Merge pull request #10885 from DefectDojo/release/2.38.1

Release: Merge release into master from: release/2.38.1

Author: Maffooch

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.38.0",
+  "version": "2.38.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/content/en/integrations/parsers/file/legitify.md

@@ -0,0 +1,9 @@
+---
+title: "Legitify"
+toc_hide: true
+---
+### File Types
+This DefectDojo parser accepts JSON files (in flattened format) from Legitify. For further details regarding the results, please consult the relevant [documentation](https://github.com/Legit-Labs/legitify?tab=readme-ov-file#output-options).
+
+### Sample Scan Data
+Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/legitify).

docs/content/en/integrations/parsers/file/threat_composer.md

@@ -0,0 +1,9 @@
+---
+title: "Threat Composer"
+toc_hide: true
+---
+### File Types
+This DefectDojo parser accepts JSON files from Threat Composer. The tool supports the [export](https://github.com/awslabs/threat-composer/tree/main?#features) of JSON report out of the browser local storage to a local file.
+
+### Sample Scan Data
+Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/threat_composer).

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.38.0"
+__version__ = "2.38.1"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/api_v2/serializers.py

@@ -1411,7 +1411,7 @@ class TestTypeSerializer(TaggitSerializer, serializers.ModelSerializer):
 
     class Meta:
         model = Test_Type
-        fields = "__all__"
+        exclude = ("dynamically_generated",)
 
 
 class TestToNotesSerializer(serializers.Serializer):

dojo/db_migrations/0214_test_type_dynamically_generated.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.8 on 2024-09-04 19:23
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0213_system_settings_enable_ui_table_based_searching'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='test_type',
+            name='dynamically_generated',
+            field=models.BooleanField(default=False, help_text='Set to True for test types that are created at import time'),
+        ),
+    ]

dojo/forms.py

@@ -285,7 +285,7 @@ def __init__(self, *args, **kwargs):
 class Test_TypeForm(forms.ModelForm):
     class Meta:
         model = Test_Type
-        exclude = [""]
+        exclude = ["dynamically_generated"]
 
 
 class Development_EnvironmentForm(forms.ModelForm):
@@ -321,6 +321,8 @@ class ProductForm(forms.ModelForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields["prod_type"].queryset = get_authorized_product_types(Permissions.Product_Type_Add_Product)
+        if prod_type_id := getattr(kwargs.get("instance", Product()), "prod_type_id"):  # we are editing existing instance
+            self.fields["prod_type"].queryset |= Product_Type.objects.filter(pk=prod_type_id)  # even if user does not have permission for any other ProdType we need to add at least assign ProdType to make form submittable (otherwise empty list was here which generated invalid form)
 
         # if this product has findings being asynchronously updated, disable the sla config field
         if self.instance.async_updating:

dojo/importers/base_importer.py

@@ -491,6 +491,8 @@ def get_or_create_test_type(
         test_type, created = Test_Type.objects.get_or_create(name=test_type_name)
         if created:
             logger.info(f"Created new Test_Type with name {test_type.name} because a report is being imported")
+            test_type.dynamically_generated = True
+            test_type.save()
         return test_type
 
     def verify_tool_configuration_from_test(self):

dojo/importers/default_reimporter.py

@@ -704,6 +704,8 @@ def finding_post_processing(
             finding.unsaved_files = finding_from_report.unsaved_files
         self.process_files(finding)
         # Process vulnerability IDs
+        if finding_from_report.unsaved_vulnerability_ids:
+            finding.unsaved_vulnerability_ids = finding_from_report.unsaved_vulnerability_ids
         finding = self.process_vulnerability_ids(finding)
 
         return finding

dojo/models.py

@@ -817,6 +817,9 @@ class Test_Type(models.Model):
     static_tool = models.BooleanField(default=False)
     dynamic_tool = models.BooleanField(default=False)
     active = models.BooleanField(default=True)
+    dynamically_generated = models.BooleanField(
+        default=False,
+        help_text=_("Set to True for test types that are created at import time"))
 
     class Meta:
         ordering = ("name",)