Merge pull request #10417 from DefectDojo/release/2.35.3

Maffooch · web-flow · commit bfa20c9faa49 · 2024-06-17T12:18:04.000-05:00
Release: Merge release into master from: release/2.35.3
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,7 +7,7 @@ assignees: ''
 
 ---
 **Slack us first!**
-The easiest and fastest way to help you is via Slack. There's a free and easy signup to join our #defectdojo channel in the OWASP Slack workspace: [Get Access.](https://owasp-slack.herokuapp.com/)
+The easiest and fastest way to help you is via Slack. There's a free and easy signup to join our #defectdojo channel in the OWASP Slack workspace: [Get Access.](https://owasp.org/slack/invite)
 If you're confident you've found a bug, or are allergic to Slack, you can submit an issue anyway.
 
 **Be informative**
diff --git a/components/package.json b/components/package.json
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.35.2",
+  "version": "2.35.3",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
diff --git a/docs/package-lock.json b/docs/package-lock.json
diff --git a/dojo/__init__.py b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = '2.35.2'
+__version__ = '2.35.3'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'https://documentation.defectdojo.com'
diff --git a/dojo/notifications/helper.py b/dojo/notifications/helper.py
@@ -127,11 +127,11 @@ def create_notification(event=None, **kwargs):
 def create_description(event, *args, **kwargs):
     if "description" not in kwargs.keys():
         if event == 'product_added':
-            kwargs["description"] = _('Product {title} has been created successfully.'.format(title=kwargs['title']))
+            kwargs["description"] = _('Product %s has been created successfully.') % kwargs['title']
         elif event == 'product_type_added':
-            kwargs["description"] = _('Product Type {title} has been created successfully.'.format(title=kwargs['title']))
+            kwargs["description"] = _('Product Type %s has been created successfully.') % kwargs['title']
         else:
-            kwargs["description"] = _('Event {event}  has occurred.'.format(event=str(event)))
+            kwargs["description"] = _('Event %s has occurred.') % str(event)
 
     return kwargs["description"]
 
diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-c0f6db3774e94fcfd22a5861d47e42cdd52839d01dd99ce361ecfd44f42b221c
+e9aab91c011f6aa1933791c57e7c37b165e5369606c459f772c4269c56212b53
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1222,7 +1222,7 @@ def saml2_attrib_map_format(dict):
     'DSOP Scan': ['vulnerability_ids'],
     'Acunetix Scan': ['title', 'description'],
     'Terrascan Scan': ['vuln_id_from_tool', 'title', 'severity', 'file_path', 'line', 'component_name'],
-    'Trivy Operator Scan': ['title', 'severity', 'vulnerability_ids'],
+    'Trivy Operator Scan': ['title', 'severity', 'vulnerability_ids', 'description'],
     'Trivy Scan': ['title', 'severity', 'vulnerability_ids', 'cwe', 'description'],
     'TFSec Scan': ['severity', 'vuln_id_from_tool', 'file_path', 'line'],
     'Snyk Scan': ['vuln_id_from_tool', 'file_path', 'component_name', 'component_version'],
diff --git a/dojo/templates/issue-trackers/jira_full/jira-finding-group-description.tpl b/dojo/templates/issue-trackers/jira_full/jira-finding-group-description.tpl
@@ -1,9 +1,9 @@
 {% load navigation_tags %}
 {% load display_tags %}
 {% url 'view_finding_group' finding_group.id as finding_group_url %}
-{% url 'view_product' finding.test.engagement.product.id as product_url %}
-{% url 'view_engagement' finding.test.engagement.id as engagement_url %}
-{% url 'view_test' finding.test.id as test_url %}
+{% url 'view_product' finding_group.test.engagement.product.id as product_url %}
+{% url 'view_engagement' finding_group.test.engagement.id as engagement_url %}
+{% url 'view_test' finding_group.test.id as test_url %}
 
 A group of Findings has been pushed to JIRA to be investigated and fixed:
 
