Merge branch 'bugfix' into implement_oidc_groups

Author: manuel-sommer

.github/workflows/test-helm-chart.yml

@@ -107,6 +107,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Update values in HELM chart
         if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')

dojo/forms.py

@@ -1131,6 +1131,18 @@ def __init__(self, *args, **kwargs):
         else:
             self.fields["lead"].queryset = get_authorized_users(Permissions.Test_View).filter(is_active=True)
 
+    def is_valid(self):
+        valid = super().is_valid()
+
+        # we're done now if not valid
+        if not valid:
+            return valid
+        if self.cleaned_data["target_start"] > self.cleaned_data["target_end"]:
+            self.add_error("target_start", "Your target start date exceeds your target end date")
+            self.add_error("target_end", "Your target start date exceeds your target end date")
+            return False
+        return True
+
     class Meta:
         model = Test
         fields = ["title", "test_type", "target_start", "target_end", "description",

dojo/models.py

@@ -1095,8 +1095,8 @@ def save(self, *args, **kwargs):
                     product.async_updating = True
                     super(Product, product).save()
                 # launch the async task to update all finding sla expiration dates
-                from dojo.sla_config.helpers import update_sla_expiration_dates_sla_config_async  # noqa: I001, PLC0415 circular import
-                update_sla_expiration_dates_sla_config_async(self, products, tuple(severities))
+                from dojo.sla_config.helpers import async_update_sla_expiration_dates_sla_config_sync  # noqa: I001, PLC0415 circular import
+                async_update_sla_expiration_dates_sla_config_sync(self, products, severities=severities)
 
     def clean(self):
         sla_days = [self.critical, self.high, self.medium, self.low]
@@ -1257,8 +1257,8 @@ def save(self, *args, **kwargs):
                     sla_config.async_updating = True
                     super(SLA_Configuration, sla_config).save()
                 # launch the async task to update all finding sla expiration dates
-                from dojo.sla_config.helpers import update_sla_expiration_dates_product_async  # noqa: I001, PLC0415 circular import
-                update_sla_expiration_dates_product_async(self, sla_config)
+                from dojo.sla_config.helpers import async_update_sla_expiration_dates_sla_config_sync  # noqa: I001, PLC0415 circular import
+                async_update_sla_expiration_dates_sla_config_sync(sla_config, Product.objects.filter(id=self.id))
 
     def get_absolute_url(self):
         return reverse("view_product", args=[str(self.id)])
@@ -3148,16 +3148,25 @@ def get_sla_configuration(self):
         return self.test.engagement.product.sla_configuration
 
     def get_sla_period(self):
+        # Determine which method to use to calculate the SLA
+        from dojo.utils import get_custom_method  # noqa: PLC0415 circular import
+        if method := get_custom_method("FINDING_SLA_PERIOD_METHOD"):
+            return method(self)
+        # Run the default method
         sla_configuration = self.get_sla_configuration()
         sla_period = getattr(sla_configuration, self.severity.lower(), None)
         enforce_period = getattr(sla_configuration, str("enforce_" + self.severity.lower()), None)
         return sla_period, enforce_period
 
     def set_sla_expiration_date(self):
+        # First check if SLA is enabled globally
         system_settings = System_Settings.objects.get()
         if not system_settings.enable_finding_sla:
             return
+        # Call the internal method to set the sla expiration date
+        self._set_sla_expiration_date()
 
+    def _set_sla_expiration_date(self):
         # some parsers provide date as a `str` instead of a `date` in which case we need to parse it #12299 on GitHub
         sla_start_date = self.get_sla_start_date()
         if sla_start_date and isinstance(sla_start_date, str):

dojo/sla_config/helpers.py

@@ -2,49 +2,50 @@
 
 from dojo.celery import app
 from dojo.decorators import dojo_async_task
-from dojo.models import Finding, Product, SLA_Configuration
-from dojo.utils import calculate_grade, mass_model_updater
+from dojo.models import Finding, Product, SLA_Configuration, System_Settings
+from dojo.utils import get_custom_method, mass_model_updater
 
 logger = logging.getLogger(__name__)
 
