Merge branch 'bugfix' into fix_13628

manuel-sommer · web-flow · commit bd7462a0e418 · 2025-11-10T10:00:30.000+01:00
diff --git a/.github/workflows/test-helm-chart.yml b/.github/workflows/test-helm-chart.yml
@@ -107,6 +107,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
   
       - name: Update values in HELM chart
         if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')
diff --git a/docs/content/supported_tools/parsers/file/nancy.md b/docs/content/supported_tools/parsers/file/nancy.md
@@ -16,7 +16,7 @@ This parser expects a JSON file.
 Sample Nancy scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/nancy).
 
 ### Link To Tool
-See Nancy on GitHub: https://github.com/sonatype-nexus-community/nancy
+See Nancy on [Github](https://github.com/sonatype-nexus-community/nancy)
 
 ### Default Deduplication Hashcode Fields
 By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -1131,6 +1131,18 @@ def __init__(self, *args, **kwargs):
         else:
             self.fields["lead"].queryset = get_authorized_users(Permissions.Test_View).filter(is_active=True)
 
+    def is_valid(self):
+        valid = super().is_valid()
+
+        # we're done now if not valid
+        if not valid:
+            return valid
+        if self.cleaned_data["target_start"] > self.cleaned_data["target_end"]:
+            self.add_error("target_start", "Your target start date exceeds your target end date")
+            self.add_error("target_end", "Your target start date exceeds your target end date")
+            return False
+        return True
+
     class Meta:
         model = Test
         fields = ["title", "test_type", "target_start", "target_end", "description",
diff --git a/dojo/middleware.py b/dojo/middleware.py
@@ -83,23 +83,23 @@ def __call__(self, request):
 class CustomSocialAuthExceptionMiddleware(SocialAuthExceptionMiddleware):
     def process_exception(self, request, exception):
         if isinstance(exception, requests.exceptions.RequestException):
-            messages.error(request, "Please use the standard login below.")
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_REQUEST_EXCEPTION)
             return redirect("/login?force_login_form")
         if isinstance(exception, AuthCanceled):
-            messages.warning(request, "Social login was canceled. Please try again or use the standard login.")
+            messages.warning(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_CANCELED)
             return redirect("/login?force_login_form")
         if isinstance(exception, AuthFailed):
-            messages.error(request, "Social login failed. Please try again or use the standard login.")
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FAILED)
             return redirect("/login?force_login_form")
         if isinstance(exception, AuthForbidden):
-            messages.error(request, "You are not authorized to log in via this method. Please contact support or use the standard login.")
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN)
             return redirect("/login?force_login_form")
         if isinstance(exception, AuthTokenError):
-            messages.error(request, "Social login failed due to an invalid or expired token. Please try again or use the standard login.")
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR)
             return redirect("/login?force_login_form")
         if isinstance(exception, TypeError) and "'NoneType' object is not iterable" in str(exception):
             logger.warning("OIDC login error: NoneType is not iterable")
-            messages.error(request, "An unexpected error occurred during social login. Please use the standard login.")
+            messages.error(request, settings.SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE)
             return redirect("/login?force_login_form")
         logger.error(f"Unhandled exception during social login: {exception}")
         return super().process_exception(request, exception)
diff --git a/dojo/models.py b/dojo/models.py
@@ -1093,8 +1093,8 @@ def save(self, *args, **kwargs):
                     product.async_updating = True
                     super(Product, product).save()
                 # launch the async task to update all finding sla expiration dates
-                from dojo.sla_config.helpers import update_sla_expiration_dates_sla_config_async  # noqa: I001, PLC0415 circular import
-                update_sla_expiration_dates_sla_config_async(self, products, tuple(severities))
+                from dojo.sla_config.helpers import async_update_sla_expiration_dates_sla_config_sync  # noqa: I001, PLC0415 circular import
+                async_update_sla_expiration_dates_sla_config_sync(self, products, severities=severities)
 
