Release: Merge back 2.48.2 into dev from: master-into-dev/2.48.2-2.49.0-dev #12823
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
….49.0-dev Release: Merge back 2.48.1 into bugfix from: master-into-bugfix/2.48.1-2.49.0-dev
* reimport: close_old_findings must respect service field * reimport: close_old_findings must respect service field * close_old_findings: update docs and help texts * typo * reimport docs tweak * reimport: assert that reopen respect service field
* add display of kev data to findings listing and filtering * kev date filter to use date widget * define labels for kev date filter * change column title for kev date * add before/after filters for kev date
* update minimum and maximum password length validation in system settings form * update minimum and maximum password length validation in system settings serializer * Apply suggestions from code review * Update dojo/api_v2/serializers.py * move validation to model * fix ruff * add migration
* twistlock: fix no cvss case * twistlock: use markdown instead html
* view_test: use subquery for finding counts * fix two more group by errors * change all counts to subqueries * fix query
* sysdig parsers: stop using spaces in tags * add clean_tags method * sysdig: clean tags * add migration to clean invalid characters * api edgescan: use unsaved_tags * edgescan test case fix * force parsers to use unsaved_tags * fix tag=None cleaning and validation * fix []!=None * restore reimport tag behaviour * finetune * rename upgrade notes
Release: Merge release into master from: release/2.48.2
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
🔴 Risk threshold exceeded.This pull request contains multiple sensitive file edits across various components of the Dojo application, including views, models, and utility files, with potential security considerations around password policy, privilege escalation in scan imports, and a supply chain risk in GitHub Actions configuration.
🔴 Configured Codepaths Edit in
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/findings_list_snippet.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/test/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/db_migrations/0234_alter_system_settings_maximum_password_length_and_more.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/endpoint/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/engagement/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/filters.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/queries.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding_group/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/forms.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/product/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/product_type/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Weak Password Policy Configuration in dojo/db_migrations/0234_alter_system_settings_maximum_password_length_and_more.py
| Vulnerability | Weak Password Policy Configuration |
|---|---|
| Description | The current maximum password length of 48 characters, while preventing some DoS attacks, is lower than modern security recommendations. OWASP, referencing NIST 800-63B, suggests a minimum of 64 characters to accommodate passphrases. For common hashing algorithms like bcrypt, a limit of 72 bytes is typical. The current limit unnecessarily restricts users from creating longer, more secure passphrases without a clear technical justification from the provided code snippets (e.g., database column size or hashing algorithm limitation). |
Privilege Escalation via Form Field in dojo/forms.py
| Vulnerability | Privilege Escalation via Form Field |
|---|---|
| Description | The ReImportScanForm includes a close_old_findings field which, when set to True, causes the re-importer to close findings that are no longer present in the imported scan. The ReImportScanResultsView (which processes this form) only checks for Permissions.Import_Scan_Result. The API_Importer role has Permissions.Import_Scan_Result but does not have Permissions.Finding_Edit (which is required to close/mitigate findings). Therefore, a user with the API_Importer role could potentially upload a scan with close_old_findings enabled, effectively closing findings they are not authorized to close, leading to a privilege escalation. |
django-DefectDojo/dojo/forms.py
Lines 674 to 680 in caf7372
Supply Chain Risk in .github/workflows/close-stale.yml
| Vulnerability | Supply Chain Risk |
|---|---|
| Description | The use of actions/stale@v9 introduces a supply chain risk. While using third-party GitHub Actions is common, pinning to a mutable tag (@v9) means that the action's code can change without explicit review, potentially introducing vulnerabilities or malicious code. Best practices for GitHub Actions recommend pinning to a full commit SHA to ensure immutability and prevent unexpected changes. Additionally, the action is granted issues: write and pull-requests: write permissions, which are necessary for its intended functionality but represent a significant privilege. A compromise of the action or a malicious update could lead to unauthorized modifications of issues and pull requests in the repository. Although no specific vulnerabilities for actions/stale@v9 were found in the available databases, the general risk associated with mutable action versions and broad write permissions remains. |
django-DefectDojo/.github/workflows/close-stale.yml
Lines 1 to 27 in caf7372
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
github-actions
bot
added
New Migration
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
…Dojo/django-DefectDojo into master-into-dev/2.48.2-2.49.0-dev
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release triggered by
rossops