Release: Merge release into master from: release/2.52.3#13768

Merged
rossops merged 16 commits into master from release/2.52.3
Nov 24, 2025

Conversation

@github-actions
Contributor

Release triggered by rossops

DefectDojo release bot and others added 16 commits November 17, 2025 15:43
….53.0-dev

Release: Merge back 2.52.2 into bugfix from: master-into-bugfix/2.52.2-2.53.0-dev
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
* 🐛 fix severity order of trivy #13647

* update, fix unittests

* update

* update
We are approving a boto3 rev almost every single day at this point. Let's skip the patches and only focus on the minor revs
…origin (#13740)

* feat(serializers, filters): add choice fields for business criticality, platform, lifecycle, and origin

* feat(serializers): allow null values for choice fields in ProductSerializer

* feat(serializers): make choice fields optional in ProductSerializer
Now that this feature has been live for a while, I think we can reduce the logging a bit. Noticed a lot of logs for this during #13241
Publish documentation on pushes to bugfix in addition to master. This will be useful for fixing urgent documentation issues without waiting for a week for the next bugfix release
Add path filter for docs in gh-pages workflow
@rossops rossops closed this Nov 24, 2025
@rossops rossops reopened this Nov 24, 2025
@github-actions github-actions Bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests parser helm labels Nov 24, 2025
dryrunsecurity Bot commented Nov 24, 2025

DryRun Security

This pull request fixes a stale thread-local cache for System_Settings, changes Trivy severity selection to prefer the top-level Severity field over CVSS-derived severities, and adds external third-party scripts from static.reo.dev and assets.apollo.io in the docs; together these changes introduce risks that configuration changes may not take effect until cache invalidation is addressed, may understate vulnerability risk by preferring possibly lower top-level severities over CVSS, and expose the docs to supply-chain/client-side script risks due to unpinned third-party scripts.

Stale Cache / Configuration Bypass in dojo/middleware.py
Vulnerability: Stale Cache / Configuration Bypass
Description: Before this patch, System_Settings were cached in a thread-local variable without a mechanism to invalidate the cache upon database updates. This meant that if security-critical settings within System_Settings were changed (e.g., JIRA webhook secrets, password policies, API error exposure), the application could continue to operate with the old, stale settings until the application was restarted or the thread-local cache was manually cleared. This could lead to security vulnerabilities such as authentication bypasses for JIRA webhooks or weaker password policy enforcement.

models.signals.post_save.connect(DojoSytemSettingsMiddleware.cleanup, sender=System_Settings)

def __call__(self, request):
    self.load()

Incorrect Severity Assignment in dojo/tools/trivy/parser.py
Vulnerability: Incorrect Severity Assignment
Description: The updated logic in dojo/tools/trivy/parser.py prioritizes the top-level Severity field from Trivy scan results over severities derived from CVSS scores. While the intent might be to use a readily available severity, this can lead to a downgrade of the actual risk. For instance, a vulnerability might have a top-level Severity of 'LOW' but a CVSSv3 score that translates to 'CRITICAL'. By taking the 'LOW' severity first, the system would misrepresent the true risk, potentially causing high-risk vulnerabilities to be overlooked or deprioritized in DefectDojo.

if cvss_data := parse_cvss_data(cvssclass.get("V3Vector", "")):
    cvssv3 = cvss_data.get("cvssv3")
    cvssv3_score = cvss_data.get("cvssv3_score")
    if severity is None:
        severity = cvss_data.get("severity")
elif (cvss_v3_score := cvssclass.get("V3Score")) is not None:
    cvssv3_score = cvss_v3_score
    if severity is None:
        severity = self.convert_cvss_score(cvss_v3_score)
elif (cvss_v2_score := cvssclass.get("V2Score")) is not None:
    if severity is None:
        severity = self.convert_cvss_score(cvss_v2_score)
if severity is None:
    severity = self.convert_cvss_score(None)
if target_class in {"os-pkgs", "lang-pkgs"}:
    file_path = vuln.get("PkgPath")
    if file_path is None:

Third-Party Script Inclusion in docs/layouts/_partials/head/script-header.html
Vulnerability: Third-Party Script Inclusion
Description: The documentation site includes two external JavaScript files from static.reo.dev and assets.apollo.io. These scripts are likely used for marketing, analytics, or customer engagement. The dynamic nature of their URLs prevents the effective use of Subresource Integrity (SRI). If these third-party domains are compromised, an attacker could inject malicious JavaScript into the documentation site, leading to defacement, phishing, or other client-side attacks.

<!-- Insert scripts NOT needed by stylesheets here -->
<!-- Start of Reo Javascript -->
<script type="text/javascript">
!function () { var e, t, n; e = "a92cfcfa51eca96", t = function () { Reo.init({ clientID: "a92cfcfa51eca96" }) }, (n = document.createElement("script")).src = "https://static.reo.dev/" + e + "/reo.js", n.async = !0, n.onload = t, document.head.appendChild(n) }();
</script>
<!-- End of Reo Javascript -->
<script>function initApollo() {
var n = Math.random().toString(36).substring(7), o = document.createElement("script");
o.src = "https://assets.apollo.io/micro/website-tracker/tracker.iife.js?nocache=" + n, o.async = !0, o.defer = !0,
o.onload = function () { window.trackingFunctions.onLoad({ appId: "68ffca00b8c4dc001de5fec3" }) },
document.head.appendChild(o)
} initApollo();</script>


All finding details can be found in the DryRun Security Dashboard.
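The severity-selection concern raised in the review above, as an added example that is not part of this PR or of DefectDojo's Trivy parser: a small audit over a constructed Trivy-style JSON report that applies the "top-level Severity first" rule, also derives the severity implied by the CVSS score, and flags findings where the chosen severity ranks below the CVSS-derived one. The 9.0/7.0/4.0 score bands, the treatment of UNKNOWN as absent, and the sample report with placeholder CVE IDs are assumptions made for this example.

```python
import json

# Score bands assumed for this example (common 9.0/7.0/4.0 thresholds); not DefectDojo's own.
def score_to_severity(score):
    if score is None or score <= 0.0:
        return "Info"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def cvss_severity(vuln):
    """Severity implied by the CVSS block alone: any V3Score wins, otherwise any V2Score."""
    sources = list(vuln.get("CVSS", {}).values())
    for key in ("V3Score", "V2Score"):
        for src in sources:
            if src.get(key) is not None:
                return score_to_severity(src[key])
    return None

def select_severity(vuln, prefer_top_level=True):
    """Return (chosen, cvss_derived, downgraded). 'downgraded' means the top-level
    Severity ranks below what the CVSS score implies, the case the review flags."""
    top = (vuln.get("Severity") or "").capitalize()
    top = top if top in RANK else None          # Trivy's UNKNOWN is treated as absent (assumption)
    derived = cvss_severity(vuln)
    chosen = (top or derived) if prefer_top_level else (derived or top)
    downgraded = top is not None and derived is not None and RANK[top] < RANK[derived]
    return chosen or "Info", derived, downgraded

def audit_report(report_json):
    """List (id, chosen, cvss_derived) for every finding whose chosen severity understates CVSS."""
    flagged = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            chosen, derived, downgraded = select_severity(vuln)
            if downgraded:
                flagged.append((vuln["VulnerabilityID"], chosen, derived))
    return flagged

# Constructed Trivy-style report with placeholder IDs (not real scan output).
SAMPLE_REPORT = json.dumps({"Results": [{"Class": "os-pkgs", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "Severity": "LOW", "CVSS": {"nvd": {"V3Score": 9.8}}},
    {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-0000-0003", "CVSS": {"nvd": {"V2Score": 5.0}}},
]}]})
```

Running `audit_report(SAMPLE_REPORT)` returns only the first finding, where "LOW" would hide a 9.8 score; passing `prefer_top_level=False` to `select_severity` shows the opposite policy.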

@rossops rossops merged commit 59841b4 into master Nov 24, 2025
148 of 149 checks passed
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
Release: Merge release into master from: release/2.52.3