DefectDojo/django-DefectDojo 2.3.0

2.3.0 👾 (security release)

on GitHub

🚩 Security

This is a security release addressing security advisory: GHSA-qm5q-2jrx-cch3

Changes since 2.2.0

• Release/2.3.0 @Maffooch (#5222)
• gha: add pr labeler @valentijnscholten (#5199)
• gha: add PR labeler @valentijnscholten (#5198)
• Disable integration tests for export of findings @StefanFl (#5180)
• Simplify my name/links in README.md @valentijnscholten (#5172)
• Fix links in installation.md to point to existing files in dev @savek-cc (#5174)
• fix/add missing/disabled integration tests @valentijnscholten (#5159)
• release cadence update @valentijnscholten (#5168)
• merge master into dev @valentijnscholten (#5169)
• Helm - Add DD_DATABASE_NAME env @zapililirad (#5109)
• WIP - readme cleanup @devGregA (#5130)
• calendar: fix to work with bootstrap-chosen @valentijnscholten (#5094)
• Change secrets severity in detect-secrets parser @syn-4ck (#5098)
• Change Dependency Check parser to make "Location" field more informative @W0uldYk1ndlY (#4910)
• Update dropdown menu of Tool Type page @ericcornelissen (#5089)
• Checkmarx: Do not hardcode Active and Verified finding attributes @ssiriz (#4812)
• Improve bug report template @valentijnscholten (#5066)
• Release: Merge back 2.2.1 into dev from: master-into-dev/2.2.1-2.3.0-dev @github-actions (#5063)
• Release: Merge release into master from: release/2.2.1 @github-actions (#5060)
• Release: Merge back 2.2.0 into dev from: master-into-dev/2.2.0-2.3.0-dev @github-actions (#5015)

🚩 Requires settings changes, database migration, hash code recomputation

• Switch Finding.publish_date to Date type (DateField) @damiencarol (#5076)
• SQ: Fix broken migration 0120 @kiblik (#5127)
• Bandit parser: add de-duplication algorithm @damiencarol (#5206)
• Set Argon2 as default password hasher @valentijnscholten (#5205)
• Import SonarQube security hotspots @jimtsikos (#4107)
• Custom Test_Type for parsers (modify "Found by" dynamicaly) @damiencarol (#5121)
• Add Cobalt.io API parser/importer @ericcornelissen (#4962)
• safety-parser: configurable offline mode @alles-klar (#5030)

🚀 New importers

• Yet another parser: Azure Security Center @StefanFl (#5182)
• Add Cobalt.io API parser/importer @ericcornelissen (#4962)

🚀 General features and enhancements

• Optimize view finding @StefanFl (#5187)
• Set Argon2 as default password hasher @valentijnscholten (#5205)
• Use additional test types for GitLab SAST @StefanFl (#5203)
• Import SonarQube security hotspots @jimtsikos (#4107)
• Rename Azure Security Center parser @StefanFl (#5189)
• Custom Test_Type for parsers (modify "Found by" dynamicaly) @damiencarol (#5121)
• Export findings to CSV and Excel @StefanFl (#5148)
• Enhancements for KICS scans @StefanFl (#5131)
• SARIF parser: Fix severity in rule and take into account the kind attribute @StefanFl (#5125)
• Improve detect-secrets parser @syn-4ck (#5092)
• Added ability to use business days or calendar days @Hijerboa (#4260)
• SARIF parser - add more information to findings @StefanFl (#5071)
• Changed Dropdown Button Color to White @blakeaowens (#5074)
• SonarQube: use severity from issue instead of rule @zeeshan811 (#4934)
• Add a deduplication configuration for Aquasecurity's Cloudsploit @axelpavageau (#5035)
• Add support for dynamic test import for Veracode @jpbowie (#5032)
• safety-parser: configurable offline mode @alles-klar (#5030)
• Better support SARIF ruleId attribute @damiencarol (#5025)
• make notifications async again @valentijnscholten (#4994)