 
 @dojo_async_task
 @app.task
-def update_sla_expiration_dates_sla_config_async(sla_config, products, severities, *args, **kwargs):
-    update_sla_expiration_dates_sla_config_sync(sla_config, products, severities)
+def async_update_sla_expiration_dates_sla_config_sync(sla_config: SLA_Configuration, products: list[Product], *args, severities: list[str] | None = None, **kwargs):
+    if method := get_custom_method("FINDING_SLA_EXPIRATION_CALCULATION_METHOD"):
+        method(sla_config, products, severities=severities)
+    else:
+        update_sla_expiration_dates_sla_config_sync(sla_config, products, severities=severities)
 
 
-@dojo_async_task
-@app.task
-def update_sla_expiration_dates_product_async(product, sla_config, *args, **kwargs):
-    update_sla_expiration_dates_sla_config_sync(sla_config, [product])
-
-
-def update_sla_expiration_dates_sla_config_sync(sla_config, products, severities=None):
+def update_sla_expiration_dates_sla_config_sync(sla_config: SLA_Configuration, products: list[Product], severities: list[str] | None = None):
     logger.info("Updating finding SLA expiration dates within the %s SLA configuration", sla_config)
+    # First check if SLA is enabled globally
+    system_settings = System_Settings.objects.get()
+    if not system_settings.enable_finding_sla:
+        return
     # update each finding that is within the SLA configuration that was saved
     findings = Finding.objects.filter(test__engagement__product__sla_configuration_id=sla_config.id)
     if products:
         findings = findings.filter(test__engagement__product__in=products)
     if severities:
         findings = findings.filter(severity__in=severities)
 
-    findings = findings.prefetch_related(
+    findings = (
+        findings.prefetch_related(
             "test",
             "test__engagement",
             "test__engagement__product",
             "test__engagement__product__sla_configuration",
+        )
+        .order_by("id")
+        .only("id", "sla_start_date", "date", "severity", "test")
     )
-
-    findings = findings.order_by("id").only("id", "sla_start_date", "date", "severity", "test")
-
+    # Call the internal method so that we are not checking system settings for each finding
     mass_model_updater(Finding, findings, lambda f: f.set_sla_expiration_date(), fields=["sla_expiration_date"])
 
     # reset the async updating flag to false for all products using this sla config
-    for product in products:
-        product.async_updating = False
-        super(Product, product).save()
-        calculate_grade(product)
+    # use update as we don't want save() and signals to be triggered
+    products.update(async_updating=False)
 
     # reset the async updating flag to false for this sla config
     sla_config.async_updating = False

dojo/tools/nancy/parser.py

@@ -1,6 +1,7 @@
 import json
 
 from cvss.cvss3 import CVSS3
+from cvss.cvss4 import CVSS4
 
 from dojo.models import Finding
 
@@ -64,17 +65,18 @@ def get_items(self, vulnerable, test):
                         out_of_scope=False,
                         static_finding=True,
                         dynamic_finding=False,
-                        vuln_id_from_tool=associated_vuln["Id"],
+                        vuln_id_from_tool=associated_vuln.get("Id", associated_vuln.get("ID")),
                         references="\n".join(references),
                     )
-
                     finding.unsaved_vulnerability_ids = vulnerability_ids
-
+                    cvss_vector = associated_vuln["CvssVector"]
                     # CVSSv3 vector
-                    if associated_vuln["CvssVector"]:
+                    if cvss_vector and cvss_vector.startswith("CVSS:3."):
                         finding.cvssv3 = CVSS3(
                             associated_vuln["CvssVector"]).clean_vector()
-
+                    elif cvss_vector and cvss_vector.startswith("CVSS:4."):
+                        finding.cvssv4 = CVSS4(
+                            associated_vuln["CvssVector"]).clean_vector()
                     # do we have a CWE?
                     if associated_vuln["Title"].startswith("CWE-"):
                         cwe = (associated_vuln["Title"]

helm/defectdojo/Chart.yaml

@@ -34,4 +34,8 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "true"
-  artifacthub.io/changes: ""
+  artifacthub.io/changes: |
+    - kind: fixed
+      description: Broken rendering of media PVC
+    - kind: fixed
+      description: Typo in description of digests

