Merge pull request DefectDojo#5865 from DefectDojo/release/2.7.0

Release: Merge release into master from: release/2.7.0

.github/workflows/plantuml.yml

@@ -33,7 +33,7 @@ jobs:
         with:
           args: -v -tpng ${{ steps.getfile.outputs.files }}
       - name: Push Local Changes
-        uses: stefanzweifel/git-auto-commit-action@v4.12.0
+        uses: stefanzweifel/git-auto-commit-action@v4.13.1
         with:
           commit_user_name: "PlantUML_bot"
           commit_user_email: "[email protected]"

.github/workflows/release-1-create-pr.yml

@@ -68,7 +68,7 @@ jobs:
           grep -H version helm/defectdojo/Chart.yaml
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.12.0
+        uses: stefanzweifel/git-auto-commit-action@v4.13.1
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

.github/workflows/release-3-master-into-dev.yml

@@ -49,7 +49,7 @@ jobs:
           grep appVersion helm/defectdojo/Chart.yaml
           grep version components/package.json
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@v4.12.0
+        uses: stefanzweifel/git-auto-commit-action@v4.13.1
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

.github/workflows/test-helm-chart.yml

@@ -35,7 +35,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.1.0
+        uses: helm/chart-testing-action@v2.2.0
 
       - name: Determine target branch
         id: ct-branch-target

Dockerfile.nginx

@@ -65,7 +65,7 @@ COPY dojo/ ./dojo/
 
 RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
-FROM nginx:1.21.4-alpine@sha256:12aa12ec4a8ca049537dd486044b966b0ba6cd8890c4c900ccb5e7e630e03df0
+FROM nginx:1.21.5-alpine@sha256:eb05700fe7baa6890b74278e39b66b2ed1326831f9ec3ed4bdc6361a4ac2f333
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

README.md

@@ -39,14 +39,15 @@ Navigate to <http://localhost:8080>.
 
 ## Documentation
 
-- [Official docs](https://defectdojo.github.io/django-DefectDojo/) ([latest](https://defectdojo.github.io/django-DefectDojo/) | [dev](https://defectdojo.github.io/django-DefectDojo/dev))
+- [Official Docs](https://defectdojo.github.io/django-DefectDojo/) ([latest](https://defectdojo.github.io/django-DefectDojo/) | [dev](https://defectdojo.github.io/django-DefectDojo/dev))
 - [REST APIs](https://defectdojo.github.io/django-DefectDojo/integrations/api-v2-docs/)
 - [Client APIs and Wrappers](https://defectdojo.github.io/django-DefectDojo/integrations/api-v2-docs/#clients--api-wrappers)
-- [Authentication options](readme-docs/AVAILABLE-PLUGINS.md)
+- [Authentication Options](readme-docs/AVAILABLE-PLUGINS.md)
 
 ## Supported Installation Options
 
 * [Docker / Docker Compose](readme-docs/DOCKER.md)
+* [AWS AMI ](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk) - Supports the Project
 * [godojo](https://github.com/DefectDojo/godojo)
 
 
@@ -78,19 +79,16 @@ DefectDojo is maintained by:
 
 Core Moderators can help you with pull requests or feedback on dev ideas:
 * Valentijn Scholten ([@valentijnscholten](https://github.com/valentijnscholten) | [sponsor](https://github.com/sponsors/valentijnscholten) | [linkedin](https://www.linkedin.com/in/valentijn-scholten/))
-* Fred Blaise ([@madchap](https://github.com/madchap) | [linkedin](https://www.linkedin.com/in/fredblaise/))
 * Cody Maffucci ([@Maffooch](https://github.com/maffooch) | [linkedin](https://www.linkedin.com/in/cody-maffucci))
 
 Moderators can help you with pull requests or feedback on dev ideas:
 * Damien Carol ([@damnielcarol](https://github.com/damiencarol) | [linkedin](https://www.linkedin.com/in/damien-carol/))
 * Stefan Fleckenstein ([@StefanFl](https://github.com/stefanfl) | ([linkedin](https://www.linkedin.com/in/stefan-fleckenstein-6a456a30/))
 * Jannik Jürgens ([@alles-klar](https://github.com/alles-klar))
-* Pascal Trovatelli ([@ptrovatelli](https://github.com/ptrovatelli) | [Sopra Steria](https://www.soprasteria.com/))
-* Alex Dracea ([linkedin](https://www.linkedin.com/in/alexandru-marin-dracea-910b51122/))
 