🐛 Bug Fixes

• SQ: Fix broken migration 0120 @kiblik (#5127)
• Use django-filter for quick reports and CSV and Excel reports @StefanFl (#5170)
• Fix BulkEdit severity dropdown after #4766 @Maffooch (#5207)
• SonarQube API Import: set dedup algo @kiblik (#5194)
• fix import for SonarQube findings without 'htmlDesc' @ikrenyi1 (#5123)
• Fix integration test for export of findings @StefanFl (#5177)
• Fix merge of findings - incomplete fix introduced in #5064 @cw-acroteau (#5144)
• Make integration test for exports more resilient @StefanFl (#5156)
• Fix Harbor parser @StefanFl (#5140)
• SARIF parser: Fix severity in rule and take into account the kind attribute @StefanFl (#5125)
• Fix deduplication config check @StefanFl (#5113)
• Fix Bundler Audit for version 0.9.x.x and unittests maintenance @damiencarol (#5111)
• View engagement: fix sonarqubce config error @valentijnscholten (#5110)
• Repair stub findings @StefanFl (#5108)
• Check deduplication config on startup @jhewi (#4963)
• fix incorrect encoding of urls in finding list headings @valentijnscholten (#5072)
• fix: support Aquasecurity's cloudsploit "region" as list @axelpavageau (#5055)
• fix error on merging findings due to django3 changes @37b (#5064)
• Endpoint: Fix host validation @kiblik (#5049)

📝 Documentation updates

• Use https as submodule url of google/docsy.git @MichaelGissingNC (#5192)
• Fixes build statuses, corrects image pointers, and ... @devGregA (#5133)
• Documentation update for settings and reports @StefanFl (#5122)
• docs: add MyISAM requirement @valentijnscholten (#5093)