helm/defectdojo/README.md

@@ -674,11 +674,11 @@ A Helm chart for Kubernetes to install DefectDojo
 | host | string | `"defectdojo.default.minikube.local"` | Primary hostname of instance |
 | imagePullPolicy | string | `"Always"` |  |
 | imagePullSecrets | string | `nil` | When using a private registry, name of the secret that holds the registry secret (eg deploy token from gitlab-ci project) Create secrets as: kubectl create secret docker-registry defectdojoregistrykey --docker-username=registry_username --docker-password=registry_password --docker-server='https://index.docker.io/v1/' |
-| images.django.image.digest | string | `""` | Prefix "sha@" is expected in this place |
+| images.django.image.digest | string | `""` | Prefix "sha256:" is expected in this place |
 | images.django.image.registry | string | `""` |  |
 | images.django.image.repository | string | `"defectdojo/defectdojo-django"` |  |
 | images.django.image.tag | string | `""` | If empty, use appVersion. Another possible values are: latest, X.X.X, X.X.X-debian, X.X.X-alpine (where X.X.X is version of DD). For dev builds (only for testing purposes): nightly-dev, nightly-dev-debian, nightly-dev-alpine. To see all, check https://hub.docker.com/r/defectdojo/defectdojo-django/tags. |
-| images.nginx.image.digest | string | `""` | Prefix "sha@" is expected in this place |
+| images.nginx.image.digest | string | `""` | Prefix "sha256:" is expected in this place |
 | images.nginx.image.registry | string | `""` |  |
 | images.nginx.image.repository | string | `"defectdojo/defectdojo-nginx"` |  |
 | images.nginx.image.tag | string | `""` | If empty, use appVersion. Another possible values are: latest, X.X.X, X.X.X-alpine (where X.X.X is version of DD). For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine. To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags. |

helm/defectdojo/templates/media-pvc.yaml

@@ -4,7 +4,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  {{- with .Values.extraAnnotations }}
+  {{- with $.Values.extraAnnotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ quote $value }}
@@ -16,19 +16,19 @@ metadata:
     app.kubernetes.io/instance: {{ $.Release.Name }}
     app.kubernetes.io/managed-by: {{ $.Release.Service }}
     helm.sh/chart: {{ include "defectdojo.chart" $ }}
-    {{- range $key, $value := .Values.extraLabels }}
+    {{- range $key, $value := $.Values.extraLabels }}
     {{ $key }}: {{ quote $value }}
     {{- end }}
   name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
 spec:
   accessModes: 
   {{- toYaml .persistentVolumeClaim.accessModes | nindent 4 }}
   resources:
     requests:
       storage: {{ .persistentVolumeClaim.size }}
-  {{- if .persistentVolumeClaim.storageClassName }}
-  storageClassName: {{ .persistentVolumeClaim.storageClassName }}
+  {{- with .persistentVolumeClaim.storageClassName }}
+  storageClassName: {{ . }}
   {{- end }}
 {{- end }}
 {{- end }}

helm/defectdojo/values.schema.json

@@ -865,7 +865,7 @@
                             "type": "object",
                             "properties": {
                                 "digest": {
-                                    "description": "Prefix \"sha@\" is expected in this place",
+                                    "description": "Prefix \"sha256:\" is expected in this place",
                                     "type": "string"
                                 },
                                 "registry": {
@@ -889,7 +889,7 @@
                             "type": "object",
                             "properties": {
                                 "digest": {
-                                    "description": "Prefix \"sha@\" is expected in this place",
+                                    "description": "Prefix \"sha256:\" is expected in this place",
                                     "type": "string"
                                 },
                                 "registry": {

helm/defectdojo/values.yaml

@@ -37,7 +37,7 @@ images:
       # For dev builds (only for testing purposes): nightly-dev, nightly-dev-debian, nightly-dev-alpine.
       # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-django/tags.
       tag: ""
-      # -- Prefix "sha@" is expected in this place
+      # -- Prefix "sha256:" is expected in this place
       digest: ""
   nginx:
     image:
@@ -48,7 +48,7 @@ images:
       # For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine.
       # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags.
       tag: ""
-      # -- Prefix "sha@" is expected in this place
+      # -- Prefix "sha256:" is expected in this place
       digest: ""
 
 # -- Enables application network policy