Merge pull request DefectDojo#7806 from DefectDojo/release/2.20.1

Maffooch · web-flow · commit 5966c13d02dd · 2023-03-13T12:12:23.000-05:00
Release: Merge release into master from: release/2.20.1
diff --git a/components/package.json b/components/package.json
@@ -1,19 +1,18 @@
 {
   "name": "defectdojo",
-  "version": "2.20.0",
+  "version": "2.20.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
     "JUMFlot": "jumjum123/JUMFlot#*",
-    "bootstrap": "^3.4.0",
+    "bootstrap": "^3.4.1",
     "bootstrap-select": "^1.13.18",
     "bootstrap-social": "^4.0.0",
     "bootstrap-wysiwyg": "^2.0.0",
-    "bootswatch": "3.4.1",
+    "bootswatch": "5.2.3",
     "chosen-bootstrap": "https://github.com/dbtek/chosen-bootstrap",
     "chosen-js": "^1.8.7",
     "clipboard": "^2.0.11",
-    "components-jqueryui": "^1.0.0",
     "datatables.net": "^1.13.3",
     "datatables.net-buttons-bs": "^2.3.5",    
     "datatables.net-buttons-dt": "^2.3.5",
@@ -29,6 +28,7 @@
     "google-code-prettify": "^1.0.0",
     "jquery": "^3.6.3",
     "jquery-highlight": "3.5.0",
+    "jquery-ui": "1.13.2",
     "jquery.cookie": "1.4.1",
     "jquery.flot.tooltip": "^0.9.0",
     "jquery.hotkeys": "jeresig/jquery.hotkeys#master",
diff --git a/components/yarn.lock b/components/yarn.lock
diff --git a/dc-unittest.sh b/dc-unittest.sh
@@ -73,4 +73,4 @@ then
 fi
 
 echo "Running docker compose unit tests with profile $PROFILE and test case $TEST_CASE ..."
-docker-compose --profile $PROFILE --env-file ./docker/environments/$PROFILE.env exec uwsgi bash -c "python manage.py test $TEST_CASE -v2"
+docker-compose --profile $PROFILE --env-file ./docker/environments/$PROFILE.env exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb"
diff --git a/dojo/__init__.py b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa
 
-__version__ = '2.20.0'
+__version__ = '2.20.1'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'https://documentation.defectdojo.com'
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -24,7 +24,7 @@
     Network_Locations, UserContactInfo, Product_API_Scan_Configuration, DEFAULT_NOTIFICATION, \
     Vulnerability_Id, Vulnerability_Id_Template, get_current_date, \
     Question, TextQuestion, ChoiceQuestion, Answer, TextAnswer, ChoiceAnswer, \
-    Engagement_Survey, Answered_Survey, General_Survey
+    Engagement_Survey, Answered_Survey, General_Survey, Check_List
 
 from dojo.tools.factory import requires_file, get_choices_sorted, requires_tool_type
 from dojo.utils import is_scan_file_too_large
@@ -34,6 +34,7 @@
 from django.contrib.auth.password_validation import validate_password
 from django.contrib.auth.models import Permission
 from django.utils import timezone
+from django.urls import reverse
 from django.db.utils import IntegrityError
 import six
 from django.utils.translation import gettext_lazy as _
@@ -637,6 +638,14 @@ class Meta:
         fields = ['file']
 
 
+class RiskAcceptanceProofSerializer(serializers.ModelSerializer):
+    path = serializers.FileField(required=True)
+
+    class Meta:
+        model = Risk_Acceptance
+        fields = ['path']
+
+
 class ProductMemberSerializer(serializers.ModelSerializer):
 
     class Meta:
@@ -796,6 +805,12 @@ def to_representation(self, data):
         return new_data
 
 
+class EngagementCheckListSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Check_List
+        fields = '__all__'
+
+
 class AppAnalysisSerializer(TaggitSerializer, serializers.ModelSerializer):
     tags = TagListSerializerField(required=False)
 
@@ -1130,6 +1145,7 @@ class Meta:
 class RiskAcceptanceSerializer(serializers.ModelSerializer):
     recommendation = serializers.SerializerMethodField()
     decision = serializers.SerializerMethodField()
+    path = serializers.SerializerMethodField()
 
