Merge pull request #10852 from DefectDojo/release/2.38.0

Release: Merge release into master from: release/2.38.0

Dockerfile.integration-tests-debian

@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.7.0@sha256:99924315933d49e7b33a7d2074bb2b64fc8def8f74519939036e24eb48f00336 AS openapitools
+FROM openapitools/openapi-generator-cli:v7.8.0@sha256:c409bfa9b276faf27726d2884b859d18269bf980cb63546e80b72f3b2648c492 AS openapitools
 FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS build
 WORKDIR /app
 RUN \

NOTICE

@@ -1,7 +1,7 @@
 DefectDojo is licensed under the 3-Clause BSD License: https://github.com/DefectDojo/django-DefectDojo/blob/master/LICENSE.md
 
 
-However, DefectDojo’s dependencies may have different licensing requirements and terms.
+However, DefectDojo's dependencies may have different licensing requirements and terms.
 Complete source code for DefectDojo dependencies are made available on PyPi: https://pypi.org/ 
 
 THIRD-PARTY SOFTWARE NOTICES FOR DEFECTDOJO

README.md

@@ -144,7 +144,7 @@ Moderators can help you with pull requests or feedback on dev ideas:
 * Valentijn Scholten ([@valentijnscholten](https://github.com/valentijnscholten) |
   [Sponsor](https://github.com/sponsors/valentijnscholten) |
   [LinkedIn](https://www.linkedin.com/in/valentijn-scholten/)) - Valentijn served as a core moderator for 3 years.
-  Valentijn’s contributions were numerous and extensive. He overhauled, improved, and optimized many parts of the
+  Valentijn's contributions were numerous and extensive. He overhauled, improved, and optimized many parts of the
   codebase. He consistently fielded questions, provided feedback on pull requests, and provided a helping hand wherever
   it was needed.
 * Fred Blaise ([@madchap](https://github.com/madchap) | [LinkedIn](https://www.linkedin.com/in/fredblaise/)) - Fred

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.37.3",
+  "version": "2.38.0",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
@@ -35,7 +35,7 @@
     "metismenu": "~3.0.7",
     "moment": "^2.30.1",
     "morris.js": "morrisjs/morris.js",
-    "pdfmake": "^0.2.10",
+    "pdfmake": "^0.2.12",
     "startbootstrap-sb-admin-2": "1.0.7"
   },
   "engines": {

components/yarn.lock

@@ -824,10 +824,10 @@ path-parse@^1.0.7:
   resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.7.tgz#fbc114b60ca42b30d9daf5858e4bd68bbedb6735"
   integrity sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==
 
-pdfmake@^0.2.10:
-  version "0.2.10"
-  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.10.tgz#a8a0ee8a5acca8f5d728e0dfe4db8be5f1b9ec6b"
-  integrity sha512-doipFnmE1UHSk+Z3wfQuVweVQqx2pE/Ns2G5gCqZmWwqjDj+mZHnZYH/ryXWoIfD+iVdZUAutgI/VHkTCN+Xrw==
+pdfmake@^0.2.12:
+  version "0.2.12"
+  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.2.12.tgz#5156f91ff73797947942aa342423bedaa0c0bc93"
+  integrity sha512-TFsqaG6KVtk+TWermmJNNwom3wmB/xiz07prM74KBhdM+7pz3Uwq2b0uoqhhQRn6cYUTpL8lXZY6xF011o1YcQ==
   dependencies:
     "@foliojs-fork/linebreak" "^1.1.1"
     "@foliojs-fork/pdfkit" "^0.14.0"

docker-compose.override.dev.yml

@@ -5,26 +5,30 @@ services:
     volumes:
       - '.:/app:z'
     environment:
-      PYTHONWARNINGS: always  # We are strict during development so Warnings needs to be more verbose
+      PYTHONWARNINGS: error  # We are strict about Warnings during development
+      DD_DEBUG: 'True'
       DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
       DD_EMAIL_URL: "smtp://mailhog:1025"
   celeryworker:
     volumes:
       - '.:/app:z'
     environment:
-      PYTHONWARNINGS: always  # We are strict during development so Warnings needs to be more verbose
+      PYTHONWARNINGS: error  # We are strict about Warnings during development
+      DD_DEBUG: 'True'
       DD_EMAIL_URL: "smtp://mailhog:1025"
   celerybeat:
     volumes:
       - '.:/app:z'
     environment:
-      PYTHONWARNINGS: always  # We are strict during development so Warnings needs to be more verbose
+      PYTHONWARNINGS: error  # We are strict about Warnings during development
+      DD_DEBUG: 'True'
   initializer:
     volumes:
       - '.:/app:z'
     environment:
-      PYTHONWARNINGS: always  # We are strict during development so Warnings needs to be more verbose
+      PYTHONWARNINGS: error  # We are strict about Warnings during development
+      DD_DEBUG: 'True'
       DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
   nginx:

