Merge pull request DefectDojo#10647 from DefectDojo/release/2.36.6

Release: Merge release into master from: release/2.36.6

Author: Maffooch

.github/workflows/refresh_helm_lock_file.yaml

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.36.5",
+  "version": "2.36.6",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

components/package.json

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = '2.36.5'
+__version__ = '2.36.6'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'https://documentation.defectdojo.com'

dojo/__init__.py

@@ -164,6 +164,7 @@
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import (
     async_delete,
+    generate_file_response,
     get_setting,
     get_system_setting,
 )
@@ -646,21 +647,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Engagement"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
 
 class RiskAcceptanceViewSet(
@@ -1156,21 +1144,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Finding"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
     @extend_schema(
         request=serializers.FindingNoteSerializer,
@@ -2320,21 +2295,8 @@ def download_file(self, request, file_id, pk=None):
                 {"error": "File ID not associated with Test"},
                 status=status.HTTP_404_NOT_FOUND,
             )
-        # Get the path of the file in media root
-        file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}"
-        file_handle = open(file_path, "rb")
         # send file
-        response = FileResponse(
-            file_handle,
-            content_type=f"{mimetypes.guess_type(file_path)}",
-            status=status.HTTP_200_OK,
-        )
-        response["Content-Length"] = file_object.file.size
-        response[
-            "Content-Disposition"
-        ] = f'attachment; filename="{file_object.file.name}"'
-
-        return response
+        return generate_file_response(file_object)
 
 
 # Authorization: authenticated, configuration

dojo/api_v2/views.py

@@ -72,14 +72,19 @@ def ready(self):
         # Load any signals here that will be ready for runtime
         # Importing the signals file is good enough if using the reciever decorator
         import dojo.announcement.signals  # noqa: F401
+        import dojo.benchmark.signals  # noqa: F401
+        import dojo.cred.signals  # noqa: F401
         import dojo.endpoint.signals  # noqa: F401
         import dojo.engagement.signals  # noqa: F401
         import dojo.finding_group.signals  # noqa: F401
+        import dojo.notes.signals  # noqa: F401
         import dojo.product.signals  # noqa: F401
         import dojo.product_type.signals  # noqa: F401
+        import dojo.risk_acceptance.signals  # noqa: F401
         import dojo.sla_config.helpers  # noqa: F401
         import dojo.tags_signals  # noqa: F401
         import dojo.test.signals  # noqa: F401
+        import dojo.tool_product.signals  # noqa: F401
 
 
 def get_model_fields_with_extra(model, extra_fields=()):

dojo/apps.py

@@ -0,0 +1,14 @@
+import logging
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from dojo.models import Benchmark_Product
+from dojo.notes.helper import delete_related_notes
+
+logger = logging.getLogger(__name__)
+
+
+@receiver(pre_delete, sender=Benchmark_Product)
+def benchmark_product_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)

dojo/benchmark/signals.py

@@ -43,6 +43,7 @@ def add_benchmark(queryset, product):
         pass
 
 
+@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark(request, pid, _type):
     if request.method == "POST":
         bench_id = request.POST.get("bench_id")
@@ -90,6 +91,7 @@ def update_benchmark(request, pid, _type):
     )
 
 
+@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid")
 def update_benchmark_summary(request, pid, _type, summary):
     if request.method == "POST":
         field = request.POST.get("field")

dojo/benchmark/views.py

@@ -70,5 +70,6 @@ def components(request):
             "filter": comp_filter,
             "result": result,
             "component_words": sorted(set(component_words)),
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
         },
     )

dojo/components/views.py

@@ -0,0 +1,14 @@
+import logging
+
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+
+from dojo.models import Cred_User
+from dojo.notes.helper import delete_related_notes
+
+logger = logging.getLogger(__name__)
+
+
+@receiver(pre_delete, sender=Cred_User)
+def cred_user_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)

dojo/cred/signals.py

@@ -112,7 +112,8 @@ def view_cred_details(request, ttid):
         'cred': cred,
         'form': form,
         'notes': notes,
-        'cred_products': cred_products
+        'cred_products': cred_products,
+        'person': request.user.username,
     })
 
 
@@ -650,7 +651,7 @@ def delete_cred_controller(request, destination_url, id, ttid):
     if id:
         product = None
         if destination_url == "all_cred_product":
-            product = get_object_or_404(Product, id)
+            product = get_object_or_404(Product, id=id)
         elif destination_url == "view_engagement":
             engagement = get_object_or_404(Engagement, id=id)
             product = engagement.product
@@ -669,7 +670,7 @@ def delete_cred_controller(request, destination_url, id, ttid):
 
 @user_is_authorized(Cred_User, Permissions.Credential_Delete, 'ttid')
 def delete_cred(request, ttid):
-    return delete_cred_controller(request, "cred", 0, ttid)
+    return delete_cred_controller(request, "cred", 0, ttid=ttid)
 
 
 @user_is_authorized(Product, Permissions.Product_Edit, 'pid')

dojo/cred/views.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.13 on 2024-07-23 19:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0212_sla_configuration_enforce_critical_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='system_settings',
+            name='enable_ui_table_based_searching',
+            field=models.BooleanField(default=True, help_text='With this setting enabled, table headings will contain sort buttons for the current page of data in addition to sorting buttons that consider data from all pages.', verbose_name='Enable UI Table Based Filtering/Sorting'),
+        ),
+    ]

dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py

@@ -1,12 +1,13 @@
 from auditlog.models import LogEntry
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
-from django.db.models.signals import post_delete, post_save, pre_save
+from django.db.models.signals import post_delete, post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
 from dojo.models import Engagement
+from dojo.notes.helper import delete_related_notes
 from dojo.notifications.helper import create_notification
 