 
 ## Hall of Fame
-
+* Fred Blaise ([@madchap](https://github.com/madchap) | [linkedin](https://www.linkedin.com/in/fredblaise/)) - Fred served as a core moderator during a critical time for DefectDojo. He contributed code, helped the team stay organized, and architected important policies and procedures.
 * Charles Neill ([@ccneill](https://twitter.com/ccneill)) – Charles served as a
     DefectDojo Maintainer for years and wrote some of Dojo's core functionality.
 * Jay Paz ([@jjpaz](https://twitter.com/jjpaz)) – Jay was a DefectDojo

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.6.2",
+  "version": "2.7.0",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
@@ -21,7 +21,7 @@
     "datatables.net-dt": "^1.11.3",
     "drmonty-datatables-plugins": "^1.0.0",
     "drmonty-datatables-responsive": "^1.0.0",
-    "easymde": "^2.15.0",
+    "easymde": "^2.16.0",
     "flot": "flot/flot#~0.8.3",
     "flot-axis": "markrcote/flot-axislabels#*",
     "font-awesome": "^4.0.0",

components/yarn.lock

@@ -42,10 +42,10 @@
   resolved "https://registry.yarnpkg.com/@foliojs-fork/restructure/-/restructure-2.0.2.tgz#73759aba2aff1da87b7c4554e6839c70d43c92b4"
   integrity sha512-59SgoZ3EXbkfSX7b63tsou/SDGzwUEK6MuB5sKqgVK1/XE0fxmpsOb9DQI8LXW3KfGnAjImCGhhEb7uPPAUVNA==
 
-"@types/codemirror@0.0.109":
-  version "0.0.109"
-  resolved "https://registry.yarnpkg.com/@types/codemirror/-/codemirror-0.0.109.tgz#89d575ff1c7b462c4c3b8654f8bb38e5622e9036"
-  integrity sha512-cSdiHeeLjvGn649lRTNeYrVCDOgDrtP+bDDSFDd1TF+i0jKGPDRozno2NOJ9lTniso+taiv4kiVS8dgM8Jm5lg==
+"@types/codemirror@^5.60.4":
+  version "5.60.5"
+  resolved "https://registry.yarnpkg.com/@types/codemirror/-/codemirror-5.60.5.tgz#5b989a3b4bbe657458cf372c92b6bfda6061a2b7"
+  integrity sha512-TiECZmm8St5YxjFUp64LK0c8WU5bxMDt9YaAek1UqUb9swrSCoJhh92fWu1p3mTEqlHjhB5sY7OFBhWroJXZVg==
   dependencies:
     "@types/tern" "*"
 
@@ -54,10 +54,10 @@
   resolved "https://registry.yarnpkg.com/@types/estree/-/estree-0.0.47.tgz#d7a51db20f0650efec24cd04994f523d93172ed4"
   integrity sha512-c5ciR06jK8u9BstrmJyO97m+klJrrhCf9u3rLu3DEAJBirxRqSCvDQoYKmxuYwQI5SZChAWu+tq9oVlGRuzPAg==
 
-"@types/marked@^2.0.2":
-  version "2.0.2"
-  resolved "https://registry.yarnpkg.com/@types/marked/-/marked-2.0.2.tgz#33a15106383f6e42cd6bdd38093e6b19904e29e1"
-  integrity sha512-P4zanhCQKs4tiWPPBGpB7lHflgFCP9DFGNI5YtpW9MALKoy2qs9rHNWJ+z55cegD9uCfnmsKuaosq9FNvbxrOw==
+"@types/marked@^3.0.1":
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/@types/marked/-/marked-3.0.3.tgz#37878f405d5f0cff0e6128cea330bd0aa8df8cb3"
+  integrity sha512-ZgAr847Wl68W+B0sWH7F4fDPxTzerLnRuUXjUpp1n4NjGSs8hgPAjAp7NQIXblG34MXTrf5wWkAK8PVJ2LIlVg==
 
 "@types/tern@*":
   version "0.23.3"
@@ -219,10 +219,10 @@ [email protected]:
   dependencies:
     typo-js "*"
 
