Release: Merge release into master from: release/2.54.3

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.54.2",
+  "version": "2.54.3",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/content/en/changelog/changelog.md

@@ -10,6 +10,15 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Jan 2025: v2.54
 
+### Jan 20, 2025: v2.54.2
+
+* **(Pro UI)** corrected a bug where unordered lists would display as ordered lists in editor forms.
+* **(Smart Upload)** introduced severity filtering to the Smart Importer to skip findings below a specified severity level. Added detailed logging throughout the findings processing to improve traceability and debugging.
+
+### Jan 12, 2025: v2.54.1
+
+* **(AI Tools)** added Risk Scores to schema for MCP processing.
+
 ### Jan 5, 2025: v2.54.0
 
 No significant UX changes.

docs/content/en/open_source/upgrading/2.54.3.md

@@ -0,0 +1,9 @@
+---
+title: 'Upgrading to DefectDojo Version 2.54.3'
+toc_hide: true
+weight: -20250602
+description: Trivy parser deduplication
+---
+
+## Trivy parser deduplication
+Deduplication of Trivy misconfiguration findings is improved for newly imported findings, but existing findings may no longer match because they don’t contain the new vulnerability_id or file_path fields.

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.54.2"
+__version__ = "2.54.3"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"  # noqa: RUF067
 __docs__ = "https://documentation.defectdojo.com"  # noqa: RUF067

dojo/forms.py

@@ -891,7 +891,7 @@ class EditRiskAcceptanceForm(forms.ModelForm):
     recommendation = forms.ChoiceField(choices=Risk_Acceptance.TREATMENT_CHOICES, initial=Risk_Acceptance.TREATMENT_ACCEPT, widget=forms.RadioSelect, label="Security Recommendation")
     decision = forms.ChoiceField(choices=Risk_Acceptance.TREATMENT_CHOICES, initial=Risk_Acceptance.TREATMENT_ACCEPT, widget=forms.RadioSelect)
 
-    path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ".jpg,.png,.pdf"}))
+    path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ", ".join(settings.FILE_IMPORT_TYPES)}))
     expiration_date = forms.DateTimeField(required=False, widget=forms.TextInput(attrs={"class": "datepicker"}))
 
     class Meta:
@@ -904,10 +904,20 @@ def __init__(self, *args, **kwargs):
         self.fields["expiration_date_warned"].disabled = True
         self.fields["expiration_date_handled"].disabled = True
 
+    def clean_path(self):
+        if (data := self.cleaned_data.get("path")) is not None:
+            ext = Path(data.name).suffix  # [0] returns path+filename
+            valid_extensions = settings.FILE_UPLOAD_TYPES
+            if ext.lower() not in valid_extensions:
+                if accepted_extensions := f"{', '.join(valid_extensions)}":
+                    msg = f"Unsupported extension. Supported extensions are as follows: {accepted_extensions}"
+                else:
+                    msg = "File uploads are prohibited due to the list of acceptable file extensions being empty"
+                raise ValidationError(msg)
+        return data
+
 
 class RiskAcceptanceForm(EditRiskAcceptanceForm):
-    # path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ".jpg,.png,.pdf"}))
-    # expiration_date = forms.DateTimeField(required=False, widget=forms.TextInput(attrs={'class': 'datepicker'}))
     accepted_findings = forms.ModelMultipleChoiceField(
         queryset=Finding.objects.none(), required=True,
         widget=forms.widgets.SelectMultiple(attrs={"size": 10}),

dojo/settings/settings.dist.py

@@ -817,6 +817,25 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 SESSION_EXPIRE_AT_BROWSER_CLOSE = env("DD_SESSION_EXPIRE_AT_BROWSER_CLOSE")
 SESSION_EXPIRE_WARNING = env("DD_SESSION_EXPIRE_WARNING")
 SESSION_COOKIE_AGE = env("DD_SESSION_COOKIE_AGE")
+# Permission-Policy header settings
+# See docs at https://pypi.org/project/django-permissions-policy/
+PERMISSIONS_POLICY = {
+    "accelerometer": [],
+    "ambient-light-sensor": [],
+    "autoplay": [],
+    "camera": [],
+    "display-capture": [],
+    "encrypted-media": [],
+    "fullscreen": [],
+    "geolocation": [],
+    "gyroscope": [],
+    "interest-cohort": [],
+    "magnetometer": [],
+    "microphone": [],
+    "midi": [],
+    "payment": [],
+    "usb": [],
+}
 