 
@@ -55,3 +56,8 @@ def engagement_post_delete(sender, instance, using, origin, **kwargs):
                             url=reverse('view_product', args=(instance.product.id, )),
                             recipients=[instance.lead],
                             icon="exclamation-triangle")
+
+
+@receiver(pre_delete, sender=Engagement)
+def engagement_pre_delete(sender, instance, **kwargs):
+    delete_related_notes(instance)

dojo/engagement/signals.py

@@ -1,5 +1,6 @@
 import csv
 import logging
+import mimetypes
 import operator
 import re
 from datetime import datetime
@@ -257,6 +258,7 @@ def engagements_all(request):
             'filter_form': filtered.form,
             'name_words': sorted(set(name_words)),
             'eng_words': sorted(set(eng_words)),
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
         })
 
 
@@ -438,6 +440,8 @@ def get_filtered_tests(
 
     def get(self, request, eid, *args, **kwargs):
         eng = get_object_or_404(Engagement, id=eid)
+        # Make sure the user is authorized
+        user_has_permission_or_403(request.user, eng, Permissions.Engagement_View)
         tests = eng.test_set.all().order_by('test_type__name', '-updated')
         default_page_num = 10
         tests_filter = self.get_filtered_tests(request, tests, eng)
@@ -506,6 +510,8 @@ def get(self, request, eid, *args, **kwargs):
 
     def post(self, request, eid, *args, **kwargs):
         eng = get_object_or_404(Engagement, id=eid)
+        # Make sure the user is authorized
+        user_has_permission_or_403(request.user, eng, Permissions.Engagement_View)
         tests = eng.test_set.all().order_by('test_type__name', '-updated')
 
         default_page_num = 10
@@ -1435,6 +1441,7 @@ def view_edit_risk_acceptance(request, eid, raid, edit_mode=False):
             'request': request,
             'add_findings': add_fpage,
             'return_url': get_return_url(request),
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
         })
 
 
@@ -1479,12 +1486,11 @@ def delete_risk_acceptance(request, eid, raid):
 
 @user_is_authorized(Engagement, Permissions.Engagement_View, 'eid')
 def download_risk_acceptance(request, eid, raid):
-    import mimetypes
-
     mimetypes.init()
-
     risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid)
-
+    # Ensure the risk acceptance is under the supplied engagement
+    if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists():
+        raise PermissionDenied
     response = StreamingHttpResponse(
         FileIterWrapper(
             open(settings.MEDIA_ROOT + "/" + risk_acceptance.path.name, mode='rb')))

dojo/engagement/views.py

@@ -23,6 +23,7 @@
     Vulnerability_Id,
     Vulnerability_Id_Template,
 )
+from dojo.notes.helper import delete_related_notes
 from dojo.utils import get_current_user, mass_model_updater, to_str_typed
 
 logger = logging.getLogger(__name__)
@@ -402,8 +403,8 @@ def finding_pre_delete(sender, instance, **kwargs):
     logger.debug('finding pre_delete: %d', instance.id)
     # this shouldn't be necessary as Django should remove any Many-To-Many entries automatically, might be a bug in Django?
     # https://code.djangoproject.com/ticket/154
-
     instance.found_by.clear()
+    delete_related_notes(instance)
 
 
 def finding_delete(instance, **kwargs):

dojo/finding/helper.py

@@ -376,6 +376,7 @@ def get_initial_context(self, request: HttpRequest):
             "jira_project": None,
             "github_config": None,
             "bulk_edit_form": FindingBulkUpdateForm(request.GET),
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
             "title_words": get_words_for_field(Finding, "title"),
             "component_words": get_words_for_field(Finding, "component_name"),
         }
@@ -742,6 +743,7 @@ def get_initial_context(self, request: HttpRequest, finding: Finding, user: Dojo
             "files": finding.files.all(),
             "note_type_activation": note_type_activation,
             "available_note_types": available_note_types,
+            "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
             "product_tab": Product_Tab(
                 finding.test.engagement.product, title="View Finding", tab="findings"
             )
@@ -1736,7 +1738,7 @@ def request_finding_review(request, fid):
     return render(
         request,
         "dojo/review_finding.html",
-        {"finding": finding, "product_tab": product_tab, "user": user, "form": form},
+        {"finding": finding, "product_tab": product_tab, "user": user, "form": form, "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), },
     )
 
 

dojo/finding/views.py

@@ -212,15 +212,12 @@ def parse_findings(
         """
         Determine how to parse the findings based on the presence of the
         `get_tests` function on the parser object
+
+        This function will vary by importer, so it is marked as
+        abstract with a prohibitive exception raised if the
+        method is attempted to to be used by the BaseImporter class
         """
-        # Attempt any preprocessing before generating findings
-        if len(self.parsed_findings) == 0 or self.test is None:
-            scan = self.process_scan_file(scan)
-            if hasattr(parser, 'get_tests'):
-                self.parsed_findings = self.parse_findings_dynamic_test_type(scan, parser)
-            else:
-                self.parsed_findings = self.parse_findings_static_test_type(scan, parser)
-        return self.parsed_findings
+        self.check_child_implementation_exception()
 
     def sync_process_findings(
         self,