Merge branch 'dev' into master-into-dev/2.45.1-2.46.0-dev

Author: rossops

docs/content/en/open_source/upgrading/2.46.md

@@ -0,0 +1,42 @@
+---
+title: 'Upgrading to DefectDojo Version 2.46.x'
+toc_hide: true
+weight: -20250407
+description: Import Payload Changes
+---
+
+### Import / Reimport Statistics Delta
+
+Following a successful import or reimport, a JSON blob for `statistics` is generated to provide the differential of finding activity.
+There was a section in the `delta` JSON blob that referred to a key labeled `left untouched`. This value does not comply with REST
+norms, and has been renamed to `untouched`. Here is a before and after to make it clear:
+
+Before:
+
+    "statistics": {
+        "before": {},
+        "delta": {
+        "created": {},
+        "closed": {},
+        "reactivated": {},
+        "left untouched": {}
+        },
+        "after": {}
+    }
+
+After:
+
+    "statistics": {
+        "before": {},
+        "delta": {
+        "created": {},
+        "closed": {},
+        "reactivated": {},
+        "untouched": {}
+        },
+        "after": {}
+    }
+
+---
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.46.0) for the contents of the release.

docs/package-lock.json

@@ -21,7 +21,7 @@
   },
   "devDependencies": {
     "prettier": "3.5.3",
-    "vite": "6.2.5"
+    "vite": "6.2.6"
   },
   "engines": {
     "node": "22.14.0"

docs/package.json

@@ -0,0 +1,42 @@
+# Generated by Django 5.0.8 on 2024-09-12 18:22
+
+from django.db import migrations, models
+
+
+original_untouched_value = "left untouched"
+updated_untouched_value = "untouched"
+
+
+def convert_space_to_underscore(apps, schema_editor):
+    test_import_finding_action = apps.get_model("dojo", "Test_Import_Finding_Action")
+    for test_import_action in test_import_finding_action.objects.filter(
+        action=original_untouched_value
+    ):
+        test_import_action.action = updated_untouched_value
+        test_import_action.save()
+
+
+def convert_underscore_to_space(apps, schema_editor):
+    test_import_finding_action = apps.get_model("dojo", "Test_Import_Finding_Action")
+    for test_import_action in test_import_finding_action.objects.filter(
+        action=updated_untouched_value
+    ):
+        test_import_action.action = original_untouched_value
+        test_import_action.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("dojo", "0225_alter_product_revenue"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='test_import_finding_action',
+            name='action',
+            field=models.CharField(blank=True, choices=[('N', 'created'), ('C', 'closed'), ('R', 'reactivated'), ('U', 'untouched')], max_length=100, null=True),
+        ),
+        migrations.RunPython(
+            convert_space_to_underscore, reverse_code=convert_underscore_to_space
+        ),
+    ]

dojo/db_migrations/0226_import_history_left_untouched_rename.py

@@ -67,7 +67,7 @@
     (IMPORT_CREATED_FINDING, "created"),
     (IMPORT_CLOSED_FINDING, "closed"),
     (IMPORT_REACTIVATED_FINDING, "reactivated"),
-    (IMPORT_UNTOUCHED_FINDING, "left untouched"),
+    (IMPORT_UNTOUCHED_FINDING, "untouched"),
 ]
 
 
@@ -1053,7 +1053,7 @@ def save(self, *args, **kwargs):
                     super(Product, product).save()
                 # launch the async task to update all finding sla expiration dates
                 from dojo.sla_config.helpers import update_sla_expiration_dates_sla_config_async
-                update_sla_expiration_dates_sla_config_async(self, tuple(severities), products)
+                update_sla_expiration_dates_sla_config_async(self, products, tuple(severities))
 
