Merge pull request DefectDojo#5676 from DefectDojo/release/2.6.0

Release: Merge release into master from: release/2.6.0

.github/labeler.yml

@@ -21,3 +21,8 @@ settings_changes:
 
 apiv2:
 - dojo/api_v2/**/*
+
+ui:
+  - dojo/static/**/*
+  - dojo/templates/**/*
+  - dojo/templatetags/**/*

.github/release-drafter.yml

@@ -39,6 +39,8 @@ categories:
     labels:
       - 'dependencies'
       - 'maintenance'
+  - title: '🖌 Updates in UI'
+    label: 'ui'
 exclude-labels:
   - 'skip-changelog'      
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'

.github/workflows/integration-tests.yml

@@ -99,6 +99,7 @@ jobs:
           "tests/file_test.py",
           "tests/dedupe_test.py",
           "tests/check_various_pages.py",
+          "tests/notifications_test.py",
         ]
       fail-fast: false
 

.github/workflows/k8s-testing.yml

@@ -135,7 +135,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Setup Minikube
-        uses: manusa/[email protected].2
+        uses: manusa/[email protected].3
         with:
           minikube version: 'v1.24.0'
           kubernetes version: ${{ matrix.k8s }}

Dockerfile.django

@@ -90,14 +90,12 @@ USER root
 RUN \
     adduser --system --no-create-home --disabled-password --gecos '' \
         --uid ${uid} ${appuser} && \
-    chown -R ${appuser} /app && \
-    chmod 0700 /app && \
-    chmod 0750 -R /app/* && \
-	chmod g=u /app && \
-	chmod -R g=u /app/* && \
+    chown -R root:root /app && \
+    chmod -R u+rwX,go+rX,go-w /app && \
     mkdir /var/run/${appuser} && \
     chown ${appuser} /var/run/${appuser} && \
-	chmod g=u /var/run/${appuser}
+	  chmod g=u /var/run/${appuser} && \
+    mkdir -p media/threat && chown -R ${uid} media
 USER ${uid}
 ENV \
   DD_ADMIN_USER=admin \
@@ -135,7 +133,6 @@ ENV \
   DD_UWSGI_NUM_OF_THREADS="2" \
   DD_TRACK_MIGRATIONS="True" \
   DD_DJANGO_METRICS_ENABLED="False"
-RUN mkdir -p media && mkdir -p media/threat && chown -R ${uid} media
 ENTRYPOINT ["/entrypoint-uwsgi.sh"]
 
 FROM django as django-unittests

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
@@ -15,8 +15,8 @@
     "clipboard": "^2.0.8",
     "components-jqueryui": "^1.0.0",
     "datatables.net": "^1.11.3",
-    "datatables.net-buttons-bs": "^2.0.1",
-    "datatables.net-buttons-dt": "^2.0.1",
+    "datatables.net-buttons-bs": "^2.1.1",
+    "datatables.net-buttons-dt": "^2.1.1",
     "datatables.net-colreorder": "^1.5.5",
     "datatables.net-dt": "^1.11.3",
     "drmonty-datatables-plugins": "^1.0.0",
@@ -33,7 +33,7 @@
     "jquery.flot.tooltip": "^0.9.0",
     "jquery.hotkeys": "jeresig/jquery.hotkeys#master",
     "jszip": "^3.7.1",
-    "justgage": "^1.5.0",
+    "justgage": "^1.5.1",
     "metismenu": "~3.0.7",
     "moment": "^2.29.1",
     "morris.js": "morrisjs/morris.js",

components/yarn.lock

@@ -269,38 +269,38 @@ dash-ast@^1.0.0:
   resolved "https://registry.yarnpkg.com/dash-ast/-/dash-ast-1.0.0.tgz#12029ba5fb2f8aa6f0a861795b23c1b4b6c27d37"
   integrity sha512-Vy4dx7gquTeMcQR/hDkYLGUnwVil6vk4FOOct+djUnHOUWt+zJPJAaRIXaAFkPXtJjvlY7o3rfRu0/3hpnwoUA==
 
