Merge branch 'dev' into master-into-dev/2.27.2-2.28.0-dev

.github/workflows/cancel-outdated-workflow-runs.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@0.11.0
+      - uses: styfle/cancel-workflow-action@0.12.0
         with:
           workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml'
           access_token: ${{ github.token }}

.github/workflows/plantuml.yml

@@ -33,7 +33,7 @@ jobs:
         with:
           args: -v -tpng ${{ steps.getfile.outputs.files }}
       - name: Push Local Changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "PlantUML_bot"
           commit_user_email: "[email protected]"

.github/workflows/release-1-create-pr.yml

@@ -75,7 +75,7 @@ jobs:
           grep -H version helm/defectdojo/Chart.yaml
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

.github/workflows/release-3-master-into-dev.yml

@@ -57,7 +57,7 @@ jobs:
           grep version components/package.json
       
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"
@@ -123,7 +123,7 @@ jobs:
           grep version components/package.json
       
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.16.0
+        uses: stefanzweifel/git-auto-commit-action@v5.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

Dockerfile.nginx-alpine

@@ -140,7 +140,7 @@ COPY manage.py ./
 COPY dojo/ ./dojo/
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.25.2-alpine@sha256:16164a43b5faec40adb521e98272edc528e74f31c1352719132b8f7e53418d70
+FROM nginx:1.25.2-alpine@sha256:4c93a3bd8bf95412889dd84213570102176b6052d88bb828eaf449c56aca55ef
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

Dockerfile.nginx-debian

@@ -75,7 +75,7 @@ COPY dojo/ ./dojo/
 
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.25.2-alpine@sha256:16164a43b5faec40adb521e98272edc528e74f31c1352719132b8f7e53418d70
+FROM nginx:1.25.2-alpine@sha256:4c93a3bd8bf95412889dd84213570102176b6052d88bb828eaf449c56aca55ef
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

docker-compose.yml

@@ -125,7 +125,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   mysql:
-    image: mysql:5.7.43@sha256:2c23f254c6b9444ecda9ba36051a9800e8934a2f5828ecc8730531db8142af83
+    image: mysql:5.7.43@sha256:4f9bfb0f7dd97739ceedb546b381534bb11e9b4abf013d6ad9ae6473fed66099
     profiles:
       - mysql-rabbitmq
       - mysql-redis
@@ -138,7 +138,7 @@ services:
     volumes:
       - defectdojo_data:/var/lib/mysql
   postgres:
-    image: postgres:16.0-alpine@sha256:2ccd6655060d7b06c71f86094e8c7a28bdcc8a80b43baca4b1dabb29cff138a2
+    image: postgres:16.0-alpine@sha256:bfd42bb6358aee8a305ec3f51d505d6b9e406cf3ce800914a66741dba18b8263
     profiles: 
       - postgres-rabbitmq
       - postgres-redis
@@ -149,14 +149,14 @@ services:
     volumes:
       - defectdojo_postgres:/var/lib/postgresql/data
   rabbitmq:
-    image: rabbitmq:3.12.6-alpine@sha256:a21880dc5e2b4581c0dd762337c7112475a2d8daba697e1c6192923ebad91739
+    image: rabbitmq:3.12.6-alpine@sha256:0636edac61179f9c499fec1f8f031101df3fce0bec8b01cf1021278bf5e18ac9
     profiles: 
       - mysql-rabbitmq
       - postgres-rabbitmq
     volumes:
        - defectdojo_rabbitmq:/var/lib/rabbitmq
   redis:
-    image: redis:7.2.1-alpine@sha256:9150d86fe2a9d03bbdb15bb9758fa5e3d24632386af8f6eb4d675ee4c976f499
+    image: redis:7.2.1-alpine@sha256:343e6546f35877801de0b8580274a5e3a8e8464cabe545a2dd9f3c78df77542a
     profiles: 
       - mysql-redis
       - postgres-redis

dojo/tools/awssecurityhub/parser.py

@@ -25,12 +25,14 @@ def get_items(self, tree: dict, test):
         # DefectDojo/django-DefectDojo/issues/2780
         findings = tree.get("Findings", tree.get("findings", None))
 
-        if not findings:
-            return list()
+        if not isinstance(findings, list):
+            raise ValueError("Incorrect Security Hub report format")
 
         for node in findings:
             item = get_item(node, test)
             key = node["Id"]
+            if not isinstance(key, str):
+                raise ValueError("Incorrect Security Hub report format")
             items[key] = item
 
         return list(items.values())
@@ -42,6 +44,8 @@ def get_item(finding: dict, test):
     title = finding.get("Title", "")
     severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").title()
     mitigation = ""
+    impact = []
+    references = []
     unsaved_vulnerability_ids = []
     if aws_scanner_type == "Inspector":
         description = f"This is an Inspector Finding\n{finding.get('Description', '')}"
@@ -50,12 +54,18 @@ def get_item(finding: dict, test):
             # Save the CVE if it is present
             if cve := vulnerability.get("Id"):
                 unsaved_vulnerability_ids.append(cve)
+            for alias in vulnerability.get("RelatedVulnerabilities", []):
+                if alias != cve:
+                    unsaved_vulnerability_ids.append(alias)
             # Add information about the vulnerable packages to the description and mitigation
             vulnerable_packages = vulnerability.get("VulnerablePackages", [])
             for package in vulnerable_packages:
                 mitigation += f"- Update {package.get('Name', '')}-{package.get('Version', '')}\n"
                 if remediation := package.get("Remediation"):
                     mitigation += f"\t- {remediation}\n"
+            if vendor := vulnerability.get("Vendor"):
+                if vendor_url := vendor.get("Url"):
+                    references.append(vendor_url)
 
