Release: Merge back 2.53.2 into dev from: master-into-dev/2.53.2-2.54.0-dev #13904

Merged
rossops merged 24 commits into dev from master-into-dev/2.53.2-2.54.0-dev on Dec 15, 2025

Conversation

@github-actions
Contributor

Release triggered by rossops

DefectDojo release bot and others added 23 commits December 8, 2025 17:28
….54.0-dev

Release: Merge back 2.53.1 into bugfix from: master-into-bugfix/2.53.1-2.54.0-dev
* add asset/org info

* remove ref to P/PT nestability

* change screenshot

* add contact email

* Update docs/content/en/working_with_findings/organizing_engagements_tests/pro_assets_organizations.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update docs/content/en/working_with_findings/organizing_engagements_tests/pro_assets_organizations.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* update changelog

* update pro_features.md

* Update docs/content/en/changelog/changelog.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* Update docs/content/en/changelog/changelog.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

---------

Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
…13865)

Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
* delete_chunk: ensure ordering

* delete_chunk: wait for chunk_deletion to complete

* delete_chunk: retry on deadlock

* ruff

---------

Co-authored-by: Valentijn Scholten <valentijn.scholten@iodigital.com>
Clarified release types and added details on dependency updates.
* dedupe: optimize found_by

* fix: update expected query counts in performance tests

* fix: update expected query counts in performance tests
Release: Merge release into master from: release/2.53.2
@github-actions github-actions Bot added the labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests and helm on Dec 15, 2025
dryrunsecurity Bot commented Dec 15, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request includes sensitive edits to multiple core files (dojo/finding/*, dojo/finding_group/views.py, dojo/importers/base_importer.py, dojo/jira_link/helper.py, dojo/models.py, dojo/utils.py) and introduces two security issues: a dynamic module import in reimport_unittest_scan.py that uses unvalidated user-controlled input (risk of arbitrary code execution) and a GitHub Actions workflow that injects an unsafely-escaped pull request title into a shell command allowing command injection via crafted titles.

🔴 Configured Codepaths Edit in dojo/finding/deduplication.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/helper.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/views.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding_group/views.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/base_importer.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Arbitrary Module Import in dojo/management/commands/reimport_unittest_scan.py
Vulnerability: Arbitrary Module Import
Description: The reimport_unittest_scan management command dynamically imports a Python module based on user input. The module_name is extracted from the scan_file argument without validation or sanitization before being used in import_module(f"dojo.tools.{module_name}.parser"). An attacker who can execute this command and control the scan_file argument could specify a path that resolves to a malicious Python file, leading to arbitrary code execution.

module = import_module(f"dojo.tools.{module_name}.parser")
# Find the parser class
parser_class = None

Command Injection in GitHub Action in .github/workflows/test-helm-chart.yml
Vulnerability: Command Injection in GitHub Action
Description: The GitHub Action workflow uses a pull request title (github.event.pull_request.title), which is user-controlled input, and embeds it into a shell command executed by yq. The sanitization logic is an incomplete blacklist that fails to escape shell metacharacters like single quotes ('). An attacker could craft a pull request title containing a single quote to break out of the string and inject arbitrary shell commands, which would be executed on the GitHub runner.

yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n description: '$title'\n"' helm/defectdojo/Chart.yaml
git add helm/defectdojo/Chart.yaml
git commit -m "ci: update Chart annotations from PR #${{ github.event.pull_request.number }}" || echo "No changes to commit"

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
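A hardened counterpart to the flagged import_module call, added here as an example and not DefectDojo's own code: the tool name is restricted to a plain lowercase identifier and checked against an allowlist of known parser packages before it is interpolated into the import path. The scan-file layout (.../<tool_name>/<file>), the allowlist discovery via pkgutil and the injectable `importer` parameter are assumptions, since the page does not show how the real command derives module_name.

```python
import re
from importlib import import_module
from pathlib import PurePosixPath

# Assumption (constructed for this example, not DefectDojo's code): scan files
# are laid out as .../<tool_name>/<file> and the parser for <tool_name> lives in
# dojo.tools.<tool_name>.parser. The page does not show the real derivation.
MODULE_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")


def module_name_from_scan_file(scan_file: str) -> str:
    """Take the tool directory name (second-to-last path component)."""
    parts = PurePosixPath(scan_file).parts
    if len(parts) < 2:
        raise ValueError(f"scan_file has no tool directory: {scan_file!r}")
    return parts[-2]


def validate_module_name(name: str, allowed: frozenset) -> str:
    """Accept only a plain lowercase identifier that is a known parser.

    The regex rejects dots, slashes and '..', so the name cannot refer to
    anything outside the dojo.tools namespace; the allowlist rejects names
    that are well-formed but not a shipped parser. In production the allowlist
    would be built from pkgutil.iter_modules(dojo.tools.__path__) (assumed).
    """
    if not MODULE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid parser module name: {name!r}")
    if name not in allowed:
        raise ValueError(f"unknown parser module: {name!r}")
    return name


def load_parser_module(scan_file: str, allowed: frozenset, importer=import_module):
    """Hardened form of the flagged call: validate, then interpolate."""
    name = validate_module_name(module_name_from_scan_file(scan_file), allowed)
    return importer(f"dojo.tools.{name}.parser")


if __name__ == "__main__":
    # Constructed allowlist; a real one is discovered from the package.
    known = frozenset({"zap", "trivy"})
    print(load_parser_module("unittests/scans/zap/report.xml", known, importer=lambda p: p))
```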

@rossops rossops merged commit a4ed58f into dev Dec 15, 2025
92 checks passed
@rossops rossops deleted the master-into-dev/2.53.2-2.54.0-dev branch December 15, 2025 17:18
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
….53.2-2.54.0-dev

Release: Merge back 2.53.2 into dev from: master-into-dev/2.53.2-2.54.0-dev