Merge pull request #12236 from DefectDojo/release/2.45.1

Release: Merge release into master from: release/2.45.1

Author: rossops

.github/renovate.json

@@ -6,6 +6,7 @@
   "dependencyDashboardApproval": false,
   "baseBranches": ["dev"],
   "rebaseWhen": "conflicted",
+  "separateMinorPatch": true,
   "ignorePaths": ["requirements.txt", "requirements-lint.txt", "components/package.json", "components/package-lock.json", "dojo/components/yarn.lock", "dojo/components/package.json", "Dockerfile**"],
   "ignoreDeps": [],
   "packageRules": [{

README.md

@@ -35,7 +35,7 @@ deduplication, remediation, and reporting.
 Try out DefectDojo on our demo server at [demo.defectdojo.org](https://demo.defectdojo.org)
 
 Log in with username `admin` and password `1Defectdojo@demo#appsec`. Please note that the demo is publicly accessible
-and regularly reset. Do not put sensitive data in the demo.
+and regularly reset. Do not put sensitive data in the demo. An easy way to test Defect Dojo is to upload some [sample scan reports](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans).
 
 ## Quick Start for Compose V2
 

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.45.0",
+  "version": "2.45.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/assets/images/pro_calendar_view.png

@@ -8,17 +8,24 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
+## Apr 2025: v2.45
+
+### Apr 7, 2025: v2.45.0
+- **(Beta UI)** Added Calendar view to Beta UI: Calendar view now displays Tests and Engagements, and can be filtered.  Clicking on a Calendar entry now displays a more detailed description of the object.
+![image](images/pro_calendar_view.png)
+- **(Universal Parser)** Added the ability to map an EPSS score from a file.  Note that this field **will** be updated by EPSS database sync, but this gives a user the ability to capture that field from initial import.
+
 ## Mar 2025: v2.44
 
-### Mar 31, 2025, v2.44.4
+### Mar 31, 2025: v2.44.4
 
 - **(Beta UI)** Group and Configuration permissions can now be assigned quickly from a User page.  For more information, see [DefectDojo Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/).
 
-### Mar 24, 2025, v2.44.3
+### Mar 24, 2025: v2.44.3
 
 - **(Import)** Generic Findings Import will now parse tags in the JSON payload when Async Import is enabled.
 
-### Mar 17, 2025, v2.44.2
+### Mar 17, 2025: v2.44.2
 
 - **(Beta UI)** Added a new method to quickly assign permissions to Products or Product Types.  See our [Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/) for more details.
 

docs/content/en/changelog/changelog.md

@@ -1,15 +1,43 @@
 ---
-title: "Anchore-Engine"
+title: "Anchore Enterprise Vulnerability"
 toc_hide: true
 ---
 
 ### File Types
 DefectDojo parser accepts a .json file.
 
-Using the [Anchore CLI](https://docs.anchore.com/current/docs/using/cli_usage/images/inspecting_image_content/) is the most reliable way to generate an Anchore report which DefectDojo can parse. When generating a report with the Anchore CLI, please use the following command to ensure complete data: `anchore-cli --json image vuln <image:tag> all`
+You can generate vulnerability data using the Anchore Enterprise CLI tool, [Anchorectl](https://docs.anchore.com/current/docs/using/cli_usage/images/inspecting_image_content/), or through the Enterprise UI. 
+
+## Generating a Vulnerability Report:
+Using Anchorectl: Run the following command to generate a vulnerability report in JSON format
+
+ `anchorectl image vulnerabilities ubuntu:latest -o json `
+
+Using the Anchore UI: Navigate to the desired image in the Anchore Enterprise UI, click on the Vulnerabilities tab, and download the report in JSON format.
 
 ### Acceptable JSON Format
+
 All properties are strings and are required by the parser. As the parser evolved, two anchore engine parser JSON formats are present till now. Both ([old](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine/many_vulns.json) / [new](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine/new_format_issue_11552.json)) are supported.
 