         if finding.get("ProductFields", {}).get("aws/inspector/FindingStatus", "ACTIVE") == "ACTIVE":
             mitigated = None
@@ -91,27 +101,44 @@ def get_item(finding: dict, test):
             is_Mitigated = False
             active = True
 
-    resources = finding.get("Resources", "")
-    resource_id = resources[0]["Id"].split(":")[-1]
-    references = finding.get("Remediation", {}).get("Recommendation", {}).get("Url")
+    title_suffix = ""
+    for resource in finding.get("Resources", []):
+        if resource.get("Type") == "AwsEcrContainerImage":
+            details = resource.get("Details", {}).get("AwsEcrContainerImage")
+            arn = resource.get("Id")
+            if details:
+                impact.append(f"Image ARN: {arn}")
+                impact.append(f"Registry: {details.get('RegistryId')}")
+                impact.append(f"Repository: {details.get('RepositoryName')}")
+                impact.append(f"Image digest: {details.get('ImageDigest')}")
+            title_suffix = f" - Image: {arn.split('/', 1)[1]}"  # repo-name/sha256:digest
+        else:  # generic implementation
+            resource_id = resource["Id"].split(":")[-1]
+            impact.append(f"Resource: {resource_id}")
+            title_suffix = f" - Resource: {resource_id}"
+
+    if remediation_rec_url := finding.get("Remediation", {}).get("Recommendation", {}).get("Url"):
+        references.append(remediation_rec_url)
     false_p = False
 
-    finding = Finding(
-        title=f"{title} - Resource: {resource_id}",
+    result = Finding(
+        title=f"{title}{title_suffix}",
         test=test,
         description=description,
         mitigation=mitigation,
-        references=references,
+        references="\n".join(references),
         severity=severity,
-        impact=f"Resource: {resource_id}",
+        impact="\n".join(impact),
         active=active,
         verified=False,
         false_p=false_p,
         unique_id_from_tool=finding_id,
         mitigated=mitigated,
         is_mitigated=is_Mitigated,
+        static_finding=True,
+        dynamic_finding=False,
     )
     # Add the unsaved vulnerability ids
-    finding.unsaved_vulnerability_ids = unsaved_vulnerability_ids
+    result.unsaved_vulnerability_ids = unsaved_vulnerability_ids
 
-    return finding
+    return result

requirements.txt

@@ -1,9 +1,9 @@
 # requirements.txt for DefectDojo using Python 3.x
 asteval==0.9.31
-bleach==6.0.0
+bleach==6.1.0
 bleach[css]
 celery==5.3.4
-coverage==7.3.1
+coverage==7.3.2
 defusedxml==0.7.1
 django_celery_results==2.5.1
 django-auditlog==2.3.0
@@ -32,18 +32,18 @@ humanize==4.8.0
 jira==3.5.2
 PyGithub==1.58.2
 lxml==4.9.3
-Markdown==3.4.4
+Markdown==3.5
 mysqlclient==2.1.1
 openpyxl==3.1.2
 xlrd==1.2.0
 Pillow==10.0.1  # required by django-imagekit
-psycopg2-binary==2.9.8
+psycopg2-binary==2.9.9
 cryptography==41.0.4
 python-dateutil==2.8.2
 pytz==2023.3.post1
 redis==5.0.1
 requests==2.31.0
-sqlalchemy==2.0.21  # Required by Celery broker transport
+sqlalchemy==2.0.22  # Required by Celery broker transport
 supervisor==4.2.5
 urllib3==1.26.17
 uWSGI==2.0.22
@@ -78,7 +78,7 @@ django-ratelimit==4.1.0
 argon2-cffi==23.1.0
 blackduck==1.1.0
 pycurl==7.45.2  # Required for Celery Broker AWS (SQS) support
-boto3==1.28.57  # Required for Celery Broker AWS (SQS) support
+boto3==1.28.63  # Required for Celery Broker AWS (SQS) support
 netaddr==0.8.0
-vulners==2.1.0
+vulners==2.1.1
 fontawesomefree==6.4.2

unittests/scans/awssecurityhub/README.md

@@ -10,7 +10,7 @@ To keep some order, let's keep them prefixed with the names of the services that
 
 * `inspector_ec2_`: findings from AWS Inspector with results of scanning EC2 instances
 
-* `inspector_ecr_`: findings from AWS Inspector with results of Enhanced ECR Scanning
+* `inspector_ecr_`: findings from AWS Inspector with results of Enhanced ECR Scanning, currently contains 7 findings with vulnerabilities associated with 8 different values of `PackageManager`
 
 * `inspector_lambda_`: findings from AWS Inspector with results of scanning Lambdas