     def clean(self):
         sla_days = [self.critical, self.high, self.medium, self.low]
@@ -1255,8 +1255,8 @@ def save(self, *args, **kwargs):
                     sla_config.async_updating = True
                     super(SLA_Configuration, sla_config).save()
                 # launch the async task to update all finding sla expiration dates
-                from dojo.sla_config.helpers import update_sla_expiration_dates_product_async  # noqa: I001, PLC0415 circular import
-                update_sla_expiration_dates_product_async(self, sla_config)
+                from dojo.sla_config.helpers import async_update_sla_expiration_dates_sla_config_sync  # noqa: I001, PLC0415 circular import
+                async_update_sla_expiration_dates_sla_config_sync(sla_config, Product.objects.filter(id=self.id))
 
     def get_absolute_url(self):
         return reverse("view_product", args=[str(self.id)])
@@ -3146,16 +3146,25 @@ def get_sla_configuration(self):
         return self.test.engagement.product.sla_configuration
 
     def get_sla_period(self):
+        # Determine which method to use to calculate the SLA
+        from dojo.utils import get_custom_method  # noqa: PLC0415 circular import
+        if method := get_custom_method("FINDING_SLA_PERIOD_METHOD"):
+            return method(self)
+        # Run the default method
         sla_configuration = self.get_sla_configuration()
         sla_period = getattr(sla_configuration, self.severity.lower(), None)
         enforce_period = getattr(sla_configuration, str("enforce_" + self.severity.lower()), None)
         return sla_period, enforce_period
 
     def set_sla_expiration_date(self):
+        # First check if SLA is enabled globally
         system_settings = System_Settings.objects.get()
         if not system_settings.enable_finding_sla:
             return
+        # Call the internal method to set the sla expiration date
+        self._set_sla_expiration_date()
 
+    def _set_sla_expiration_date(self):
         # some parsers provide date as a `str` instead of a `date` in which case we need to parse it #12299 on GitHub
         sla_start_date = self.get_sla_start_date()
         if sla_start_date and isinstance(sla_start_date, str):
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -174,6 +174,12 @@
     DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY=(str, ""),
     DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET=(str, ""),
     DD_SOCIAL_AUTH_USERNAME_IS_FULL_EMAIL=(bool, True),
+    DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_REQUEST_EXCEPTION=(str, "Please use the standard login below."),
+    DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_CANCELED=(str, "Social login was canceled. Please try again or use the standard login."),
+    DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FAILED=(str, "Social login failed. Please try again or use the standard login."),
+    DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN=(str, "You are not authorized to log in via this method. Please contact support or use the standard login."),
+    DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE=(str, "An unexpected error occurred during social login. Please use the standard login."),
+    DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR=(str, "Social login failed due to an invalid or expired token. Please try again or use the standard login."),
     DD_SAML2_ENABLED=(bool, False),
     # Allows to override default SAML authentication backend. Check https://djangosaml2.readthedocs.io/contents/setup.html#custom-user-attributes-processing
     DD_SAML2_AUTHENTICATION_BACKENDS=(str, "djangosaml2.backends.Saml2Backend"),
@@ -649,6 +655,13 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 if value := env("DD_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT"):
     SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT = value
 
+SOCIAL_AUTH_EXCEPTION_MESSAGE_REQUEST_EXCEPTION = env("DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_REQUEST_EXCEPTION")
+SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_CANCELED = env("DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_CANCELED")
+SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FAILED = env("DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FAILED")
+SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN = env("DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_FORBIDDEN")
+SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE = env("DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_NONE_TYPE")
+SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR = env("DD_SOCIAL_AUTH_EXCEPTION_MESSAGE_AUTH_TOKEN_ERROR")
+
 AUTH0_OAUTH2_ENABLED = env("DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED")
 SOCIAL_AUTH_AUTH0_KEY = env("DD_SOCIAL_AUTH_AUTH0_KEY")
 SOCIAL_AUTH_AUTH0_SECRET = env("DD_SOCIAL_AUTH_AUTH0_SECRET")
diff --git a/dojo/sla_config/helpers.py b/dojo/sla_config/helpers.py
@@ -2,49 +2,50 @@
 
 from dojo.celery import app
 from dojo.decorators import dojo_async_task
-from dojo.models import Finding, Product, SLA_Configuration
-from dojo.utils import calculate_grade, mass_model_updater
+from dojo.models import Finding, Product, SLA_Configuration, System_Settings
+from dojo.utils import get_custom_method, mass_model_updater
 
 logger = logging.getLogger(__name__)
 
