c6d252 into master Mar 31, 2025
78 of 79 checks passed
Labels: docs, helm, integration_tests, lint, New Migration, parser, settings_changes, ui, unittests