     @extend_schema_field(serializers.CharField())
     @swagger_serializer_method(serializers.CharField())
@@ -1141,6 +1157,23 @@ def get_recommendation(self, obj):
     def get_decision(self, obj):
         return Risk_Acceptance.TREATMENT_TRANSLATIONS.get(obj.decision)
 
+    @extend_schema_field(serializers.CharField())
+    @swagger_serializer_method(serializers.CharField())
+    def get_path(self, obj):
+        risk_acceptance_id = obj.id
+        engagement_id = Engagement.objects.filter(risk_acceptance__id__in=[obj.id]).first().id
+        path = reverse('download_risk_acceptance', args=(engagement_id, risk_acceptance_id))
+        request = self.context.get("request")
+        if request:
+            path = request.build_absolute_uri(path)
+        return path
+
+    @extend_schema_field(serializers.IntegerField())
+    @swagger_serializer_method(serializers.IntegerField())
+    def get_engagement(self, obj):
+        engagement = Engagement.objects.filter(risk_acceptance__id__in=[obj.id]).first()
+        return EngagementSerializer(read_only=True).to_representation(engagement)
+
     class Meta:
         model = Risk_Acceptance
         fields = '__all__'
diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py
@@ -32,7 +32,7 @@
     BurpRawRequestResponse, FileUpload, Product_Type_Member, Product_Member, Dojo_Group, \
     Product_Group, Product_Type_Group, Role, Global_Role, Dojo_Group_Member, Engagement_Presets, Network_Locations, \
     UserContactInfo, Product_API_Scan_Configuration, Cred_Mapping, Cred_User, Question, Answer, \
-    Engagement_Survey, Answered_Survey, General_Survey
+    Engagement_Survey, Answered_Survey, General_Survey, Check_List
 from dojo.endpoint.views import get_endpoint_ids
 from dojo.reports.views import report_url_resolver, prefetch_related_findings_for_report
 from dojo.finding.views import set_finding_as_original_internal, reset_finding_duplicate_status_internal, \
@@ -258,7 +258,9 @@ class EngagementViewSet(prefetch.PrefetchListMixin,
     queryset = Engagement.objects.none()
     filter_backends = (DjangoFilterBackend,)
     filterset_class = ApiEngagementFilter
-    swagger_schema = prefetch.get_prefetch_schema(["engagements_list", "engagements_read"], serializers.EngagementSerializer).to_schema()
+    swagger_schema = prefetch.get_prefetch_schema(["engagements_list", "engagements_read"], serializers.EngagementSerializer).composeWith(
+        prefetch.get_prefetch_schema(["engagements_complete_checklist_read"], serializers.EngagementCheckListSerializer)
+    ).to_schema()
     permission_classes = (IsAuthenticated, permissions.UserHasEngagementPermission)
 
     @property
@@ -429,6 +431,41 @@ def files(self, request, pk=None):
         })
         return Response(serialized_files.data, status=status.HTTP_200_OK)
 
+    @extend_schema(
+        methods=['POST'],
+        request=serializers.EngagementCheckListSerializer,
+        responses={status.HTTP_201_CREATED: serializers.EngagementCheckListSerializer}
+    )
+    @swagger_auto_schema(
+        method='post',
+        request_body=serializers.EngagementCheckListSerializer,
+        responses={status.HTTP_201_CREATED: serializers.EngagementCheckListSerializer}
+    )
+    @action(detail=True, methods=["get", "post"])
+    def complete_checklist(self, request, pk=None):
+        from dojo.api_v2.prefetch.prefetcher import _Prefetcher
+        engagement = self.get_object()
+        check_lists = Check_List.objects.filter(engagement=engagement)
+        if request.method == 'POST':
+            if check_lists.count() > 0:
+                return Response({"message": "A completed checklist for this engagement already exists."}, status=status.HTTP_400_BAD_REQUEST)
+            check_list = serializers.EngagementCheckListSerializer(data=request.data)
+            if not check_list.is_valid():
+                return Response(check_list.errors, status=status.HTTP_400_BAD_REQUEST)
+            check_list = Check_List(**check_list.data)
+            check_list.engagement = engagement
+            check_list.save()
+            serialized_check_list = serializers.EngagementCheckListSerializer(check_list)
+            return Response(serialized_check_list.data, status=status.HTTP_201_CREATED)
+        prefetch_params = request.GET.get("prefetch", "").split(",")
+        prefetcher = _Prefetcher()
+        entry = check_lists.first()
+        # Get the queried object representation
+        result = serializers.EngagementCheckListSerializer(entry).data
+        prefetcher._prefetch(entry, prefetch_params)
+        result["prefetch"] = prefetcher.prefetched_data
+        return Response(result, status=status.HTTP_200_OK)
+
     @extend_schema(
         methods=['GET'],
         responses={
@@ -482,6 +519,35 @@ def get_queryset(self):
                 'owner',
                 'accepted_findings').distinct()
 