docker-compose.yml

@@ -103,7 +103,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:16.3-alpine@sha256:36ed71227ae36305d26382657c0b96cbaf298427b3f1eaeb10d77a6dea3eec41
+    image: postgres:16.4-alpine@sha256:492898505cb45f9835acc327e98711eaa9298ed804e0bb36f29e08394229550d
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

docker/install_chrome_dependencies.py

@@ -18,7 +18,7 @@ def find_packages(library_name):
 
 
 def run_command(cmd, cwd=None, env=None):
-    result = subprocess.run(cmd, cwd=cwd, env=env, capture_output=True, text=True)
+    result = subprocess.run(cmd, cwd=cwd, env=env, capture_output=True, text=True, check=False)
     return result.stdout
 
 
@@ -27,7 +27,7 @@ def ldd(file_path):
     # For simplicity, I'm assuming if we get an error, the code is non-zero.
     try:
         result = subprocess.run(
-            ["ldd", file_path], capture_output=True, text=True,
+            ["ldd", file_path], capture_output=True, text=True, check=False,
         )
         stdout = result.stdout
         code = result.returncode

docker/setEnv.sh

@@ -5,7 +5,6 @@
 target_dir="${0%/*}/.."
 override_link='docker-compose.override.yml'
 override_file_dev='docker-compose.override.dev.yml'
-override_file_debug='docker-compose.override.debug.yml'
 override_file_unit_tests='docker-compose.override.unit_tests.yml'
 override_file_unit_tests_cicd='docker-compose.override.unit_tests_cicd.yml'
 override_file_integration_tests='docker-compose.override.integration_tests.yml'
@@ -77,19 +76,6 @@ function set_dev {
     fi
 }
 
-function set_debug {
-    get_current
-    if [ "${current_env}" != debug ]
-    then
-        docker compose down
-        rm -f ${override_link}
-        ln -s ${override_file_debug} ${override_link}
-        echo "Now using 'debug' configuration."
-    else
-        echo "Already using 'debug' configuration."
-    fi
-}
-
 function set_unit_tests {
     get_current
     if [ "${current_env}" != unit_tests ]

docs/content/en/contributing/documentation.md

@@ -14,7 +14,7 @@ Static files for the webside are build with github actions and are publish in th
 
 2. Install JavaScript packages
 
-    To build or update your site’s CSS resources, you also need PostCSS to create the final assets. If you need to install it, you must have a recent version of NodeJS installed on your machine so you can use npm, the Node package manager. By default, npm installs tools under the directory where you run npm install:
+    To build or update your site's CSS resources, you also need PostCSS to create the final assets. If you need to install it, you must have a recent version of NodeJS installed on your machine so you can use npm, the Node package manager. By default, npm installs tools under the directory where you run npm install:
 
     {{< highlight bash >}}
     cd docs

docs/content/en/contributing/how-to-write-a-parser.md

@@ -94,7 +94,7 @@ class MyToolParser(object):
 
 ## API Parsers
 
-DefectDojo has a limited number of API parsers. While we won’t remove these connectors, adding API connectors has been problematic and thus we cannot accept new API parsers / connectors from the community at this time for supportability reasonsing. To maintain a high quality API connector, it is necessary to have a license to the tool. To get that license requires partnership with the author or vendor. We're close to announcing a new program to help address this and bring API connectors to DefectDojo.
+DefectDojo has a limited number of API parsers. While we won't remove these connectors, adding API connectors has been problematic and thus we cannot accept new API parsers / connectors from the community at this time for supportability reasonsing. To maintain a high quality API connector, it is necessary to have a license to the tool. To get that license requires partnership with the author or vendor. We're close to announcing a new program to help address this and bring API connectors to DefectDojo.
 