-codemirror@^5.61.0:
-  version "5.61.0"
-  resolved "https://registry.yarnpkg.com/codemirror/-/codemirror-5.61.0.tgz#318e5b034a707207948b92ffc2862195e8fdb08e"
-  integrity sha512-D3wYH90tYY1BsKlUe0oNj2JAhQ9TepkD51auk3N7q+4uz7A/cgJ5JsWHreT0PqieW1QhOuqxQ2reCXV1YXzecg==
+codemirror@^5.63.1:
+  version "5.65.0"
+  resolved "https://registry.yarnpkg.com/codemirror/-/codemirror-5.65.0.tgz#50344359393579f526ca53797e510ff75477117f"
+  integrity sha512-gWEnHKEcz1Hyz7fsQWpK7P0sPI2/kSkRX2tc7DFA6TmZuDN75x/1ejnH/Pn8adYKrLEA1V2ww6L00GudHZbSKw==
 
 components-jqueryui@^1.0.0:
   version "1.12.1"
@@ -381,16 +381,16 @@ duplexer2@~0.1.4:
   dependencies:
     readable-stream "^2.0.2"
 
-easymde@^2.15.0:
-  version "2.15.0"
-  resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.15.0.tgz#73667c4879d8687b07651d6259ee652bba5d0b00"
-  integrity sha512-9jMRIVvKt1d0UjRN45yotUYECAM4xvw0TTAQw8sYDONP++keWJVnd8Xrn+V+vQEN/v9/X0SWEoo1rFSgCooGpw==
+easymde@^2.16.0:
+  version "2.16.0"
+  resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.16.0.tgz#631608e51565430c469be56c6aef1c0ead748495"
+  integrity sha512-RNeb+JGCBfbhlyuwGfBqImt3lWeb8sy/3AH7O7IRk0N6YMwVXIKAam5Ph2H4cbjHl1mkAJ/ssxqbytLQvZsISA==
   dependencies:
-    "@types/codemirror" "0.0.109"
-    "@types/marked" "^2.0.2"
-    codemirror "^5.61.0"
+    "@types/codemirror" "^5.60.4"
+    "@types/marked" "^3.0.1"
+    codemirror "^5.63.1"
     codemirror-spell-checker "1.1.2"
-    marked "^2.0.3"
+    marked "^3.0.4"
 
 es-abstract@^1.17.0-next.1, es-abstract@^1.17.5:
   version "1.17.6"
@@ -754,10 +754,10 @@ [email protected]:
   dependencies:
     sourcemap-codec "^1.4.1"
 
-marked@^2.0.3:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/marked/-/marked-2.0.3.tgz#3551c4958c4da36897bda2a16812ef1399c8d6b0"
-  integrity sha512-5otztIIcJfPc2qGTN8cVtOJEjNJZ0jwa46INMagrYfk0EvqtRuEHLsEe0LrFS0/q+ZRKT0+kXK7P2T1AN5lWRA==
+marked@^3.0.4:
+  version "3.0.8"
+  resolved "https://registry.yarnpkg.com/marked/-/marked-3.0.8.tgz#2785f0dc79cbdc6034be4bb4f0f0a396bd3f8aeb"
+  integrity sha512-0gVrAjo5m0VZSJb4rpL59K1unJAMb/hm8HRXqasD8VeC8m91ytDPMritgFSlKonfdt+rRYYpP/JfLxgIX8yoSw==
 
 [email protected]:
   version "1.0.4"

docker-compose.yml

@@ -103,7 +103,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   mysql:
-    image: mysql:5.7.36@sha256:7a3a7b7a29e6fbff433c339fc52245435fa2c308586481f2f92ab1df239d6a29
+    image: mysql:5.7.36@sha256:f2ad209efe9c67104167fc609cca6973c8422939491c9345270175a300419f94
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
       DD_DATABASE_URL: "${DD_DATABASE_URL:-mysql://defectdojo:defectdojo@mysql:3306/defectdojo}"

docker/entrypoint-initializer.sh

@@ -1,11 +1,16 @@
 #!/bin/sh
 
-# Test types shall be initialized every time by the initializer, to make sure test types are complete
-# when new parsers have been implemented
-initialize_test_types()
+initialize_data()
 {
+    # Test types shall be initialized every time by the initializer, to make sure test types are complete
+    # when new parsers have been implemented
     echo "Initialization of test_types"
     python3 manage.py initialize_test_types
+
+    # Non-standard permissions cannot be created with a database migration, because the content type will only
+    # be available after the dojo migrations
+    echo "Creation of non-standard permissions"
+    python3 manage.py initialize_permissions
 }
 
