Merge remote-tracking branch 'upstream/dev' into pghistory-for-real

Author: valentijnscholten

components/node_modules/.gitkeep

@@ -2,7 +2,7 @@
 title: 'Upgrading to DefectDojo Version 2.54.x'
 toc_hide: true
 weight: -20251201
-description: Removal of django-auditlog and exclusive use of django-pghistory for audit logging.
+description: Removal of django-auditlog and exclusive use of django-pghistory for audit logging & Dropped support for DD_PARSER_EXCLUDE
 ---
 
 ## Breaking Change: Removal of django-auditlog
@@ -39,4 +39,9 @@ The switch to `django-pghistory` provides several advantages:
 
 The backfill migration is not mandatory to succeed. If it fails for some reason, the only side effect will be that the first auditlog diff will contain all fields of an object instead just the changed fields.
 
+## Dropped support for DD_PARSER_EXCLUDE
+
+To simplify the management of the DefectDojo application, parser exclusions are no longer controlled via the environment variable DD_PARSER_EXCLUDE or application settings. This variable is now unsupported.
+From now on, you should use the active flag in the Test_Type model to enable or disable parsers. Only parsers associated with active Test_Type entries will be available for use.
+
 Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.54.0) for the contents of the release.

docs/content/en/open_source/upgrading/2.54.md

@@ -25,6 +25,19 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**,
 
 Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again.
 
+### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances
+
+**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that aid in managing risk decisions at scale:
+
+* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio.
+* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to.
+
+**DefectDojo Open Source** implements Risk Acceptances at the Engagement level:
+
+* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Engagement.
+
+Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition.
+
 ### Add a new Full Risk Acceptance
 
 Risk Acceptances can be added to a Finding in two ways:

docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md

@@ -93,7 +93,7 @@
 from dojo.risk_acceptance.queries import get_authorized_risk_acceptances
 from dojo.test.queries import get_authorized_tests
 from dojo.user.queries import get_authorized_users
-from dojo.utils import get_system_setting, is_finding_groups_enabled, truncate_timezone_aware
+from dojo.utils import get_system_setting, get_visible_scan_types, is_finding_groups_enabled, truncate_timezone_aware
 
 logger = logging.getLogger(__name__)
 
@@ -2030,6 +2030,9 @@ def __init__(self, *args, **kwargs):
         # Don't show the product filter on the product finding view
         self.set_related_object_fields(*args, **kwargs)
 
+        if "test__test_type" in self.form.fields:
+            self.form.fields["test__test_type"].queryset = get_visible_scan_types()
+
     def set_related_object_fields(self, *args: list, **kwargs: dict):
         finding_group_query = Finding_Group.objects.all()
         if self.pid is not None:

dojo/filters.py

@@ -118,6 +118,7 @@
     get_page_items_and_count,
     get_return_url,
     get_system_setting,
+    get_visible_scan_types,
     get_words_for_field,
     match_finding_to_existing_findings,
     process_tag_notifications,
@@ -302,6 +303,7 @@ def get_initial_context(self, request: HttpRequest):
             "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
             "title_words": get_words_for_field(Finding, "title"),
             "component_words": get_words_for_field(Finding, "component_name"),
+            "visible_test_types": get_visible_scan_types(),
         }
         # Look to see if the product was used
         if product_id := self.get_product_id():

dojo/finding/views.py

@@ -275,7 +275,6 @@
     # regular expression to exclude one or more parsers
     # could be usefull to limit parser allowed
     # AWS Scout2 Scan Parser is deprecated (see https://github.com/DefectDojo/django-DefectDojo/pull/5268)
-    DD_PARSER_EXCLUDE=(str, ""),
     # when enabled in sytem settings,  every minute a job run to delete excess duplicates
     # we limit the amount of duplicates that can be deleted in a single run of that job
     # to prevent overlapping runs of that job from occurrring
@@ -1849,9 +1848,6 @@ def saml2_attrib_map_format(din):
 # If using this, lines for Qualys WAS deduplication functions must be un-commented
 QUALYS_WAS_UNIQUE_ID = False
 
-# exclusion list for parsers
-PARSER_EXCLUDE = env("DD_PARSER_EXCLUDE")
-
 SERIALIZATION_MODULES = {
     "xml": "tagulous.serializers.xml_serializer",
     "json": "tagulous.serializers.json",

dojo/settings/settings.dist.py

@@ -87,7 +87,7 @@ def add_finding(self, finding, dupes):
     def get_filename_and_path_from_dependency(
         self, dependency, related_dependency, namespace,
     ):
-        if not related_dependency:
+        if related_dependency is None:
             return dependency.findtext(
                 f"{namespace}fileName",
             ), dependency.findtext(f"{namespace}filePath")
@@ -105,10 +105,10 @@ def get_component_name_and_version_from_dependency(
         self, dependency, related_dependency, namespace,
     ):
         identifiers_node = dependency.find(namespace + "identifiers")
-        if identifiers_node:
+        if identifiers_node is not None:
             # analyzing identifier from the more generic to
             package_node = identifiers_node.find(".//" + namespace + "package")
-            if package_node:
+            if package_node is not None:
                 pck_id = package_node.findtext(f"{namespace}id")
                 purl = PackageURL.from_string(pck_id)
                 purl_parts = purl.to_dict()
@@ -166,7 +166,7 @@ def get_component_name_and_version_from_dependency(
             maven_node = identifiers_node.find(
                 ".//" + namespace + 'identifier[@type="maven"]',
             )
-            if maven_node:
+            if maven_node is not None:
                 maven_parts = maven_node.findtext(f"{namespace}name").split(
                     ":",
                 )
@@ -181,7 +181,7 @@ def get_component_name_and_version_from_dependency(
         evidence_collected_node = dependency.find(
             namespace + "evidenceCollected",
         )
-        if evidence_collected_node:
+        if evidence_collected_node is not None:
             # <evidenceCollected>
             # <evidence type="product" confidence="HIGH">
             #     <source>file</source>
@@ -199,12 +199,12 @@ def get_component_name_and_version_from_dependency(
             product_node = evidence_collected_node.find(
                 ".//" + namespace + 'evidence[@type="product"]',
             )
-            if product_node:
+            if product_node is not None:
                 component_name = product_node.findtext(f"{namespace}value")
                 version_node = evidence_collected_node.find(
                     ".//" + namespace + 'evidence[@type="version"]',
                 )
-                if version_node:
+                if version_node is not None:
                     component_version = version_node.findtext(
                         f"{namespace}value",
                     )
@@ -280,7 +280,7 @@ def get_finding_from_vulnerability(
         mitigated = None
         is_Mitigated = False
         name = vulnerability.findtext(f"{namespace}name")
-        if vulnerability.find(f"{namespace}cwes"):
+        if vulnerability.find(f"{namespace}cwes") is not None:
             cwe_field = vulnerability.find(f"{namespace}cwes").findtext(
                 f"{namespace}cwe",
             )
@@ -425,14 +425,14 @@ def get_findings(self, filename, test):
 