+~~~
+
+{
+   
+            "vulnerabilityId": "CVE-2023-24531",
+            "cves": "CVE-2023-24531",
+            "severity": "Critical",
+            "detectedAt": "2025-03-18T08:09:03Z",
+            "packageType": "Go",
+            "path": "/usr/local/bin/gosu",
+            "package": "stdlib-go1.18.2",
+            "fixAvailable": "1.21.0-0",
+            "fixObservedAt": "2025-03-18T08:09:03Z",
+            "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24531",
+            "nvdCvssBaseScore": 9.8
+    
+}
+~~~
+
+
 ### Sample Scan Data
-Sample Anchore-Engine scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine).
+Sample Anchore-Engine scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchore_engine)

docs/content/en/connecting_your_tools/parsers/file/anchore_engine.md

@@ -18,9 +18,13 @@ Attributes supported for CSV:
 - Verified: Indicator if the finding has been verified. Must be empty, TRUE, or FALSE
 - FalsePositive: Indicator if the finding is a false positive. Must be TRUE, or FALSE.
 - Duplicate:Indicator if the finding is a duplicate. Must be TRUE, or FALSE
+- IsMitigated: Indicator if the finding is mitigated.  Must be TRUE, or FALSE
+- MitigatedDate: Date the finding was mitigated in mm/dd/yyyy format or ISO format
 
 The CSV expects a header row with the names of the attributes.
 
+Date fields are parsed using [dateutil.parse](https://dateutil.readthedocs.io/en/stable/parser.html) supporting a variety of formats such a YYYY-MM-DD or ISO-8601.
+
 Example of JSON format:
 
 ```JSON
@@ -70,6 +74,34 @@ Example of JSON format:
             "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
             "file_path": "src/threeeeeeeeee.cpp",
             "line": 1353
+        },
+        {
+            "title": "test title mitigated",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
+            "severity": "Critical",
+            "mitigation": "Some mitigation",
+            "date": "2021-01-06",
+            "cve": "CVE-2020-36236",
+            "cwe": 287,
+            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "file_path": "src/threeeeeeeeee.cpp",
+            "line": 1353,
+            "is_mitigated": true,
+            "mitigated": "2021-01-16"
+        },
+        {
+            "title": "test title mitigated ISO",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
+            "severity": "Critical",
+            "mitigation": "Some mitigation",
+            "date": "2024-01-04T11:02:11Z",
+            "cve": "CVE-2020-36236",
+            "cwe": 287,
+            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "file_path": "src/threeeeeeeeee.cpp",
+            "line": 1353,
+            "is_mitigated": true,
+            "mitigated": "2024-01-24T11:02:11Z"
         }
     ]
 }

docs/content/en/connecting_your_tools/parsers/file/generic.md

@@ -2,7 +2,7 @@
 title: "HackerOne Cases"
 toc_hide: true
 ---
-Import HackerOne cases findings in JSON format
+Import HackerOne cases findings in JSON format (vulnerability disclosure parser) or Bug Bounties in JSON or CSV format (bug bounty parser)
 
 ### Sample Scan Data
 Sample HackerOne Cases scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/h1).

docs/content/en/connecting_your_tools/parsers/file/h1.md

@@ -2,7 +2,7 @@
 title: "Immuniweb Scan"
 toc_hide: true
 ---
-XML Scan Result File from Immuniweb Scan.
+XML or JSON Scan Result File from [Immuniweb Scan](https://www.immuniweb.com/).
 
 ### Sample Scan Data
 Sample Immuniweb Scan scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/immuniweb).

docs/content/en/connecting_your_tools/parsers/file/immuniweb.md

@@ -14,5 +14,7 @@ DefectDojo currently supports the parsing of the following Rusty Hog JSON output
 RustyHog scans only one target at a time. This is not efficient if you want to scan all targets (e.g. all JIRA tickets) and upload each single report to DefectDojo.
 [Rusty-Hog-Wrapper](https://github.com/manuel-sommer/Rusty-Hog-Wrapper) deals with this and scans a whole JIRA Project or Confluence Space, merges the findings into a valid file which can be uploaded to DefectDojo. (This is no official recommendation from DefectDojo, but rather a pointer in a direction on how to use this vulnerability scanner in a more efficient way.)
 
+You can either select "Rusty Hog Scan" directly, or specify the sub scanner (e.g. "Duroc Hog Scan"). If you choose "Rusty Hog Scan", we recommend to re-import scans into the same test. For more information look at [this issue](https://github.com/DefectDojo/django-DefectDojo/issues/10584).
+
 ### Sample Scan Data
 Sample Rusty Hog parser scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/rusty_hog).

docs/content/en/connecting_your_tools/parsers/file/rusty_hog.md

@@ -0,0 +1,8 @@
+---
+title: "Sysdig Vulnerability Reports"
+toc_hide: true
+---
+Import CSV report files generated by the [Sysdig CLI Scanner](https://docs.sysdig.com/en/sysdig-secure/install-agent-components/install-vulnerability-cli-scanner/)
+
+### Sample Scan Data
+Sample Sysdig Vulnerability Reports scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/sysdig_cli).

docs/content/en/connecting_your_tools/parsers/file/sysdig_cli.md

@@ -4,8 +4,7 @@ toc_hide: true
 ---
 Import CSV report files from Sysdig or a Sysdig UI JSON Report
 Parser will accept Pipeline, Registry and Runtime reports created from the UI
-
-More information available at [our reporting docs page](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/reporting)
+More information available at [sysdig reporting docs page](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/reporting)
 
 ### Sample Scan Data
 Sample Sysdig Vulnerability Reports scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/sysdig_reports).

docs/content/en/connecting_your_tools/parsers/file/sysdig_reports.md

@@ -177,7 +177,7 @@ Example of use:
 from cvss.cvss3 import CVSS3
 import cvss.parser
 vectors = cvss.parser.parse_cvss_from_text("CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X")
-if len(vectors) > 0 and type(vectors[0]) == CVSS3:
+if len(vectors) > 0 and type(vectors[0]) is CVSS3:
     print(vectors[0].severities())  # this is the 3 severities
 
     cvssv3 = vectors[0].clean_vector()
@@ -192,7 +192,7 @@ Good example:
 