-datatables.net-bs@>=1.10.25:
-  version "1.11.1"
-  resolved "https://registry.yarnpkg.com/datatables.net-bs/-/datatables.net-bs-1.11.1.tgz#40b0db039625afb21ec2af2db7b11049943621fd"
-  integrity sha512-r6nhiNKiL94T8gTdShMfCxGCeXG9FxVDRlUEABSJch5OxvAWprm/FuYHXS77woJfDZTbAU87e97efRFiDlb7qw==
+datatables.net-bs@>=1.11.3:
+  version "1.11.3"
+  resolved "https://registry.yarnpkg.com/datatables.net-bs/-/datatables.net-bs-1.11.3.tgz#4bca92330474733e0936db631fc12021f257a095"
+  integrity sha512-Db1YwAhO0QAWQbZTsKriUrOInT66+xaA+fV616KTKpQt5Zt+p6OsEKK+xv8LxLgG8qu5dPwMBlkhqSiS/hV2sg==
   dependencies:
     datatables.net ">=1.10.25"
     jquery ">=1.7"
 
-datatables.net-buttons-bs@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/datatables.net-buttons-bs/-/datatables.net-buttons-bs-2.0.1.tgz#d1454d5f8584162109105135dd2c6f42f8656bc6"
-  integrity sha512-VyfZj+SZIHVE40wCaYDYIPgCxNzcctxG4JtGj/ssOAQzLg4DU88wnZ6RCmAeLqEaRmcJfSajBJaVAU0bjFww5g==
+datatables.net-buttons-bs@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/datatables.net-buttons-bs/-/datatables.net-buttons-bs-2.1.1.tgz#c90fb44bb2e96e45b4c66c423a89a5625edb1f4d"
+  integrity sha512-fKCyJs4vy3kXn/ztWdUfhc/nABDgwp7va36epRgRN0bFwLCOdZSlH7HeYKrWGvNuPf1ZCZ9OG4CgTHjcO6XW3g==
   dependencies:
-    datatables.net-bs ">=1.10.25"
-    datatables.net-buttons ">=1.7.1"
+    datatables.net-bs ">=1.11.3"
+    datatables.net-buttons ">=2.0.1"
     jquery ">=1.7"
 
-datatables.net-buttons-dt@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/datatables.net-buttons-dt/-/datatables.net-buttons-dt-2.0.1.tgz#184bace6f29c77885ba3a2c399802247e847fedb"
-  integrity sha512-AjfXdeaTjSj629BE7htiGHLfTNT1thUWfv5YZXJiJYFwfdITG6BtBR1VJwdaTUY+Fe+w0rKIetfprvEKQjg2yw==
+datatables.net-buttons-dt@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/datatables.net-buttons-dt/-/datatables.net-buttons-dt-2.1.1.tgz#a276707b04dae48d2547d823d1e0fcb44e2c70b8"
+  integrity sha512-oPTEHv4NpVgbZPprh+JE2g3FiiTPZ10IhYMyB1+IzVlSwMeQgq1a4a1OL2AvGdRyZkUvHMJUjFrwH58XUjNc1Q==
   dependencies:
-    datatables.net-buttons ">=1.7.1"
-    datatables.net-dt ">=1.10.25"
+    datatables.net-buttons ">=2.0.1"
+    datatables.net-dt ">=1.11.3"
     jquery ">=1.7"
 
-datatables.net-buttons@>=1.7.1:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/datatables.net-buttons/-/datatables.net-buttons-2.0.0.tgz#a1452e4f851164d4a7fecc46ad4aff82186fac79"
-  integrity sha512-2DGrCekliPiVESRGJKXkNjxM6ECyZrHDREVb+VRBmz5TSX4y34xobxPdAkVEtYUMnLu+1OarOzOSeGevXrwGeA==
+datatables.net-buttons@>=2.0.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/datatables.net-buttons/-/datatables.net-buttons-2.1.1.tgz#5969913415aac9013ed269dbb61d7f732399f06c"
+  integrity sha512-MLHKIOlwWfZ1I6vI+w7B0w7szWDkuelTVnwuNXGhh0nMV2hP9nL7t0zgfxPraOmbVXAmJnHQa4o7pd1PfKbJ3g==
   dependencies:
-    datatables.net ">=1.10.25"
+    datatables.net ">=1.11.3"
     jquery ">=1.7"
 
 datatables.net-colreorder@^1.5.5:
@@ -311,23 +311,15 @@ datatables.net-colreorder@^1.5.5:
     datatables.net ">=1.11.3"
     jquery ">=1.7"
 
