DefectDojo/django-DefectDojo 2.6.0

2.6.0 👾 (security release)

on GitHub

Please consult the security advisories GHSA-f82x-m585-gj24 (moderate) and GHSA-v7fv-g69g-x7p2 (high) to see what security issues were fixed in this release. These will be published and become visible at January 18th, 2022.

Please consult the Upgrade notes in the documentation for specific instructions for this release, and general upgrade instructions. Below is an automatically generated list of all PRs merged since the previous release.

Changes since 2.5.0

• Add header to nginx configuration @StefanFl (#5674)
• Add UI label to PR labeler and release drafter @kiblik (#5586)
• docs: add pointer to open items for DD_ASYNC_FINDING_IMPORT @valentijnscholten (#5639)
• Reversed x-axis on Product's Detailed Metrics Page @blakeaowens (#5617)
• Fix: filesystem not to be writable by the defectdojo user @dsever (#5284)
• feat(helm-chart): celery worker app_settings @qlimenoque (#5573)
• Fix typo @fabaff (#5575)
• Release: Merge back 2.5.0 into dev from: master-into-dev/2.5.0-2.6.0-dev @github-actions (#5570)
• Release: Merge release into master from: release/2.5.0 @github-actions (#5569)

🚩 Changes to settings.dist.py / local_settings.py

• Release: Merge release into master from: release/2.6.0 @github-actions (#5676)
• New parser for pip-audit @StefanFl (#5642)
• Move USER_PROFILE_EDITABLE to system_settings @dsever (#5611)
• Support version 8 of gitleaks @StefanFl (#5625)
• Solar change deduplication model @zapililirad (#5620)
• Configuration authorization: Permission checks and editing of permissions for users and groups @StefanFl (#5423)
• Revert "Release: Merge release into master from: release/2.5.0" @Maffooch (#5567)

🚩 Database migration

• Release: Merge release into master from: release/2.6.0 @github-actions (#5676)
• Remove Objects_Engagement and introduce flag to enable/disable Objects_Product @StefanFl (#5608)
• Fix database migration for deletion of development environments @StefanFl (#5649)
• Restrict deletion of environments @StefanFl (#5592)
• Move USER_PROFILE_EDITABLE to system_settings @dsever (#5611)
• Configuration authorization: Permission checks and editing of permissions for users and groups @StefanFl (#5423)
• Add migration to enable/disable Google Sheets and Rules Framework (PR 1 of 3) @Maffooch (#5587)
• Revert "Release: Merge release into master from: release/2.5.0" @Maffooch (#5567)

🚩 Security

• Give readers the permission to add notes @StefanFl (#5593)

🚀 New importers

• Revamp of the Anchore Grype parser @StefanFl (#5640)
• New parser for pip-audit @StefanFl (#5642)

🚀 General features and enhancements

• Updating engineer metrics and removing research metrics @StefanFl (#5613)
• Configuration authorization 2: Making more staff-permissions configurable @StefanFl (#5621)
• Mail notification improvement @kiblik (#5610)
• Give readers the permission to add notes @StefanFl (#5593)
• Show descriptions for scan types on pages for import and re-import @StefanFl (#5645)
• Move USER_PROFILE_EDITABLE to system_settings @dsever (#5611)
• Disable not supported notifications @dsever (#5624)

🚀 API features and enhancements

• Release: Merge release into master from: release/2.6.0 @github-actions (#5676)
• Adjust several permissions for API and UI @StefanFl (#5672)
• Close old findings of same service only @StefanFl (#5631)
• Configuration authorization 2: Making more staff-permissions configurable @StefanFl (#5621)
• simplify and add comments for auto_create_context @valentijnscholten (#5591)
• add scan_date fix also for reimport, fix validation @valentijnscholten (#5574)
• Configuration authorization: Permission checks and editing of permissions for users and groups @StefanFl (#5423)
• Revert "Release: Merge release into master from: release/2.5.0" @Maffooch (#5567)

🐛 Bug Fixes

• add missing comma @valentijnscholten (#5673)
• Extend scan_date functionality to Endpoints created at import time @Maffooch (#5665)
• Close old findings of same service only @StefanFl (#5631)
• Fix enclosing variable redefinition @damiencarol (#5632)
• Slack notification: get user by email instead of searching all users @valentijnscholten (#5091)
• jira: respect summary max length (255) @valentijnscholten (#5653)
• Checkmarx parser: fix empty filename @damiencarol (#5638)
• Restrict deletion of environments @StefanFl (#5592)
• add scan_date fix also for reimport, fix validation @valentijnscholten (#5574)