 # Allow for bind-mount setting.py overrides
@@ -65,7 +70,7 @@ then
     echo "Admin password: Initialization detected that the admin user ${DD_ADMIN_USER} already exists in your database."
     echo "If you don't remember the ${DD_ADMIN_USER} password, you can create a new superuser with:"
     echo "$ docker-compose exec uwsgi /bin/bash -c 'python manage.py createsuperuser'"
-    initialize_test_types
+    initialize_data
     exit
 fi
 
@@ -118,6 +123,6 @@ EOD
   echo "Migration of textquestions for surveys"
   python3 manage.py migrate_textquestions
 
-  initialize_test_types
+  initialize_data
 
 fi

docs/content/en/getting_started/installation.md

@@ -2,22 +2,34 @@
 title: "Installation"
 description: "DefectDojo supports various installation options."
 draft: false
-weight: 2
+weight: 3
 ---
 
-## Docker Compose install (recommended)
+## **Recommended Options**
+---
+
+### Docker Compose
 
 See instructions in [DOCKER.md](<https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md>)
 
-## Kubernetes install
+### AWS AMI (Supports the Project)
+
+[Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-m2a25gr67xbzk), and complete [walkthrough](https://www.10security.com/defectdojo-aws-launch-guide)
+
+---
+## **Options for the Brave**
+---
+### Kubernetes
 
 See instructions in [KUBERNETES.md](<https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/KUBERNETES.md>)
 
-## Local install with godojo
+### Local install with godojo
 
 See instructions in [README.md](<https://github.com/DefectDojo/godojo/blob/master/README.md>)
 in the godojo repository
 
+---
+
 ## Customizing of settings
 
 See [Configuration](../configuration)

docs/content/en/getting_started/upgrading.md

@@ -61,13 +61,20 @@ godojo installations
 
 If you have installed DefectDojo on "iron" and wish to upgrade the installation, please see the [instructions in the repo](https://github.com/DefectDojo/godojo/blob/master/docs-and-scripts/upgrading.md).
 
+## Upgrading to DefectDojo Version 2.7.x.
+
+This release is a breaking change regarding the Choctaw Hog parser. As the maintainers of this project unified multiple parsers under the RustyHog parser, we now support the parsing of Choctaw Hog JSON output files through the Rusty Hog parser. Furthermore, we also support Gottingen Hog JSON output files with the RustyHog parser.
+
+The functionality using the flag `AUTHORIZATION_STAFF_OVERRIDE` has been removed. The same result can be achieved with giving the staff users
+a global Owner role. To make that easier you can run a migration script with ``./manage.py migrate staff_users``. This script creates a group
+for all staff users and sets the global Owner role, if `AUTHORIZATION_STAFF_OVERRIDE` is set to True.
+
 ## Upgrading to DefectDojo Version 2.6.x.
 
 There are no special instruction for upgrading to 2.6.0. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.6.0) for the contents of the release.
 
 Please consult the security advisories [GHSA-f82x-m585-gj24](https://github.com/DefectDojo/django-DefectDojo/security/advisories/GHSA-f82x-m585-gj24) (moderate) and [GHSA-v7fv-g69g-x7p2](https://github.com/DefectDojo/django-DefectDojo/security/advisories/GHSA-v7fv-g69g-x7p2) (high) to see what security issues were fixed in this release. These will be published and become visible at January 18th, 2022.
 
-
 ## Upgrading to DefectDojo Version 2.5.x.
 
 Legacy authorization has been completely removed with version 2.5.0. This includes removal of the migration of users

docs/content/en/integrations/jira.md

@@ -28,7 +28,8 @@ Enabling the Webhook
 1.  Visit <https://>\<**YOUR JIRA URL**\>/plugins/servlet/webhooks
 2.  Click \'Create a Webhook\'
 3.  For the field labeled \'URL\' enter: <https://>\<**YOUR DOJO
-    DOMAIN**\>/webhook/
+    DOMAIN**\>/jira/webhook/<**YOUR GENERATED WEBHOOK SECRET**>
+    This value can be found under Defect Dojo System settings
 4.  Under \'Comments\' enable \'Created\'. Under Issue enable
     \'Updated\'.
 
