
Release: Merge back 2.35.3 into dev from: master-into-dev/2.35.3-2.36.0-dev #10419

Merged
merged 13 commits into dev from master-into-dev/2.35.3-2.36.0-dev
Jun 17, 2024

Conversation

github-actions[bot]
Contributor

Release triggered by Maffooch

Maffooch and others added 10 commits June 10, 2024 18:04
….36.0-dev

Release: Merge back 2.35.2 into bugfix from: master-into-bugfix/2.35.2-2.36.0-dev
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 🐛 fix trivy operator deduplication setting

* update
Release: Merge release into master from: release/2.35.3

dryrunsecurity bot commented Jun 17, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                 | Findings
Server-Side Request Forgery Analyzer   | 0 findings
Configured Codepaths Analyzer          | 0 findings
IDOR Analyzer                          | 0 findings
Sensitive Files Analyzer               | 1 finding
SQL Injection Analyzer                 | 0 findings
Authn/Authz Analyzer                   | 0 findings
Secrets Analyzer                       | 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This pull request includes a variety of changes across multiple files in the DefectDojo application, which is an open-source web application for managing software vulnerabilities. The changes cover a range of areas, including updates to issue templates, configuration files, Helm chart dependencies, and test cases.

From an application security perspective, the changes do not appear to introduce any significant security vulnerabilities. The updates are primarily focused on improving the functionality, reliability, and robustness of the application's components. However, there are a few areas that warrant closer review and consideration:

  1. Removal of Order Placement Check: The changes in the Gift.php and GiftBlanket.php files remove the check for whether the customer has placed an order before. This could potentially allow the post-checkout ad to be displayed to customers who have not yet placed an order, which may have business and user experience implications that should be carefully evaluated.

  2. Potential SQL Injection Vulnerability: The getPastOrderCount() method in the PostCheckoutAd.php file uses a raw SQL query with user-supplied input, which could potentially lead to SQL injection vulnerabilities if the input is not properly sanitized. This should be addressed to ensure the security of the application.

  3. Hardcoded Constants and External Libraries: The use of hardcoded constants and dependencies on external libraries, such as in the Gift.php file, should be reviewed to ensure they are properly defined, managed, and up-to-date to prevent potential security vulnerabilities.

  4. Tracking Parameters and AB Testing: The changes in the Gift.php file introduce AB testing functionality and send tracking parameters to the FpEventABSKStore::triggerEvent() function. These changes should be carefully reviewed to ensure that user input is properly sanitized and validated to prevent security issues like cross-site scripting (XSS) attacks.

Overall, the changes in this pull request appear to be focused on improving the functionality and reliability of the DefectDojo application, with no immediate security concerns. However, it's essential to thoroughly review the changes, address the potential security implications, and ensure that the application's security posture is maintained throughout the development process.

Files Changed:

  1. .github/ISSUE_TEMPLATE/bug_report.md: The changes update the link for the OWASP Slack workspace invitation, which does not introduce any significant security concerns.
  2. dojo/settings/.settings.dist.py.sha256sum: The changes update the SHA-256 hash value, which is used for verifying the integrity of a file or configuration. This change should be reviewed in the context of the overall application security practices.
  3. dojo/settings/settings.dist.py: The changes add the "description" field to the list of fields extracted from the Trivy Operator Scan report, which is a positive security enhancement.
  4. dojo/templates/issue-trackers/jira_full/jira-finding-group-description.tpl: The changes update the URLs used in the Jira finding group description template, which do not introduce any obvious security concerns.
  5. dojo/notifications/helper.py: The changes are focused on improving the functionality and reliability of the notification system, which is an important aspect of application security.
  6. dojo/tools/acunetix/parse_acunetix360_json.py: The changes improve the robustness and error-handling of the Acunetix JSON parser, which is a positive security enhancement.
  7. dojo/templates/issue-trackers/jira_limited/jira-finding-group-description.tpl: The changes update the URLs used in the Jira finding group description template, which do not introduce any obvious security concerns.
  8. docs/package-lock.json: The changes update the versions of the braces and fill-range dependencies, which are unlikely to have a significant impact on the application's security.
  9. helm/defectdojo/Chart.lock: The changes update the versions of the PostgreSQL, RabbitMQ, and Redis dependencies, which should be reviewed for any potential security implications.
  10. helm/defectdojo/Chart.yaml: The changes update the version of the Helm chart, which is a routine maintenance release and does not raise any immediate security concerns.
  11. unittests/scans/acunetix/issue_10370.json: The file contains a report generated by the Acunetix360 security scanner, which identifies a vulnerability related to a cookie not being marke

Powered by DryRun Security
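The bot's note on dojo/settings/.settings.dist.py.sha256sum above refers to a checksum file kept next to settings.dist.py so that local edits to the distributed settings can be detected. The following is an added example, not DefectDojo's own code, of how such a companion .sha256sum file is checked: it hashes the file in chunks, accepts both the bare-digest and the `sha256sum`-output line format, compares in constant time, and rejects a malformed checksum file instead of silently passing. The file contents and names in `demo()` are constructed for the example.

```python
"""Added example (not DefectDojo's own code): verify a settings file against a
companion .sha256sum file. Sample files and contents below are constructed."""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, streamed so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def read_expected_digest(checksum_path: Path) -> str:
    """Parse a .sha256sum file holding either '<hex>' or '<hex>  <filename>'.

    Raises ValueError on an empty or malformed digest so a broken checksum
    file fails closed rather than comparing equal to nothing.
    """
    text = checksum_path.read_text(encoding="utf-8").strip()
    digest = text.split()[0].lower() if text else ""
    if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"malformed SHA-256 digest in {checksum_path}")
    return digest


def verify_settings_dist(settings_path: Path, checksum_path: Path) -> bool:
    """True when the settings file's SHA-256 matches the recorded digest."""
    actual = sha256_of_file(settings_path)
    expected = read_expected_digest(checksum_path)
    # Constant-time comparison; not strictly needed for a public hash, but it
    # avoids making the comparison routine a timing side channel elsewhere.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Run the check on constructed files: intact, locally edited, and malformed checksum."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        settings = root / "settings.dist.py"          # constructed stand-in
        checksum = root / ".settings.dist.py.sha256sum"

        settings.write_bytes(b"DEBUG = False\n")
        # Same line format `sha256sum` prints: "<hex>  <filename>"
        checksum.write_text(f"{sha256_of_file(settings)}  settings.dist.py\n")
        intact = verify_settings_dist(settings, checksum)

        # A local edit to the distributed settings without updating the checksum
        settings.write_bytes(b"DEBUG = True\n")
        edited = verify_settings_dist(settings, checksum)

        # A truncated or hand-edited checksum file must raise, not pass
        checksum.write_text("deadbeef\n")
        try:
            verify_settings_dist(settings, checksum)
            malformed_rejected = False
        except ValueError:
            malformed_rejected = True

        return {"intact": intact, "edited": edited, "malformed_rejected": malformed_rejected}


if __name__ == "__main__":
    print(demo())
```

In a project that ships such a checksum, the check belongs in CI or a pre-commit hook, so a change to the distributed settings file that is not accompanied by a refreshed digest fails the build instead of being noticed only after deployment.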

@Maffooch Maffooch closed this Jun 17, 2024
@Maffooch Maffooch reopened this Jun 17, 2024
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests ui parser helm labels Jun 17, 2024
Signed-off-by: DefectDojo <defectdojo-project@owasp.org>
Contributor Author

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor Author

Conflicts have been resolved. A maintainer will review the pull request shortly.

Signed-off-by: DefectDojo <defectdojo-project@owasp.org>
@Maffooch Maffooch closed this Jun 17, 2024
@Maffooch Maffooch reopened this Jun 17, 2024
@Maffooch Maffooch merged commit 74a5a2e into dev Jun 17, 2024
123 checks passed
@Maffooch Maffooch deleted the master-into-dev/2.35.3-2.36.0-dev branch June 17, 2024 18:01
4 participants