-datatables.net-dt@>=1.10.25:
-  version "2.1.1"
-  resolved "https://registry.yarnpkg.com/datatables.net-dt/-/datatables.net-dt-2.1.1.tgz#cbae9230956e4e7e3460082b48934b3084248db8"
-  integrity sha1-y66SMJVuTn40YAgrSJNLMIQkjbg=
-  dependencies:
-    datatables.net ">=1.10.9"
-    jquery ">=1.7"
-
-datatables.net-dt@^1.11.3:
+datatables.net-dt@>=1.11.3, datatables.net-dt@^1.11.3:
   version "1.11.3"
   resolved "https://registry.yarnpkg.com/datatables.net-dt/-/datatables.net-dt-1.11.3.tgz#242556a490585b457b7d2b9f5fd8fb10761d621b"
   integrity sha512-EX/thRwXpQRj8hZSb+ZMDNQ4uW1zLZa9BoAhhw1b5HIDH1nJ9WRTkERsoxE+3WISeX8bDiaEydf8TTQBSqxXVw==
   dependencies:
     datatables.net ">=1.10.25"
     jquery ">=1.7"
 
-datatables.net@>=1.10.25, datatables.net@>=1.10.9, datatables.net@>=1.11.3, datatables.net@^1.11.3:
+datatables.net@>=1.10.25, datatables.net@>=1.11.3, datatables.net@^1.11.3:
   version "1.11.3"
   resolved "https://registry.yarnpkg.com/datatables.net/-/datatables.net-1.11.3.tgz#80e691036efcd62467558ee64c07dd566cb761b4"
   integrity sha512-VMj5qEaTebpNurySkM6jy6sGpl+s6onPK8xJhYr296R/vUBnz1+id16NVqNf9z5aR076OGcpGHCuiTuy4E05oQ==
@@ -733,10 +725,10 @@ jszip@^3.7.1:
     readable-stream "~2.3.6"
     set-immediate-shim "~1.0.1"
 
-justgage@^1.5.0:
-  version "1.5.0"
-  resolved "https://registry.yarnpkg.com/justgage/-/justgage-1.5.0.tgz#b378fb680fb4d68fc244ef41f8dc2e38d6f9eb16"
-  integrity sha512-9BqZ+OQ+XrxoMg74U7NMnG8sdjlIreHAQ6uWBzqooAOjoVl2tVCoXg4BrZT9rkK+anRuGXacUtY/BgEKPhxbCQ==
+justgage@^1.5.1:
+  version "1.5.1"
+  resolved "https://registry.yarnpkg.com/justgage/-/justgage-1.5.1.tgz#03c7782a4331bd9fd3ded569c7ae46b6ec07257c"
+  integrity sha512-AD0EjNOT0489u/Or+lXKj9SAgD62u4TFtOS3oBmnrxH+uITBDhWtqC3AxNzoUDOy6XpzQDOC2eloLS4rLEfN9A==
   dependencies:
     raphael "^2.3.0"
 

docker-compose.override.unit_tests.yml

@@ -2,7 +2,7 @@
 version: '3.7'
 services:
   nginx:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'nginx']
     volumes:
       - defectdojo_media_unittest:/usr/share/nginx/html/media
@@ -25,13 +25,13 @@ services:
       DD_CELERY_BROKER_PATH: '/dojo.celerydb.sqlite'
       DD_CELERY_BROKER_PARAMS: ''
   celerybeat:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'celery beat']
   celeryworker:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'celery worker']
   initializer:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'initializer']
   mysql:
     ports:
@@ -44,7 +44,7 @@ services:
     volumes:
        - defectdojo_data_unittest:/var/lib/mysql
   rabbitmq:
-    image: busybox:1.34.0-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'rabbitmq']
 volumes:
   defectdojo_data_unittest: {}

docker-compose.override.unit_tests_cicd.yml

@@ -2,7 +2,7 @@
 version: '3.7'
 services:
   nginx:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'nginx']
     volumes:
       - defectdojo_media_unittest:/usr/share/nginx/html/media
@@ -25,13 +25,13 @@ services:
       DD_CELERY_BROKER_PATH: '/dojo.celerydb.sqlite'
       DD_CELERY_BROKER_PARAMS: ''
   celerybeat:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'celery beat']
   celeryworker:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'celery worker']
   initializer:
-    image: busybox:1.34.1-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'initializer']
   mysql:
     ports:
@@ -44,7 +44,7 @@ services:
     volumes:
        - defectdojo_data_unittest:/var/lib/mysql
   rabbitmq:
-    image: busybox:1.34.0-musl
+    image: busybox:1.35.0-musl
     entrypoint: ['echo', 'skipping', 'rabbitmq']
 volumes:
   defectdojo_data_unittest: {}

docs/content/en/getting_started/running-in-production.md

@@ -87,6 +87,8 @@ and see what is in effect.
 
