Releases: DefectDojo/django-DefectDojo
1.11.0 🌈
For upgrade notes, see https://defectdojo.readthedocs.io/en/latest/upgrading.html
Changes
🚩 Requires settings change or database migration
- Add redis transit encryption @KarstenSiemer (#3473)
- Fix exception during excess duplicate deletion tasks @valentijnscholten (#3480)
- replace django-tagging by django-tagulous @valentijnscholten (#3333)
- [feat/login-form] Allowing login forms to be hidden @natebwangsut (#3423)
🚀 New importers
- Add support for GitLab Dependency Scanning reports @macedogm (#3534)
- Importer: Add OASIS SARIF format #3445 @damiencarol (#3464)
🚀 General features and enhancements
- Add redis transit encryption @KarstenSiemer (#3473)
- calendar: speedup and security fix @valentijnscholten (#3543)
- Add JIRA_Issue in related fields of Finding @RomainJufer (#3407)
- Retain SLA days for mitigated findings @madchap (#3525)
- Use full absolute url in notifications @marcosValle (#3538)
- Allow to specify the Environment when importing data from the APIv2 and the UI @xens (#3450)
- Allow use of ptvsd debugger when using k8s deployment @madchap (#3418)
- Add BlackDuck import functionality for License Risks that should be reviewed @WheelsVT (#3247)
- enable search tests @valentijnscholten (#3495)
- Tag filtering + general search improvements @valentijnscholten (#3449)
- securityContext related updates to Helm chart @namloc2001 (#3343)
- jira: add api test for adding note/comment @valentijnscholten (#3482)
- Fix exception during excess duplicate deletion tasks @valentijnscholten (#3480)
- jira: don't add notes when creating/linking findings @valentijnscholten (#3481)
- logging: add DD_LOG_LEVEL setting @valentijnscholten (#3439)
- replace django-tagging by django-tagulous @valentijnscholten (#3333)
- Expose nginx status to prometheus in Kubernetes (helm) @uncycler (#3260)
- Nikto parser for scan of multiple hosts @StefanFl (#3428)
- reports: fix performance issues and small bugs @valentijnscholten (#3432)
- [feat/login-form] Allowing login forms to be hidden @natebwangsut (#3423)
- [APIv2] Update put semantic and doc for endpoint /finding/{id}/metadata @RomainJufer (#3408)
- Add duplicate finding support to API v2. @iwalton3 (#3325)
🐛 Bug Fixes
- Various Bug Fixes. Fix reupload via UI. Make 'Active' Default On Scan Import Forms. @devGregA (#3521)
- Fix(helm-unittests): add secret key and credential key @alles-klar (#3489)
- Only mitigate finding if previously active @madchap (#3523)
- fix(risk_acceptance): remove hard coded user_id @alles-klar (#3469)
- Reupload bug fixes @aaronweaver (#3531)
- Fix issue 3527 while importing some Twistlock scans @macedogm (#3532)
- (product) metrics: fixes and speedup @valentijnscholten (#3549)
- Add missing modifications for SARIF format @damiencarol (#3559)
- product list: fix last assessed displaying @valentijnscholten (#3493)
- [fix/helm-rabbitMQ]: Fix incorrect YAML key for RabbitMQ chart @natebwangsut (#3508)
- Bug fix: Add more unit tests for MobSF import #3479 @damiencarol (#3490)
- Jira: Allow status changes from dojo to jira @Maffooch (#3483)
- Fix popup message on SLA displays @Maffooch (#3477)
- Tweaked Fortify Parser To Handle Missing Code Snippet For Finding @ibcoleman (#3461)
- WebInspect Parser fails to process Issues without CWE and ReportSection with an empty SectionText @yilmi (#3492)
- Fix reports: print test names instead of test types - #3252 @yilmi (#3402)
- tagulous/reports: fix old prefetch fields - take 2 @valentijnscholten (#3491)
- tagulous/reports: fix old prefetch fields @valentijnscholten (#3486)
- Fix exception during excess duplicate deletion tasks @valentijnscholten (#3480)
- report: fix report from products list and more @valentijnscholten (#3448)
- apiv2: fix endpoint status creation during scan import @alles-klar (#3468)
- [FIX] jira: fix adding note to finding and send to jira @RomainJufer (#3453)
- pin all python / pip dependencies @valentijnscholten (#3457)
- Allow Info findings to be pushed to JIRA without SLA @Maffooch (#3435)
- Fix import: binary analysis in MobSF scans #3134 @damiencarol (#3429)
- reports: fix performance issues and small bugs @valentijnscholten (#3432)
- celery imports for dojo.tools.tool_issue_updater @valentijnscholten (#3414)
- Fix finding export for non-staff users. @iwalton3 (#3286)
- Fix popup message on SLA displays @Maffooch (#3477)
📝 Documentation updates
- add note about initializer duration @valentijnscholten (#3499)
- Update README Valentijn @valentijnscholten (#3440)
🧰 Maintenance
- Release drafter categories adaptation @madchap (#3560)
- Test suite and scripts cleanup @valentijnscholten (#3500)
- celery entrypoints: support all settings related mounts @valentijnscholten (#3545)
- Bump pdfmake from 0.1.68 to 0.1.69 in /components @dependabot (#3558)
- chore(deps): update rabbitmq:3.8.9 docker digest from 3.8.9 to 3.8.9 (docker-compose.yml) @renovate (#3553)
- Bump pygithub from 1.54 to 1.54.1 @dependabot (#3551)
- Bump pytz from 2020.4 to 2020.5 @dependabot (#3552)
- chore(deps): update manusa/actions-setup-minikube action from v2.2.0 to v2.3.0 (.github/workflows/k8s-testing.yml) @renovate (#3541)
- chore(deps): update mysql:5.7.32 docker digest from 5.7.32 to 5.7.32 (docker-compose.yml) @renovate (#3540)
- Add PyJWT to requirements.txt @squ1rr3lly (#3536)
- Bump coverage from 5.3 to 5.3.1 @dependabot (#3509)
- Bump nginx from 1.19.5-alpine to 1.19.6-alpine @dependabot (#3510)
- Update manusa/actions-setup-minikube action from v2.1.0 to v2.2.0 (.github/workflows/k8s-testing.yml) @renovate (#3505)
- Bump datatables.net-dt from 1.10.22 to 1.10.23 in /components @dependabot (#3496)
- Bump datatables.net-bs from 1.10.22 to 1.10.23 in /components @dependabot (#3498)
- Bump requests from 2.25.0 to 2.25.1 @dependabot (#3484)
- chore(deps): update rabbitmq:3.8.9 docker digest from 3.8.9 to 3.8.9 (docker-compose.yml) @renovate (#3487)
- chore(deps): update stefanzweifel/git-auto-commit-action action from v4.7.2 to v4.8.0 (.github/workflows/plantuml.yml) @renovate (#3476)
- Bump google-auth from 1.23.0 to 1.24.0 @dependabot (#3465)
- Bump humanize from 3.1.0 to 3.2.0 @dependabot (#3466)
- Bump nginx from 210a2dd to 6ceeeab @dependabot (#3467)
- make build image for nginx the same as django @valentijnscholten (#3415)
- chore(deps): update mysql:5.7.32 docker digest to b3b2703 (docker-compose.yml) @renovate (#3462)
- chore(deps): update rabbitmq:3.8.9 docker digest to 70dcefa (docker-compose.yml) @renovate (#3463)
- Bump bleach from 3.1.0 to 3.2.1 @dependabot (#3458)
- Bump pandas from 1.1.2 to 1.1.5 @dependabot (#3459)
- pin all python / pip dependencies @valentijnscholten (#3457)
- Revert "Revert "release workflow: simplify matrix"" @valentijnscholten (#3456)
- Revert "release workflow: simplify matrix" @valentijnscholten (#3454)
- release workflow: simplify matrix @valentijnscholten (#3416)
- Bump mysqlclient from 2.0.1 to 2.0.2 @dependabot (#3443)
- Bump cryptography from 3.3 to 3.3.1 @dependabot (#3444)
- Bump cryptography from 3.2.1 to 3.3 @dependabot (#3434)
- chore(deps): update rabbitmq:3.8.9 docker digest to 39a4fca (docker-compose.yml) @renovate (#3430)
- Bump pandas from 1.1.5 to 1.2.0 @dependabot (#3557)
- k8s testing workflow: remove docker secrets @valentijnscholten (#3519)
- gha: switch to pull_request from pull_request_target @valentijnscholten (#3512, #3514)
- Update unit-tests.yml @valentijnscholten (#3506, #3507)
- move renovate.json @valentijnscholten (#3503, #3504)
- maintenance: Update cancel-outdated-workflow-runs.yml @valentijnscholten (#3502)
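The Maintenance list above is mostly Dependabot and Renovate bumps, several of them for security-sensitive packages (cryptography, bleach, lxml, urllib3, pillow), alongside "pin all python / pip dependencies". An operator upgrading a self-hosted instance usually wants to know which of those bumps their own pinned requirements are still behind, and whether anything is left unpinned. The following is an added example, not DefectDojo code: it parses release-note lines in the "Bump X from A to B @author (#PR)" shape used on this page, parses a requirements file, and reports pins that are older than the version the release moved to. The release lines are copied from this page; the requirements file content and the function names are constructed for the example.

```python
"""Compare dependency bumps from a DefectDojo release page against a
pinned requirements file.

Added example, not part of DefectDojo. SAMPLE_RELEASE_LINES are copied
from the release notes; SAMPLE_REQUIREMENTS is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches both "Bump foo from A to B @dependabot (#N)" and the older
# "build(deps): bump foo from A to B @dependabot-preview (#N)" form.
# An optional " in /components" marks npm packages, which do not live
# in requirements.txt.
BUMP_RE = re.compile(
    r"^- (?:build\(deps\): )?[Bb]ump (?P<name>[\w.\-]+) from (?P<old>\S+) to (?P<new>\S+)"
    r"(?: in (?P<path>\S+))? @(?P<author>[\w\-]+) \(#(?P<pr>\d+)\)\s*$"
)

# A pinned pip requirement: "name==version", optionally with extras.
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?==(?P<version>[^\s;#]+)")


@dataclass(frozen=True)
class Bump:
    name: str
    old: str
    new: str
    pr: int
    path: Optional[str]  # e.g. "/components" for npm packages, None for pip


def parse_bumps(lines: List[str]) -> List[Bump]:
    """Extract Bump records; lines that are not version bumps are ignored."""
    bumps = []
    for line in lines:
        m = BUMP_RE.match(line.strip())
        if m:
            bumps.append(Bump(m["name"].lower(), m["old"], m["new"], int(m["pr"]), m["path"]))
    return bumps


def version_tuple(v: str) -> Tuple:
    """Numeric-aware ordering key: digits compare as ints, other parts as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: pinned_version}, [lines that are not exact pins])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m["name"].lower()] = m["version"]
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit(bumps: List[Bump], pinned: Dict[str, str]) -> Dict[str, Tuple[str, str, int]]:
    """Map pip package -> (our pin, highest release version, PR) where our pin is older."""
    behind: Dict[str, Tuple[str, str, int]] = {}
    for b in bumps:
        if b.path:  # npm component, not a pip dependency
            continue
        cur = pinned.get(b.name)
        if cur is None or version_tuple(cur) >= version_tuple(b.new):
            continue
        # A package may be bumped several times in one release; keep the highest target.
        if b.name not in behind or version_tuple(b.new) > version_tuple(behind[b.name][1]):
            behind[b.name] = (cur, b.new, b.pr)
    return behind


SAMPLE_RELEASE_LINES = [  # copied from the release notes on this page
    "- Bump cryptography from 3.3 to 3.3.1 @dependabot (#3444)",
    "- Bump cryptography from 3.2.1 to 3.3 @dependabot (#3434)",
    "- Bump bleach from 3.1.0 to 3.2.1 @dependabot (#3458)",
    "- Bump requests from 2.25.0 to 2.25.1 @dependabot (#3484)",
    "- Bump pdfmake from 0.1.68 to 0.1.69 in /components @dependabot (#3558)",
    "- build(deps): bump lxml from 4.5.2 to 4.6.1 @dependabot-preview (#3037)",
    "- chore(deps): update rabbitmq:3.8.9 docker digest to 70dcefa (docker-compose.yml) @renovate (#3463)",
    "- pin all python / pip dependencies @valentijnscholten (#3457)",
]

SAMPLE_REQUIREMENTS = """\
# constructed for this example, not DefectDojo's real requirements.txt
cryptography==3.2.1
bleach==3.1.0
requests==2.25.1
lxml==4.6.1
pyjwt>=1.7
PyGithub==1.54.1
"""

if __name__ == "__main__":
    pins, loose = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, (have, want, pr) in sorted(audit(parse_bumps(SAMPLE_RELEASE_LINES), pins).items()):
        print(f"{name}: pinned {have}, release moved to {want} (#{pr})")
    for line in loose:
        print(f"not pinned exactly: {line}")
```

Run against your real requirements file and the release's Maintenance list, the output names the packages to check against their upstream advisories before upgrading; the unpinned list is the same class of problem that "pin all python / pip dependencies" closed in this release. The version ordering is deliberately simple (no PEP 440 pre-release semantics); use packaging.version if your pins include rc or dev tags.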
1.10.4 👾 (security release)
🚩 Security
- security: correct incomplete fix for #3410 / GHSA-96vq-gqr9-vf2c @StefanFl (#3417)
1.10.3 👾 (security release)
This is a security release addressing GHSA-96vq-gqr9-vf2c
🚩 Security
1.10.2 🌈
Changes
- pip: use old legacy resolver @valentijnscholten (#3379)
1.10.1 🌈
🐛 Bug Fixes
- jira: fix add/edit product jira logic @valentijnscholten (#3366)
- Helm PostgreSQL, use existing secret even if postgres not enabled @madchap (#3350)
- Fix helm rabbitMQ not grabbing secret after move to bitnami @madchap (#3347)
- Align Qualys WAS severities with those in the UI @Maffooch (#3348)
- jira: fix link existing jira issue @valentijnscholten (#3355)
🧰 Maintenance
1.10.0 🌈
Changes
See upgrade notes for details on upgrading: https://defectdojo.readthedocs.io/en/latest/upgrading.html
💣 Breaking changes
- Move charts to bitnami's repo @madchap (#2859)
- JIRA: Allow config per engagement, incl big JIRA refactor @valentijnscholten (#3200)
🚩 Requires settings change
- Acunetix parser: Import all affected items + technical details @steeve85 (#2289)
- performance: optimize a bit view_finding, max similar findings=25 @valentijnscholten (#3293)
- Various bug fixes in various places @Maffooch (#3308)
- sla notify: disable by default, add explanation to settings @valentijnscholten (#3289)
- Celery: only send model ids and not full instances @valentijnscholten (#3092)
🚀 Features and enhancements
- tags: add testcases @valentijnscholten (#3324)
- reimport: set component_name&version on existing findings @valentijnscholten (#3288)
- API_V2 : Add metadata operation on findings endpoints @RomainJufer (#3254)
- performance: optimize a bit view_finding, max similar findings=25 @valentijnscholten (#3293)
- Various bug fixes in various places @Maffooch (#3308)
- sla notify: disable by default, add explanation to settings @valentijnscholten (#3289)
- Reintroduce HTML report builder @Maffooch (#3250)
- JIRA: Allow config per engagement, incl big JIRA refactor @valentijnscholten (#3200)
- Celery: only send model ids and not full instances @valentijnscholten (#3092)
- jira: set jira_project when creating JIRA_Issue @valentijnscholten (#3294)
- Set flag for auto refresh of alert/counts @Maffooch (#3275)
🐛 Bug Fixes
- apiv2: set mitigated date if applicable @keenan-v1 (#3285)
- Acunetix parser: Import all affected items + technical details @steeve85 (#2289)
- Correct filter for findings for non-staff users @StefanFl (#3339)
- jira: fix add/edit engagement if no jira config used @valentijnscholten (#3335)
- fix importing aws securityhub timestamp @Enigmatyk (#3329)
- Fix Product Metrics link to false positives. @tohch4 (#3334)
- jira_webhook: improve error handling @valentijnscholten (#3321)
- Nikto quick fix to hostname/url parsing (fixes #3268) @madchap (#3318)
- reimport: don't try to set component_name for absent findings @valentijnscholten (#3331)
- debug_toolbar: add known issue + fix for static files @valentijnscholten (#3309)
- Added steps to reproduce in Jira Description Template @FallenAtticus (#2990)
- aws security hub: fix handling of missing lastObservedAt @valentijnscholten (#3277)
- jira: fix mailto link in description @valentijnscholten (#3281)
- jira: split url handling for issues and projects @valentijnscholten (#3284)
- Various bug fixes in various places @Maffooch (#3308)
- Allow re-import scan to function without JIRA @Maffooch (#3295)
- Fix Accepted Risk reporter/owner in engineer metrics @Maffooch (#3297)
- Fix JIRA owner instead of reporter @madchap (#3282)
- settings.dist.py: reduce default log level from DEBUG to INFO @valentijnscholten (#3280)
- jira: use correct url for dojo_alert notification @valentijnscholten (#3273)
- Update open finding definition on product level @Maffooch (#3267)
- uwsgi: increase default buffer-size @valentijnscholten (#3269)
- Change encoding from utf-8 to utf-8-sig @jhamba (#2583)
- Commented out print statement 'ready(): initializing watson' as it breaks 'manage.py dumpdata' @mtesauro (#3274)
- Fix NoneType error on Metrics page @danielnaab (#3323)
- unittests: delete erroneously committed empty ZoneIdentifier metadata files @valentijnscholten (#3304)
🧰 Maintenance
- build(deps): bump django-celery-results from 1.2.1 to 2.0.0 @dependabot-preview (#3311)
- Move charts to bitnami's repo @madchap (#2859)
- chore(deps): update mysql:5.7.32 docker digest to ec6742a (docker-compose.yml) @renovate (#3300)
- chore(deps): update rabbitmq:3.8.9 docker digest to b05476a (docker-compose.yml) @renovate (#3301)
- build(deps): bump google-api-python-client from 1.12.6 to 1.12.8 @dependabot-preview (#3305)
- build(deps): bump django-crispy-forms from 1.9.2 to 1.10.0 @dependabot-preview (#3307)
- Release drafter - add breaking changes section @madchap (#3291)
- build(deps): bump google-api-python-client from 1.12.5 to 1.12.6 @dependabot-preview (#3287)
- build(deps): bump asteval from 0.9.20 to 0.9.21 @dependabot-preview (#3266)
- Update CONTRIBUTING.md @madchap (#3314)
- Update SPONSORING.md @madchap (#3316)
- Update MAINTAINERS.md @madchap (#3315)
- Update CONTRIBUTING.md @madchap (#3317)
- Updated contributing doc to have Python 3.6 instead of 3.5 @mtesauro (#3306)
- Release: Merge release into master from: release/1.10.0 @github-actions (#3344)
- Release: Merge back master into dev from: master-into-dev/1.10.0-dev @github-actions (#3268)
1.9.3 👾 (security release)
This is a security release.
Please see the security advisory for more details.
- JIRA and Tool Configuration credentials exposed in plain text (merge commit)
- Fixes report creation - missing Q import (#3263)
1.9.2 🌈
🐛 Bug Fixes
- fix jira add/edit configuration @valentijnscholten (#3165)
- fix view all endpoints: added import statement for #3167 @Seppl2202 (#3168)
🧰 Maintenance
- jira: add logging of metadata @valentijnscholten (#3187)
1.9.1 🌈
1.9.0 🌈
Note: Please see our upgrade notes for additional details
🚀 New scanners
🚀 Features and enhancements
- Add DD_LOGGING_FORMAT variable, celery logger section @madchap (#3072)
- Add annotations for pods @madchap (#3012)
- Add json logging to Django @madchap (#3062)
- Modify uwsgi entrypoint to allow for overriding settings.py @mtesauro (#3045)
- Add configurable SAML2 logout endpoint @Maffooch (#3046)
- Add filter to product metrics @Maffooch (#2974)
- Add SSL verification variable to JIRA integration @Maffooch (#3016)
- swagger ui: use sessions, more compact UI @valentijnscholten (#3025)
- dedupe / false positive history: make queries more performant @valentijnscholten (#3028)
- Add authorized users at the product type level @Maffooch (#3007)
- Allow specifying the key for the database secrets @uncycler (#2906)
- Add delete methods for products and environments in api v2 @RomainJufer (#3014)
- Add Component overview @ricardomeulendijks (#2977)
- ZAP parser: do not resolve hostname to IP address during endpoint creation (#2284) @AlexanderTyutin (#2286)
- Remove HipChat integration, add support for Microsoft Teams instead @StefanFl (#2975)
- Fixes and add missing index for simple search @valentijnscholten (#2955)
- Add related fields on findings @xens (#2949)
🐛 Bug Fixes
- Add 'options' to JIRA connections @Maffooch (#3106)
- Test header bar - findings count fix @madchap (#3074)
- apiv2: add doc for finding's related_fields + stick to OAv3 @xens (#3066)
- Add DD_LOGGING_FORMAT variable, celery logger section @madchap (#3072)
- Add verbose importing flow to Fortify scans @Maffooch (#3055)
- Fix nginx port in docker-compose.override.https.yml @rookies (#3059)
- Fix burp request/response encoding errors in API @Maffooch (#3044)
- Set finding is_Mitigated on finding update @madchap (#3032)
- view_test: fix javascript for bulk edit enablement @valentijnscholten (#3035)
- sonatype parser: truncate filepath @valentijnscholten (#3036)
- Fix nginx port definition in docker-compose.yml @rookies (#3041)
- fix jira column on similar findings rows @valentijnscholten (#3030)
- Fix APIv1 Endpoint_Status bug @rookies (#3020)
- Make Product Type reports more descriptive @cody-m-tibco (#2783)
- add engagement: fix permission checks @valentijnscholten (#3005)
- apiv2: add missing fields for filtering and remove UI related stuff @xens (#3000)
- Bugfix: Authorized User only gets findings through API of which he is the reporter of #2992 @Yuuichi89 (#2998)
- Bugfix typo in docker integration tests @alles-klar (#2995)
- Fix APIv2 Endpoint Status bug @Maffooch (#2983)
- Don't copy inexistent certs folder in Dockerfile.django @uncycler (#2946)
- Fixes and add missing index for simple search @valentijnscholten (#2955)
- jira: fix looping when pushing from api @valentijnscholten (#2951)
- HackerOne: Added unique_id_from_tool to fix deduplication @reinier-vegter (#2935)
- fix: prevent saving empty cve @edersonbrilhante (#2669)
🧰 Maintenance
- v0.1 of GHA release automation @madchap (#3094)
- apiv1 deprecation: show warning on docs and api key pages @valentijnscholten (#3089)
- build(deps): bump markdown from 3.3.2 to 3.3.3 @dependabot-preview (#3095)
- build(deps): bump cryptography from 3.1.1 to 3.2 @dependabot-preview (#3096)
- Update stefanzweifel/git-auto-commit-action action from v4.7.1 to v4.7.2 (.github/workflows/plantuml.yml) @renovate (#3086)
- build(deps): bump pillow from 8.0.0 to 8.0.1 @dependabot-preview (#3076)
- build(deps): bump drf-yasg2 from 1.19.2 to 1.19.3 @dependabot-preview (#3077)
- build(deps): bump google-api-python-client from 1.12.3 to 1.12.5 @dependabot-preview (#3075)
- master->dev: github action workflow config sync @valentijnscholten (#3078)
- integration tests: fix mark finding for review errors @valentijnscholten (#3073)
- Add endpoint_status creation script @Maffooch (#3068)
- build(deps): bump humanize from 3.0.1 to 3.1.0 @dependabot-preview (#3049)
- upgrade to drf_yasg2 which is needed for django rest framework 3.12 and higher @valentijnscholten (#3052)
- Update mysql Docker tag from 5.7.31 to v5.7.32 (docker-compose.yml) @renovate (#3070)
- Update stefanzweifel/git-auto-commit-action action from v4.6.0 to v4.7.1 (.github/workflows/plantuml.yml) @renovate (#3071)
- master->dev sync: modifications to workflow files @valentijnscholten (#3067)
- GitHub Actions: Add unit tests workflow @valentijnscholten (#3063)
- chore(deps): update stefanzweifel/git-auto-commit-action action from v4.1.2 to v4.6.0 (.github/workflows/plantuml.yml) @renovate (#3050)
- chore(deps): update actions/checkout action from v1 to v2 (.github/workflows/plantuml.yml) @renovate (#3051)
- Remove that comment to make my sed life easier @madchap (#3048)
- build(deps): bump markdown from 3.3.1 to 3.3.2 @dependabot-preview (#3047)
- build(deps): bump urllib3 from 1.25.10 to 1.25.11 @dependabot-preview (#3040)
- build(deps): bump mysql-connector-python from 8.0.21 to 8.0.22 @dependabot-preview (#3039)
- build(deps): bump lxml from 4.5.2 to 4.6.1 @dependabot-preview (#3037)
- title: suppress superfluous log lines @valentijnscholten (#3031)
- Revert "Move helm deps to Chart.yaml (#3013)" @madchap (#3022)
- build(deps): bump pillow from 7.2.0 to 8.0.0 @dependabot-preview (#3010)
- linting @valentijnscholten (#3024)
- chore(deps): update mysql:5.7.31 docker digest to 3830eda (docker-compose.yml) @renovate (#3006)
- Add required fields in package.json @alles-klar (#3008)
- Move helm deps to Chart.yaml @madchap (#3013)
- build(deps): bump markdown from 3.3 to 3.3.1 @dependabot-preview (#2996)
- more tests for import and deduplication @valentijnscholten (#2959)
- Removing deprecated keys @dsever (#2994)
- build(deps): bump nginx from 1.19.2-alpine to 1.19.3-alpine @dependabot-preview (#2988)
- build(deps): bump datatables.net-buttons-bs from 1.6.4 to 1.6.5 in /components @dependabot-preview (#2981)
- build(deps): bump datatables.net-buttons-dt from 1.6.4 to 1.6.5 in /components @dependabot-preview (#2982)
- build(deps): bump django-slack from 5.15.2 to 5.15.3 @dependabot-preview (#2986)
- chore(deps): update helm chart rabbitmq from 6.16.0 to v6.18.2 (helm/defectdojo/requirements.yaml) @renovate (#2967)
- build(deps): bump packageurl-python from 0.9.2 to 0.9.3 @dependabot-preview (#2971)
- build(deps): bump markdown from 3.2.2 to 3.3 @dependabot-preview (#2970)
- build(deps): bump easymde from 2.12.0 to 2.12.1 in /components @dependabot-preview (#2972)
- build(deps): bump moment from 2.29.0 to 2.29.1 in /components @dependabot-preview (#2973)
- chore(deps): update helm chart redis from 10.3.1 to v10.5.7 (helm/defectdojo/requirements.yaml) @renovate (#2968)
- chore(deps): update helm chart postgresql from 8.1.2 to v8.6.4 (helm/defectdojo/requirements.yaml) @renovate (#2966)
- chore(deps): update helm chart mysql from 1.6.2 to v1.6.7 (helm/defectdojo/requirements.yaml) @renovate (#2965)
- Veracode: use unique_id_from_tool (fixed deduplication issues) @reinier-vegter (#2909)
- build(deps): bump google-auth from 1.22.0 to 1.22.1 @dependabot-preview (#2964)
- Move onetime command code to respective files @valentijnscholten (#2960)
- Remove heroku demo from README @madchap (#2963)
- build(deps): bump humanize from 2.6.0 to 3.0.1 @dependabot-preview (#2957)
- build(deps): bump google-api-python-client from 1.12.2 to 1.12.3 @dependabot-preview (#2933)
- chore(deps): update rabbitmq docker tag from 3.7.26 to v3.8.9 (docker-compose.yml) @renovate (#2941)
- Start celery without uid @uncycler (#2923)
- chore(deps): update mysql docker tag from 5.7.29 to v5.7.31 (docker-compose.yml) @renovate (#2940)
- sync renovate config from master @valentijnscholten (#2956)
- build(deps): bump easymde from 2.11.0 to 2.12.0 in /components @dependabot-preview (#2934)
- Merge renovate config from master into dev @valentijnscholten (#2942)
- Configure Renovate dev @renovate (#2936)
- Merge back 1.8.0 from master into dev @valentijnscholten (#2932)
- Release PR - release/1.9.0 @github-actions (#3107)
- sync dev from master after renovate config update @valentijnscholten (#2953)
- Configure Renovate @renovate (#2941)
🚩 Requires settings change
- Add DD_LOGGING_FORMAT variable, celery logger section @madchap (#3072)
- Add json logging to Django @madchap (#3062)
- Add configurable SAML2 logout endpoint @Maffooch (#3046)
- Add SSL verification variable to JIRA integration @Maffooch (#3016)
- swagger ui: use sessions, more compact UI @valentijnscholten (#3025)
- Fixes and add missing index for simple search @valentijnscholten (#2955)