Release: Merge release into master from: release/2.50.2 #13173

Merged
rossops merged 21 commits into master from release/2.50.2
Sep 15, 2025

Conversation

@github-actions
Contributor

Release triggered by rossops

DefectDojo release bot and others added 20 commits September 8, 2025 14:55
….51.0-dev

Release: Merge back 2.50.1 into bugfix from: master-into-bugfix/2.50.1-2.51.0-dev
* Allow enabling Django Debug Toolbar via env variable

* Allow enabling Django Debug Toolbar via env variable

* debugtoolbar: fix collectstatic
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
* 🎉 Add fix_available information to mend #12633

* fix
* add new fields to generic parser

* add test file

* fix missing trailing comma

* modify csv parser and add csv test file

* remove spaces from blank lines

* update parser documentation
bulk edit: add None check on JIRA sync check
Github Vulnerability Parser: Update docs to generate correct schema
@dryrunsecurity Bot commented Sep 15, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request includes a flagged sensitive edit to dojo/jira_link/helper.py. It also introduces a potential denial‑of‑service in dojo/tools/generic/csv_parser.py (lines 81–106) where CVSSV4_score and kev_date are converted without proper error handling, so malformed values can raise ValueError/ParserError and crash the import process.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
  Vulnerability: Configured Codepaths Edit
  Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Denial of Service via Malformed CSV Input in dojo/tools/generic/csv_parser.py
  Vulnerability: Denial of Service via Malformed CSV Input
  Description: The CSV parser in dojo/tools/generic/csv_parser.py attempts to convert CVSSV4_score to a float and kev_date to a date object without proper error handling. Malformed input in these fields (e.g., non-numeric string for score, invalid date string for date) will cause unhandled ValueError or ParserError exceptions, leading to a crash of the import process.

                if len(cvss_objects) > 0:
                    finding.cvssv3 = cvss_objects[0].clean_vector()
            if "CVSSV4" in row:
                cvss4_objects = cvss_parser.parse_cvss_from_text(row["CVSSV4"])
                if len(cvss4_objects) > 0:
                    finding.cvssv4 = cvss4_objects[0].clean_vector()
            if "CVSSV4_score" in row:
                finding.cvssv4_score = float(row["CVSSV4_score"])
            if "kev_date" in row:
                finding.kev_date = parse(row["kev_date"])
            if "known_exploited" in row:
                finding.known_exploited = bool(row["known_exploited"])
            if "ransomware_used" in row:
                finding.ransomware_used = bool(row["ransomware_used"])
            if "fix_available" in row:
                finding.fix_available = bool(row["fix_available"])
            # manage endpoints
            if "Url" in row:
                finding.unsaved_endpoints = [

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
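A tolerant version of the per-field conversions the bot flags above, written here as an added example and not DefectDojo's own code. Two details of the excerpt motivate it: `float(row["CVSSV4_score"])` raises ValueError for any non-numeric cell, including an empty one, and `bool(row["known_exploited"])` is True for every non-empty string, so the literal text "false" is imported as True. The example assumes a plain `csv.DictReader` over constructed rows, uses the standard library's `datetime.fromisoformat` in place of the excerpt's `parse` call (an assumption; the excerpt's parser is not shown), and logs and skips a malformed optional field instead of aborting the import.

```python
"""Tolerant conversion of optional CVSS/KEV fields from a generic CSV import.

Added example (not DefectDojo's csv_parser.py). Assumptions: ISO-8601 dates
via the standard library instead of the excerpt's `parse`, and constructed
sample rows below.
"""
from __future__ import annotations

import csv
import io
import logging
from datetime import date, datetime
from typing import Optional

logger = logging.getLogger(__name__)

# Constructed sample CSV (not real scanner output): a clean row, a row with a
# non-numeric score and an unparsable date, and a row with textual booleans.
SAMPLE_CSV = """Title,CVSSV4_score,kev_date,known_exploited,ransomware_used,fix_available
Clean finding,7.5,2024-01-15,true,false,yes
Malformed finding,high,last tuesday,1,0,
Bool strings,,2023-12-01,False,TRUE,no
"""

TRUE_TOKENS = {"1", "true", "yes", "y", "t"}
FALSE_TOKENS = {"0", "false", "no", "n", "f", ""}


def parse_score(value: Optional[str], field: str, row_no: int) -> Optional[float]:
    """Return a CVSS score in [0, 10], or None when the cell is unusable.

    float() accepts "nan" and "inf"; the range check rejects both because
    comparisons with NaN are False and inf is out of range.
    """
    text = (value or "").strip()
    if not text:
        return None
    try:
        score = float(text)
    except ValueError:
        logger.warning("row %d: %s=%r is not numeric, skipping", row_no, field, text)
        return None
    if not 0.0 <= score <= 10.0:
        logger.warning("row %d: %s=%r outside 0-10, skipping", row_no, field, text)
        return None
    return score


def parse_iso_date(value: Optional[str], field: str, row_no: int) -> Optional[date]:
    """Return a date for an ISO-8601 date/datetime cell, else None."""
    text = (value or "").strip()
    if not text:
        return None
    try:
        return datetime.fromisoformat(text).date()
    except ValueError:
        logger.warning("row %d: %s=%r is not an ISO date, skipping", row_no, field, text)
        return None


def parse_flag(value: Optional[str], field: str, row_no: int) -> bool:
    """Map textual booleans to bool by explicit token match.

    bool("false") is True in Python, so the string must be interpreted;
    unrecognised tokens are logged and treated as False (the safe default).
    """
    text = (value or "").strip().lower()
    if text in TRUE_TOKENS:
        return True
    if text not in FALSE_TOKENS:
        logger.warning("row %d: %s=%r is not a recognised boolean, treating as False",
                       row_no, field, text)
    return False


def import_rows(csv_text: str) -> list[dict]:
    """Convert every row; a malformed optional field never raises."""
    findings = []
    # start=2: line 1 of the file is the header row
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        finding = {"title": row.get("Title", "")}
        if "CVSSV4_score" in row:
            finding["cvssv4_score"] = parse_score(row["CVSSV4_score"], "CVSSV4_score", row_no)
        if "kev_date" in row:
            finding["kev_date"] = parse_iso_date(row["kev_date"], "kev_date", row_no)
        for field in ("known_exploited", "ransomware_used", "fix_available"):
            if field in row:
                finding[field] = parse_flag(row[field], field, row_no)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for f in import_rows(SAMPLE_CSV):
        print(f)
```

Running it imports all three rows: the first carries the expected values, the second is kept with its score and date set to None and a warning per bad cell, and the third shows "False" and "TRUE" landing on the intended booleans. Whether a bad cell should be skipped or the row rejected is a policy choice; the point is that the decision is made deliberately rather than by an unhandled exception.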

@rossops rossops closed this Sep 15, 2025
@rossops rossops reopened this Sep 15, 2025
@github-actions github-actions Bot added the docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests and ui labels Sep 15, 2025
@rossops rossops merged commit 68821a8 into master Sep 15, 2025
86 checks passed

Labels

docker, docs, helm, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), ui, unittests

8 participants