:tada: added humble #8988 by manuel-sommer · Pull Request #8989 · DefectDojo/django-DefectDojo

manuel-sommer · 2023-11-13T21:35:05Z

See #8988

manuel-sommer · 2023-11-13T22:01:04Z

Waiting for rfc-st/humble#13

manuel-sommer · 2023-11-15T09:27:39Z

Ready to review :-)

kiblik · 2023-11-15T09:45:38Z

Please follow

manuel-sommer · 2023-11-15T10:50:13Z

Done @kiblik

mtesauro

Approved

kiblik

First sorry, I forgot to come back to this PR

Not that sure that Do not parse URLs by hand means

            import re
            host = re.compile(r"https?://(www\.)?")
            host = host.sub('', url).strip().strip('/')

Some notes:
The original idea with endpoints (and how most of the parsers are implemented right now) is that: If multiple endpoints have the same Finding, let's define it as one finding and use Endpoint_Status to identify, which Endpoints are affected. Yes, it is not possible in all cases (especially if there are some different metadata for each endpoint - but it is not the case here).
It means that information about the endpoint should not be presented in the Finding.title or Finding.description (if it is possible). It is also the reason why Finding.url:

django-DefectDojo/dojo/models.py

Lines 2157 to 2161 in 393f460

    
           url = models.TextField(null=True, 
        
                                  blank=True, 
        
                                  editable=False, 
        
                                  verbose_name=_('URL'), 
        
                                  help_text=_("External reference that provides more information about this flaw."))  # not displayed and pretty much the same as references. To remove?

is not used anywhere anymore (and should be removed).

Next, information about protocol (http vs https) is valuable. So we should not avoid it. Also path (different paths might have different results for scanning). And www. should not be removed from the host as well.

So if it is not necessary because of some specific metadata (which is not in this case), please:

Avoid adding the name of the endpoint/host to the content of the finding
Use endpoint in the full form (including protocol and path)

manuel-sommer · 2023-11-17T23:26:19Z

@kiblik, I accepted your review, but is the finding title now not too general? I would rather make it more unique. Maybe we now need deduplication settings?

Maffooch · 2023-11-20T14:41:36Z

Maybe we now need deduplication settings?

This would be ideal. Even if they happen to match the default dedupe settings, it affords other users to override the fields used without a code change being required

dryrunsecurity · 2023-11-28T07:22:36Z

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the results in the section below for checks.

Status	DryRun Security Check
✅	Configured Sensitive Files Check
✅	AI-powered Sensitive Files Check

Chat with your AI-powered Security Buddy by typing /dryrunsec: (or /drs:) followed by your question. Example: /dryrunsec: From a security perspective, what are some sensitive files in an Express application?

Install and configure more repositories at DryRun Security

manuel-sommer · 2023-11-28T07:54:03Z

@Maffooch ready to review and then merge

manuel-sommer · 2023-11-29T19:49:22Z

@cneill ready to review and merge

manuel-sommer · 2023-11-30T10:30:09Z

Could you also please merge :-)

* 🎉 added humble * fixed humble * added endpoints * fix according to comment * fix according to review * update * added deduplication setting * fix

