
Merge branch 'dev' into master-into-dev/2.52.3-2.53.0-dev

c7b813f
Merged

Release: Merge back 2.52.3 into dev from: master-into-dev/2.52.3-2.53.0-dev #13770

DryRunSecurity / General Security Analyzer succeeded Nov 24, 2025 in 1m 10s

DryRun Security


General Security Analyzer Findings: 3 detected

⚠️ Stale System Settings Leading to Authorization/Configuration Bypass (dojo/middleware.py)
Type: Stale System Settings Leading to Authorization/Configuration Bypass
Description: The System_Settings model contains numerous security-sensitive configurations, including password policies, API error exposure, and integration settings. Prior to this change, modifications to these settings might not have been immediately reflected due to the DojoSytemSettingsMiddleware serving stale data from its thread-local cache. This could lead to the application operating with outdated, less secure configurations, potentially resulting in authorization bypasses, weaker authentication enforcement, or information disclosure.
Filename: dojo/middleware.py
Code:
from dojo.models import System_Settings # noqa: PLC0415 circular import
# Use classmethod directly to avoid keeping reference to middleware instance
models.signals.post_save.connect(DojoSytemSettingsMiddleware.cleanup, sender=System_Settings)
⚠️ Incorrect Severity Assignment (dojo/tools/trivy/parser.py)
Type: Incorrect Severity Assignment
Description: The Trivy parser now prioritizes the 'Severity' field directly from the Trivy report over any severity derived from CVSS scores. This can lead to an incorrectly low severity being assigned to a vulnerability if Trivy's reported severity is lower than the severity indicated by the CVSS score. This misrepresentation can result in improper risk assessment and delayed remediation of potentially critical issues.
Filename: dojo/tools/trivy/parser.py
Code:
if cvss_data := parse_cvss_data(cvssclass.get("V3Vector", "")):
    cvssv3 = cvss_data.get("cvssv3")
    cvssv3_score = cvss_data.get("cvssv3_score")
    if severity is None:
        severity = cvss_data.get("severity")
elif (cvss_v3_score := cvssclass.get("V3Score")) is not None:
    cvssv3_score = cvss_v3_score
    if severity is None:
        severity = self.convert_cvss_score(cvss_v3_score)
elif (cvss_v2_score := cvssclass.get("V2Score")) is not None:
    if severity is None:
        severity = self.convert_cvss_score(cvss_v2_score)
if severity is None:
    severity = self.convert_cvss_score(None)
if target_class in {"os-pkgs", "lang-pkgs"}:
    file_path = vuln.get("PkgPath")
    if file_path is None:
⚠️ Third-Party Script Inclusion / Supply Chain Risk (docs/layouts/_partials/head/script-header.html)
Type: Third-Party Script Inclusion / Supply Chain Risk
Description: The code introduces two dynamically loaded third-party JavaScript files from static.reo.dev and assets.apollo.io into the docs section of the application. These scripts are loaded without Subresource Integrity (SRI) hashes. This creates a supply chain risk: if either of these external domains were compromised, an attacker could inject malicious JavaScript into the application, potentially leading to Cross-Site Scripting (XSS), data exfiltration, or session hijacking for users viewing the documentation.
Filename: docs/layouts/_partials/head/script-header.html
Code:
<!-- Insert scripts NOT needed by stylesheets here -->
<!-- Start of Reo Javascript -->
<script type="text/javascript">
!function () { var e, t, n; e = "a92cfcfa51eca96", t = function () { Reo.init({ clientID: "a92cfcfa51eca96" }) }, (n = document.createElement("script")).src = "https://static.reo.dev/" + e + "/reo.js", n.async = !0, n.onload = t, document.head.appendChild(n) }();
</script>
<!-- End of Reo Javascript -->
<script>function initApollo() {
var n = Math.random().toString(36).substring(7), o = document.createElement("script");
o.src = "https://assets.apollo.io/micro/website-tracker/tracker.iife.js?nocache=" + n, o.async = !0, o.defer = !0,
o.onload = function () { window.trackingFunctions.onLoad({ appId: "68ffca00b8c4dc001de5fec3" }) },
document.head.appendChild(o)
} initApollo();</script>