Merge pull request DefectDojo#8480 from DefectDojo/release/2.25.0

Release: Merge release into master from: release/2.25.0

.github/workflows/flake8.yml

@@ -31,6 +31,6 @@ jobs:
         uses: actions/checkout@v3
 
       # - uses: tayfun/flake8-your-pr@master
-      - uses: valentijnscholten/flake8-your-pr@master
+      - uses: DefectDojo/flake8-your-pr@master
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/integration-tests.yml

@@ -34,6 +34,7 @@ jobs:
           "tests/check_various_pages.py",
           "tests/notifications_test.py",
           "tests/tool_config.py",
+          "openapi-validatator",
         ]
         profile: ["mysql-rabbitmq", "postgres-redis"]
         os: [alpine, debian]

.github/workflows/release-drafter.yml

@@ -19,7 +19,7 @@ jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5.23.0
+      - uses: release-drafter/release-drafter@v5.24.0
         with:
           version: ${{github.event.inputs.version}}  
         env:

Dockerfile.django-alpine

@@ -106,7 +106,10 @@ RUN \
     chown ${appuser} /var/run/${appuser} && \
     chmod g=u /var/run/${appuser} && \
     chmod 775 /*.sh && \
-    mkdir -p media/threat && chown -R ${uid} media
+    mkdir -p media/threat && chown -R ${uid} media && \
+    # To avoid warning: (staticfiles.W004) The directory '/app/components/node_modules' in the STATICFILES_DIRS setting does not exist.
+    mkdir -p components/node_modules && \
+    chown ${appuser} components/node_modules
 USER ${uid}
 ENV \
   # Only variables that are not defined in settings.dist.py

Dockerfile.django-debian

@@ -5,7 +5,7 @@
 # Dockerfile.nginx to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.11.4-slim-bullseye@sha256:91d194f58f50594cda71dcd2e8fdefd90e7ecc57d07823813b67c8521e565dcd as base
+FROM python:3.11.4-slim-bullseye@sha256:52c7a54aa5e5068ce76edaf3f8652a64fb99e378fb89fb0bfbe21a8756d0013c as base
 FROM base as build
 WORKDIR /app
 RUN \
@@ -111,7 +111,10 @@ RUN \
     chown ${appuser} /var/run/${appuser} && \
     chmod g=u /var/run/${appuser} && \
     chmod 775 /*.sh && \
-    mkdir -p media/threat && chown -R ${uid} media
+    mkdir -p media/threat && chown -R ${uid} media && \
+    # To avoid warning: (staticfiles.W004) The directory '/app/components/node_modules' in the STATICFILES_DIRS setting does not exist.
+    mkdir -p components/node_modules && \
+    chown ${appuser} components/node_modules
 USER ${uid}
 ENV \
   # Only variables that are not defined in settings.dist.py

Dockerfile.integration-tests-debian

@@ -1,7 +1,8 @@
 
 # code: language=Dockerfile
 
-FROM python:3.11.4-slim-bullseye@sha256:91d194f58f50594cda71dcd2e8fdefd90e7ecc57d07823813b67c8521e565dcd as build
+FROM openapitools/openapi-generator-cli:v6.6.0@sha256:54381220aecf2e77bb4b6694c4e1a03e733b49453292cd1af6f48b510f1f008a as openapitools
+FROM python:3.11.4-slim-bullseye@sha256:52c7a54aa5e5068ce76edaf3f8652a64fb99e378fb89fb0bfbe21a8756d0013c as build
 WORKDIR /app
 RUN \
   apt-get -y update && \
@@ -11,7 +12,8 @@ RUN \
     curl \
     unzip \
     gpg \
-    jq \ 
+    default-jre-headless \
+    jq \
     && \
   apt-get clean && \
   rm -rf /var/lib/apt/lists && \
@@ -43,6 +45,9 @@ RUN \
   chmod -R 0755 .
 WORKDIR /app
 
+# install openapi-generator-cli
+COPY --from=openapitools /opt/openapi-generator/modules/openapi-generator-cli/target/openapi-generator-cli.jar /usr/local/bin/openapi-generator-cli.jar
+
 COPY docker/wait-for-it.sh \
   docker/entrypoint-integration-tests.sh \
   /