+    @extend_schema(
+        methods=['GET'],
+        responses={
+            status.HTTP_200_OK: serializers.RiskAcceptanceProofSerializer,
+        }
+    )
+    @swagger_auto_schema(
+        method='get',
+        responses={
+            status.HTTP_200_OK: serializers.RiskAcceptanceProofSerializer,
+        }
+    )
+    @action(detail=True, methods=["get"])
+    def download_proof(self, request, pk=None):
+        risk_acceptance = self.get_object()
+        # Get the file object
+        file_object = risk_acceptance.path
+        if file_object is None:
+            return Response({"error": "Proof has not provided to this risk acceptance..."}, status=status.HTTP_404_NOT_FOUND)
+        # Get the path of the file in media root
+        file_path = f'{settings.MEDIA_ROOT}/{file_object.name}'
+        file_handle = open(file_path, "rb")
+        # send file
+        response = FileResponse(file_handle, content_type=f'{mimetypes.guess_type(file_path)}', status=status.HTTP_200_OK)
+        response['Content-Length'] = file_object.size
+        response['Content-Disposition'] = f'attachment; filename="{risk_acceptance.filename()}"'
+
+        return response
+
 
 # These are technologies in the UI and the API!
 # Authorization: object-based
@@ -2770,6 +2836,25 @@ def get_queryset(self):
         return get_authorized_engagement_presets(Permissions.Product_View)
 
 
+class EngagementCheckListViewset(prefetch.PrefetchListMixin,
+                               prefetch.PrefetchRetrieveMixin,
+                               mixins.ListModelMixin,
+                               mixins.RetrieveModelMixin,
+                               mixins.UpdateModelMixin,
+                               mixins.DestroyModelMixin,
+                               mixins.CreateModelMixin,
+                               viewsets.GenericViewSet,
+                               dojo_mixins.DeletePreviewModelMixin):
+    serializer_class = serializers.EngagementCheckListSerializer
+    queryset = Check_List.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    swagger_schema = prefetch.get_prefetch_schema(["engagement_checklists_list", "engagement_checklists_read"], serializers.EngagementCheckListSerializer).to_schema()
+    permission_classes = (IsAuthenticated, permissions.UserHasEngagementPermission)
+
+    def get_queryset(self):
+        return get_authorized_engagement_checklists(Permissions.Product_View)
+
+
 class NetworkLocationsViewset(mixins.ListModelMixin,
                               mixins.RetrieveModelMixin,
                               mixins.UpdateModelMixin,
@@ -2811,7 +2896,7 @@ class QuestionnaireQuestionViewSet(mixins.ListModelMixin,
                                    mixins.RetrieveModelMixin,
                                    viewsets.GenericViewSet,
                                    dojo_mixins.QuestionSubClassFieldsMixin):
-    serializer_class = serializers.QuestionSerializer
+    serializer_class = serializers.QuestionnaireQuestionSerializer
     queryset = Question.objects.all()
     filter_backends = (DjangoFilterBackend,)
     permission_classes = (permissions.UserHasEngagementPermission, DjangoModelPermissions)
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -3037,8 +3037,7 @@ def __init__(self, *args, **kwargs):
         # we have ChoiceAnswer instance
         if choice_answer:
             choice_answer = choice_answer[0]
-            initial_choices = choice_answer.answer.all().values_list('id',
-                                                                     flat=True)
+            initial_choices = list(choice_answer.answer.all().values_list('id', flat=True))
             if self.question.multichoice is False:
                 initial_choices = initial_choices[0]
 