@@ -12,7 +12,7 @@ h2. Group
 
 
 || Severity || CVE || CWE || Component || Version || Title || Status ||{% for finding in finding_group.findings.all %}
-| {{finding.severity}} | {% if finding.cve %}[{{finding.cve}}|{{finding.cve|vulnerability_url}}]{% else %}None{% endif %} | [{{finding.cwe}}|{{finding.cwe|cwe_url}}] | {{finding.component_name|jiraencode_component}} | {{finding.component_version}} | [{{ finding.title|jiraencode}}|{{ finding_url|full_url }}] | {{ finding.status }} |{% endfor %}
+| {{finding.severity}} | {% if finding.cve %}[{{finding.cve}}|{{finding.cve|vulnerability_url}}]{% else %}None{% endif %} | [{{finding.cwe}}|{{finding.cwe|cwe_url}}] | {{finding.component_name|jiraencode_component}} | {{finding.component_version}} | {% url 'view_finding' finding.id as finding_url %}[{{ finding.title|jiraencode}}|{{ finding_url|full_url }}] | {{ finding.status }} |{% endfor %}
 
 *Severity:* {{ finding_group.severity }}
 
diff --git a/dojo/templates/issue-trackers/jira_limited/jira-finding-group-description.tpl b/dojo/templates/issue-trackers/jira_limited/jira-finding-group-description.tpl
@@ -1,16 +1,17 @@
 {% load navigation_tags %}
 {% load display_tags %}
 {% url 'view_finding_group' finding_group.id as finding_group_url %}
-{% url 'view_product' finding.test.engagement.product.id as product_url %}
-{% url 'view_engagement' finding.test.engagement.id as engagement_url %}
-{% url 'view_test' finding.test.id as test_url %}
+{% url 'view_product' finding_group.test.engagement.product.id as product_url %}
+{% url 'view_engagement' finding_group.test.engagement.id as engagement_url %}
+{% url 'view_test' finding_group.test.id as test_url %}
 
 A group of Findings has been pushed to JIRA to be investigated and fixed:
 
 *Group*: [{{ finding_group.name|jiraencode}}|{{ finding_group_url|full_url }}] in [{{ finding_group.test.engagement.product.name|jiraencode }}|{{ product_url|full_url }}] / [{{ finding_group.test.engagement.name|jiraencode }}|{{ engagement_url|full_url }}] / [{{ finding_group.test|stringformat:'s'|jiraencode }}|{{ test_url|full_url }}]
 
 Findings:
 {% for finding in finding_group.findings.all %}
+{% url 'view_finding' finding.id as finding_url %}
 - [{{ finding.title|jiraencode}}|{{ finding_url|full_url }}]{% endfor %}
 
