
Release: Merge release into master from: release/2.51.2#13474

Merged
rossops merged 29 commits into master from release/2.51.2 on Oct 20, 2025

Conversation

@github-actions

Release triggered by rossops

DefectDojo release bot and others added 29 commits October 14, 2025 16:30
Co-authored-by: Ross E Esposito <ross@defectdojo.com>
….52.0-dev

Release: Merge back 2.51.1 into bugfix from: master-into-bugfix/2.51.1-2.52.0-dev
fix(helm): re-add annotation hint
feat(renovate): Add support for versioning less standard value locations
Downgrade django-tagulous to version 2.1.0 to avoid issues.
* tag based filtering: avoid duplicate rows in results

* tag based filtering: avoid duplicate rows in results

* improvements
* report builder: ensure at least one section is present

* report builder: ensure at least one section is present
* fix(serializers): Update DojoGroupSerializer to handle empty permissions list

* Accommodate the UserSerializer as well
* findings-report-api: fix 404 errors

* findings-report-api: fix 404 errors
…g with kroki (#13456)

* Replace webhook state transition diagram with PNG instead of rendering with kroki

* Apply suggestion from @Maffooch
* Update wiz.md

* update changelog

* update wiz parser

* correct changelog entry

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Matt Tesauro <mtesauro@gmail.com>
* Update wiz.md

* add Anchore Connector documentation

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Fix incorrect (inflated) numbers in top 10 metrics
* deduplication: add more importer unit tests

* deduplication: add more importer unit tests

* uncomment tests

* add more assessments
…13460)

* view_finding: show unique_id_from_tool with hash_code

* view_finding: show unique_id_from_tool with hash_code
* deduplication logic: add missing tests

* deduplication logic: add docs

* deduplication logic: add docs
@github-actions github-actions Bot requested a review from Maffooch as a code owner October 20, 2025 14:55
@dryrunsecurity

dryrunsecurity Bot commented Oct 20, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies sensitive codepaths (dojo/metrics/utils.py and dojo/metrics/views.py) and also includes workflow/config changes: an insecure pattern in shellcheck.yml that relies on a hardcoded checksum for a downloaded binary, and a Renovate config (.github/renovate.json) that disables automated updates for key dependency files (requirements, package.json, Dockerfiles).

🔴 Configured Codepaths Edit in dojo/metrics/utils.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/metrics/views.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Insecure Dependency Check in docs/content/en/about_defectdojo/pro_features.md
Vulnerability: Insecure Dependency Check
Description: The shellcheck.yml workflow downloads a binary without verifying its integrity against a known good source. While it does check the SHA1 checksum, the checksum itself is hardcoded in the workflow file. If an attacker were to compromise the repository and modify the shellcheck binary and update the SHELLCHECK_SHA variable to match the malicious binary's checksum, the workflow would pass the integrity check and execute the compromised binary.

Supported tools for Connectors include:
* Anchore
* AWS Security Hub
* BurpSuite
* Checkmarx ONE

Automated Dependency Updates Disabled in .github/renovate.json
Vulnerability: Automated Dependency Updates Disabled
Description: The Renovate configuration explicitly ignores critical dependency files such as Python requirements (requirements.txt, requirements-lint.txt), Node.js packages (components/package.json), and Dockerfiles (Dockerfile**). This prevents automated scanning and updating of these dependencies, leading to a high risk of using outdated components with known vulnerabilities. No alternative automated process for managing these dependencies was identified.

    "ignorePaths": [
        "requirements.txt",
        "requirements-lint.txt",
        "components/package.json",
        "components/package-lock.json",
        "dojo/components/yarn.lock",
        "dojo/components/package.json",
        "Dockerfile**"
    ],

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

@rossops rossops merged commit 7c0d92a into master Oct 20, 2025
149 checks passed
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
Release: Merge release into master from: release/2.51.2
5 participants