Release: Merge back 2.52.3 into dev from: master-into-dev/2.52.3-2.53.0-dev#13770

Merged: rossops merged 19 commits into dev from master-into-dev/2.52.3-2.53.0-dev on Nov 24, 2025

Conversation

@github-actions (Contributor) commented:

Release triggered by rossops

DefectDojo release bot and others added 18 commits November 17, 2025 15:43
….53.0-dev

Release: Merge back 2.52.2 into bugfix from: master-into-bugfix/2.52.2-2.53.0-dev
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
* 🐛 fix severity order of trivy #13647

* update, fix unittests

* update

* update
We are approving a boto3 rev almost every single day at this point. Let's skip the patches and only focus on the minor revs
…origin (#13740)

* feat(serializers, filters): add choice fields for business criticality, platform, lifecycle, and origin

* feat(serializers): allow null values for choice fields in ProductSerializer

* feat(serializers): make choice fields optional in ProductSerializer
Now that this feature has been live for a while, I think we can reduce the logging a bit. Noticed a lot of logs for this during #13241
Publish documentation on pushes to bugfix in addition to master. This will be useful for fixing urgent documentation issues without waiting for a week for the next bugfix release
Add path filter for docs in gh-pages workflow
Release: Merge release into master from: release/2.52.3
@dryrunsecurity Bot commented Nov 24, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies several sensitive codepaths (serializers, filters, middleware, tasks) and flags those edits for review, fixes a middleware issue that previously served stale System_Settings (which could allow authorization/configuration bypass), changes the Trivy parser to trust report severity over CVSS (risking lower-than-appropriate severity assignment), and adds two externally-hosted JavaScript files to the docs without SRI (introducing a supply-chain/XSS risk).

🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/filters.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/middleware.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/tasks.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Stale System Settings Leading to Authorization/Configuration Bypass in dojo/middleware.py
Vulnerability: Stale System Settings Leading to Authorization/Configuration Bypass
Description: The System_Settings model contains numerous security-sensitive configurations, including password policies, API error exposure, and integration settings. Prior to this change, modifications to these settings might not have been immediately reflected due to the DojoSytemSettingsMiddleware serving stale data from its thread-local cache. This could lead to the application operating with outdated, less secure configurations, potentially resulting in authorization bypasses, weaker authentication enforcement, or information disclosure.

```python
from dojo.models import System_Settings  # noqa: PLC0415 circular import
# Use classmethod directly to avoid keeping reference to middleware instance
models.signals.post_save.connect(DojoSytemSettingsMiddleware.cleanup, sender=System_Settings)
```

Incorrect Severity Assignment in dojo/tools/trivy/parser.py
Vulnerability: Incorrect Severity Assignment
Description: The Trivy parser now prioritizes the 'Severity' field directly from the Trivy report over any severity derived from CVSS scores. This can lead to an incorrectly low severity being assigned to a vulnerability if Trivy's reported severity is lower than the severity indicated by the CVSS score. This misrepresentation can result in improper risk assessment and delayed remediation of potentially critical issues.

```python
if cvss_data := parse_cvss_data(cvssclass.get("V3Vector", "")):
    cvssv3 = cvss_data.get("cvssv3")
    cvssv3_score = cvss_data.get("cvssv3_score")
    if severity is None:
        severity = cvss_data.get("severity")
elif (cvss_v3_score := cvssclass.get("V3Score")) is not None:
    cvssv3_score = cvss_v3_score
    if severity is None:
        severity = self.convert_cvss_score(cvss_v3_score)
elif (cvss_v2_score := cvssclass.get("V2Score")) is not None:
    if severity is None:
        severity = self.convert_cvss_score(cvss_v2_score)
if severity is None:
    severity = self.convert_cvss_score(None)
if target_class in {"os-pkgs", "lang-pkgs"}:
    file_path = vuln.get("PkgPath")
    if file_path is None:
```

Third-Party Script Inclusion / Supply Chain Risk in docs/layouts/_partials/head/script-header.html
Vulnerability: Third-Party Script Inclusion / Supply Chain Risk
Description: The code introduces two dynamically loaded third-party JavaScript files from static.reo.dev and assets.apollo.io into the docs section of the application. These scripts are loaded without Subresource Integrity (SRI) hashes. This creates a supply chain risk: if either of these external domains were compromised, an attacker could inject malicious JavaScript into the application, potentially leading to Cross-Site Scripting (XSS), data exfiltration, or session hijacking for users viewing the documentation.

```html
<!-- Insert scripts NOT needed by stylesheets here -->
<!-- Start of Reo Javascript -->
<script type="text/javascript">
!function () { var e, t, n; e = "a92cfcfa51eca96", t = function () { Reo.init({ clientID: "a92cfcfa51eca96" }) }, (n = document.createElement("script")).src = "https://static.reo.dev/" + e + "/reo.js", n.async = !0, n.onload = t, document.head.appendChild(n) }();
</script>
<!-- End of Reo Javascript -->
<script>function initApollo() {
var n = Math.random().toString(36).substring(7), o = document.createElement("script");
o.src = "https://assets.apollo.io/micro/website-tracker/tracker.iife.js?nocache=" + n, o.async = !0, o.defer = !0,
o.onload = function () { window.trackingFunctions.onLoad({ appId: "68ffca00b8c4dc001de5fec3" }) },
document.head.appendChild(o)
} initApollo();</script>
```

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.
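The Trivy finding in the DryRun comment above warns that the parser now prefers the report's own Severity field over a severity derived from the CVSS score. As an added example (not DefectDojo's parser code), the following script reconciles the two for each vulnerability and flags findings whose reported severity is lower than the score implies, so a pipeline can surface such downgrades for review rather than silently accepting them. The field names (Severity, CVSS.<source>.V3Score / V2Score) follow Trivy's JSON report layout; the sample vulnerabilities, their placeholder IDs and scores are constructed, and the score-to-rating thresholds are the CVSS v3.x qualitative scale, which is an assumption of this example rather than something the page states.

```python
"""Added example: reconcile Trivy's reported severity with the CVSS-derived one.

Not DefectDojo code. Sample data below is constructed; IDs are placeholders.
"""
from __future__ import annotations

# Ordering used to compare qualitative ratings.
SEVERITY_ORDER = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity_from_cvss_score(score: float | None) -> str:
    """Map a CVSS base score onto the CVSS v3.x qualitative scale (assumed thresholds)."""
    if score is None:
        return "Info"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def normalize_report_severity(value: str | None) -> str | None:
    """Trivy emits upper-case ratings such as 'HIGH' or 'UNKNOWN'; unknown ones map to None."""
    if not value:
        return None
    rating = value.strip().capitalize()
    return rating if rating in SEVERITY_ORDER else None


def best_cvss_score(vuln: dict) -> float | None:
    """Take the highest V3Score across CVSS sources (nvd, redhat, ...), else the highest V2Score."""
    sources = (vuln.get("CVSS") or {}).values()
    v3 = [s.get("V3Score") for s in sources if s.get("V3Score") is not None]
    if v3:
        return max(v3)
    v2 = [s.get("V2Score") for s in sources if s.get("V2Score") is not None]
    return max(v2) if v2 else None


def reconcile_severity(vuln: dict, *, trust_report: bool = True) -> dict:
    """Choose a severity and record whether the report rating is below the CVSS rating."""
    report_sev = normalize_report_severity(vuln.get("Severity"))
    score = best_cvss_score(vuln)
    cvss_sev = severity_from_cvss_score(score) if score is not None else None
    if trust_report and report_sev is not None:
        chosen = report_sev          # behaviour the finding describes: report wins
    elif cvss_sev is not None:
        chosen = cvss_sev            # fall back to the score-derived rating
    else:
        chosen = report_sev or "Info"
    downgraded = (
        report_sev is not None and cvss_sev is not None
        and SEVERITY_ORDER[report_sev] < SEVERITY_ORDER[cvss_sev]
    )
    return {
        "id": vuln.get("VulnerabilityID"),
        "severity": chosen,
        "report_severity": report_sev,
        "cvss_severity": cvss_sev,
        "cvss_score": score,
        "downgraded": downgraded,
    }


def find_downgrades(vulns: list[dict]) -> list[str]:
    """IDs of findings whose reported severity understates the CVSS score."""
    return [r["id"] for r in map(reconcile_severity, vulns) if r["downgraded"]]


# Constructed sample in the shape of Trivy's "Vulnerabilities" entries (placeholder IDs).
SAMPLE_VULNS = [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "MEDIUM",
     "CVSS": {"nvd": {"V3Score": 9.8}, "redhat": {"V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "HIGH",
     "CVSS": {"nvd": {"V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-EXAMPLE-0003", "Severity": "UNKNOWN",
     "CVSS": {"nvd": {"V2Score": 5.0}}},
    {"VulnerabilityID": "CVE-EXAMPLE-0004", "Severity": "LOW", "CVSS": {}},
]

if __name__ == "__main__":
    for v in SAMPLE_VULNS:
        print(reconcile_severity(v))
    print("downgraded:", find_downgrades(SAMPLE_VULNS))
```

Running it over the constructed sample reports CVE-EXAMPLE-0001 as downgraded (reported Medium, CVSS 9.8 implies Critical); the other three are consistent or have no score to compare against. A review step that alerts on a non-empty downgrade list is the kind of control that offsets the risk the finding describes.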
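The third finding flags two third-party scripts injected without Subresource Integrity. As an added example (not the docs' code), the following Python helper computes an integrity value for a fetched asset, verifies a byte string against an integrity attribute that may list several hashes, and renders a script tag with integrity and crossorigin set. The script body and URL are constructed placeholders.

```python
"""Added example: compute and verify Subresource Integrity (SRI) values.

Not the project's code. The script body and URL below are constructed placeholders.
"""
import base64
import hashlib
import html

# Browsers only honour these digest algorithms in an integrity attribute.
SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return '<algorithm>-<base64 digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True if any space-separated token in the integrity attribute matches the bytes."""
    for token in integrity.split():
        algorithm = token.partition("-")[0]
        if algorithm in SRI_ALGORITHMS and sri_hash(content, algorithm) == token:
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Render a <script> element pinned to the exact bytes that were reviewed."""
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'
    )


# Constructed sample: stands in for the fetched body of a vendor script.
SAMPLE_SCRIPT = b"window.vendor = { init: function (id) { console.log(id); } };\n"
SAMPLE_SRC = "https://cdn.example.invalid/vendor.js"  # placeholder host

if __name__ == "__main__":
    print(script_tag(SAMPLE_SRC, SAMPLE_SCRIPT))
    print("tampered copy verifies:", verify_sri(SAMPLE_SCRIPT + b"//x\n", sri_hash(SAMPLE_SCRIPT)))
```

SRI only fits an asset whose bytes are fixed: the loader in the finding appends a random nocache query string and the vendor can change the file at any time, so an integrity attribute on that URL would simply stop the script from loading. The workable pattern is to pin a versioned copy (or self-host it), hash that copy as above, and re-review whenever the pinned bytes change.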

@github-actions (Contributor, Author) commented:

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@rossops rossops closed this Nov 24, 2025
@rossops rossops reopened this Nov 24, 2025
github-actions Bot added the labels settings_changes ("Needs changes to settings.py based on changes in settings.dist.py included in this PR"), apiv2, docs, unittests and parser on Nov 24, 2025
github-actions Bot added the helm label on Nov 24, 2025
@github-actions (Contributor, Author) commented:

Conflicts have been resolved. A maintainer will review the pull request shortly.


@rossops rossops merged commit b994e48 into dev Nov 24, 2025
152 checks passed
@rossops rossops deleted the master-into-dev/2.52.3-2.53.0-dev branch November 24, 2025 17:55
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
….52.3-2.53.0-dev

Release: Merge back 2.52.3 into dev from: master-into-dev/2.52.3-2.53.0-dev