
Release: Merge release into master from: release/2.42.0 #11512

Merged: 76 commits merged into master from release/2.42.0 on Jan 6, 2025
Conversation

github-actions[bot] (Contributor) commented Jan 6, 2025

Release triggered by Maffooch

Maffooch and others added 30 commits December 2, 2024 13:00
….0-dev

Release: Merge back 2.41.0 into bugfix from: master-into-dev/2.41.0-2.42.0-dev
…e.json) (#11351)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2024.11.1 to 2024.12.1.
- [Commits](tfranzel/drf-spectacular-sidecar@2024.11.1...2024.12.1)

---
updated-dependencies:
- dependency-name: drf-spectacular-sidecar
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps nginx from 1.27.2-alpine to 1.27.3-alpine.

---
updated-dependencies:
- dependency-name: nginx
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* remove psycopg2-binary

* 🎉 Add GLSA vulnid

* 🎉 Add GLSA vulnid

* update sha sum

* sha sum

* sha sum
Bumps [boto3](https://github.com/boto/boto3) from 1.35.71 to 1.35.73.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.71...1.35.73)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [drf-spectacular](https://github.com/tfranzel/drf-spectacular) from 0.27.2 to 0.28.0.
- [Release notes](https://github.com/tfranzel/drf-spectacular/releases)
- [Changelog](https://github.com/tfranzel/drf-spectacular/blob/master/CHANGELOG.rst)
- [Commits](tfranzel/drf-spectacular@0.27.2...0.28.0)

---
updated-dependencies:
- dependency-name: drf-spectacular
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* initial add of filters

* remove unneeded things

* mostly the same

* small tweaks

* fix access error

* fix access error add product

---------

Co-authored-by: Cody Maffucci <[email protected]>
Bumps [django](https://github.com/django/django) from 5.1.3 to 5.1.4.
- [Commits](django/django@5.1.3...5.1.4)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [redis](https://github.com/redis/redis-py) from 5.2.0 to 5.2.1.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@v5.2.0...v5.2.1)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ckage.json) (#11370)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….3.0 to v1.4.0 (helm/defectdojo/values.yaml) (#11373)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…cs/package.json) (#11360)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…thub/workflows/gh-pages.yml) (#11329)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…e.json) (#11380)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.73 to 1.35.76.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.73...1.35.76)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0-dev

Release: Merge back 2.41.1 into dev from: master-into-dev/2.41.1-2.42.0-dev
…7.2-alpine (docker-compose.yml) (#11397)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps nginx from `5acf10c` to `4152318`.

---
updated-dependencies:
- dependency-name: nginx
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.76 to 1.35.78.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.76...1.35.78)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot bot and others added 17 commits December 26, 2024 11:47
Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.2.16 to 0.2.17.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/0.2.17/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.2.16...0.2.17)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (#11471)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.85 to 1.35.87.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.85...1.35.87)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.87 to 1.35.88.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.87...1.35.88)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0-dev

Release: Merge back 2.41.4 into dev from: master-into-dev/2.41.4-2.42.0-dev
….42.0-dev

Release: Merge back 2.41.4 into bugfix from: master-into-bugfix/2.41.4-2.42.0-dev
Bumps [boto3](https://github.com/boto/boto3) from 1.35.88 to 1.35.90.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.88...1.35.90)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* update group jira RA, use helper for UI

* ruff it up

* return endpoint update

* move func to jira_helper, update calls

* the endpoints fail the test?

* rearrange risk changes

* fix for minor e.text error, minor grammar issue

* added test for changing jira group status

* remove newline at end of file
Bumps [boto3](https://github.com/boto/boto3) from 1.35.90 to 1.35.91.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.90...1.35.91)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Merge `bugfix` -> `dev` for release 2.42.0
@Maffooch closed this Jan 6, 2025
@Maffooch reopened this Jan 6, 2025
@github-actions bot added labels Jan 6, 2025: docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm
dryrunsecurity bot commented Jan 6, 2025

DryRun Security Summary

The pull request focuses on improving the security, reliability, and consistency of DefectDojo's GitHub Actions workflows by updating dependency and action versions, implementing security best practices, and integrating static code analysis tools.


Summary:

The code changes in this pull request cover a wide range of updates to the GitHub Actions workflows and configuration files used in the DefectDojo project. The changes focus on improving the reliability, consistency, and security of the project's build, testing, and release processes.

Key security-related updates include:

  1. Updating dependency versions to the latest stable versions, which helps mitigate potential security vulnerabilities.
  2. Pinning the versions of GitHub Actions used in the workflows to specific commit hashes, ensuring consistent and reproducible behavior.
  3. Implementing security-conscious practices, such as validating user inputs, sanitizing sensitive data, and properly managing secrets.
  4. Improving the security of the Helm chart deployment and Docker image building processes.
  5. Integrating static code analysis tools, like ShellCheck and Ruff, to catch potential security issues early in the development process.

Overall, the changes in this pull request demonstrate a strong focus on maintaining the security and integrity of the DefectDojo project. The application security engineer's review has not identified any immediate security concerns, but it's important to continue monitoring the project's dependencies and infrastructure for any future security-related updates or vulnerabilities.

Files Changed:

  • .github/workflows/cancel-outdated-workflow-runs.yml: Updated the version of the "styfle/cancel-workflow-action" GitHub action.
  • .github/workflows/fetch-oas.yml: Updated the versions of the "actions/checkout" and "actions/upload-artifact" actions.
  • .github/workflows/build-docker-images-for-testing.yml: Updated the versions of the "actions/checkout", "docker/setup-buildx-action", "docker/build-push-action", and "actions/upload-artifact" actions.
  • .github/workflows/detect-merge-conflicts.yaml: Updated the version of the "eps1lon/actions-label-merge-conflict" action.
  • .github/workflows/gh-pages.yml: Updated the versions of various GitHub Actions used in the workflow, including "peaceiris/actions-hugo", "actions/setup-node", "actions/cache", "actions/checkout", "actions/configure-pages", and "peaceiris/actions-gh-pages".
  • .github/workflows/plantuml.yml: Updated the versions of the "actions/checkout" and "stefanzweifel/git-auto-commit-action" actions.
  • .github/workflows/integration-tests.yml: Updated the versions of the "actions/checkout" and "actions/download-artifact" actions.
  • .github/workflows/k8s-tests.yml: Updated the versions of the "actions/checkout" and "manusa/actions-setup-minikube" actions.
  • .github/workflows/pr-labeler.yml: Updated the version of the "actions/labeler" action.
  • .github/workflows/release-1-create-pr.yml: No significant changes.
  • .github/workflows/release-2-tag-docker-push.yml: No significant changes.
  • .github/workflows/release-3-master-into-dev.yml: No significant changes.
  • .github/workflows/release-drafter.yml: Updated the versions of the "release-drafter/release-drafter", "actions/download-artifact", and "actions/upload-release-asset" actions.
  • .github/workflows/release-x-manual-helm-chart.yml: Updated the versions of the "actions/checkout", "mikefarah/yq", and "softprops/action-gh-release" actions.
  • .github/workflows/release_drafter_valentijn.yml: No significant changes.
  • .github/workflows/release-x-manual-docker-containers.yml: Updated the versions of the "docker/login-action", "actions/checkout", "docker/setup-buildx-action", and "docker/build-push-action" actions.
  • .github/workflows/shellcheck.yml: Updated the version of the "actions/checkout" action.
  • .github/workflows/ruff.yml: Updated the version of the "actions/checkout" action.
  • .github/workflows/rest-framework-tests.yml: Updated the versions of the "actions/checkout" and "actions/download-artifact" actions.
  • Dockerfile.nginx-alpine: Updated the NGINX base image version from 1.27.2 to 1.27.3.
  • .github/workflows/test-helm-chart.yml: Updated the versions of various GitHub

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                        Findings
Configured Codepaths Analyzer   6
Sensitive Files Analyzer        2

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

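The DryRun summary above credits this release with pinning the GitHub Actions used in the workflows to specific commit hashes. As an added example (not DefectDojo's code and not part of the original page), here is a small check a reviewer can run over a workflow file to confirm that claim: it lists every remote `uses:` reference whose ref is not a full 40-hex commit SHA, since a tag such as `@v3` or a branch such as `@main` resolves through a mutable git ref that the action's owner, or anyone who gains push access to that repository, can move. The workflow text inside the script is constructed for the example, and the SHA in it is a placeholder rather than a real commit of the named action.

```python
"""Check that every remote GitHub Action in a workflow is pinned to a full commit SHA.

Added example for the "pinning GitHub Actions to commit hashes" point in the
DryRun summary; this is not DefectDojo code. SAMPLE_WORKFLOW below is constructed,
and its 40-hex SHA is a placeholder, not a real commit of actions/checkout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/path]@ref`, optionally quoted, with an optional
# trailing `# comment` (the usual place for the human-readable version).
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<target>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
# GitHub resolves a full 40-character hex SHA immutably; tags, branches and
# abbreviated SHAs are treated here as unpinned.
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionRef:
    line: int
    action: str   # owner/repo or owner/repo/path
    ref: str      # whatever follows '@' (empty when there is no '@')
    comment: str  # trailing comment, typically the version the SHA corresponds to
    pinned: bool  # True only when ref is a full commit SHA


def parse_uses(workflow_text: str) -> list[ActionRef]:
    """Extract every remote `uses:` reference from a workflow file.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a git ref on GitHub, so SHA pinning does not apply to them.
    """
    refs: list[ActionRef] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append(ActionRef(
            line=lineno,
            action=action,
            ref=ref,
            comment=(m.group("comment") or "").strip(),
            pinned=bool(_FULL_SHA_RE.match(ref)),
        ))
    return refs


def unpinned(workflow_text: str) -> list[ActionRef]:
    """Return the references that can change underneath you: tag, branch, short SHA or no ref."""
    return [r for r in parse_uses(workflow_text) if not r.pinned]


# Constructed sample workflow mixing pinned and unpinned references.
# The SHA on the checkout line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: docker/setup-buildx-action@v3
      - uses: actions/upload-artifact@b4b15b8
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - name: Deploy
        uses: peaceiris/actions-gh-pages@main
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref or '<none>'} is not pinned to a full commit SHA")
```

Run against the sample, the script reports the `@v3`, `@b4b15b8` and `@main` references and accepts only the checkout line. Keeping the `# vX.Y.Z` comment next to a pinned SHA is the convention that lets Dependabot and Renovate keep bumping the SHA while the ref itself stays immutable; the same check can be pointed at a real `.github/workflows/*.yml` file by reading it into `unpinned()` instead of `SAMPLE_WORKFLOW`.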

@Maffooch Maffooch merged commit 5f69079 into master Jan 6, 2025
70 of 71 checks passed
7 participants