Merge branch 'bugfix' into implement_oidc_groups

Author: manuel-sommer

docs/content/en/connecting_your_tools/import_intro.md

@@ -4,18 +4,16 @@ description: "Learn how to import data manually, through the API, or via a conne
 weight: 1
 ---
 
-One of the things we understand at DefectDojo is that every company’s security needs are completely different. There is no ‘one\-size\-fits\-all’ approach. As your organization changes, having a flexible approach is key.
-
-DefectDojo allows you to connect your security tools in a flexible way to match those changes.
+One of the things we understand at DefectDojo is that every company’s security needs are completely different. There is no one-size-fits-all approach. As your organization changes, having a flexible approach is key, and DefectDojo allows you to connect your security tools in a flexible way to match those changes.
 
 ## Scan Upload Methods
 
-When DefectDojo receives a vulnerability report from a security tool, it will create Findings based on the vulnerabilities contained within that report. DefectDojo acts as the central repository for these Findings where they can be triaged, remediated or otherwise addressed by you and your team.
+When DefectDojo receives a vulnerability report from a security tool, it will create Findings based on the vulnerabilities contained within that report. DefectDojo acts as the central repository for these Findings where they can be triaged, remediated, or otherwise addressed by you and your team.
 
 There are two main ways that DefectDojo can upload Finding reports.
 
 * Via direct **import** through the UI: [Import Scan Form](../import_scan_files/import_scan_ui)
-* Via **API** endpoint (allowing for automated data ingest): See [API Docs](https://docs.defectdojo.com/en/api/api-v2-docs/)
+* Via **API** endpoint (allowing for automated data ingestion): See [API Docs](https://docs.defectdojo.com/en/api/api-v2-docs/)
 
 #### DefectDojo Pro Methods
 
@@ -29,8 +27,8 @@ There are two main ways that DefectDojo can upload Finding reports.
 
 |  | **UI Import** | **API** | **Connectors** <span style="background-color:rgba(242, 86, 29, 0.3)">(Pro)</span> | **Smart Upload**  <span style="background-color:rgba(242, 86, 29, 0.3)">(Pro)</span>|
 | --- | --- | --- | --- | --- |
-| **Supported Scan Types** | All: see [Supported Tools](/supported_tools/) | All: see [Supported Tools](/supported_tools/) | Snyk, Semgrep, Burp Suite, AWS Security Hub, Probely, Checkmarx, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable |
-| **Automation?** | Available via API: `/reimport` `/import` endpoints | Triggered from [CLI Importer](../external_tools) or external code | Connectors is inherently automated | Available via API: `/smart_upload_import` endpoint |
+| **Supported Scan Types** | All: see [Supported Tools](/supported_tools/) | All: see [Supported Tools](/supported_tools/) | Anchore, AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable, Wiz | Nexpose, NMap, OpenVas, Qualys, Tenable |
+| **Automation?** | Available via API: `/reimport` `/import` endpoints | Triggered from [CLI Importer](../external_tools) or external code | Connectors is an inherently automated feature | Available via API: `/smart_upload_import` endpoint |
 
 ### Product Hierarchy and organization
 

docs/content/en/working_with_findings/organizing_engagements_tests/product_hierarchy.md

@@ -116,16 +116,17 @@ Tests always have:
 * an associated test **Environment**
 * an associated **Engagement**
 
-Tests can be created in different ways.  Tests can be automatically created when scan data is imported directly into to an Engagement, resulting in a new Test containing the scan data. Tests can also be created in anticipation of planning future engagements, or for manually entered security findings requiring tracking and remediation.
+Tests can be created in different ways.  Tests can be automatically created when scan data is imported directly into an Engagement, resulting in a new Test containing the scan data. Tests can also be created in anticipation of planning future engagements, or for manually entered security findings requiring tracking and remediation.
 
 ### **Test Types**
 
 DefectDojo supports two categories of Test Types:
 
 1. **Parser-based Test Types**: These correspond to specific security scanners that produce output in formats like XML, JSON, or CSV. When importing scan results, DefectDojo uses specialized parsers to convert the scanner output into Findings.
 