@@ -38,6 +39,8 @@ Configurations in Dojo
 1.  Navigate to the System Settings from the menu on the left side
     or by directly visiting \<your url\>/system\_settings.
 2.  Enable \'Enable JIRA integration\' and click submit.
+3.  For the webhook created in Enabling the Webhook, enable
+    \'Enable JIRA web hook\' and click submit.
 
 Adding JIRA to Dojo
 -------------------
@@ -46,7 +49,9 @@ Adding JIRA to Dojo
 2.  Select \'Add Configuration\' from the drop-down.
 3.  If you use Jira Cloud, you will need to generate an [API token
     for Jira](https://id.atlassian.com/manage/api-tokens) to use as
-    the password
+    the password. If you use Jira Server, you will need to provide a
+    username and password for Defect Dojo to authenticate to Jira; a
+    username and Jira Personal Access Token will not necessarily work.
 4.  To obtain the \'open status key\' and \'closed status key\'
     visit <https://>\<**YOUR JIRA
     URL**\>/rest/api/latest/issue/\<**ANY VALID ISSUE

docs/content/en/integrations/parsers.md

@@ -227,11 +227,6 @@ Example GraphQL query to get issue details:
 
 Import JSON output of cargo-audit scan report <https://crates.io/crates/cargo-audit>
 
-### CCVS Report
-
-Import JSON reports from \[CCVS
-API\](<https://github.com/William-Hill-Online/CCVS-API>)
-
 ### Checkov Report
 
 Import JSON reports of Infrastructure as Code vulnerabilities.
@@ -268,9 +263,12 @@ Follow these steps to setup API importing:
     must also select which Cobalt.io API Scan Configuratio to use.
 
 ### CodeQL
+
 CodeQL can be used to generate a SARIF report, that can be imported into Defect Dojo:
 
-`codeql database analyze db python-security-and-quality.qls --sarif-add-snippets --format=sarif-latest --output=security-extended.sarif`
+```shell
+codeql database analyze db python-security-and-quality.qls --sarif-add-snippets --format=sarif-latest --output=security-extended.sarif
+```
 
 The same can be achieved by running the CodeQL GitHub action with the `add-snippet` property set to true.
 
@@ -309,11 +307,6 @@ To generate the OSA report using Checkmarx CLI:
 That will generate three files, two of which are needed for defectdojo. Build the file for defectdojo with the jq utility:
 `jq -s . CxOSAVulnerabilities.json CxOSALibraries.json`
 
-
-### Choctaw Hog parser
-
-From: <https://github.com/newrelic/rusty-hog> Import the JSON output.
-
 ### Cloudsploit (AquaSecurity)
 
 From: https://github.com/aquasecurity/cloudsploit . Import the JSON output.
@@ -927,6 +920,15 @@ report as follows
 -   Removing both fields will allow retrieval of all findings in the
     Risk Recon instance.
 
+### Rusty Hog parser
+
+From: <https://github.com/newrelic/rusty-hog> Import the JSON output.
+Rusty Hog is a secret scanner built in Rust for performance, and based on TruffleHog which is written in Python.
+
+DefectDojo currently supports the parsing of the following Rusty Hog JSON outputs:
+- Choctaw Hog: Scans for secrets in a Git repository.
+- Gottingen Hog: Scans for secrets in a JIRA issue.
+
 ### SARIF
 
 OASIS Static Analysis Results Interchange Format (SARIF). SARIF is

docs/content/en/usage/permissions.md

@@ -8,7 +8,7 @@ draft: false
 ## System-wide permissions
 
 * Administrators (aka super users) have no limitations in the system. They can change all settings, manage users  and have read and write access to all data.
-* Staff users can add Product Types, and have access to data according to their role in a Product or Product Type. There is the parameter `AUTHORIZATION_STAFF_OVERRIDE` in the settings to give all staff users full access to all Products and Product Types.
+* Staff users can add Product Types, and have access to data according to their role in a Product or Product Type.
 * Regular users have limited functionality available. They cannot add Product Types but have access to data according to their role in a Product or Product Type
 
 ## Product and Product Type permissions