 # ------------------------------------------------------------------------------
 # DEFECTDOJO SPECIFIC
@@ -966,6 +985,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.middleware.security.SecurityMiddleware",
+    "django_permissions_policy.PermissionsPolicyMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",

dojo/tools/trivy/parser.py

@@ -335,52 +335,53 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
 
             misconfigurations = target_data.get("Misconfigurations", [])
             for misconfiguration in misconfigurations:
+                misc_id = misconfiguration.get("ID", None)
+                misc_avdid = misconfiguration.get("AVDID", misc_id)
+                misc_title = misconfiguration.get("Title", "Unknown Misconfiguration")
                 misc_type = misconfiguration.get("Type")
-                misc_id = misconfiguration.get("ID")
-                misc_title = misconfiguration.get("Title")
-                misc_description = misconfiguration.get("Description")
-                misc_message = misconfiguration.get("Message")
+                misc_description = misconfiguration.get("Description", "")
+                misc_message = misconfiguration.get("Message", "")
                 misc_resolution = misconfiguration.get("Resolution")
-                misc_severity = misconfiguration.get("Severity")
+                misc_severity = misconfiguration.get("Severity", "Low")
                 misc_primary_url = misconfiguration.get("PrimaryURL")
                 misc_references = misconfiguration.get("References", [])
-                misc_causemetadata = misconfiguration.get("CauseMetadata", {})
-                misc_cause_code = misc_causemetadata.get("Code", {})
-                misc_cause_lines = misc_cause_code.get("Lines", [])
-                string_lines_table = self.get_lines_as_string_table(misc_cause_lines)
+                causemeta = misconfiguration.get("CauseMetadata", {})
+                cause_code = causemeta.get("Code", {})
+                cause_lines = cause_code.get("Lines", [])
+                string_lines_table = self.get_lines_as_string_table(cause_lines)
                 if string_lines_table:
-                    misc_message += ("\n" + string_lines_table)
-
-                title = f"{misc_id} - {misc_title}"
+                    misc_message += "\n" + string_lines_table
                 description = MISC_DESCRIPTION_TEMPLATE.format(
                     target=target_target,
                     type=misc_type,
                     description=misc_description,
                     message=misc_message,
                 )
-                severity = TRIVY_SEVERITIES[misc_severity]
-                references = None
+                refs = []
                 if misc_primary_url:
-                    references = f"{misc_primary_url}\n"
-                if misc_primary_url in misc_references:
-                    misc_references.remove(misc_primary_url)
-                if references:
-                    references += "\n".join(misc_references)
-                else:
-                    references = "\n".join(misc_references)
-
+                    refs.append(misc_primary_url)
+                refs.extend(r for r in misc_references if r != misc_primary_url)
+                references = "\n".join(refs) if refs else None
+                severity = TRIVY_SEVERITIES.get(misc_severity, "Info")
+                file_path = target_target
                 finding = Finding(
                     test=test,
-                    title=title,
+                    title=f"{misc_id} - {misc_title}",
                     severity=severity,
-                    references=references,
                     description=description,
                     mitigation=misc_resolution,
+                    references=references,
+                    url=misc_primary_url,
+                    file_path=file_path,
+                    impact=misc_description,
                     fix_available=True,
                     static_finding=True,
                     dynamic_finding=False,
                     service=service_name,
                 )
+                if misc_avdid:
+                    finding.unsaved_vulnerability_ids = []
+                    finding.unsaved_vulnerability_ids.append(misc_avdid)
                 finding.unsaved_tags = [target_type, target_class]
                 items.append(finding)
 

helm/defectdojo/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.54.2"
+appVersion: "2.54.3"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.9.8
+version: 1.9.9
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
   - name: madchap
@@ -34,4 +34,4 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "false"
-  artifacthub.io/changes: "- kind: changed\n  description: Bump DefectDojo to 2.54.2\n"
+  artifacthub.io/changes: "- kind: changed\n  description: Bump DefectDojo to 2.54.3\n"

helm/defectdojo/README.md

@@ -511,7 +511,7 @@ The HELM schema will be generated for you.
 
 # General information about chart values
 
-![Version: 1.9.8](https://img.shields.io/badge/Version-1.9.8-informational?style=flat-square) ![AppVersion: 2.54.2](https://img.shields.io/badge/AppVersion-2.54.2-informational?style=flat-square)
+![Version: 1.9.9](https://img.shields.io/badge/Version-1.9.9-informational?style=flat-square) ![AppVersion: 2.54.3](https://img.shields.io/badge/AppVersion-2.54.3-informational?style=flat-square)
 
