Merge branch 'bugfix' into fix_questionnaireg

Author: manuel-sommer

.github/workflows/test-helm-chart.yml

@@ -125,27 +125,25 @@ jobs:
           chart-search-root: "helm/defectdojo"
           git-push: true
 
-      # Documentation provided in the README file needs to contain the latest information from `values.yaml` and all other related assets.
-      # If this step fails, install https://github.com/norwoodj/helm-docs and run locally `helm-docs --chart-search-root helm/defectdojo` before committing your changes.
-      # The helm-docs documentation will be generated for you.
       - name: Run helm-docs (check)
         uses: losisin/helm-docs-github-action@a57fae5676e4c55a228ea654a1bcaec8dd3cf5b5 # v1.6.2
         if: ${{ !(startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')) }}
         with:
           fail-on-diff: true
           chart-search-root: "helm/defectdojo"
 
+      - name: Failed Information
+        if: failure()
+        run: |-
+          echo "Your HELM chart changed but you haven't adjusted documentation. Check https://github.com/defectdojo/django-DefectDojo/tree/master/helm/defectdojo#helm-docs-update for more information."
+
   generate_schema:
     name: Update schema
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      # The HELM structure supports the existence of a `values.schema.json` file. This file is used to validate all values provided by the user before Helm starts rendering templates.
-      # The chart needs to have a `values.schema.json` file that is compatible with the default `values.yaml` file.
-      # If this step fails, install https://github.com/losisin/helm-values-schema-json and run locally `helm schema --use-helm-docs` in `helm/defectdojo` before committing your changes.
-      # The helm schema will be generated for you.
       - name: Generate values schema json
         uses: losisin/helm-values-schema-json-action@660c441a4a507436a294fc55227e1df54aca5407 # v2.3.1
         with:
@@ -154,6 +152,11 @@ jobs:
           useHelmDocs: true
           values: values.yaml
 
+      - name: Failed Information
+        if: failure()
+        run: |-
+          echo "Your HELM chart changed but you haven't adjusted schema. Check https://github.com/defectdojo/django-DefectDojo/tree/master/helm/defectdojo#helm-schema-update for more information."
+
   lint_format:
     name: Lint chart (format)
     runs-on: ubuntu-latest

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.52.1"
+__version__ = "2.52.2"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/tools/qualys/parser.py

@@ -311,22 +311,16 @@ def parse_finding(host, tree):
                         split_cvss(cvss2, temp)
                         # DefectDojo does not support cvssv2
                         temp["CVSS_vector"] = None
-
             # CVE and LINKS
-            temp_cve_details = vuln_item.iterfind("CVE_ID_LIST/CVE_ID")
-            if temp_cve_details:
-                cl = {
-                    cve_detail.findtext("ID"): cve_detail.findtext("URL")
-                    for cve_detail in temp_cve_details
-                }
-                temp["cve"] = "\n".join(list(cl.keys()))
-                temp["links"] = "\n".join(list(cl.values()))
+            temp_cve_details = [(cve.findtext("ID"), cve.findtext("URL")) for cve in vuln_item.iterfind("CVE_ID_LIST/CVE_ID")]
+            temp["cve_list"] = [cve_id for cve_id, _ in temp_cve_details if cve_id]
+            temp["links"] = [url for _, url in temp_cve_details if url]
 
         # Generate severity from number in XML's 'SEVERITY' field, if not present default to 'Informational'
         sev = get_severity(vuln_item.findtext("SEVERITY"))
         finding = None
         if temp_cve_details:
-            refs = "\n".join(list(cl.values()))
+            refs = temp.get("links", "")
             finding = Finding(
                 title="QID-" + gid[4:] + " | " + temp["vuln_name"],
                 mitigation=temp["solution"],
@@ -363,6 +357,7 @@ def parse_finding(host, tree):
         finding.verified = True
         finding.unsaved_endpoints = []
         finding.unsaved_endpoints.append(ep)
+        finding.unsaved_vulnerability_ids = temp.get("cve_list", [])
         ret_rows.append(finding)
     return ret_rows
 

helm/defectdojo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.53.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.8.2-dev
+version: 1.8.3-dev
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
   - name: madchap

helm/defectdojo/README.md

@@ -493,9 +493,26 @@ kubectl delete serviceAccount defectdojo
 kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 ```
 
+## Development/contribution
+
+In case you decide to help with the improvement of the HELM chart, keep in mind that values/descriptions might need to be adjusted in multiple places (see below).
+
+### HELM Docs update
+
+Documentation provided in the README file needs to contain the latest information from `values.yaml` and all other related assets.
+If GitHub Action _Lint Helm chart / Update documentation_ step fails, install https://github.com/norwoodj/helm-docs and run locally `helm-docs --chart-search-root helm/deeefectdojo` before committing your changes.
+The helm-docs documentation will be generated for you.
+     
+### HELM Schema update
+
+The HELM structure supports the existence of a `values.schema.json` file. This file is used to validate all values provided by the user before Helm starts rendering templates.
+The chart needs to have a `values.schema.json` file that is compatible with the default `values.yaml` file.
+If GitHub Action _Lint Helm chart / Update schema_ step fails, install https://github.com/losisin/helm-values-schema-json and run locally `helm schema --use-helm-docs` in `helm/defectdojo` before committing your changes.
+The HELM schema will be generated for you.
+
 # General information about chart values
 
-![Version: 1.8.2-dev](https://img.shields.io/badge/Version-1.8.2--dev-informational?style=flat-square) ![AppVersion: 2.53.0-dev](https://img.shields.io/badge/AppVersion-2.53.0--dev-informational?style=flat-square)
+![Version: 1.8.3-dev](https://img.shields.io/badge/Version-1.8.3--dev-informational?style=flat-square) ![AppVersion: 2.53.0-dev](https://img.shields.io/badge/AppVersion-2.53.0--dev-informational?style=flat-square)
 
 A Helm chart for Kubernetes to install DefectDojo
 

helm/defectdojo/README.md.gotmpl

@@ -495,6 +495,22 @@ kubectl delete serviceAccount defectdojo
 kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 ```
 
+## Development/contribution
+
+In case you decide to help with the improvement of the HELM chart, keep in mind that values/descriptions might need to be adjusted in multiple places (see below).
+
+### HELM Docs update
+
+Documentation provided in the README file needs to contain the latest information from `values.yaml` and all other related assets.
+If GitHub Action _Lint Helm chart / Update documentation_ step fails, install https://github.com/norwoodj/helm-docs and run locally `helm-docs --chart-search-root helm/deeefectdojo` before committing your changes.
+The helm-docs documentation will be generated for you.
+      
+### HELM Schema update
+
+The HELM structure supports the existence of a `values.schema.json` file. This file is used to validate all values provided by the user before Helm starts rendering templates.
+The chart needs to have a `values.schema.json` file that is compatible with the default `values.yaml` file.
+If GitHub Action _Lint Helm chart / Update schema_ step fails, install https://github.com/losisin/helm-values-schema-json and run locally `helm schema --use-helm-docs` in `helm/defectdojo` before committing your changes.
+The HELM schema will be generated for you.
 
 # General information about chart values
 

unittests/tools/test_qualys_parser.py

@@ -151,10 +151,38 @@ def test_parse_file_with_cvss_values_and_scores(self):
             for finding in findings:
                 if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)":
                     finding_cvssv3_score = finding
+                    self.assertEqual(
+                        finding.unsaved_vulnerability_ids,
+                        [
+                            "CVE-2018-8930",
+                            "CVE-2018-8931",
+                            "CVE-2018-8932",
+                            "CVE-2018-8933",
+                            "CVE-2018-8934",
+                            "CVE-2018-8935",
+                            "CVE-2018-8936",
+                        ],
+                    )
                 if finding.unsaved_endpoints[0].host == "demo13.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)":
                     finding_no_cvssv3_at_detection = finding
+                    self.assertEqual(
+                        finding.unsaved_vulnerability_ids,
+                        [
+                            "CVE-2018-8930",
+                            "CVE-2018-8931",
+                            "CVE-2018-8932",
+                            "CVE-2018-8933",
+                            "CVE-2018-8934",
+                            "CVE-2018-8935",
+                            "CVE-2018-8936",
+                        ],
+                    )
                 if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == 'QID-121695 | NTP "monlist"  Feature Denial of Service Vulnerability':
                     finding_no_cvssv3 = finding
+                    self.assertEqual(
+                        finding.unsaved_vulnerability_ids,
+                        ["CVE-2013-5211"],
+                    )
             # The CVSS Vector is not used from the Knowledgebase
             self.assertEqual(
                 # CVSS_FINAL is defined without a cvssv3 vector