Dockerfile.nginx-debian

@@ -5,7 +5,7 @@
 # Dockerfile.django-debian to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.11.4-slim-bullseye@sha256:91d194f58f50594cda71dcd2e8fdefd90e7ecc57d07823813b67c8521e565dcd as base
+FROM python:3.11.4-slim-bullseye@sha256:52c7a54aa5e5068ce76edaf3f8652a64fb99e378fb89fb0bfbe21a8756d0013c as base
 FROM base as build
 WORKDIR /app
 RUN \

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.24.4",
+  "version": "2.25.0",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docker-compose.yml

@@ -130,7 +130,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   mysql:
-    image: mysql:5.7.42@sha256:bd873931ef20f30a5a9bf71498ce4e02c88cf48b2e8b782c337076d814deebde
+    image: mysql:5.7.42@sha256:2eabad08824e3120dbec9096c276e3956e1922636c06fbb383ae9ea9c499bf43
     profiles: 
       - mysql-rabbitmq
       - mysql-redis
@@ -154,14 +154,14 @@ services:
     volumes:
       - defectdojo_postgres:/var/lib/postgresql/data
   rabbitmq:
-    image: rabbitmq:3.12.0-alpine@sha256:670efbfec7e9501ff877eca67f0653f421803269e113b4e8cf17cb5965ea415d
+    image: rabbitmq:3.12.2-alpine@sha256:e6ed332cd6598a62d119b5e37e5a665ddb082586e3de5eef626a68a392d924ab
     profiles: 
       - mysql-rabbitmq
       - postgres-rabbitmq
     volumes:
        - defectdojo_rabbitmq:/var/lib/rabbitmq
   redis:
-    image: redis:7.0.11-alpine@sha256:121bac949fb5f623b9fa0b4e4c9fb358ffd045966e754cfa3eb9963f3af2fe3b
+    image: redis:7.0.12-alpine@sha256:1717c713d3b2161db30cd026ceffdb9c238fe876f6959bf62caff9c768fb47ef
     profiles: 
       - mysql-redis
       - postgres-redis

docker/entrypoint-integration-tests.sh

@@ -41,12 +41,22 @@ function success() {
 
 echo "IT FILENAME: $DD_INTEGRATION_TEST_FILENAME"
 if [[ ! -z "$DD_INTEGRATION_TEST_FILENAME" ]]; then
-    test=$DD_INTEGRATION_TEST_FILENAME
-    echo "Running: $test"
-    if python3 $DD_INTEGRATION_TEST_FILENAME; then
-        success $test
+    if [[ "$DD_INTEGRATION_TEST_FILENAME" == "openapi-validatator" ]]; then
+        test="OpenAPI schema validation"
+        echo "Running: $test"
+        if java -jar /usr/local/bin/openapi-generator-cli.jar validate -i "$DD_BASE_URL/api/v2/oa3/schema/?format=json" --recommend; then
+            success $test
+        else fail
+            fail $test
+        fi
     else
-        fail $test
+        test=$DD_INTEGRATION_TEST_FILENAME
+        echo "Running: $test"
+        if python3 $DD_INTEGRATION_TEST_FILENAME; then
+            success $test
+        else
+            fail $test
+        fi
     fi
 
 else
@@ -279,5 +289,13 @@ else
         fail $test
     fi
 
+    test="OpenAPI schema validation"
+    echo "Running: $test"
+    if java -jar /usr/local/bin/openapi-generator-cli.jar validate -i "$DD_BASE_URL/api/v2/oa3/schema/?format=json" --recommend; then
+        success $test
+    else fail
+        fail $test
+    fi
+
     exec echo "Done Running all configured integration tests."
 fi

docs/content/en/getting_started/upgrading.md

@@ -72,6 +72,34 @@ godojo installations
 
 If you have installed DefectDojo on "iron" and wish to upgrade the installation, please see the [instructions in the repo](https://github.com/DefectDojo/godojo/blob/master/docs-and-scripts/upgrading.md).
 