 {% if finding_group.test.engagement.branch_tag %}
diff --git a/dojo/tools/acunetix/parse_acunetix360_json.py b/dojo/tools/acunetix/parse_acunetix360_json.py
@@ -19,7 +19,7 @@ def get_findings(self, filename, test):
         for item in data["Vulnerabilities"]:
             title = item["Name"]
             findingdetail = text_maker.handle(item.get("Description", ""))
-            if "Cwe" in item["Classification"]:
+            if item["Classification"] is not None and "Cwe" in item["Classification"]:
                 try:
                     cwe = int(item["Classification"]["Cwe"].split(",")[0])
                 except BaseException:
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.35.2"
+appVersion: "2.35.3"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.134
+version: 1.6.135
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap
diff --git a/unittests/scans/acunetix/issue_10370.json b/unittests/scans/acunetix/issue_10370.json
@@ -0,0 +1,57 @@
+{
+  "Generated": "25/06/2021 09:59 AM",
+  "Target": {
+    "Duration": "00:00:41.3968969",
+    "Initiated": "25/06/2021 09:53 AM",
+    "ScanId": "663eb6e88d9e4f4d9e00ad52017aa66d",
+    "Url": "http://php.testsparker.com/"
+  },
+  "Vulnerabilities": [
+    {
+      "Certainty": 100,
+      "Classification": null,
+      "Confirmed": true,
+      "Description": "<p>Acunetix360 identified a cookie not marked as HTTPOnly.</p>\n<p>HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.</p>",
+      "ExploitationSkills": "",
+      "ExternalReferences": "<div><ul><li><a target='_blank' href='https://www.acunetix.com/security-cookies-whitepaper/#httpOnlyFlag'><i class='icon-external-link'></i>Acunetix - Security Cookies - HTTPOnly Flag</a></li><li><a target='_blank' href='https://wiki.owasp.org/index.php/HttpOnly'><i class='icon-external-link'></i>OWASP HTTPOnly Cookies</a></li><li><a target='_blank' href='https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly%28VS.80%29.aspx'><i class='icon-external-link'></i>MSDN - ASP.NET HTTPOnly Cookies</a></li></ul></div>",
+      "ExtraInformation": [
+        {
+          "Name": "Identified Cookie(s)",
+          "Value": "PHPSESSID"
+        },
+        {
+          "Name": "Cookie Source",
+          "Value": "HTTP Header"
+        },
+        {
+          "Name": "Page Type",
+          "Value": "Login"
+        }
+      ],
+      "FirstSeenDate": "16/06/2021 12:30 PM",
+      "HttpRequest": {
+        "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nReferer: http://php.testsparker.com/auth/\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36\r\nX-Scanner: Acunetix360\r\n\r\n",
+        "Method": "GET",
+        "Parameters": []
+      },
+      "HttpResponse": {
+        "Content": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=e52a07f0fe53c0294ae211bc4481332d; path=/\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3061\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT<!-- end #footer -->\n</body>\n</html>\n",
+        "Duration": 41.4849,
+        "StatusCode": 200
+      },
+      "LookupId": "735f4503-e9eb-4b4c-4306-ad49020a4c4b",
+      "Impact": "<div>During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.</div>",
+      "KnownVulnerabilities": [],
+      "LastSeenDate": "25/06/2021 01:52 AM",
+      "Name": "Cookie Not Marked as HttpOnly",
+      "ProofOfConcept": "",
+      "RemedialActions": "<div>\n<ol>\n<li>See the remedy for solution.</li>\n<li>Consider marking all of the cookies used by the application as HTTPOnly. (<em>After these changes javascript code will not be able to read cookies.</em>)</li>\n</ol>\n</div>",
+      "RemedialProcedure": "<div>Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as <a href=\"https://labs.portcullis.co.uk/tools/xss-tunnel/\">XSS Tunnel</a> to bypass HTTPOnly protection.</div>",
+      "RemedyReferences": "",
+      "Severity": "Medium",
+      "State": "Present",
+      "Type": "CookieNotMarkedAsHttpOnly",
+      "Url": "http://php.testsparker.com/auth/login.php"
+    }
+  ]
+}
diff --git a/unittests/tools/test_acunetix_parser.py b/unittests/tools/test_acunetix_parser.py
@@ -324,3 +324,9 @@ def test_parse_file_with_mulitple_cwe(self):
                 self.assertEqual(1, len(finding.unsaved_endpoints))
                 endpoint = finding.unsaved_endpoints[0]
                 self.assertEqual(str(endpoint), "http://php.testsparker.com/auth/login.php")
+
+    def test_parse_file_issue_10370(self):
+        with open("unittests/scans/acunetix/issue_10370.json") as testfile:
+            parser = AcunetixParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "defectdojo",`
`3`		`- "version": "2.35.2",`
	`3`	`+ "version": "2.35.3",`
`4`	`4`	`"license" : "BSD-3-Clause",`
`5`	`5`	`"private": true,`
`6`	`6`	`"dependencies": {`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-c0f6db3774e94fcfd22a5861d47e42cdd52839d01dd99ce361ecfd44f42b221c`
	`1`	`+e9aab91c011f6aa1933791c57e7c37b165e5369606c459f772c4269c56212b53`