Release: Merge back 2.54.1 into dev from: master-into-dev/2.54.1-2.55.0-dev#14077
….55.0-dev Release: Merge back 2.54.0 into bugfix from: master-into-bugfix/2.54.0-2.55.0-dev
Clarify the migration process for django-pghistory tables.
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.2 to 2.6.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.2...2.6.3) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.6.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 🐛 Fix multiple google cloud artifact scan bugs * update
* update changelog headings * update changelog --------- Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
* fix: update redis/valkey comment * feat(ci): additional comment updates --------- Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
…errors announcements: catch exceptions
…ghts 🎉 Implement Cloudflare insights parser
🎉 Advance Google Cloud Artifact Scan to parse vulnid
* Remove product grade configuration and related management command * Remove product_grade field from system_settings model * Update expected query counts in performance tests for importer
Release: Merge release into master from: release/2.54.1
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
🔴 Risk threshold exceeded. This pull request includes edits to several sensitive files (dojo/jira_link/helper.py, dojo/db_migrations/0255_remove_system_settings_product_grade.py, dojo/forms.py, dojo/models.py, dojo/utils.py) flagged by configured codepath checks and also registers System_Settings in the Django admin—potentially allowing staff with model permissions to access superuser-only secrets (jira_webhook_secret, slack_token, credentials). It also fixes a logic bug in the gcloud artifact severity mapper where uppercase "MINIMAL" is misclassified as Info instead of Low.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/db_migrations/0255_remove_system_settings_product_grade.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/forms.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Unauthorized Access to System Settings via Admin Site in dojo/models.py
| Vulnerability | Unauthorized Access to System Settings via Admin Site |
|---|---|
| Description | The registration of the System_Settings model in the Django Admin interface using admin.site.register(System_Settings) allows any user with staff access (is_staff=True) and the appropriate model-level permissions to view and modify global system configurations. This includes highly sensitive fields such as jira_webhook_secret, slack_token, and credentials. This registration bypasses the application's intended security model, as both the primary UI (dojo/system_settings/views.py) and the REST API (dojo/api_v2/views.py) explicitly restrict access to these settings to superusers only. Providing an alternative interface with more permissive access controls (Staff vs. Superuser) creates a privilege escalation path for staff users. |
django-DefectDojo/dojo/models.py, lines 4840 to 4846 in a8a8a1a
Fragile Severity Mapping Logic Error in dojo/tools/gcloud_artifact_scan/parser.py
| Vulnerability | Fragile Severity Mapping Logic Error |
|---|---|
| Description | The severity_mapper function contains a logic error in how it handles the 'Minimal' severity level from Google Cloud Artifact Scan. While it attempts to be case-insensitive for standard severities by using .lower().capitalize(), it checks for 'Minimal' using a case-sensitive equality operator (if severity == "Minimal":) after the first check fails. Since Google Cloud Artifact Scan typically uses uppercase 'MINIMAL' (as seen in the provided sample data), the first check fails because 'Minimal' is not in the set, and the second check fails because 'MINIMAL' != 'Minimal'. This causes 'MINIMAL' findings to fall through to the default 'Info' severity, effectively downgrading them from 'Low'. |
django-DefectDojo/dojo/tools/gcloud_artifact_scan/parser.py, lines 44 to 68 in a8a8a1a
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
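The severity mapping defect described in the second finding, reconstructed as an added example. This is not the project's parser code: the referenced lines of parser.py are not shown on this page, so the "fragile" function is an assumption built only from the bot's description (normalize with `.lower().capitalize()`, then a case-sensitive `== "Minimal"` check), and the sample severity strings are constructed. The hardened version normalizes once and resolves every vendor level through a single table, so a new spelling or casing cannot silently fall through to Info.

```python
# Added example (not DefectDojo's own code). Shows how the case-sensitive
# 'Minimal' check downgrades uppercase 'MINIMAL' to Info, and a mapper that
# normalizes once so the downgrade cannot happen.

DEFECTDOJO_SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}

# Vendor levels with no direct DefectDojo counterpart. Keys are in the
# normalized (capitalized) form produced by the hardened mapper below.
VENDOR_SEVERITY_ALIASES = {"Minimal": "Low"}


def fragile_severity_mapper(severity: str) -> str:
    """Assumed reconstruction of the bug as described in the finding.

    The first check is case-insensitive, but the fallback compares the raw
    input to 'Minimal' with a case-sensitive ==, so 'MINIMAL' never matches.
    """
    normalized = severity.lower().capitalize()
    if normalized in DEFECTDOJO_SEVERITIES:
        return normalized
    if severity == "Minimal":  # 'MINIMAL' != 'Minimal' -> falls through
        return "Low"
    return "Info"


def hardened_severity_mapper(severity) -> str:
    """Normalize exactly once, then look the level up in one place."""
    if not isinstance(severity, str) or not severity.strip():
        return "Info"  # missing or non-string severity: lowest bucket
    normalized = severity.strip().lower().capitalize()
    if normalized in DEFECTDOJO_SEVERITIES:
        return normalized
    return VENDOR_SEVERITY_ALIASES.get(normalized, "Info")


# Constructed sample of severity strings as a scan export might carry them
# (illustrative values, not taken from a real Artifact Analysis export).
SAMPLE_SEVERITIES = [
    "CRITICAL", "HIGH", "MEDIUM", "LOW",
    "MINIMAL", "Minimal", "SEVERITY_UNSPECIFIED",
]


def compare_mappers(severities=SAMPLE_SEVERITIES):
    """Return {input: (fragile_result, hardened_result)} for each sample."""
    return {s: (fragile_severity_mapper(s), hardened_severity_mapper(s))
            for s in severities}


def downgraded_inputs(severities=SAMPLE_SEVERITIES):
    """Inputs where the fragile mapper yields a lower severity than the hardened one."""
    order = ["Info", "Low", "Medium", "High", "Critical"]
    return [s for s, (old, new) in compare_mappers(severities).items()
            if order.index(old) < order.index(new)]


if __name__ == "__main__":
    for raw, (old, new) in compare_mappers().items():
        flag = "  <-- downgraded" if old != new else ""
        print(f"{raw:22s} fragile={old:8s} hardened={new}{flag}")
    print("downgraded:", downgraded_inputs())
```

Running the block lists every sample with both results; only `MINIMAL` differs (fragile gives Info, hardened gives Low). A parser unit test that feeds each vendor spelling through the mapper and asserts the expected DefectDojo level is the cheapest way to keep this class of regression from reaching imports.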
….54.1-2.55.0-dev Release: Merge back 2.54.1 into dev from: master-into-dev/2.54.1-2.55.0-dev
Release triggered by rossops