diff --git a/dojo/reports/views.py b/dojo/reports/views.py
@@ -564,9 +564,8 @@ def generate_report(request, obj, host_view=False):
                    'title': report_title,
                    'host': report_url_resolver(request),
                    'user_id': request.user.id}
-    elif type(obj).__name__ == "QuerySet" or type(obj).__name__ == "CastTaggedQuerySet":
-        findings = ReportFindingFilter(request.GET,
-                                             queryset=prefetch_related_findings_for_report(obj).distinct())
+    elif type(obj).__name__ in ["QuerySet", "CastTaggedQuerySet", "TagulousCastTaggedQuerySet"]:
+        findings = ReportFindingFilter(request.GET, queryset=prefetch_related_findings_for_report(obj).distinct())
         report_name = 'Finding'
         report_type = 'Finding'
         template = 'dojo/finding_pdf_report.html'
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -251,7 +251,7 @@
     DD_DELETE_PREVIEW=(bool, True),
     # List of acceptable file types that can be uploaded to a given object via arbitrary file upload
     DD_FILE_UPLOAD_TYPES=(list, ['.txt', '.pdf', '.json', '.xml', '.csv', '.yml', '.png', '.jpeg',
-                                 '.html', '.sarif', '.xslx', '.doc', '.html', '.js', '.nessus', '.zip']),
+                                 '.sarif', '.xslx', '.doc', '.html', '.js', '.nessus', '.zip']),
     # Max file size for scan added via API in MB
     DD_SCAN_FILE_MAX_SIZE=(int, 100),
     # When disabled, existing user tokens will not be removed but it will not be
@@ -1450,9 +1450,9 @@ def saml2_attrib_map_format(dict):
 if env('DD_JIRA_EXTRA_ISSUE_TYPES') != '':
     if env('DD_JIRA_EXTRA_ISSUE_TYPES').count(',') > 0:
         for extra_type in env('DD_JIRA_EXTRA_ISSUE_TYPES').split(','):
-            JIRA_ISSUE_TYPE_CHOICES_CONFIG += (extra_type, extra_type)
+            JIRA_ISSUE_TYPE_CHOICES_CONFIG += (extra_type, extra_type),
     else:
-        JIRA_ISSUE_TYPE_CHOICES_CONFIG += (env('DD_JIRA_EXTRA_ISSUE_TYPES'), env('DD_JIRA_EXTRA_ISSUE_TYPES'))
+        JIRA_ISSUE_TYPE_CHOICES_CONFIG += (env('DD_JIRA_EXTRA_ISSUE_TYPES'), env('DD_JIRA_EXTRA_ISSUE_TYPES')),
 
 JIRA_SSL_VERIFY = env('DD_JIRA_SSL_VERIFY')
 
diff --git a/dojo/templates/base.html b/dojo/templates/base.html
@@ -27,7 +27,7 @@
         <!-- jQuery -->
         <script src="{% static "jquery/dist/jquery.js" %}"></script>
         <!--  jQuery UI -->
-        <script src="{% static "components-jqueryui/jquery-ui.min.js" %}"></script>
+        <script src="{% static "jquery-ui/dist/jquery-ui.min.js" %}"></script>
         <!-- Bootstrap Core JavaScript -->
         <script src="{% static "bootstrap/dist/js/bootstrap.min.js" %}"></script>
         <!-- Bootstrap Select -->
@@ -80,7 +80,7 @@
 