 ```python
 vectors = cvss.parser.parse_cvss_from_text(item['cvss_vect'])
-if len(vectors) > 0 and type(vectors[0]) == CVSS3:
+if len(vectors) > 0 and type(vectors[0]) is CVSS3:
     finding.cvss = vectors[0].clean_vector()
     finding.severity = vectors[0].severities()[0]  # if your tool does generate severity
 ```

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -28,6 +28,18 @@ With a separate database, the minimum recommendations to run DefectDojo are:
     a different disk than your OS\'s for potential performance
     improvements.
 
+### Security
+Verify the `nginx` configuration and other run-time aspects such as security headers to comply with your compliance requirements.
+Change the AES256 encryption key `&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw` in `docker-compose.yml` to something unique for your instance.
+This encryption key is used to encrypt API keys and other credentials stored in Defect Dojo to connect to external tools such as SonarQube. A key can be generated in various ways for example using a password manager or `openssl`:
+
+```
+     openssl rand -base64 32
+```
+```
+      DD_CREDENTIAL_AES_256_KEY: "${DD_CREDENTIAL_AES_256_KEY:-<PUT THE GENERATED KEY HERE>o}"
+```
+
 ## File Backup
 
 In both cases (dedicated DB or containerized), if you are self-hosting, it is recommended that you implement and create periodic backups of your data.
@@ -55,7 +67,7 @@ concurrent connections.
 
 ### Celery worker
 
-By default, a single mono-process celery worker is spawned. When storing a large amount of findings, leveraging async functions (like deduplication), or both. Eventually, it is important to adjust these parameters to prevent resource starvation. 
+By default, a single mono-process celery worker is spawned. When storing a large amount of findings or running large imports it might be helpful to adjust these parameters to prevent resource starvation.
 
 The following variables can be changed to increase worker performance, while keeping a single celery container.
 
@@ -80,8 +92,8 @@ and see what is in effect.
 
 <span style="background-color:rgba(242, 86, 29, 0.3)">This experimental feature has been deprecated as of DefectDojo 2.44.0 (March release).  Please exercise caution if using this feature with an older version of DefectDojo, as results may be inconsistent.</span>
 
-Import and Re-Import can also be configured to handle uploads asynchronously to aid in 
-processing especially large scans. It works by batching Findings and Endpoints by a 
+Import and Re-Import can also be configured to handle uploads asynchronously to aid in
+processing especially large scans. It works by batching Findings and Endpoints by a
 configurable amount. Each batch will be be processed in separate celery tasks.
 
 The following variables impact async imports.
@@ -90,7 +102,7 @@ The following variables impact async imports.
 -   `DD_ASYNC_FINDING_IMPORT_CHUNK_SIZE` defaults to 100
 
 When using asynchronous imports with dynamic scanners, Endpoints will continue to "trickle" in
-even after the import has returned a successful response. This is because processing continues 
+even after the import has returned a successful response. This is because processing continues
 to occur after the Findings have already been imported.
 
 To determine if an import has been fully completed, please see the progress bar in the appropriate test.