     def clean(self):
         sla_days = [self.critical, self.high, self.medium, self.low]
@@ -1214,7 +1214,7 @@ def save(self, *args, **kwargs):
                     sla_config.async_updating = True
                     super(SLA_Configuration, sla_config).save()
                 # launch the async task to update all finding sla expiration dates
-                from dojo.product.helpers import update_sla_expiration_dates_product_async
+                from dojo.sla_config.helpers import update_sla_expiration_dates_product_async
                 update_sla_expiration_dates_product_async(self, sla_config)
 
     def get_absolute_url(self):
@@ -2679,6 +2679,7 @@ def __str__(self):
 
     def save(self, dedupe_option=True, rules_option=True, product_grading_option=True,  # noqa: FBT002
              issue_updater_option=True, push_to_jira=False, user=None, *args, **kwargs):  # noqa: FBT002 - this is bit hard to fix nice have this universally fixed
+        logger.debug("Start saving finding of id " + str(self.id) + " dedupe_option:" + str(dedupe_option) + " (self.pk is %s)", "None" if self.pk is None else "not None")
 
         from dojo.finding import helper as finding_helper
 
@@ -3043,7 +3044,7 @@ def get_sla_start_date(self):
         return self.date
 
     def get_sla_period(self):
-        sla_configuration = SLA_Configuration.objects.filter(id=self.test.engagement.product.sla_configuration_id).first()
+        sla_configuration = self.test.engagement.product.sla_configuration
         sla_period = getattr(sla_configuration, self.severity.lower(), None)
         enforce_period = getattr(sla_configuration, str("enforce_" + self.severity.lower()), None)
         return sla_period, enforce_period
@@ -3140,6 +3141,7 @@ def has_finding_group(self):
         return self.finding_group is not None
 
     def save_no_options(self, *args, **kwargs):
+        logger.debug("save_no_options")
         return self.save(dedupe_option=False, rules_option=False, product_grading_option=False,
              issue_updater_option=False, push_to_jira=False, user=None, *args, **kwargs)
 

dojo/models.py

@@ -3,31 +3,11 @@
 
 from dojo.celery import app
 from dojo.decorators import dojo_async_task
-from dojo.models import Endpoint, Engagement, Finding, Product, SLA_Configuration, Test
+from dojo.models import Endpoint, Engagement, Finding, Product, Test
 
 logger = logging.getLogger(__name__)
 
 
-@dojo_async_task
-@app.task
-def update_sla_expiration_dates_product_async(product, sla_config, *args, **kwargs):
-    update_sla_expiration_dates_product_sync(product, sla_config)
-
-
-def update_sla_expiration_dates_product_sync(product, sla_config):
-    logger.info(f"Updating finding SLA expiration dates within product {product}")
-    # update each finding that is within the SLA configuration that was saved
-    for f in Finding.objects.filter(test__engagement__product=product):
-        f.save()
-    # reset the async updating flag to false for the sla config assigned to this product
-    if sla_config:
-        sla_config.async_updating = False
-        super(SLA_Configuration, sla_config).save()
-    # set the async updating flag to false for the sla config assigned to this product
-    product.async_updating = False
-    super(Product, product).save()
-
-
 @dojo_async_task
 @app.task
 def propagate_tags_on_product(product_id, *args, **kwargs):

dojo/product/helpers.py

@@ -3,25 +3,50 @@
 from dojo.celery import app
 from dojo.decorators import dojo_async_task
 from dojo.models import Finding, Product, SLA_Configuration
+from dojo.utils import calculate_grade, mass_model_updater
 
 logger = logging.getLogger(__name__)
 
 
 @dojo_async_task
 @app.task
-def update_sla_expiration_dates_sla_config_async(sla_config, severities, products, *args, **kwargs):
-    update_sla_expiration_dates_sla_config_sync(sla_config, severities, products)
+def update_sla_expiration_dates_sla_config_async(sla_config, products, severities, *args, **kwargs):
+    update_sla_expiration_dates_sla_config_sync(sla_config, products, severities)
 