 
 @dojo_async_task
 @app.task
-def update_sla_expiration_dates_sla_config_async(sla_config, products, severities, *args, **kwargs):
-    update_sla_expiration_dates_sla_config_sync(sla_config, products, severities)
+def async_update_sla_expiration_dates_sla_config_sync(sla_config: SLA_Configuration, products: list[Product], *args, severities: list[str] | None = None, **kwargs):
+    if method := get_custom_method("FINDING_SLA_EXPIRATION_CALCULATION_METHOD"):
+        method(sla_config, products, severities=severities)
+    else:
+        update_sla_expiration_dates_sla_config_sync(sla_config, products, severities=severities)
 
 
-@dojo_async_task
-@app.task
-def update_sla_expiration_dates_product_async(product, sla_config, *args, **kwargs):
-    update_sla_expiration_dates_sla_config_sync(sla_config, [product])
-
-
-def update_sla_expiration_dates_sla_config_sync(sla_config, products, severities=None):
+def update_sla_expiration_dates_sla_config_sync(sla_config: SLA_Configuration, products: list[Product], severities: list[str] | None = None):
     logger.info("Updating finding SLA expiration dates within the %s SLA configuration", sla_config)
+    # First check if SLA is enabled globally
+    system_settings = System_Settings.objects.get()
+    if not system_settings.enable_finding_sla:
+        return
     # update each finding that is within the SLA configuration that was saved
     findings = Finding.objects.filter(test__engagement__product__sla_configuration_id=sla_config.id)
     if products:
         findings = findings.filter(test__engagement__product__in=products)
     if severities:
         findings = findings.filter(severity__in=severities)
 
-    findings = findings.prefetch_related(
+    findings = (
+        findings.prefetch_related(
             "test",
             "test__engagement",
             "test__engagement__product",
             "test__engagement__product__sla_configuration",
+        )
+        .order_by("id")
+        .only("id", "sla_start_date", "date", "severity", "test")
     )
-
-    findings = findings.order_by("id").only("id", "sla_start_date", "date", "severity", "test")
-
+    # Call the internal method so that we are not checking system settings for each finding
     mass_model_updater(Finding, findings, lambda f: f.set_sla_expiration_date(), fields=["sla_expiration_date"])
 
     # reset the async updating flag to false for all products using this sla config
-    for product in products:
-        product.async_updating = False
-        super(Product, product).save()
-        calculate_grade(product)
+    # use update as we don't want save() and signals to be triggered
+    products.update(async_updating=False)
 
     # reset the async updating flag to false for this sla config
     sla_config.async_updating = False
diff --git a/dojo/tools/nancy/parser.py b/dojo/tools/nancy/parser.py
@@ -1,6 +1,7 @@
 import json
 
