
Release: Merge release into master from: release/2.43.4 #11887

Merged: 7 commits into master from release/2.43.4, Feb 24, 2025

Conversation

github-actions[bot] (Contributor)

Release triggered by rossops

DefectDojo release bot and others added 6 commits February 18, 2025 15:41
….44.0-dev

Release: Merge back 2.43.3 into bugfix from: master-into-bugfix/2.43.3-2.44.0-dev
* Return Feedback about wrong File Format in ZAP
* ruff
* Surveys: Correct Question 404

  When editing a survey question, a 404 is presented for a valid object. At some point, the content type for Questions changed to `Defect Dojo` (the verbose name of the app) rather than `dojo` (the common name).

  There is only one place where the name of the content type is accessed, so adding some backward compatible checks corrected the issue.

  [sc-10195]

* Update views.py
* API Tags: Add filter for `AND` expressions
* Fix some ruff stuff
* Small corrections
* Update dojo/filters.py

dryrunsecurity bot commented Feb 24, 2025

DryRun Security Summary

The PR upgrades DefectDojo to version 2.43.4, adding tag filtering and test cases while addressing security concerns in package dependencies, XML parsing, and API filtering validation.


The PR updates DefectDojo from version 2.43.3 to 2.43.4, involving version bumps across multiple files and adding new tag filtering capabilities and test cases.

Security findings:

  1. In components/package.json: Potential security risks from third-party dependencies referenced via GitHub direct links
  2. In dojo/tools/zap/parser.py: Added file extension validation for XML parsing, but validation is based solely on file extension which can be circumvented
  3. In unittests/dojo_test_case.py: Recommended adding input validation for dynamic API filtering parameters to prevent potential injection

Code Analysis

We ran 9 analyzers against 8 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer, 1 finding


rossops merged commit 400437f into master on Feb 24, 2025
74 checks passed