+## Upgrading to DefectDojo Version 2.25.x.
+
+There are no special instruction for upgrading to 2.25.0. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.25.0) for the contents of the release.
+
+A few query parameters related to filtering object via API related to a products tags have been renamed to be more consistent with the other "related object tags":
+
+**Breaking Change**
+
+ - Engagement
+   - `product__tags__name` -> `product__tags` 
+   - `not_product__tags__name` -> `not_product__tags` 
+ - Test
+   - `engagement__product__tags__name` -> `engagement__product__tags`
+   - `not_engagement__product__tags__name` -> `not_engagement__product__tags`
+ - Finding
+   - `test__engagement__product__tags__name` -> `test__engagement__product__tags`
+   - `not_test__engagement__product__tags__name` -> `not_test__engagement__product__tags`
+
+**Deprecation**
+
+The OpenAPI 2.0 Swagger API documentation is being deprecated in favor of the existing
+OpenAPI 3.0 API documentation page. The OpenAPI 2.0 Swagger API documentation page is
+slated for removal in version 2.30.0
+
+*Note*: The API has not changed in any way and behaves the same between OAPI2 and OAPI3
+
+For all other changes, check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.25.0) for the contents of the release.
+
 ## Upgrading to DefectDojo Version 2.24.x.
 
 There are no special instruction for upgrading to 2.24.0. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.24.0) for the contents of the release.

docs/content/en/integrations/parsers/file/veracode.md

@@ -2,4 +2,47 @@
 title: "Veracode"
 toc_hide: true
 ---
-Detailed XML Report
+
+Veracode reports can be ingested in either XML or JSON Format
+
+- Detailed XML Report
+- JSON REST Findings from `/appsec/v2/applications/{application_guid}/findings/`
+  - Acceptable scan types include `STATIC`, `DYNAMIC`, and `SCA`
+  - Findings with a status of `CLOSED` will not be imported into DefectDojo
+  - Acceptable formats are as follows:
+    - Findings list
+      - Requires slight modification of the response returned from the API
+      - Exmample of a request being: `url <endpoint> | jq "{findings}"`
+      - Desired Format:
+        ```
+        {
+            "findings": [
+                {
+                    ...
+                },
+                ...
+            ]
+        }
+        ```
+    - Embedded 
+      - This response can be saved directly to a file and uploaded
+      - Not as ideal for crafting a refined report consisting of multiple requests
+      - Desired Format:
+        ```
+        {
+            "_embedded": {
+                "findings": [
+                   {
+                        ...
+                    },
+                    ... 
+                ]
+            },
+            "_links": {
+                ...
+            },
+            "page": {
+               ...
+            }
+        }
+        ```

docs/package.json

@@ -1,6 +1,6 @@
 {
   "devDependencies": {
-    "postcss": "8.4.24",
+    "postcss": "8.4.27",
     "autoprefixer": "10.4.14",
     "postcss-cli": "10.1.0"
   }

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa
 
-__version__ = '2.24.4'
+__version__ = '2.25.0'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'https://documentation.defectdojo.com'

dojo/announcement/signals.py

@@ -10,12 +10,15 @@ def add_announcement_to_new_user(sender, instance, **kwargs):
     if announcements.count() > 0:
         dojo_user = Dojo_User.objects.get(id=instance.id)
         announcement = announcements.first()
-        cloud_announcement = "Cloud and On-Premise Subscriptions Now Available!" in announcement.message
+        cloud_announcement = (
+            "Cloud and On-Premise Subscriptions Now Available!"
+            in announcement.message
+        )
         if not cloud_announcement or settings.CREATE_CLOUD_BANNER:
             user_announcements = UserAnnouncement.objects.filter(
-                user=dojo_user,
-                announcement=announcement)
+                user=dojo_user, announcement=announcement
+            )
             if user_announcements.count() == 0:
                 UserAnnouncement.objects.get_or_create(
-                    user=dojo_user,
-                    announcement=announcement)
+                    user=dojo_user, announcement=announcement
+                )

dojo/announcement/urls.py

@@ -2,8 +2,14 @@
 from dojo.announcement import views
 
 urlpatterns = [
-    re_path(r'^configure_announcement$', views.configure_announcement,
-     name='configure_announcement'),
-    re_path(r'^dismiss_announcement$', views.dismiss_announcement,
-     name='dismiss_announcement'),
+    re_path(
+        r"^configure_announcement$",
+        views.configure_announcement,
+        name="configure_announcement",
+    ),
+    re_path(
+        r"^dismiss_announcement$",
+        views.dismiss_announcement,
+        name="dismiss_announcement",
+    ),
 ]