-2. **Non-parser Test Types**: These are used for manually created findings not imported from a scan files. 
-The following Test Types appear in the "Scan Type" dropdown when creating a new test, but will not appear when selecting "Import Scan":
+2. **Non-parser Test Types**: These are used for manually created Findings not imported from scan files.  These Test Types use the [Generic Findings Import](/supported_tools/parsers/generic_findings_import/) method to render Findings and metadata.
+
+The following Test Types appear in the "Scan Type" dropdown when creating a new test.
    * API Test
    * Static Check
    * Pen Test

docs/content/supported_tools/_index.md

@@ -26,7 +26,7 @@ DefectDojo can parse data from 200+ security reports and counting.
 
 | [Connectors](/en/connecting_your_tools/connectors/about_connectors/): supported tools | [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/): supported tools |
 | --- | --- |
-| AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
+| Anchore, AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
 
 # All Supported Tools
 

docs/content/supported_tools/parsers/generic_findings_import.md

@@ -8,11 +8,13 @@ Open-source and Pro users can use Generic Findings Import as a method to ingest
 
 Using Generic Findings Import will create a new Test Type in your DefectDojo instance called "`{The Name Of Your Test}` (Generic Findings Import)".  For example, this JSON content will result in a Test Type called "Example Report (Generic Findings Import)":
 
+```
 {
     "name": "Example Report",
     "findings": []
 }
+```
 
 DefectDojo Pro users can also consider using the [Universal Parser](../universal_parser), a tool which allows for highly customizable JSON, XML and CSV imports.
 
-For more information on supported parameters for Generic Findings Import, see the [Parser Guide](../file/generic)
+For more information on supported parameters for Generic Findings Import, see the related [Parser Guide](../file/generic).

dojo/api_v2/views.py

@@ -14,6 +14,7 @@
 from django.db.models.query import QuerySet as DjangoQuerySet
 from django.http import FileResponse, HttpResponse
 from django.shortcuts import get_object_or_404
+from django.urls import reverse
 from django.utils import timezone
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.renderers import OpenApiJsonRenderer2
@@ -176,6 +177,7 @@
     generate_file_response,
     get_setting,
     get_system_setting,
+    process_tag_notifications,
 )
 
 logger = logging.getLogger(__name__)
@@ -528,6 +530,15 @@ def notes(self, request, pk=None):
             )
             note.save()
             engagement.notes.add(note)
+            # Determine if we need to send any notifications for user mentioned
+            process_tag_notifications(
+                request=request,
+                note=note,
+                parent_url=request.build_absolute_uri(
+                    reverse("view_engagement", args=(engagement.id,)),
+                ),
+                parent_title=f"Engagement: {engagement.name}",
+            )
 
             serialized_note = serializers.NoteSerializer(
                 {"author": author, "entry": entry, "private": private},
@@ -1086,6 +1097,15 @@ def notes(self, request, pk=None):
             )
             note.save()
             finding.notes.add(note)
+            # Determine if we need to send any notifications for user mentioned
+            process_tag_notifications(
+                request=request,
+                note=note,
+                parent_url=request.build_absolute_uri(
+                    reverse("view_finding", args=(finding.id,)),
+                ),
+                parent_title=f"Finding: {finding.title}",
+            )
 
             if finding.has_jira_issue:
                 jira_helper.add_comment(finding, note)
@@ -2135,6 +2155,15 @@ def notes(self, request, pk=None):
             )
             note.save()
             test.notes.add(note)
+            # Determine if we need to send any notifications for user mentioned
+            process_tag_notifications(
+                request=request,
+                note=note,
+                parent_url=request.build_absolute_uri(
+                    reverse("view_test", args=(test.id,)),
+                ),
+                parent_title=f"Test: {test.title}",
+            )
 
             serialized_note = serializers.NoteSerializer(
                 {"author": author, "entry": entry, "private": private},

dojo/finding/helper.py

@@ -1,5 +1,6 @@
 import logging
 from contextlib import suppress
+from datetime import datetime
 from time import strftime
 
 from django.conf import settings
@@ -9,6 +10,7 @@
 from django.dispatch.dispatcher import receiver
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.timezone import is_naive, make_aware, now
 from fieldsignals import pre_save_changed
 
 import dojo.jira_link.helper as jira_helper
@@ -740,6 +742,17 @@ def save_vulnerability_ids_template(finding_template, vulnerability_ids):
         finding_template.cve = None
 