 
-def update_sla_expiration_dates_sla_config_sync(sla_config, severities, products):
+@dojo_async_task
+@app.task
+def update_sla_expiration_dates_product_async(product, sla_config, *args, **kwargs):
+    update_sla_expiration_dates_sla_config_sync(sla_config, [product])
+
+
+def update_sla_expiration_dates_sla_config_sync(sla_config, products, severities=None):
     logger.info(f"Updating finding SLA expiration dates within the {sla_config} SLA configuration")
     # update each finding that is within the SLA configuration that was saved
-    for f in Finding.objects.filter(test__engagement__product__sla_configuration_id=sla_config.id, severity__in=severities):
-        f.save()
+    findings = Finding.objects.filter(test__engagement__product__sla_configuration_id=sla_config.id)
+    if products:
+        findings = findings.filter(test__engagement__product__in=products)
+    if severities:
+        findings = findings.filter(severity__in=severities)
+
+    findings = findings.prefetch_related(
+            "test",
+            "test__engagement",
+            "test__engagement__product",
+            "test__engagement__product__sla_configuration",
+    )
+
+    findings = findings.order_by("id").only("id", "sla_start_date", "date", "severity", "test")
+
+    mass_model_updater(Finding, findings, lambda f: f.set_sla_expiration_date(), fields=["sla_expiration_date"])
+
     # reset the async updating flag to false for all products using this sla config
     for product in products:
         product.async_updating = False
         super(Product, product).save()
+        calculate_grade(product)
+
     # reset the async updating flag to false for this sla config
     sla_config.async_updating = False
     super(SLA_Configuration, sla_config).save()
+    logger.info(f"DONE Updating finding SLA expiration dates within the {sla_config} SLA configuration")

dojo/sla_config/helpers.py

@@ -25,7 +25,7 @@
         {% endblock %}
 
         <!-- jQuery -->
-        <script src="{% static "jquery/dist/jquery.js" %}"></script>
+        <script src="{% static "jquery/dist/jquery.min.js" %}"></script>
         <!--  jQuery UI -->
         <script src="{% static "jquery-ui/dist/jquery-ui.min.js" %}"></script>
         <!-- Bootstrap Core JavaScript -->
@@ -74,9 +74,9 @@
         <link href="{% static "startbootstrap-sb-admin-2/dist/css/sb-admin-2.css" %}" rel="stylesheet">
 
         <!-- Custom Fonts -->
-        <link href="{% static 'fontawesomefree/css/fontawesome.css' %}" rel="stylesheet" type="text/css">
-        <link href="{% static 'fontawesomefree/css/brands.css' %}" rel="stylesheet" type="text/css">
-        <link href="{% static 'fontawesomefree/css/solid.css' %}" rel="stylesheet" type="text/css">
+        <link href="{% static 'fontawesomefree/css/fontawesome.min.css' %}" rel="stylesheet" type="text/css">
+        <link href="{% static 'fontawesomefree/css/brands.min.css' %}" rel="stylesheet" type="text/css">
+        <link href="{% static 'fontawesomefree/css/solid.min.css' %}" rel="stylesheet" type="text/css">
 
         {% block add_css %}
         {% endblock %}

dojo/templates/base.html

@@ -46,7 +46,7 @@ def ingest_findings(self, normalized_findings, test):
             references = self.format_reference(i)
 
             dupe_key = hashlib.md5(
-                f"{title} | {i.vuln_source}".encode(),
+                f"{title} | {i.vuln_source}".encode(), usedforsecurity=False,
             ).hexdigest()
 
             if dupe_key in dupes:

dojo/tools/blackduck/parser.py

@@ -139,7 +139,7 @@ def get_findings(self, filename, test):
                     finding.description = ""
 
                 key = hashlib.md5(
-                    (finding.title + "|" + finding.description).encode("utf-8"),
+                    (finding.title + "|" + finding.description).encode("utf-8"), usedforsecurity=False,
                 ).hexdigest()
 
                 if key not in dupes: