
Datatables.net package updates#12682

Merged
Maffooch merged 7 commits into
DefectDojo:devfrom
devospice:datatables-package-updates
Jun 30, 2025

Conversation

@devospice

Contributor

⚠️ Pre-Approval check ⚠️

I have received pre-approval to submit this pull request.

Description

This update brings the datatables.net libraries up to their current versions, being:
"datatables.net": "^1.13.4",
"datatables.net-buttons-bs": "^2.3.6",
"datatables.net-buttons-dt": "^2.3.6",
"datatables.net-colreorder": "^1.6.1",
"datatables.net-dt": "^1.13.4",

This update also necessitated updating a couple of links in the base.html file due to a change within the libraries.

Test results

All the tests within tests/ and dojo/unittests seem to have passed. This was confirmed by members of the Dojo team as well.

Documentation

No documentation updates were necessary.

Checklist

This checklist is for your information.

  • [x] Make sure to rebase your PR against the very latest dev.
  • [x] Features/Changes should be submitted against the dev.
  • [x] Bugfixes should be submitted against the bugfix branch.
  • [x] Give a meaningful name to your PR, as it may end up being used in the release notes.
  • [x] Your code is flake8 compliant.
  • [x] Your code is python 3.11 compliant.
  • [x] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • [x] Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • [x] Add applicable tests to the unit tests.
  • [x] Add the proper label to categorize your PR.

@dryrunsecurity

dryrunsecurity Bot commented Jun 24, 2025


DryRun Security

🔴 Risk threshold exceeded.

This pull request contains a sensitive edit to the base.html template and introduces DataTables dependencies with historical vulnerabilities, though neither finding is currently blocking the merge.

🔴 Configured Codepaths Edit in dojo/templates/base.html
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Dependency Security Risk in components/package.json
Vulnerability: Dependency Security Risk
Description: The patch introduces DataTables dependencies with known historical vulnerabilities. Specifically, CVE-2020-28458 indicates a prototype pollution vulnerability, and CVE-2021-36713 reveals a potential Cross-Site Scripting (XSS) risk. While the specific versions added might have addressed these issues, the introduction of these libraries increases the application's potential attack surface.

"chosen-bootstrap": "https://github.com/dbtek/chosen-bootstrap",
"chosen-js": "^1.8.7",
"clipboard": "^2.0.11",
"datatables.net": "^2.3.1",
"datatables.net-buttons-bs": "^3.2.3",
"datatables.net-colreorder": "^2.1.1",
"drmonty-datatables-plugins": "^1.0.0",
"drmonty-datatables-responsive": "^1.0.0",
"easymde": "^2.20.0",

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten

valentijnscholten commented Jun 25, 2025

Member

I was asked to review and fix if possible. I added three commits:

  1. The test was failing because it was trying to click on a TD element instead of the A inside it. Used to work, but no longer does.
  2. The console was showing JavaScript errors. I reorganized the imports of datatables. This also removes the -dt part as it should suffice to only have the -bs part?
  3. The yarn.lock file is used to pin versions and have predictable/reproducible builds. It needs to remain I believe.

@valentijnscholten valentijnscholten added this to the 2.48.0 milestone Jun 25, 2025
@Maffooch Maffooch requested a review from blakeaowens June 25, 2025 20:38

@mtesauro mtesauro left a comment

Contributor


Approved

@Maffooch Maffooch requested a review from hblankenship June 30, 2025 15:01
@Maffooch Maffooch merged commit 689afc9 into DefectDojo:dev Jun 30, 2025
78 checks passed