* Created _init_.py * Created parser.py * Update README.md (#9048) * Fixing README links and formatting (#9022) * fixing up some links/etc * formatting * more formatting, links, etc * formatting table HTML * Fixing links * typo * formatting, links * typo; adding Aaron Weaver to hall of fame * reorganizing * Bump python-gitlab from 3.15.0 to 4.2.0 (#9064) Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 3.15.0 to 4.2.0. - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](python-gitlab/python-gitlab@v3.15.0...v4.2.0) --- updated-dependencies: - dependency-name: python-gitlab dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump fontawesomefree from 6.4.2 to 6.5.0 (#9074) Bumps [fontawesomefree](https://github.com/FortAwesome/Font-Awesome) from 6.4.2 to 6.5.0. - [Release notes](https://github.com/FortAwesome/Font-Awesome/releases) - [Changelog](https://github.com/FortAwesome/Font-Awesome/blob/6.x/CHANGELOG.md) - [Commits](FortAwesome/Font-Awesome@6.4.2...6.5.0) --- updated-dependencies: - dependency-name: fontawesomefree dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🎉 added humble #8988 (#8989) * 🎉 added humble * fixed humble * added endpoints * fix according to comment * fix according to review * update * added deduplication setting * fix * Bump social-auth-core from 4.5.0 to 4.5.1 (#9073) Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.5.0 to 4.5.1. - [Release notes](https://github.com/python-social-auth/social-core/releases) - [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-core@4.5.0...4.5.1) --- updated-dependencies: - dependency-name: social-auth-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Adding subcomponent labels for celery beat and worker (#9078) * Update rabbitmq Docker tag from 3.12.9 to v3.12.10 (docker-compose.yml) (#9075) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update postgres:16.1-alpine Docker digest from 16.1 to 16.1-alpine (docker-compose.yml) (#9082) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update redis:7.2.3-alpine Docker digest from 7.2.3 to 7.2.3-alpine (docker-compose.yml) (#9083) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump boto3 from 1.29.7 to 1.33.5 (#9085) Bumps [boto3](https://github.com/boto/boto3) from 1.29.7 to 1.33.5. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.29.7...1.33.5) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump fontawesomefree from 6.5.0 to 6.5.1 (#9086) Bumps [fontawesomefree](https://github.com/FortAwesome/Font-Awesome) from 6.5.0 to 6.5.1. - [Release notes](https://github.com/FortAwesome/Font-Awesome/releases) - [Changelog](https://github.com/FortAwesome/Font-Awesome/blob/6.x/CHANGELOG.md) - [Commits](FortAwesome/Font-Awesome@6.5.0...6.5.1) --- updated-dependencies: - dependency-name: fontawesomefree dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add logging statement for failed password reset validation logic (#9087) * Finding Template: Correct save ordering (#9088) * Feature/parser jfrog xray binary scan (#9015) * new parser Jfrog Xray on Demand Binary Scan * new parser Jfrog Xray on Demand Binary Scan * delete blank line at end of file * rename function * More sample reports * Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/settings/settings.dist.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/settings/settings.dist.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * First round of Improvements * Drop duplicates in component_id and full_path * Process per component * Visual improvements * Use+clean summary in Title, fix dedup, parse version, drop useless functions * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik <kiblik@gjh.sk> * fix test rename class * Last Improvements and tests * capitalization skills --------- Co-authored-by: Tomas Kubla <tomas@kubla.sk> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik <kiblik@gjh.sk> * Update postgres:16.1-alpine Docker digest from 16.1 to 16.1-alpine (docker-compose.yml) (#9089) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Nosey Parker Test Cases * Updated Parser * Bump cryptography from 41.0.5 to 41.0.7 (#9065) Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.5 to 41.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@41.0.5...41.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * NoseyParker Parser Flake8 compliance * NoseyParker fix for 0.16 * JSON lines fix * Nosey Parker Parser: v0.16 fix * Comma for consistency * Flake8 requirements * Update docs/content/en/integrations/parsers/file/noseyparker.md * Update dojo/tools/noseyparker/parser.py * Update docs/content/en/integrations/parsers/file/noseyparker.md * Removed example JSONL file * Add link to 0.16.0 Release * Spacing --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Greg Anderson <greg.anderson@owasp.org> Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Co-authored-by: Manuel Venega <127304555+veneber@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: renejal <40049733+renejal@users.noreply.github.com> Co-authored-by: Tomas Kubla <tomas@kubla.sk> Co-authored-by: kiblik <kiblik@gjh.sk>

manuel-sommer marked this pull request as draft November 13, 2023 21:35

github-actions Bot added docs unittests parser labels Nov 13, 2023

manuel-sommer marked this pull request as ready for review November 14, 2023 22:17

mtesauro approved these changes Nov 17, 2023

View reviewed changes

blakeaowens approved these changes Nov 17, 2023

View reviewed changes

kiblik requested changes Nov 17, 2023

View reviewed changes

grendel513 approved these changes Nov 17, 2023

View reviewed changes

manuel-sommer added 5 commits November 18, 2023 00:00

🎉 added humble

e7db24c

fixed humble

d6f57d3

added endpoints

b7184e4

fix according to comment

1594758

fix according to review

9da2efc

manuel-sommer force-pushed the add_humble branch from bb7297b to 9da2efc Compare November 17, 2023 23:02

manuel-sommer requested a review from kiblik November 17, 2023 23:02

update

4bf9e06

added deduplication setting

502346b

github-actions Bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Nov 28, 2023

kiblik reviewed Nov 28, 2023

View reviewed changes

Comment thread dojo/settings/settings.dist.py Outdated

fix

d029670

kiblik approved these changes Nov 28, 2023

View reviewed changes

cneill approved these changes Nov 30, 2023

View reviewed changes

cneill merged commit 9a36fac into DefectDojo:dev Nov 30, 2023

manuel-sommer deleted the add_humble branch November 30, 2023 22:39

	url = models.TextField(null=True,
	blank=True,
	editable=False,
	verbose_name=_('URL'),
	help_text=_("External reference that provides more information about this flaw.")) # not displayed and pretty much the same as references. To remove?

Conversation

manuel-sommer commented Nov 13, 2023

Uh oh!

manuel-sommer commented Nov 13, 2023

Uh oh!

manuel-sommer commented Nov 15, 2023

Uh oh!

kiblik commented Nov 15, 2023

Uh oh!

manuel-sommer commented Nov 15, 2023

Uh oh!

mtesauro left a comment

Choose a reason for hiding this comment

Uh oh!

kiblik left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

manuel-sommer commented Nov 17, 2023

Uh oh!

Maffooch commented Nov 20, 2023

Uh oh!

dryrunsecurity Bot commented Nov 28, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Contextual Security Analysis

Uh oh!

manuel-sommer commented Nov 28, 2023

Uh oh!

Uh oh!

manuel-sommer commented Nov 29, 2023

Uh oh!

manuel-sommer commented Nov 30, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

dryrunsecurity Bot commented Nov 28, 2023 •

edited

Loading