 from cvss.cvss3 import CVSS3
+from cvss.cvss4 import CVSS4
 
 from dojo.models import Finding
 
@@ -64,17 +65,18 @@ def get_items(self, vulnerable, test):
                         out_of_scope=False,
                         static_finding=True,
                         dynamic_finding=False,
-                        vuln_id_from_tool=associated_vuln["Id"],
+                        vuln_id_from_tool=associated_vuln.get("Id", associated_vuln.get("ID")),
                         references="\n".join(references),
                     )
-
                     finding.unsaved_vulnerability_ids = vulnerability_ids
-
+                    cvss_vector = associated_vuln["CvssVector"]
                     # CVSSv3 vector
-                    if associated_vuln["CvssVector"]:
+                    if cvss_vector and cvss_vector.startswith("CVSS:3."):
                         finding.cvssv3 = CVSS3(
                             associated_vuln["CvssVector"]).clean_vector()
-
+                    elif cvss_vector and cvss_vector.startswith("CVSS:4."):
+                        finding.cvssv4 = CVSS4(
+                            associated_vuln["CvssVector"]).clean_vector()
                     # do we have a CWE?
                     if associated_vuln["Title"].startswith("CWE-"):
                         cwe = (associated_vuln["Title"]
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
@@ -34,4 +34,8 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "true"
-  artifacthub.io/changes: ""
+  artifacthub.io/changes: |
+    - kind: fixed
+      description: Broken rendering of media PVC
+    - kind: fixed
+      description: Typo in description of digests
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
@@ -674,11 +674,11 @@ A Helm chart for Kubernetes to install DefectDojo
 | host | string | `"defectdojo.default.minikube.local"` | Primary hostname of instance |
 | imagePullPolicy | string | `"Always"` |  |
 | imagePullSecrets | string | `nil` | When using a private registry, name of the secret that holds the registry secret (eg deploy token from gitlab-ci project) Create secrets as: kubectl create secret docker-registry defectdojoregistrykey --docker-username=registry_username --docker-password=registry_password --docker-server='https://index.docker.io/v1/' |
-| images.django.image.digest | string | `""` | Prefix "sha@" is expected in this place |
+| images.django.image.digest | string | `""` | Prefix "sha256:" is expected in this place |
 | images.django.image.registry | string | `""` |  |
 | images.django.image.repository | string | `"defectdojo/defectdojo-django"` |  |
 | images.django.image.tag | string | `""` | If empty, use appVersion. Another possible values are: latest, X.X.X, X.X.X-debian, X.X.X-alpine (where X.X.X is version of DD). For dev builds (only for testing purposes): nightly-dev, nightly-dev-debian, nightly-dev-alpine. To see all, check https://hub.docker.com/r/defectdojo/defectdojo-django/tags. |
-| images.nginx.image.digest | string | `""` | Prefix "sha@" is expected in this place |
+| images.nginx.image.digest | string | `""` | Prefix "sha256:" is expected in this place |
 | images.nginx.image.registry | string | `""` |  |
 | images.nginx.image.repository | string | `"defectdojo/defectdojo-nginx"` |  |
 | images.nginx.image.tag | string | `""` | If empty, use appVersion. Another possible values are: latest, X.X.X, X.X.X-alpine (where X.X.X is version of DD). For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine. To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags. |
diff --git a/helm/defectdojo/templates/media-pvc.yaml b/helm/defectdojo/templates/media-pvc.yaml
@@ -4,7 +4,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  {{- with .Values.extraAnnotations }}
+  {{- with $.Values.extraAnnotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ quote $value }}
@@ -16,19 +16,19 @@ metadata:
     app.kubernetes.io/instance: {{ $.Release.Name }}
     app.kubernetes.io/managed-by: {{ $.Release.Service }}
     helm.sh/chart: {{ include "defectdojo.chart" $ }}
-    {{- range $key, $value := .Values.extraLabels }}
+    {{- range $key, $value := $.Values.extraLabels }}
     {{ $key }}: {{ quote $value }}
     {{- end }}
   name: {{ $fullName }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
 spec:
   accessModes: 
   {{- toYaml .persistentVolumeClaim.accessModes | nindent 4 }}
   resources:
     requests:
       storage: {{ .persistentVolumeClaim.size }}
-  {{- if .persistentVolumeClaim.storageClassName }}
-  storageClassName: {{ .persistentVolumeClaim.storageClassName }}
+  {{- with .persistentVolumeClaim.storageClassName }}
+  storageClassName: {{ . }}
   {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json
@@ -865,7 +865,7 @@
                             "type": "object",
                             "properties": {
                                 "digest": {
-                                    "description": "Prefix \"sha@\" is expected in this place",
+                                    "description": "Prefix \"sha256:\" is expected in this place",
                                     "type": "string"
                                 },
                                 "registry": {
@@ -889,7 +889,7 @@
                             "type": "object",
                             "properties": {
                                 "digest": {
-                                    "description": "Prefix \"sha@\" is expected in this place",
+                                    "description": "Prefix \"sha256:\" is expected in this place",
                                     "type": "string"
                                 },
                                 "registry": {
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
@@ -37,7 +37,7 @@ images:
       # For dev builds (only for testing purposes): nightly-dev, nightly-dev-debian, nightly-dev-alpine.
       # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-django/tags.
       tag: ""
-      # -- Prefix "sha@" is expected in this place
+      # -- Prefix "sha256:" is expected in this place
       digest: ""
   nginx:
     image:
@@ -48,7 +48,7 @@ images:
       # For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine.
       # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags.
       tag: ""
-      # -- Prefix "sha@" is expected in this place
+      # -- Prefix "sha256:" is expected in this place
       digest: ""
 
 # -- Enables application network policy
diff --git a/unittests/scans/nancy/issue_12860.json b/unittests/scans/nancy/issue_12860.json
diff --git a/unittests/tools/test_nancy_parser.py b/unittests/tools/test_nancy_parser.py
