
Feature/asvs 5.0 benchmark #12669

Merged
valentijnscholten merged 4 commits into DefectDojo:dev from ivhorodko:feature/asvs-5.0-benchmark
Jun 25, 2025

Conversation

@ivhorodko (Contributor)

Description 📋

🐞 Bug fix

  • Symptom: The Benchmark-Type dropdown on the product page always showed a single entry, “OWASP ASVS v3.1”, even though v4.0.1 (and other types) were already loaded in the DB.
  • Root cause: The view didn’t pass the full list of enabled Benchmark_Type records to the template.
  • Fix: dojo/product/views.py now fetches Benchmark_Type.objects.filter(enabled=True) and exposes it in the context → the dropdown lists all enabled benchmarks.

✨ Feature / Enhancement

  • Added OWASP ASVS 5.0:
    Includes the latest ASVS 5.0 as a selectable benchmark, with new categories and initial requirements.
  • Why:
    Previously, only the old ASVS 3.1 was visible in the dropdown, even though 4.0.1 was already in the database. ASVS 3.1 is quite outdated, so it’s nice to have more up-to-date standards available.
  • What changed:
    The dropdown now shows all available ASVS versions (including 5.0), so you can map findings to the most current requirements.

Screenshots 🖼️

Before/after screenshots of the Benchmark-Type dropdown (images not reproduced here).

Additional screenshot of the new ASVS 5.0 benchmark page (image not reproduced here).


References 🔗

Place any external links here (PDF, CSV, official page, etc.):


Test results

  1. Loaded fixtures on a fresh database (manage.py loaddata …).
  2. Verified the dropdown now lists ASVS 3.1, ASVS 4.0.1, ASVS 5.0.
  3. Created a dummy product → mapped findings to new v5.0 requirements without issues.

I added 2 commits June 21, 2025 15:07
…duct view

Previously, only one Benchmark Type (e.g., ASVS) appeared in the product view dropdown, even if more were in the database.
Now, the view passes all enabled Benchmark Types to the template, so the dropdown correctly lists every available type.
No template changes were needed; just the view logic was updated.
…ents)

- Added OWASP ASVS 5.0 as a new Benchmark Type to fixtures.
- Added all categories and requirements from ASVS 5.0.
- All ASVS 5.0 controls are now available for selection and mapping in DefectDojo.

No code changes, only updated fixture data.
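Added example, not code from this PR or from DefectDojo: a sanity check of the kind one would run on a benchmark fixture before the `manage.py loaddata` step listed under "Test results", for data like the ASVS 5.0 categories and requirements added in the second commit. The model labels `dojo.benchmark_type`, `dojo.benchmark_category` and `dojo.benchmark_requirement`, the foreign-key field names `benchmark_type` and `category`, and all sample rows are assumptions constructed for the example, not the project's real fixture. `enabled_benchmarks()` applies the same `enabled=True` selection the fixed view uses, so the output shows which entries the dropdown would list.

```python
"""Added example, not DefectDojo code: sanity-check a Django fixture before
`manage.py loaddata`. Model labels and field names below are assumed."""
import json
from collections import defaultdict

# Constructed sample fixture (not the real DefectDojo data). It deliberately
# contains three defects: a duplicate pk (loaddata would silently overwrite
# the first row with the second), a category whose benchmark_type does not
# exist in the fixture, and a requirement whose category does not exist.
SAMPLE_FIXTURE = json.dumps([
    {"model": "dojo.benchmark_type", "pk": 1,
     "fields": {"name": "OWASP ASVS", "version": "3.1", "enabled": True}},
    {"model": "dojo.benchmark_type", "pk": 2,
     "fields": {"name": "OWASP ASVS", "version": "4.0.1", "enabled": True}},
    {"model": "dojo.benchmark_type", "pk": 3,
     "fields": {"name": "OWASP ASVS", "version": "5.0", "enabled": True}},
    {"model": "dojo.benchmark_type", "pk": 4,  # disabled: must not reach the dropdown
     "fields": {"name": "Example Benchmark", "version": "0.1", "enabled": False}},
    {"model": "dojo.benchmark_category", "pk": 10,
     "fields": {"benchmark_type": 3, "name": "V1 Encoding and Sanitization"}},
    {"model": "dojo.benchmark_category", "pk": 10,  # duplicate pk
     "fields": {"benchmark_type": 3, "name": "V2 Validation and Business Logic"}},
    {"model": "dojo.benchmark_category", "pk": 11,  # dangling benchmark_type
     "fields": {"benchmark_type": 9, "name": "Orphan category"}},
    {"model": "dojo.benchmark_requirement", "pk": 100,
     "fields": {"category": 10, "objective": "Sample requirement"}},
    {"model": "dojo.benchmark_requirement", "pk": 101,  # dangling category
     "fields": {"category": 42, "objective": "Sample requirement"}},
])

# Assumed foreign keys: child model label -> (field name, parent model label).
FK_FIELDS = {
    "dojo.benchmark_category": ("benchmark_type", "dojo.benchmark_type"),
    "dojo.benchmark_requirement": ("category", "dojo.benchmark_category"),
}


def check_fixture(fixture_json):
    """Return a list of problem strings; an empty list means the fixture is consistent."""
    rows = json.loads(fixture_json)
    problems = []
    seen = defaultdict(set)  # model label -> pks seen so far
    # Pass 1: every (model, pk) pair must be unique within the fixture.
    for row in rows:
        model, pk = row["model"], row["pk"]
        if pk in seen[model]:
            problems.append(f"duplicate pk {pk} in {model}")
        seen[model].add(pk)
    # Pass 2: every foreign key must point at a pk that the fixture itself defines.
    for row in rows:
        model = row["model"]
        if model not in FK_FIELDS:
            continue
        field, parent = FK_FIELDS[model]
        ref = row["fields"].get(field)
        if ref not in seen[parent]:
            problems.append(f"{model} pk {row['pk']}: {field}={ref} has no match in {parent}")
    return problems


def enabled_benchmarks(fixture_json):
    """Labels the dropdown would list: benchmark types from the fixture with enabled=True."""
    rows = json.loads(fixture_json)
    return [f"{r['fields']['name']} v{r['fields']['version']}"
            for r in rows
            if r["model"] == "dojo.benchmark_type" and r["fields"].get("enabled")]


if __name__ == "__main__":
    for problem in check_fixture(SAMPLE_FIXTURE):
        print("PROBLEM:", problem)
    print("enabled benchmark types:", enabled_benchmarks(SAMPLE_FIXTURE))
```

Run it against the real fixture file by replacing `SAMPLE_FIXTURE` with the file's contents and adjusting `FK_FIELDS` to the actual model and field names; a non-empty problem list means the fixture should be corrected before it is loaded, because a duplicate pk is overwritten rather than rejected by `loaddata`.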
@dryrunsecurity (Bot) commented Jun 21, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains multiple sensitive edits to critical files in the dojo/product directory, including views.py and product.html, which may require additional review and configuration in the .dryrunsecurity.yaml file to manage access and changes.

🔴 Configured Codepaths Edit in dojo/product/views.py
    Vulnerability: Configured Codepaths Edit
    Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/product/views.py
    Vulnerability: Configured Codepaths Edit
    Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/product/views.py
    Vulnerability: Configured Codepaths Edit
    Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/product.html
    Vulnerability: Configured Codepaths Edit
    Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

Comment thread dojo/product/views.py Outdated
product(): use plural `benchmark_types` to reflect that we pass a list
product.html: iterate over `benchmark_types`
@github-actions github-actions Bot added the ui label Jun 22, 2025
@Maffooch Maffooch changed the base branch from master to dev June 23, 2025 15:20
@Maffooch Maffooch requested a review from hblankenship June 23, 2025 15:38
@mtesauro (Contributor) left a comment

Approved

@valentijnscholten valentijnscholten merged commit e1335eb into DefectDojo:dev Jun 25, 2025
77 of 79 checks passed