 ## Template Generator
 

docs/content/en/getting_started/upgrading/2.38.md

@@ -0,0 +1,28 @@
+---
+title: 'Upgrading to DefectDojo Version 2.38.x'
+toc_hide: true
+weight: -20240805
+description: Breaking Change for HELM deployments
+---
+
+**Breaking Change**
+
+Previous HELM `values.yaml` file was not following the official HELM best practicies on key naming - [https://helm.sh/docs/chart_best_practices/values/#naming-conventions](https://helm.sh/docs/chart_best_practices/values/#naming-conventions)
+
+The following `snake_case` keys are replaced with `camelCase` keys in the `values.yaml`:
+
+- `site_url` is replaced with `siteUrl`
+- `celery.worker.app_settings` block is replaced with `celery.worker.appSettings`. In this block:
+
+  - `pool_type` is replaced with `poolType`
+  - `autoscale_min` is replaced with `autoscaleMin`
+  - `autoscale_max` is replaced with `autoscaleMax`
+  - `prefetch_multiplier` is replaced with `prefetchMultiplier`
+
+- `django.uwsgi.app_settings` block is changed to `django.uwsgi.appSettings`. In this block:
+
+  - `max_fd` is changed to `maxFd`
+
+- `django.uwsgi.enable_debug` is changed to `django.uwsgi.enableDebug`
+
+There are no other special instructions for upgrading to 2.38.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.38.0) for the contents of the release.

docs/content/en/integrations/parsers/file/blackduck_binary_analysis.md

@@ -6,12 +6,12 @@ toc_hide: true
 #### **What** ####
 Black Duck Binary Analysis gives you visibility into open source and third-party dependencies that have been compiled into executables, libraries, containers, and firmware. You can analyze individual files using an intuitive user interface or Black Duck multifactor open source detection, which automates the scanning of binary artifacts.
 
-Using a combination of static and string analysis techniques coupled with fuzzy matching against the Black Duck KnowledgeBase, Black Duck Binary Analysis quickly and reliably identifies components, even if they’ve been modified.
+Using a combination of static and string analysis techniques coupled with fuzzy matching against the Black Duck KnowledgeBase, Black Duck Binary Analysis quickly and reliably identifies components, even if they've been modified.
 
 For more info, check out Black Duck Binary Analysis [here](https://www.synopsys.com/software-integrity/software-composition-analysis-tools/binary-analysis.html).
 
 #### **Why** ####
-Open source vulnerabilities aren’t the only security issues that might be lurking in application binaries.
+Open source vulnerabilities aren't the only security issues that might be lurking in application binaries.
 
 Black Duck Binary Analysis can also detect if sensitive information like email addresses, authorization tokens, compiler switches, and passwords are exposed, and it identifies when mobile applications request excessive permissions—all of which puts your organization and users' personal data at risk.
 

docs/package.json

@@ -1,6 +1,6 @@
 {
   "devDependencies": {
-    "postcss": "8.4.40",
+    "postcss": "8.4.41",
     "autoprefixer": "10.4.20",
     "postcss-cli": "11.0.0"
   }

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.37.3"
+__version__ = "2.38.0"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/api_v2/serializers.py

@@ -1247,7 +1247,7 @@ def validate(self, data):
                 )
             )
         ) or (
-            self.context["request"].method in ["POST"] and endpoint.count() > 0
+            self.context["request"].method == "POST" and endpoint.count() > 0
         ):
             msg = (
                 "It appears as though an endpoint with this data already "
@@ -1734,7 +1734,7 @@ def update(self, instance, validated_data):
 
         # If we need to push to JIRA, an extra save call is needed.
         # Also if we need to update the mitigation date of the finding.
-        # TODO try to combine create and save, but for now I'm just fixing a
+        # TODO: try to combine create and save, but for now I'm just fixing a
         # bug and don't want to change to much
         if push_to_jira:
             instance.save(push_to_jira=push_to_jira)
@@ -1871,7 +1871,7 @@ def create(self, validated_data):
         )
 
         # If we need to push to JIRA, an extra save call is needed.
-        # TODO try to combine create and save, but for now I'm just fixing a
+        # TODO: try to combine create and save, but for now I'm just fixing a
         # bug and don't want to change to much
         if push_to_jira or new_finding:
             new_finding.save(push_to_jira=push_to_jira)
@@ -2046,7 +2046,7 @@ def validate(self, data):
     def get_findings_count(self, obj) -> int:
         return obj.findings_count
 
-    # TODO, maybe extend_schema_field is needed here?
+    # TODO: maybe extend_schema_field is needed here?
     def get_findings_list(self, obj) -> List[int]:
         return obj.open_findings_list
 
@@ -2069,7 +2069,7 @@ class ImportScanSerializer(serializers.Serializer):
         help_text="Override the verified setting from the tool.",
     )
     scan_type = serializers.ChoiceField(choices=get_choices_sorted())
-    # TODO why do we allow only existing endpoints?
+    # TODO: why do we allow only existing endpoints?
     endpoint_to_add = serializers.PrimaryKeyRelatedField(
         queryset=Endpoint.objects.all(),
         required=False,