         {% block add_css %}
         {% endblock %}
-        <link rel="stylesheet" href="{% static "components-jqueryui/themes/flick/jquery-ui.min.css" %}">
+        <link rel="stylesheet" href="{% static "jquery-ui/dist/themes/flick/jquery-ui.min.css" %}">
         <link rel="shortcut icon" href="{% static "dojo/img/favicon.ico" %}"/>
         <link rel="stylesheet" href="{% static "chosen-bootstrap/chosen.bootstrap.min.css" %}">
         <link rel="stylesheet" href="{% static "fullcalendar/dist/fullcalendar.min.css" %}">
diff --git a/dojo/templates/defectDojo-engagement-survey/create_related_question.html b/dojo/templates/defectDojo-engagement-survey/create_related_question.html
@@ -28,7 +28,7 @@
         <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
         <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
     <![endif]-->
-    <link rel="stylesheet" href="{{ STATIC_URL }}jquery-ui/themes/base/jquery-ui.min.css">
+    <link rel="stylesheet" href="{{ STATIC_URL }}jquery-ui/dist/themes/base/jquery-ui.min.css">
     <link rel="shortcut icon" href="{{ STATIC_URL }}dojo/img/favicon.ico"/>
     <link rel="stylesheet" href="{{ STATIC_URL }}fullcalendar/dist/fullcalendar.min.css">
     <link rel="stylesheet" href="{{ STATIC_URL }}dojo/css/dojo.css">
diff --git a/dojo/templates/dojo/add_related.html b/dojo/templates/dojo/add_related.html
@@ -28,7 +28,7 @@
         <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
         <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
     <![endif]-->
-    <link rel="stylesheet" href="{% static "components-jqueryui/themes/base/jquery-ui.min.css" %}">
+    <link rel="stylesheet" href="{% static "jquery-ui/dist/themes/base/jquery-ui.min.css" %}">
     <link rel="shortcut icon" href="{% static "dojo/img/favicon.ico" %}"/>
     <link rel="stylesheet" href="{% static "fullcalendar/dist/fullcalendar.min.css" %}">
     <link rel="stylesheet" href="{% static "chosen-bootstrap/chosen.bootstrap.min.css" %}">
@@ -64,7 +64,7 @@
 <!-- jQuery -->
 <script src="{% static "jquery/dist/jquery.min.js" %}"></script>
 <!--  jQuery UI -->
-<script src="{% static "components-jqueryui/jquery-ui.min.js" %}"></script>
+<script src="{% static "jquery-ui/dist/jquery-ui.min.js" %}"></script>
 <!-- Bootstrap Core JavaScript -->
 <script src="{% static "bootstrap/dist/js/bootstrap.min.js" %}"></script>
 
diff --git a/dojo/templates/dojo/custom_html_report.html b/dojo/templates/dojo/custom_html_report.html
@@ -4,7 +4,7 @@
 <html lang="en">
     <meta charset="UTF-8">
     <title>{{ report_name }}</title>
-    <link href="{% static "bootswatch/readable/bootstrap.min.css" %}" rel="stylesheet">
+    <link href="{% static "bootswatch/dist/yeti/bootstrap.min.css" %}" rel="stylesheet">
     <style type="text/css">
         @import url(https://fonts.googleapis.com/css?family=Roboto+Slab:400,700);
 
diff --git a/dojo/templates/dojo/view_finding.html b/dojo/templates/dojo/view_finding.html
@@ -617,7 +617,7 @@ <h3 class="pull-left finding-title">
                 {% endif %}
                 {% if 'is_finding_groups_enabled'|system_setting_enabled and finding.finding_group %}
                     <td>
-                        {{ finding.finding_group.name }}
+                        <a href="{% url 'view_finding_group' finding.finding_group.id %}" title="{{ finding.finding_group.name }}">{{ finding.finding_group.name }}</a>
                         <i id="push_group_to_jira_{{ finding.finding_group.group.id }}" data-group-id="{{ finding.finding_group.id }}" class="fa-solid fa-share-from-square push_group_to_jira" title="Update JIRA issue with current data from this group of findings."></i>
                     </td>
                 {% endif %}
diff --git a/dojo/templates/report_base.html b/dojo/templates/report_base.html
@@ -4,7 +4,7 @@
 <head>
     <meta charset="UTF-8">
     <title>{{ report_name }}</title>
-    <link href="{% static "bootswatch/readable/bootstrap.min.css" %}" rel="stylesheet">
+    <link href="{% static "bootswatch/dist/yeti/bootstrap.min.css" %}" rel="stylesheet">
 
     <!-- Custom Fonts -->
     <link href="{% static "font-awesome/css/font-awesome.min.css" %}" rel="stylesheet" type="text/css">
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.20.0"
+appVersion: "2.20.1"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.58
+version: 1.6.59
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap
diff --git a/requirements.txt b/requirements.txt
@@ -29,7 +29,7 @@ djangorestframework==3.14.0
 gunicorn==20.1.0
 html2text==2020.1.16
 humanize==4.6.0
-jira==3.4.1
+jira==3.5.0
 PyGithub==1.58.0
 lxml==4.9.2
 Markdown==3.4.1