         dependencies = scan.find(namespace + "dependencies")
         scan_date = None
-        if scan.find(f"{namespace}projectInfo"):
+        if scan.find(f"{namespace}projectInfo") is not None:
             projectInfo_node = scan.find(f"{namespace}projectInfo")
             if projectInfo_node.findtext(f"{namespace}reportDate"):
                 scan_date = dateutil.parser.parse(
                     projectInfo_node.findtext(f"{namespace}reportDate"),
                 )
 
-        if dependencies:
+        if dependencies is not None:
             for dependency in dependencies.findall(namespace + "dependency"):
                 vulnerabilities = dependency.find(
                     namespace + "vulnerabilities",
@@ -441,7 +441,7 @@ def get_findings(self, filename, test):
                     for vulnerability in vulnerabilities.findall(
                         namespace + "vulnerability",
                     ):
-                        if vulnerability:
+                        if vulnerability is not None:
                             finding = self.get_finding_from_vulnerability(
                                 dependency,
                                 None,
@@ -456,7 +456,7 @@ def get_findings(self, filename, test):
                             relatedDependencies = dependency.find(
                                 namespace + "relatedDependencies",
                             )
-                            if relatedDependencies:
+                            if relatedDependencies is not None:
                                 for (
                                     relatedDependency
                                 ) in relatedDependencies.findall(
@@ -479,7 +479,7 @@ def get_findings(self, filename, test):
                     for suppressedVulnerability in vulnerabilities.findall(
                         namespace + "suppressedVulnerability",
                     ):
-                        if suppressedVulnerability:
+                        if suppressedVulnerability is not None:
                             finding = self.get_finding_from_vulnerability(
                                 dependency,
                                 None,

dojo/tools/dependency_check/parser.py

@@ -6,8 +6,6 @@
 from inspect import isclass
 from pathlib import Path
 
-from django.conf import settings
-
 from dojo.models import Test_Type, Tool_Configuration, Tool_Type
 
 PARSERS = {}
@@ -37,12 +35,12 @@ def get_parser(scan_type):
     if scan_type not in PARSERS:
         msg = f"Parser '{scan_type}' does not exist"
         raise ValueError(msg)
-    rg = re.compile(settings.PARSER_EXCLUDE)
-    if not rg.match(scan_type) or not settings.PARSER_EXCLUDE.strip():
-        # update DB dynamically
-        test_type, _ = Test_Type.objects.get_or_create(name=scan_type)
-        if test_type.active:
-            return PARSERS[scan_type]
+
+    # update DB dynamically
+    test_type, _ = Test_Type.objects.get_or_create(name=scan_type)
+    if test_type.active:
+        return PARSERS[scan_type]
+
     msg = f"Parser {scan_type} is not active"
     raise ValueError(msg)
 

dojo/tools/factory.py

@@ -86,7 +86,7 @@ def xml_structure_before_24_2(self, root, test):
                 for group in ReportSection.iter("GroupingSection"):
                     title = group.findtext("groupTitle")
                     maj_attr_summary = group.find("MajorAttributeSummary")
-                    if maj_attr_summary:
+                    if maj_attr_summary is not None:
                         meta_info = maj_attr_summary.findall("MetaInfo")
                         meta_pair[place][title] = {
                             x.findtext("Name"): x.findtext("Value")
@@ -115,11 +115,11 @@ def xml_structure_before_24_2(self, root, test):
                 "FilePath": issue.find("Primary").find("FilePath").text,
                 "LineStart": issue.find("Primary").find("LineStart").text,
             }
-            if issue.find("Primary").find("Snippet"):
+            if issue.find("Primary").find("Snippet") is not None:
                 details["Snippet"] = issue.find("Primary").find("Snippet").text
             else:
                 details["Snippet"] = "n/a"
-            if issue.find("Source"):
+            if issue.find("Source") is not None:
                 source = {
                     "FileName": issue.find("Source").find("FileName").text,
                     "FilePath": issue.find("Source").find("FilePath").text,

dojo/tools/fortify/xml_parser.py

@@ -96,7 +96,8 @@ def get_findings(self, file, test):
                         )
                     description += service_info
                 script_id = None
-                if script := port_element.find("script"):
+                script = port_element.find("script")
+                if script is not None:
                     if script_id := script.attrib.get("id"):
                         description += f"**Script ID:** {script_id}\n"
                     if script_output := script.attrib.get("output"):