🧰 Maintenance

• Switch Finding.publish_date to Date type (DateField) @damiencarol (#5076)
• Add customizable header and footer logo @Maffooch (#5216)
• Bandit parser: add de-duplication algorithm @damiencarol (#5206)
• Update rabbitmq:3.9.7 Docker digest from 3.9.7 to 3.9.7 (docker-compose.yml) @renovate (#5201)
• Bump cryptography from 3.4.8 to 35.0.0 @dependabot (#5196)
• Bump google-auth from 2.1.0 to 2.2.1 @dependabot (#5185)
• Bump djangosaml2 from 1.3.3 to 1.3.4 @dependabot (#5184)
• Update dependency postcss-cli from 9.0.0 to v9.0.1 (docs/package.json) @renovate (#5175)
• Bump google-api-python-client from 2.22.0 to 2.23.0 @dependabot (#5186)
• Bump django-crispy-forms from 1.12.0 to 1.13.0 @dependabot (#5160)
• Bump datatables.net from 1.11.2 to 1.11.3 in /components @dependabot (#5162)
• Bump datatables.net-buttons-dt from 2.0.0 to 2.0.1 in /components @dependabot (#5165)
• Bump django-filter from 2.4.0 to 21.1 @dependabot (#5161)
• Bump datatables.net-dt from 1.11.2 to 1.11.3 in /components @dependabot (#5163)
• Bump datatables.net-buttons-bs from 2.0.0 to 2.0.1 in /components @dependabot (#5164)
• Update dependency autoprefixer from 10.3.5 to v10.3.6 (docs/package.json) @renovate (#5157)
• Update dependency postcss from 8.3.7 to v8.3.8 (docs/package.json) @renovate (#5153)
• Update rabbitmq Docker tag from 3.9.5 to v3.9.7 (docker-compose.yml) @renovate (#5152)
• Update actions/github-script action from v4 to v5 (.github/workflows/new-release-pr.yml) @renovate (#5149)
• Update dependency postcss-cli from 8.3.1 to v9 (docs/package.json) @renovate (#5150)
• Bump openpyxl from 3.0.7 to 3.0.9 @dependabot (#5145)
• Bump sqlalchemy from 1.4.23 to 1.4.25 @dependabot (#5146)
• Bump urllib3 from 1.26.6 to 1.26.7 @dependabot (#5147)
• Add unit tests for Dawnscanner @damiencarol (#5143)
• Update dependency autoprefixer from 10.3.4 to v10.3.5 (docs/package.json) @renovate (#5135)
• Update dependency postcss from 8.3.6 to v8.3.7 (docs/package.json) @renovate (#5136)
• Bump google-api-python-client from 2.21.0 to 2.22.0 @dependabot (#5138)
• Bump drf-spectacular from 0.18.2 to 0.19.0 @dependabot (#5139)
• Bump gitpython from 3.1.23 to 3.1.24 @dependabot (#5124)
• ZAP parser maintenance @damiencarol (#5099)
• Make scan type list rely on Dynamic parser infra. @damiencarol (#5084)
• Bump google-auth from 2.0.2 to 2.1.0 @dependabot (#5104)
• Bump google-api-python-client from 2.20.0 to 2.21.0 @dependabot (#5105)
• Bump numpy from 1.19.5 to 1.21.2 @dependabot (#5097)
• UI improvements @StefanFl (#5090)
• Bump openpyxl from 3.0.7 to 3.0.8 @dependabot (#5086)
• Bump django-environ from 0.6.0 to 0.7.0 @dependabot (#5087)
• Bump nginx from 1.21.1-alpine to 1.21.3-alpine @dependabot (#5088)
• Bump django-tagulous from 1.2.1 to 1.3.0 @dependabot (#5050)
• Bump gitpython from 3.1.18 to 3.1.23 @dependabot (#5077)
• Update stefanzweifel/git-auto-commit-action action from v4.11.0 to v4.12.0 (.github/workflows/plantuml.yml) @renovate (#5081)
• Bump debugpy from 1.4.1 to 1.4.3 @dependabot (#5078)
• Fix errors with Spotbugs 4.4.x @damiencarol (#5068)
• Bump google-api-python-client from 2.19.1 to 2.20.0 @dependabot (#5067)
• Bump datatables.net from 1.11.1 to 1.11.2 in /components @dependabot (#5057)
• Update mysql:5.7.35 Docker digest from 5.7.35 to v5.7.35 (docker-compose.yml) @renovate (#5061)
• Update dependency autoprefixer from 10.3.3 to v10.3.4 (docs/package.json) @renovate (#5062)
• Bump datatables.net-dt from 1.11.1 to 1.11.2 in /components @dependabot (#5056)
• Bump datatables.net-buttons-bs from 1.7.1 to 2.0.0 in /components @dependabot (#4987)
• Support Docker Compose V2 @StefanFl (#5047)
• fix(rest-api): fix some warnings from drf @alles-klar (#5031)
• Bump datatables.net from 1.10.25 to 1.11.1 in /components @dependabot (#5041)
• Bump google-api-python-client from 2.19.0 to 2.19.1 @dependabot (#5029)
• Bump drf-spectacular from 0.18.1 to 0.18.2 @dependabot (#5039)
• Bump django-environ from 0.5.0 to 0.6.0 @dependabot (#5040)
• Bump datatables.net-dt from 1.10.25 to 1.11.1 in /components @dependabot (#5042)
• Bump python from 3.8.11-slim-buster to 3.8.12-slim-buster @dependabot (#5043)
• Bump pillow from 8.3.1 to 8.3.2 @dependabot (#5034)
• Bump google-auth-oauthlib from 0.4.5 to 0.4.6 @dependabot (#5023)
• Bump django-tagulous from 1.2.0 to 1.2.1 @dependabot (#5022)
• Bump google-auth from 2.0.1 to 2.0.2 @dependabot (#5024)
• fix javascript regex error detection @valentijnscholten (#5038)
• Bump datatables.net-buttons-dt from 1.7.1 to 2.0.0 in /components @dependabot (#4988)
• Bump drf-spectacular from 0.17.3 to 0.18.1 @dependabot (#5009)
• Bump django-environ from 0.4.5 to 0.5.0 @dependabot (#5007)
• Bump google-api-python-client from 2.18.0 to 2.19.0 @dependabot (#5008)
• Update rabbitmq:3.9.5 Docker digest from 3.9.5 to 3.9.5 (docker-compose.yml) @renovate (#5005)