Merge remote-tracking branch 'upstream/dev' into perf4-chord-grade

Author: valentijnscholten

.github/workflows/gh-pages.yml

@@ -21,10 +21,10 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: '22.19.0'
+          node-version: '22.20.0'
 
       - name: Cache dependencies
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

.github/workflows/validate_docs_build.yml

@@ -18,10 +18,10 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: '22.19.0'
+          node-version: '22.20.0'
 
       - name: Cache dependencies
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

docker-compose.yml

@@ -120,7 +120,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:17.6-alpine@sha256:d5f196a551b5cef1c70853c6dd588f456d16ca4ea733e3f31c75bc1ae2f65f3f
+    image: postgres:17.6-alpine@sha256:855021a5b10954343902a8c22a15f8464233126c1d12d9ad84d4a14c5af07a80
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

docs/content/en/connecting_your_tools/parsers/file/openvas.md

@@ -2,16 +2,39 @@
 title: "OpenVAS Parser"
 toc_hide: true
 ---
-You can either upload the exported results of an OpenVAS Scan in a .csv or .xml format.
+You can upload the results of an OpenVAS/Greenbone report in either .csv or .xml format.
 
 ### Sample Scan Data
 Sample OpenVAS scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/openvas).
 
-### Default Deduplication Hashcode Fields
-By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
+### Parser versions
+The OpenVAS parser has two versions: Version 2 and the legacy version. Only version 2 should be used going forward. This documentation assumes Version 2 going forward.
+
+Version 2 comes with a number of improvements:
+- Use of a hash code algorithm for deduplication
+- Increased consistency in parsing between the XML and CSV parsers.
+- Combined findings where the only differences are in fields that cannot be rehashed due to inconsistent values between scans (e.g. fields containing timestamps or packet IDs). This prevents duplicates if the vulnerability is found multiple times on the same endpoint.
+- Increased parser value coverage
+- Heuristic for fix_available detection
+- Updated mapping to DefectDojo fields compared to version 1.
+
+### Deduplication Algorithm
+Default Deduplication Hashcode Fields:
+By default, DefectDojo Parser V2 identifies duplicate findings using the following [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
 
 - title
-- cwe
-- line
-- file path
-- description
+- severity
+- vuln_id_from_tool
+- endpoints
+
+The legacy version (version 1) uses the legacy deduplication algorithm.
+
+### CSV and XML differences and similarityies
+The parser attempts to parse XML and CSV files in a similar way. However, this is not always possible. The following lists the differences between the parsers:
+
+- EPSS scores and percentiles are only available in CSV format.
+- CVSS vectors are only available in the XML format.
+- The CVSS score will always be reported as CVSS v3 in the CSV parser 
+- The references in the CSV parser will never contain URLs.
+
+If no supported CVSS version is detected, the score (if present) is registered as a CVSS v3 score, even if this is incorrect.

docs/package-lock.json

@@ -26,6 +26,6 @@
     "vite": "7.1.7"
   },
   "engines": {
-    "node": "22.19.0"
+    "node": "22.20.0"
   }
 }

docs/package.json

@@ -84,7 +84,7 @@ def reactivate_endpoint_status(
         for endpoint_status in endpoint_status_list:
             # Only reactivate endpoints that are actually mitigated
             if endpoint_status.mitigated:
-                logger.debug("Re-import: reactivating endpoint %s that is present in this scan", str(endpoint_status.endpoint))
+                logger.debug("Re-import: reactivating endpoint %s that is present in this scan", endpoint_status.endpoint)
                 endpoint_status.mitigated_by = None
                 endpoint_status.mitigated_time = None
                 endpoint_status.mitigated = False

dojo/importers/endpoint_manager.py

@@ -1649,7 +1649,7 @@ def process_jira_project_form(request, instance=None, target=None, product=None,
     # jform = JIRAProjectForm(request.POST, instance=instance if instance else JIRA_Project(), product=product)
     jform = JIRAProjectForm(request.POST, instance=instance, target=target, product=product, engagement=engagement)
     # logging has_changed because it sometimes doesn't do what we expect
-    logger.debug("jform has changed: %s", str(jform.has_changed()))
+    logger.debug("jform has changed: %s", jform.has_changed())
 
     if jform.has_changed():  # if no data was changed, no need to do anything!
         logger.debug("jform changed_data: %s", jform.changed_data)

dojo/jira_link/helper.py

@@ -62,7 +62,7 @@ def __call__(self, request):
                 return HttpResponseRedirect(fullURL)
 
         if request.user.is_authenticated:
-            logger.debug("Authenticated user: %s", str(request.user))
+            logger.debug("Authenticated user: %s", request.user)
             with suppress(ModuleNotFoundError):  # to avoid unittests to fail
                 uwsgi = __import__("uwsgi", globals(), locals(), ["set_logvar"], 0)
                 # this populates dd_user log var, so can appear in the uwsgi logs

dojo/middleware.py

@@ -114,18 +114,18 @@ def assign_user_to_groups(user, group_names, social_provider):
     for group_name in group_names:
         group, created_group = Dojo_Group.objects.get_or_create(name=group_name, social_provider=social_provider)
         if created_group:
-            logger.debug("Group %s for social provider %s was created", str(group), social_provider)
+            logger.debug("Group %s for social provider %s was created", group, social_provider)
         _group_member, is_member_created = Dojo_Group_Member.objects.get_or_create(group=group, user=user, defaults={
             "role": Role.objects.get(id=Roles.Maintainer)})
         if is_member_created:
-            logger.debug("User %s become member of group %s (social provider: %s)", user, str(group), social_provider)
+            logger.debug("User %s become member of group %s (social provider: %s)", user, group, social_provider)
 
 
 def cleanup_old_groups_for_user(user, group_names):
     for group_member in Dojo_Group_Member.objects.select_related("group").filter(user=user):
         group = group_member.group
         if str(group) not in group_names:
-            logger.debug("Deleting membership of user %s from %s group %s", user, group.social_provider, str(group))
+            logger.debug("Deleting membership of user %s from %s group %s", user, group.social_provider, group)
             group_member.delete()