 A Helm chart for Kubernetes to install DefectDojo
 

requirements.txt

@@ -16,6 +16,7 @@ django-crispy-forms==2.5
 django_extensions==4.1
 django-slack==5.19.0
 django-watson==1.6.3
+django-permissions-policy==4.28.0
 django-prometheus==2.4.1
 Django==5.2.9
 django-single-session==0.2.0

unittests/scans/trivy/issue_14136.json

@@ -0,0 +1,108 @@
+{
+  "SchemaVersion": 2,
+  "ReportID": "019bdfd9-f774-7da7-917a-6b15e3b0b2a0",
+  "CreatedAt": "2026-01-21T10:19:22.484900675+01:00",
+  "ArtifactName": "tofu/clusters/sandbox",
+  "ArtifactType": "filesystem",
+  "Results": [
+    {
+      "Target": "../../aws-credentials/main.tf",
+      "Class": "config",
+      "Type": "terraform",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 1
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Terraform Security Check",
+          "ID": "AVD-AWS-0143",
+          "AVDID": "AVD-AWS-0143",
+          "Title": "IAM policies should not be granted directly to users.",
+          "Description": "CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\n",
+          "Message": "One or more policies are attached directly to a user",
+          "Namespace": "builtin.aws.iam.aws0143",
+          "Query": "data.builtin.aws.iam.aws0143.deny",
+          "Resolution": "Grant policies at the group level instead.",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0143",
+          "References": [
+            "https://console.aws.amazon.com/iam/",
+            "https://avd.aquasec.com/misconfig/avd-aws-0143"
+          ],
+          "Status": "FAIL",
+          "CauseMetadata": {
+            "Resource": "module.aws_credentials",
+            "Provider": "AWS",
+            "Service": "iam",
+            "StartLine": 20,
+            "EndLine": 24,
+            "Code": {
+              "Lines": [
+                {
+                  "Number": 20,
+                  "Content": "resource \"aws_iam_user\" \"this\" {",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_iam_user\"\u001b[0m \u001b[38;5;37m\"this\"\u001b[0m {",
+                  "FirstCause": true,
+                  "LastCause": false
+                },
+                {
+                  "Number": 21,
+                  "Content": "  for_each = var.users",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;245mfor_each\u001b[0m = \u001b[38;5;33mvar\u001b[0m.users",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 22,
+                  "Content": "",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 23,
+                  "Content": "  name = \"cluster-${var.cluster_name}-${each.key}\"",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "  \u001b[38;5;245mname\u001b[0m = \u001b[38;5;37m\"cluster-\u001b[0m\u001b[38;5;37m${\u001b[0m\u001b[38;5;33mvar\u001b[0m.cluster_name\u001b[38;5;37m}\u001b[0m\u001b[38;5;37m-\u001b[0m\u001b[38;5;37m${\u001b[0m\u001b[38;5;33meach\u001b[0m.key\u001b[38;5;37m}\u001b[0m\u001b[38;5;37m\"",
+                  "FirstCause": false,
+                  "LastCause": false
+                },
+                {
+                  "Number": 24,
+                  "Content": "}",
+                  "IsCause": true,
+                  "Annotation": "",
+                  "Truncated": false,
+                  "Highlighted": "\u001b[0m}",
+                  "FirstCause": false,
+                  "LastCause": true
+                }
+              ]
+            },
+            "Occurrences": [
+              {
+                "Resource": "module.aws_credentials",
+                "Filename": "main.tf",
+                "Location": {
+                  "StartLine": 183,
+                  "EndLine": 248
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  ]
+}

unittests/test_permission_policy_headers.py

@@ -0,0 +1,11 @@
+from django.test import TestCase
+from django.urls import reverse
+
+
+class EmptyPermissionsPolicyTests(TestCase):
+    def test_empty_policy_still_sets_header(self):
+        response = self.client.get(reverse("login"))
+        self.assertIn("Permissions-Policy", response.headers)
+        # Header may be empty or minimal, but must exist
+        self.assertIsNotNone(response["Permissions-Policy"])
+        self.assertGreaterEqual(len(response["Permissions-Policy"]), 2)

unittests/tools/test_trivy_parser.py

@@ -170,7 +170,7 @@ def test_kubernetes(self):
             re_finding_description = re.sub(r"\s+", " ", finding.description)
             self.assertEqual(re_description.strip(), re_finding_description.strip())
             self.assertEqual("Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", finding.mitigation)
-            self.assertIsNone(finding.unsaved_vulnerability_ids)
+            self.assertEqual(finding.unsaved_vulnerability_ids, ["KSV001"])
             self.assertEqual(["kubernetes", "config"], finding.unsaved_tags)
             self.assertIsNone(finding.component_name)
             self.assertIsNone(finding.component_version)
@@ -337,3 +337,11 @@ def test_severity_prio(self):
                 self.assertEqual("Critical", finding.severity)
                 self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", finding.cvssv3)
                 self.assertEqual(7.5, finding.cvssv3_score)
+
+    def test_misconfig_fields(self):
+        # this tests issue #14136. The unittest file is just a copy of cvss_severity_source.json with edited severities
+        with sample_path("issue_14136.json").open(encoding="utf-8") as test_file:
+            parser = TrivyParser()
+            findings = parser.get_findings(test_file, Test())
+            self.assertEqual(len(findings), 1)
+            self.assertEqual("Low", findings[0].severity)