* update changelog * correct dates * update screenshots --------- Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
….54.0-dev Release: Merge back 2.53.5 into bugfix from: master-into-bugfix/2.53.5-2.54.0-dev
…tialization command (#14002)
* dedupe reopen: add test cases that prove the bug * remove obsolete method * dedupe reopen: proceed with next candidate if candidate is mitigated * rename methods
* added code to remove unwanted vulnerability ids * Update dojo/finding/helper.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Add permission classes and refine queryset in BurpRawRequestResponseViewSet
[docs] Pro changelog: Dec 30
[docs] create sitemap at root on Hugo deploy
Pull request overview
This PR prepares release 2.54.0 by merging bug fixes into the development branch. The main focus is on improving the deduplication logic to handle edge cases with mitigated findings and refactoring the initialization process.
Key changes:
- Enhanced deduplication logic to properly handle mitigated findings by continuing to the next candidate when exceptions occur
- Refactored initialization from shell scripts to a Django management command for better maintainability
- Added vulnerability ID sanitization to remove empty/whitespace-only entries
- Added permission controls to BurpRawRequestResponseViewSet for improved security
Reviewed changes
Copilot reviewed 20 out of 22 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| dojo/finding/deduplication.py | Refactored matching functions to yield multiple candidates and improved exception handling with continue/break logic |
| dojo/management/commands/complete_initialization.py | New Django management command consolidating initialization logic previously in shell scripts |
| docker/entrypoint-initializer.sh | Simplified to call the new complete_initialization management command |
| dojo/finding/helper.py | Added sanitization function for vulnerability IDs (has implementation issue) |
| dojo/importers/base_importer.py | Integrated vulnerability ID sanitization into import process |
| dojo/api_v2/views.py | Added permission checks to BurpRawRequestResponseViewSet |
| unittests/test_import_reimport.py | Added comprehensive tests for deduplication edge cases with mitigated findings |
| unittests/test_deduplication_logic.py | Added unit tests for regression scenarios and mixed state candidates |
| helm/defectdojo/Chart.yaml | Updated version to 2.54.0-dev and marked as prerelease |
| helm/defectdojo/README.md | Updated version badges to 2.54.0-dev |
| docs/content/en/changelog/changelog.md | Added changelog entries for recent releases |
| docs/layouts/_default/sitemap.xml | Added sitemap template for documentation |
| Dockerfile.django-debian, Dockerfile.django-alpine | Removed reference to deleted entrypoint-first-boot.sh |
| def sanitize_vulnerability_ids(vulnerability_ids) -> None: | ||
| """Remove undisired vulnerability id values""" |
There's a typo in the comment. "undisired" should be "undesired".
| self.endpoint_manager.chunk_endpoints_and_disperse(finding, endpoints_to_add) | ||
| def sanitize_vulnerability_ids(self, finding) -> None: | ||
| """Remove undisired vulnerability id values""" |
There's a typo in the comment. "undisired" should be "undesired".
| # Synchronize the cve field with the unsaved_vulnerability_ids | ||
| # We do this to be as flexible as possible to handle the fields until | ||
| # the cve field is not needed anymore and can be removed. | ||
| # Remove undisired vulnerability ids |
There's a typo in the comment. "undisired" should be "undesired".
dojo/importers/base_importer.py
Outdated
| Parse the `unsaved_vulnerability_ids` field from findings after they are parsed | ||
| to create `Vulnerability_Id` objects with the finding associated correctly | ||
| """ | ||
| # Remove undisired vulnerability ids |
There's a typo in the comment. "undisired" should be "undesired".
| raise Exception(msg) | ||
| if is_duplicate_reopen(new_finding, existing_finding): | ||
| msg = "Found a regression. Ignore this so that a new duplicate chain can be made" | ||
| msg = "Found a regression where a duplicate of a mitigated finding is found. We do not reopen this, but create a new duplicate chain as per @PR 9558: Deduplication: Do not reopen original finding" |
The error message is very long and complex. Consider breaking it into multiple lines or simplifying it for better readability and maintainability.
| msg = "Found a regression where a duplicate of a mitigated finding is found. We do not reopen this, but create a new duplicate chain as per @PR 9558: Deduplication: Do not reopen original finding" | |
| msg = ( | |
| "Found a regression where a duplicate of a mitigated finding is found. " | |
| "We do not reopen this, but create a new duplicate chain as per @PR 9558: " | |
| "Deduplication: Do not reopen original finding" | |
| ) |
| self.stdout.write("Database not initialized yet; skipping auditlog check") | ||
| return | ||
| raise | ||
| row = dict(zip([col[0] for col in cursor.description], cursor.fetchone(), strict=False)) |
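Review bot: `cursor.fetchone()` returns `None` when the query yields no row, and `zip([...], None)` then raises `TypeError` instead of producing an empty `row`; the branch just above already returns early with a message when the database is not initialized, so the same treatment fits here: assign `fetched = cursor.fetchone()`, and if it is `None`, write a message and return before building `row`.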
The zip function call uses strict=False, but this parameter is only available in Python 3.10+. If the project supports earlier Python versions, this will cause a runtime error. Verify the minimum Python version requirement.
| row = dict(zip([col[0] for col in cursor.description], cursor.fetchone(), strict=False)) | |
| row = dict(zip([col[0] for col in cursor.description], cursor.fetchone())) |
| def sanitize_vulnerability_ids(vulnerability_ids) -> None: | ||
| """Remove undisired vulnerability id values""" | ||
| vulnerability_ids = [x for x in vulnerability_ids if x.strip()] |
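Review bot: the comprehension `vulnerability_ids = [x for x in vulnerability_ids if x.strip()]` calls `.strip()` on every element without checking its type, so a `None` or other non-string entry raises `AttributeError` and aborts the caller instead of being dropped; filter with `isinstance(x, str) and x.strip()` so unwanted entries are removed rather than crashing the import, and since the filtered result has to reach the caller anyway, change the `-> None` annotation to match whatever the function ends up returning.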
The function modifies the vulnerability_ids list but doesn't return it, and the modification is done on a parameter that won't affect the caller since lists passed as parameters would need reassignment. The filtered result should be returned, or the function should operate on the list in-place properly.
| # Remove undisired vulnerability ids | ||
| sanitize_vulnerability_ids(vulnerability_ids) |
The sanitization function is called but its result is not used. Since sanitize_vulnerability_ids doesn't return a value or modify the list in-place effectively, this call has no effect. The function should return the sanitized list and the result should be assigned back to vulnerability_ids.
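As an added illustration of the two comments above (not code from the PR or from DefectDojo), the rebinding bug beside the two fixes a reviewer would accept: the function names mirror the reviewed `sanitize_vulnerability_ids` but are reimplemented here, `SAMPLE_IDS` is constructed, and the `None` handling goes beyond what the reviewed code does.

```python
# Added example (not DefectDojo's own code): the reviewed helper rebinds its
# parameter instead of mutating or returning, so the caller sees no change.
# Function names mirror sanitize_vulnerability_ids but are reimplemented here.

# Constructed sample: two real-looking ids plus an empty and a blank entry.
SAMPLE_IDS = ["CVE-2024-12345", "", "   ", "GHSA-abcd-efgh-ijkl"]


def _is_wanted(value) -> bool:
    # Keep only non-empty strings; None and other types are dropped
    # (the reviewed code would raise AttributeError on None).
    return isinstance(value, str) and bool(value.strip())


def sanitize_broken(vulnerability_ids) -> None:
    # Mirrors the reviewed code: the comprehension builds a new list and the
    # assignment only rebinds the local name; the caller's list is untouched.
    vulnerability_ids = [x for x in vulnerability_ids if x.strip()]


def sanitize_in_place(vulnerability_ids) -> None:
    # Fix 1: slice assignment replaces the contents of the object the
    # caller holds, so no return value or reassignment is needed.
    vulnerability_ids[:] = [x for x in vulnerability_ids if _is_wanted(x)]


def sanitize_returning(vulnerability_ids) -> list:
    # Fix 2: return a new list; the call site must assign the result back,
    # as the review comment on the import path suggests.
    return [x for x in vulnerability_ids if _is_wanted(x)]


def compare(ids):
    """Run all three variants on copies of ids and return what the caller sees."""
    broken = list(ids)
    sanitize_broken(broken)
    in_place = list(ids)
    sanitize_in_place(in_place)
    returned = sanitize_returning(list(ids))
    return broken, in_place, returned


if __name__ == "__main__":
    for name, result in zip(("broken", "in_place", "returned"), compare(SAMPLE_IDS)):
        print(f"{name:9s} -> {result}")
```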
🔴 Risk threshold exceeded. This pull request modifies sensitive codepaths (dojo/finding/helper.py, dojo/importers/base_importer.py, and dojo/api_v2/views.py), which the scanner flagged as risky edits; allowed paths and authors can be configured in .dryrunsecurity.yaml. Please review these changes carefully for security implications or update .dryrunsecurity.yaml if these edits are expected.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release 2.54.0: Merge Bugfix into Dev
No description provided.