 
+def normalize_datetime(value):
+    """Ensure value is timezone-aware datetime."""
+    if value:
+        if not isinstance(value, datetime):
+            value = datetime.combine(value, datetime.min.time())
+        # Make timezone-aware if naive
+        if is_naive(value):
+            value = make_aware(value)
+    return value
+
+
 def close_finding(
     *,
     finding,
@@ -761,15 +774,16 @@ def close_finding(
     """
     # Core status updates
     finding.is_mitigated = is_mitigated
-    now = timezone.now()
-    finding.mitigated = mitigated or now
+    current_time = now()
+    mitigated_date = normalize_datetime(mitigated) or current_time
+    finding.mitigated = mitigated_date
     finding.mitigated_by = mitigated_by or user
     finding.active = False
     finding.false_p = bool(false_p)
     finding.out_of_scope = bool(out_of_scope)
     finding.duplicate = bool(duplicate)
     finding.under_review = False
-    finding.last_reviewed = finding.mitigated
+    finding.last_reviewed = mitigated_date
     finding.last_reviewed_by = user
 
     # Create note if provided
@@ -779,16 +793,16 @@ def close_finding(
             entry=note_entry,
             author=user,
             note_type=note_type,
-            date=finding.mitigated,
+            date=mitigated_date,
         )
         finding.notes.add(new_note)
 
     # Endpoint statuses
     for status in finding.status_finding.all():
         status.mitigated_by = finding.mitigated_by
-        status.mitigated_time = finding.mitigated
+        status.mitigated_time = mitigated_date
         status.mitigated = True
-        status.last_modified = timezone.now()
+        status.last_modified = current_time
         status.save()
 
     # Risk acceptance

dojo/finding/views.py

@@ -1145,12 +1145,14 @@ def close_finding(request, fid):
     note_type_activation = Note_Type.objects.filter(is_active=True)
     missing_note_types = get_missing_mandatory_notetypes(finding) if len(note_type_activation) else note_type_activation
     form = CloseFindingForm(
+        instance=finding,
         missing_note_types=missing_note_types,
         can_edit_mitigated_data=finding_helper.can_edit_mitigated_data(request.user),
     )
     if request.method == "POST":
         form = CloseFindingForm(
             request.POST,
+            instance=finding,
             missing_note_types=missing_note_types,
             can_edit_mitigated_data=finding_helper.can_edit_mitigated_data(request.user),
         )

dojo/importers/default_reimporter.py

@@ -772,4 +772,6 @@ def calculate_unsaved_finding_hash_code(
         self,
         unsaved_finding: Finding,
     ) -> str:
+        # this is overridden in Pro, but will still call this via super()
+        deduplicationLogger.debug("Calculating hash code for unsaved finding")
         return unsaved_finding.compute_hash_code()

dojo/models.py

@@ -2910,6 +2910,11 @@ def risk_acceptance(self):
         return None
 
     def compute_hash_code(self):
+        # Allow Pro to overwrite compute hash_code which gets dedupe settings from a database instead of django.settings
+        from dojo.utils import get_custom_method  # noqa: PLC0415 circular import
+        if compute_hash_code_method := get_custom_method("FINDING_COMPUTE_HASH_METHOD"):
+            deduplicationLogger.debug("using custom compute_hash_code method")
+            return compute_hash_code_method(self)
 
         # Check if all needed settings are defined
         if not hasattr(settings, "HASHCODE_FIELDS_PER_SCANNER") or not hasattr(settings, "HASHCODE_ALLOWS_NULL_CWE") or not hasattr(settings, "HASHCODE_ALLOWED_FIELDS"):

dojo/tools/pwn_sast/parser.py

@@ -115,6 +115,10 @@ def get_findings(self, filename, test):
                             file_path=offending_file,
                             unique_id_from_tool=unique_finding_key,
                         )
+                        if mitigation:
+                            finding.fix_available = True
+                        else:
+                            finding.fix_available = False
                         findings[unique_finding_key] = finding
 
             return list(findings.values())