Conversation
….56.0-dev Release: Merge back 2.55.4 into bugfix from: master-into-bugfix/2.55.4-2.56.0-dev
* Update Quick Start guide in README for Docker Compose * Update README.md --------- Co-authored-by: Matt Tesauro <mtesauro@gmail.com>
Bumps and [minimatch](https://github.com/isaacs/minimatch). These dependencies needed to be updated together. Updates `minimatch` from 3.1.2 to 3.1.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.4) Updates `minimatch` from 10.1.2 to 10.2.3 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.4) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.4 dependency-type: indirect - dependency-name: minimatch dependency-version: 10.2.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ison (#14359) Fix two bugs in the Trivy Operator parser: 1. compliance_handler.py: The severity selection logic was inverted - it attempted to use check_severity when it was empty (causing KeyError) and fell back to result_severity when check_severity was present. Fixed to correctly prefer check-level severity, falling back to result-level severity when the check has no severity. 2. checks_handler.py: The checkID comparison used integer 0 instead of string "0", so `check_id != 0` was always True (string vs int). This caused bogus reference URLs and vulnerability IDs to be generated for checks without a checkID. Also changed from `check.get("checkID", "0")` to `check.get("checkID") or "0"` to handle explicit null values in JSON. Signed-off-by: Sergiy Kulanov <sergiy_kulanov@epam.com>
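The two Trivy Operator fixes described above, as an added example (this is not the parser's own code from dojo/tools/trivy_operator/): the report fragment is constructed, the result-level severity is assumed, and the reference URL pattern is hypothetical.

```python
import json

# Constructed configauditreport fragment (not one of DefectDojo's fixtures):
# one check with an ID, one with an explicit JSON null, one with the key missing.
SAMPLE_CHECKS = json.loads("""[
  {"checkID": "KSV001", "severity": "HIGH", "title": "Process can elevate its own privileges"},
  {"checkID": null, "severity": "", "title": "Check with null ID and no severity"},
  {"severity": "LOW", "title": "Check without a checkID key"}
]""")


def select_severity(check_severity, result_severity):
    """Prefer the check-level severity; use the result-level one only when the check has none."""
    return check_severity if check_severity else result_severity


def check_reference(check):
    """Return (vulnerability id, reference URL) for a check.

    Checks without a usable checkID get an empty id and no URL instead of a bogus reference.
    """
    # `check.get("checkID", "0")` returns None for an explicit JSON null, so use `or "0"`.
    check_id = check.get("checkID") or "0"
    # checkID is a string: comparing with integer 0 is always True and would emit
    # references for every check, including the ones without an ID.
    if check_id != "0":
        # Hypothetical URL pattern for illustration only.
        return check_id, f"https://example.invalid/checks/{check_id}"
    return "", None


def process_checks(checks, result_severity):
    """Map each raw check to (vuln id, severity, reference URL) with the corrected logic."""
    out = []
    for check in checks:
        vuln_id, ref = check_reference(check)
        out.append((vuln_id, select_severity(check.get("severity", ""), result_severity), ref))
    return out
```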
* add new connectors to docs * update changelog for 2.55.4 * update Jfrog with token scopes
* Fix update-sample-data workflow pushing to protected master branch (#14374) The branch parameter used github.ref_name which resolved to 'master' when triggered via workflow_dispatch, causing a push to a protected branch. Simplify by letting create-pull-request manage the branch using a fixed name, removing the now-redundant manual branch steps. * Also update defect_dojo_sample_data_locations.json in sample data workflow (#14391) The locations fixture is used when the v3 feature locations flag is enabled and needs to be kept up to date alongside the main sample data fixture. * chore(deps-dev): bump rollup from 4.57.1 to 4.59.0 in /docs Bumps [rollup](https://github.com/rollup/rollup) from 4.57.1 to 4.59.0. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.57.1...v4.59.0) --- updated-dependencies: - dependency-name: rollup dependency-version: 4.59.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
…eation and improved validation
…14402) * fix(endpoint_manager): exclude certain endpoint statuses from existing findings * Remove misleading comment * test(import_reimport): skip reactivation for special endpoint statuses * fix(location_manager): exclude special endpoint statuses from reactivation logic fix(location): optimize get_or_create methods for LocationFindingReference and LocationProductReference test(import_reimport): enhance tests to skip reactivation for special statuses in endpoint and location contexts * fix(test_importers_performance): update expected query and async task counts for performance tests * perf(endpoint_manager): avoid double queryset evaluation in update_endpoint_status Evaluate existing_finding_endpoint_status_list once into a list with select_related("endpoint") before the two list comprehensions, preventing a duplicate DB hit and N+1 endpoint lookups. Update expected performance test counts to reflect the reduced query counts. * perf(endpoint_manager): use prefetched status_finding_non_special to avoid extra DB queries Add a named Prefetch to build_candidate_scope_queryset that fetches only non-special endpoint statuses (excluding false_positive, out_of_scope, risk_accepted) with their endpoint joined in via select_related. This replaces the two separate "status_finding" and "status_finding__endpoint" prefetches with a single query and avoids per-finding DB hits in update_endpoint_status and process_matched_special_status_finding. Update expected performance test counts to reflect the reduced query counts. --------- Co-authored-by: Valentijn Scholten <valentijnscholten@gmail.com>
…14396) * fix: don't close old findings when reimport auto-creates a new test When auto_create_context=True and the test doesn't exist yet, the reimport falls back to DefaultImporter. With close_old_findings=True, this would incorrectly close findings from other tests in the same engagement/product scope because the newly created test has no prior findings to compare against. Suppress close_old_findings for this initial-import path. Fixes #14363. * test: regression test for #14363 via API serializer path Add test_reimport_auto_create_does_not_close_findings_in_existing_test to ImportReimportTestAPI. It calls the reimport endpoint with auto_create_context=True and close_old_findings=True targeting a non-existing test title, verifying that the existing test's findings are not closed when the endpoint auto-creates a new test. This test would fail if the close_old_findings=False override in the serializer were reverted.
The Question and Answer models intentionally use models.Manager() as their default objects manager instead of PolymorphicManager(). This is a deliberate trade-off introduced in #9574 to fix cascade deletion failures (ForeignKeyViolation on dojo_choiceanswer and ValueError during Product/ProductType deletion) caused by Django's inability to correctly order polymorphic child row deletions before parent row deletions when using PolymorphicManager as the default. Using models.Manager() as the default ensures Django's collector can walk the full object graph and delete child rows (TextAnswer, ChoiceAnswer) before their parent Answer rows, satisfying FK constraints. A named polymorphic manager is retained on both models for all queryset operations that require polymorphic behavior (used throughout dojo/survey/views.py and dojo/forms.py). The resulting polymorphic.W001 and polymorphic.W002 warnings are therefore expected and benign — they describe the intentional configuration, not a bug. Silencing them here prevents noise in CI and local development output without masking any real misconfiguration. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Optimize language import process with bulk creation and improved validation
fix the way bulk update endpoints in finding view works in v3
* Adjust decorators for new permissions model Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Decorator and permissions updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Align get_object_or_404 filtering strategy with dev branch Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix test assertions and serializer type hint Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Enhance permission tests with detailed docstrings for clarity and maintainability --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Refactor zip handling with safe_open_zip and safe_read_all_zip
🔴 Risk threshold exceeded. This pull request modifies multiple sensitive codepaths (including dojo/api_v2/serializers.py, dojo/finding/deduplication.py, several importers and managers, and template files like endpoints.html and view_finding.html), and the scanner flags these as sensitive edits that should be reviewed against the configured
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_8d1e0aab)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/deduplication.py (drs_c2deb718)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py (drs_17dc19c8)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_40420c22)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/deduplication.py (drs_d744c8c7)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/endpoint_manager.py (drs_e8267b5e)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/location_manager.py (drs_185cb599)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/snippets/endpoints.html (drs_c33b5dfb)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html (drs_55125488)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py (drs_53f3ae13)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/endpoint_manager.py (drs_62493d2a)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/location_manager.py (drs_f94c32c4)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/snippets/endpoints.html (drs_d8cb7dea)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html (drs_1f6ba37a)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Pull request overview
This PR merges a bugfix/security hardening set into dev as part of the 2.56.0 release line, including permission/IDOR fixes, safer ZIP parsing, importer performance tweaks, and documentation/chart version bumps.
Changes:
- Added/updated authorization checks to prevent cross-object IDOR and data exposure (risk acceptance, questionnaires, engagement presets, benchmarks, credential mappings, tool/object parent mismatches).
- Introduced ZIP bomb protections and migrated multiple parsers/importers to use safe ZIP utilities.
- Improved importer behavior/performance (endpoint/location status handling, language bulk writes, query count adjustments) and expanded test coverage + docs updates.
Reviewed changes
Copilot reviewed 54 out of 86 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| unittests/tools/test_trivy_operator_parser.py | Updates/extends Trivy Operator parser tests (severity logic + missing checkID regression). |
| unittests/test_rest_framework.py | Strengthens cloc import test by validating initial + updated payloads and expected language rows. |
| unittests/test_permissions_audit.py | Adds a comprehensive permission/IDOR regression test suite across multiple endpoints. |
| unittests/test_importers_performance.py | Adjusts expected query counts to reflect importer/perf changes. |
| unittests/test_import_reimport.py | Adds regression tests for endpoint-status reactivation rules and auto_create reimport behavior. |
| unittests/scans/trivy_operator/configauditreport_missing_checkid.json | New Trivy sample for missing checkID. |
| unittests/scans/trivy_operator/compliance_severity.json | New Trivy sample to verify check vs result severity precedence. |
| helm/defectdojo/README.md | Bumps chart/app badges to 2.56.0-dev / 1.9.15-dev. |
| helm/defectdojo/Chart.yaml | Marks chart prerelease + bumps chart/app versions. |
| dojo/url/ui/views.py | Refactors finding location bulk update to set a single selected status via set_status. |
| dojo/tools/utils.py | Adds safe_open_zip / safe_read_all_zip with zip-bomb protection limits. |
| dojo/tools/trivy_operator/compliance_handler.py | Fixes compliance severity selection logic (check severity preferred, else result severity). |
| dojo/tools/trivy_operator/checks_handler.py | Ensures missing checkIDs don’t generate bogus references/IDs. |
| dojo/tools/sonarqube/parser.py | Switches ZIP reading to safe ZIP utility. |
| dojo/tools/ms_defender/parser.py | Switches ZIP reading to safe ZIP utility. |
| dojo/tools/fortify/fpr_parser.py | Switches ZIP reading to safe ZIP utility. |
| dojo/tools/blackduck_component_risk/importer.py | Uses safe ZIP opening for BlackDuck Component Risk reports. |
| dojo/tools/blackduck/importer.py | Uses safe ZIP opening for BlackDuck reports. |
| dojo/tool_product/views.py | Prevents cross-product tool setting edits/deletes (403/404 instead of bad request). |
| dojo/templates/dojo/view_finding.html | Updates bulk edit UI to support Locations (radio-based status selection). |
| dojo/templates/dojo/snippets/endpoints.html | Displays location status via display name and adjusts header formatting. |
| dojo/survey/views.py | Scopes Answered_Survey lookups to engagement to prevent cross-engagement access. |
| dojo/settings/settings.dist.py | Silences polymorphic warnings in default system checks list. |
| dojo/product/views.py | Scopes Engagement Preset lookups to product to prevent cross-product access. |
| dojo/object/views.py | Prevents cross-product object edits/deletes (403/404 instead of bad request). |
| dojo/location/models.py | Changes association helpers to return existing refs early (status update behavior changed). |
| dojo/importers/location_manager.py | Avoids mitigating special statuses and improves set membership for locations. |
| dojo/importers/endpoint_manager.py | Uses prefetched non-special endpoint statuses for reimport status updates. |
| dojo/importers/default_reimporter.py | Uses prefetched non-special endpoint statuses during reactivation. |
| dojo/finding/views.py | Requires global Finding_Edit for template discovery endpoint. |
| dojo/finding/helper.py | Truncates finding group names to DB length constraints. |
| dojo/finding/deduplication.py | Adds optimized Prefetch for non-special endpoint statuses in reimport mode. |
| dojo/engagement/views.py | Scopes risk acceptance routes to the owning engagement to prevent IDOR. |
| dojo/cred/views.py | Tightens credential authorization to configuration-level and Cred_Mapping-level checks. |
| dojo/benchmark/views.py | Scopes benchmark updates and summaries to product to prevent IDOR. |
| dojo/api_v2/views.py | Fixes permissions for engagement update_jira_epic and enforces parent perms in metadata batch. |
| dojo/api_v2/serializers.py | Hides accepted_risks if user lacks permission; prevents closing old findings on auto-create reimport; bulk-writes language stats. |
| docs/layouts/_markup/render-image.html | Adds Hugo image render hook and disables costly WebP conversion in this hook. |
| docs/content/releases/pro/changelog.md | Updates Pro changelog entries. |
| docs/content/import_data/pro/connectors/connectors_tool_reference.md | Adds Akamai API Security + JFrog Xray connector docs. |
| docs/content/import_data/pro/connectors/about_connectors.md | Adds Akamai API Security + JFrog Xray to the supported connectors list. |
| docs/content/import_data/import_intro/comparison.md | Updates connectors list in import method comparison table. |
| docs/content/get_started/about/demo.md | Updates Pro demo URL. |
| docs/content/automation/rules_engine/scheduling.md | Adds Rules Engine scheduling documentation (Pro). |
| docs/content/automation/rules_engine/about.md | Updates Rules Engine docs to reflect scheduling + expanded actions. |
| docs/content/asset_modelling/PRO_surveys/_index.md | Adds Pro surveys docs index. |
| docs/content/asset_modelling/PRO_surveys/PRO__surveys.md | Adds Pro surveys documentation page. |
| docs/content/asset_modelling/OS_questionnaires/_index.md | Adds Open Source questionnaires docs index. |
| docs/content/asset_modelling/OS_questionnaires/OS__questionnaires.md | Adds Open Source questionnaires documentation page. |
| docs/content/admin/user_management/user_permission_chart.md | Updates permission chart with prioritization engines + scheduling permissions. |
| docs/config/development/params.toml | Adds dev-only docs image processing overrides to reduce OOM risk. |
| components/package.json | Bumps component version to 2.56.0-dev. |
| README.md | Simplifies Docker Compose quick start instructions and adds development docs link. |
| .github/workflows/update-sample-data.yml | Updates workflow to also refresh Locations fixture and uses a fixed PR branch name. |
Files not reviewed (1)
- docs/package-lock.json: Language not supported
Comments suppressed due to low confidence (12)
- dojo/location/models.py:1 - This changes `associate_with_finding` semantics: if a reference already exists, the method returns early and will never apply the provided `status`/`auditor`/`audit_time`. Given the signature still accepts `status` and audit fields, this is likely to break callers that relied on updating status through this helper. A safer approach is to `get_or_create` the reference (atomically) and, if `status` (or audit fields) are provided, call the appropriate status/audit update method on the existing/new reference.
- dojo/location/models.py:1 - This `exists()` + `get()` sequence is non-atomic and performs two queries; under concurrency it can also race with create/delete. Prefer a single `get_or_create()` (optionally wrapped in the existing transaction block below) and handle status updates consistently for both 'created' and 'fetched existing' cases.
- dojo/importers/endpoint_manager.py:1 - `existing_finding.status_finding_non_special` only exists if the queryset was built via the specific `Prefetch(..., to_attr='status_finding_non_special')` path. If `update_endpoint_status` is ever called with an `existing_finding` coming from a different code path, this will raise `AttributeError`. Consider falling back to the previous queryset expression when the attribute is missing (e.g., `getattr(existing_finding, 'status_finding_non_special', existing_finding.status_finding.exclude(...))`).
- dojo/importers/default_reimporter.py:1 - Same risk as in `endpoint_manager.update_endpoint_status`: this assumes `status_finding_non_special` is always present on `existing_finding`. If `existing_finding` wasn't loaded via the reimport-mode `Prefetch(..., to_attr=...)`, this will crash. Add a defensive fallback to the excluded queryset when the attribute is absent.
- dojo/url/ui/views.py:1 - The guard `status in FindingLocationStatus` is not reliably correct for all enum/choices types (it may fail for string values), yet the next line casts via `FindingLocationStatus(status)`, which will raise if invalid. Consider validating using the choices values (e.g., `status in FindingLocationStatus.values` for Django `TextChoices`) or wrapping the cast in a try/except and treating invalid values as a no-op with an error message. Also, if `finding_locations_to_update` contains IDs, using `location_id__in=...` is clearer than `location__in=...`.
- dojo/tools/utils.py:1 - The compression-ratio protection is bypassed when `compress_size == 0`. A malicious ZIP can report `compress_size=0` in metadata (or store entries in ways that defeat this heuristic) while still expanding significantly on read. Consider explicitly handling `compress_size == 0` when `file_size > 0` as suspicious (either reject or apply a stricter limit), and ensure the ratio calculation can't be skirted by zero/near-zero compressed sizes.
- dojo/tools/utils.py:1 - New security-critical helpers (`safe_open_zip`/`safe_read_all_zip`) were introduced, but this PR doesn't add focused unit tests covering each rejection path (member count, per-member size, total size, ratio/zero compressed size). Adding targeted tests will help prevent regressions and ensure these limits behave as intended across Python/zipfile edge cases.
- unittests/test_import_reimport.py:1 - Returning early from a test can silently hide failures and makes test reporting less clear. Prefer `self.skipTest(...)` (or `pytest.skip(...)`, depending on the test framework) so the test run explicitly records the case as skipped with a reason.
- unittests/test_import_reimport.py:1 - Typo in variable name `related_obects` (should be `related_objects`). Renaming improves readability and avoids propagating the misspelling across the test.
- dojo/tool_product/views.py:1 - Raising `PermissionDenied` without a message results in a generic 403, which makes troubleshooting harder (and previously this path surfaced a specific mismatch message). Consider raising `PermissionDenied(<clear mismatch message>)` so logs/UI provide actionable context while still returning 403.
- docs/content/import_data/pro/connectors/connectors_tool_reference.md:1 - This reads as an incomplete instruction ('for example' with no example). Add an explicit example URL format (and/or where to find it in Akamai) to make the setup steps actionable.
- docs/content/asset_modelling/OS_questionnaires/OS__questionnaires.md:1 - Correct spelling of 'Questionaires' to 'Questionnaires'.
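The ZIP-bomb guard discussed in the two dojo/tools/utils.py review comments above, as an added example (this is not DefectDojo's `safe_open_zip`/`safe_read_all_zip`): it applies the member-count, per-member, total-size and ratio limits, treats `compress_size == 0` on a non-empty entry as suspicious rather than skipping the ratio check, and additionally caps the bytes actually produced while reading, since central-directory metadata can be forged. All limit values are assumed.

```python
import io
import zipfile

# Assumed limits for this example; DefectDojo's real values live in dojo/tools/utils.py.
MAX_MEMBERS = 1000
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # 50 MiB per entry
MAX_TOTAL_SIZE = 200 * 1024 * 1024  # 200 MiB across all entries
MAX_RATIO = 100  # uncompressed bytes / compressed bytes


class UnsafeZipError(ValueError):
    """Raised when an archive violates one of the configured limits."""


def check_zip_metadata(zf):
    """Reject archives whose central-directory metadata exceeds the limits."""
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        raise UnsafeZipError(f"too many members: {len(infos)} > {MAX_MEMBERS}")
    total = 0
    for info in infos:
        if info.file_size > MAX_MEMBER_SIZE:
            raise UnsafeZipError(f"{info.filename}: declared size {info.file_size} exceeds limit")
        total += info.file_size
        if total > MAX_TOTAL_SIZE:
            raise UnsafeZipError("declared total size exceeds limit")
        # A zero compressed size is not a free pass: a non-empty entry claiming
        # zero compressed bytes is rejected instead of skipping the ratio check.
        if info.compress_size == 0:
            if info.file_size > 0:
                raise UnsafeZipError(f"{info.filename}: zero compressed size for non-empty entry")
            continue
        if info.file_size / info.compress_size > MAX_RATIO:
            raise UnsafeZipError(f"{info.filename}: compression ratio exceeds {MAX_RATIO}")


def safe_open_zip(data):
    """Open an in-memory archive only after its metadata passes the limit checks."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    check_zip_metadata(zf)
    return zf


def safe_read_all_zip(data):
    """Read every member, enforcing the limits on bytes actually produced, not just declared."""
    zf = safe_open_zip(data)
    out = {}
    total = 0
    for info in zf.infolist():
        chunks = []
        produced = 0
        with zf.open(info) as fh:
            while chunk := fh.read(64 * 1024):
                produced += len(chunk)
                total += len(chunk)
                if produced > MAX_MEMBER_SIZE or total > MAX_TOTAL_SIZE:
                    raise UnsafeZipError(f"{info.filename}: output exceeded limit while reading")
                chunks.append(chunk)
        out[info.filename] = b"".join(chunks)
    return out


def build_zip(members):
    """Constructed helper: build a deflated archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A 1 MiB run of zero bytes deflates to roughly 1 KiB, so it trips the ratio limit at the metadata stage before any member is read.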
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
No description provided.