🧰 Maintenance

• Bump django from 3.2.10 to 3.2.11 @dependabot (#5670)
• Remove Objects_Engagement and introduce flag to enable/disable Objects_Product @StefanFl (#5608)
• Update dependency autoprefixer from 10.4.0 to v10.4.1 (docs/package.json) @renovate (#5647)
• Bump psycopg2-binary from 2.9.2 to 2.9.3 @dependabot (#5650)
• Bump redis from 4.0.2 to 4.1.0 @dependabot (#5643)
• Update busybox Docker tag to v1.35.0 (docker-compose.override.unit_tests_cicd.yml) @renovate (#5654)
• Bump supervisor from 4.2.2 to 4.2.4 @dependabot (#5655)
• add logic if external redis is used @sandroded (#5534)
• Fix database migration for deletion of development environments @StefanFl (#5649)
• simplify and add comments for auto_create_context @valentijnscholten (#5591)
• Bump sqlalchemy from 1.4.27 to 1.4.29 @dependabot (#5634)
• Bump argon2-cffi from 21.2.0 to 21.3.0 @dependabot (#5598)
• Bump django-tagulous from 1.3.2 to 1.3.3 @dependabot (#5644)
• Bump django-tagulous from 1.3.1 to 1.3.2 @dependabot (#5641)
• Bump django-prometheus from 2.1.0 to 2.2.0 @dependabot (#5622)
• Bump numpy from 1.21.4 to 1.21.5 @dependabot (#5627)
• Bump django-debug-toolbar from 3.2.2 to 3.2.4 @dependabot (#5616)
• Bump cryptography from 36.0.0 to 36.0.1 @dependabot (#5609)
• Update nginx/nginx-prometheus-exporter Docker tag from 0.9.0 to v0.10.0 (helm/defectdojo/values.yaml) @renovate (#5630)
• Bump django-test-migrations from 1.1.0 to 1.2.0 @dependabot (#5604)
• Bump json-log-formatter from 0.4.0 to 0.5.0 @dependabot (#5637)
• Bump djangorestframework from 3.12.4 to 3.13.1 @dependabot (#5615)
• Update dependency postcss-cli from 9.0.2 to v9.1.0 (docs/package.json) @renovate (#5590)
• Update dependency postcss from 8.4.4 to v8.4.5 (docs/package.json) @renovate (#5594)
• Update manusa/actions-setup-minikube action from v2.4.2 to v2.4.3 (.github/workflows/k8s-testing.yml) @renovate (#5589)
• Bump justgage from 1.5.0 to 1.5.1 in /components @dependabot (#5600)
• Bump drf-spectacular from 0.21.0 to 0.21.1 @dependabot (#5623)
• Update to Django 3.2.10 @StefanFl (#5633)
• Support version 8 of gitleaks @StefanFl (#5625)
• update tagulous to 1.3.1 instead of hotfix commit @valentijnscholten (#5626)
• Bump lxml from 4.6.4 to 4.7.1 @dependabot (#5605)
• Add migration to enable/disable Google Sheets and Rules Framework (PR 1 of 3) @Maffooch (#5587)
• Bump datatables.net-buttons-dt from 2.0.1 to 2.1.1 in /components @dependabot (#5571)
• Update gcr.io/cloudsql-docker/gce-proxy Docker tag from 1.27.0 to v1.27.1 (helm/defectdojo/values.yaml) @renovate (#5565)
• Bump datatables.net-buttons-bs from 2.0.1 to 2.1.1 in /components @dependabot (#5572)
• Bump google-api-python-client from 2.32.0 to 2.33.0 @dependabot (#5577)
• Bump argon2-cffi from 21.1.0 to 21.2.0 @dependabot (#5578)

🖌 Updates in UI

• Adjust several permissions for API and UI @StefanFl (#5672)
• Updating engineer metrics and removing research metrics @StefanFl (#5613)
• Remove Objects_Engagement and introduce flag to enable/disable Objects_Product @StefanFl (#5608)