 ###### Asynchronous Imports
 
+This is an experimental features that has some [concerns](https://github.com/DefectDojo/django-DefectDojo/pull/5553#issuecomment-989679555) that need to be addressed before it can be used reliably.
+
 Import and Re-Import can also be configured to handle uploads asynchronously to aid in 
 importing especially large files. It works by batching Findings and Endpoints by a 
 configurable amount. Each batch will be be processed in seperate celery tasks.

docs/content/en/integrations/api-v2-docs.md

@@ -158,7 +158,6 @@ Example for importing a scan result:
     active:true
     lead:1
     tags:test
-    scan_date:2019-04-30
     scan_type:ZAP Scan
     minimum_severity:Info
     skip_duplicates:true

docs/content/en/integrations/importing.md

@@ -50,7 +50,6 @@ An import can be performed by specifying the names of these entities in the API
 
 ```JSON
 {
-    "scan_date": '2020-06-04',
     "minimum_severity": 'Info',
     "active": True,
     "verified": Trued,
@@ -69,7 +68,6 @@ A classic way of importing a scan is by specifying the ID of the engagement inst
 
 ```JSON
 {
-    "scan_date": '2020-06-04',
     "minimum_severity": 'Info',
     "active": True,
     "verified": Trued,
@@ -88,7 +86,6 @@ An reimport can be performed by specifying the names of these entities in the AP
 
 ```JSON
 {
-    "scan_date": '2020-06-04',
     "minimum_severity": 'Info',
     "active": True,
     "verified": Trued,
@@ -111,7 +108,6 @@ A classic way of reimporting a scan is by specifying the ID of the test instead:
 
 ```JSON
 {
-    "scan_date": '2020-06-04',
     "minimum_severity": 'Info',
     "active": True,
     "verified": Trued,
@@ -122,11 +118,11 @@ A classic way of reimporting a scan is by specifying the ID of the test instead:
 
 ## Using the Scan Completion Date (API: `scan_date`) field
 
-DefectDojo offers a plethora of supported scanner reports, but not all of them contain the 
+DefectDojo offers a plethora of supported scanner reports, but not all of them contain the
 information most important to a user. The `scan_date` field is a flexible smart feature that
 allows users to set the completion date of the a given scan report, and have it propagate
-down to all the findings imported. This field is **not** mandatory, but the default value for 
-this field is the date of import (whenever the request is processed and a successful response is returned). 
+down to all the findings imported. This field is **not** mandatory, but the default value for
+this field is the date of import (whenever the request is processed and a successful response is returned).
 
 Here are the following use cases for using this field:
 

docs/content/en/usage/permissions.md

@@ -68,14 +68,14 @@ Users can be assigned as members to Products and Product Types, giving them one
 | View Components             | x      | x      | x          | x     | x            |
 |                             |        |        |            |       |              |
 | View Note History           | x      | x      | x          | x     |              |
-| Add Note                    |        | x      | x          | x     |              |
-| Edit Note                   |        | x      | x          | x     |              |
-| Delete Note                 |        | (x) <sup>2)</sub> | x          | x     |              |
+| Add Note                    | x      | x      | x          | x     |              |
+| Edit Note                   | (x) <sup>2)</sub> | x                 | x          | x     |              |
+| Delete Note                 | (x) <sup>2)</sub> | (x) <sup>2)</sub> | x          | x     |              |
 
 
 <sup>1)</sup> Every staff user and administrator can add Product Types. Regular users are not allowed to add Product Types, unless they are Global Owner or Maintainer.
 
-<sup>2)</sup> Every user is allowed to delete his own notes.
+<sup>2)</sup> Every user is allowed to edit and delete his own notes.
 
 The role of a user within a Product Type is inherited by all Products of that Product Type, unless the user is explicitly defined as a member of a Product with a different role. In that case, if a user doesn't have a certain right for the Product Type, it is then checked if he has the right for the Product.