Release: Merge release into master from: release/2.36.1

[github-actions]

Release triggered by blakeaowens

[dryrunsecurity]

DryRun Security Summary

The pull request covers a wide range of updates to the DefectDojo application, with a focus on improving the security and access control mechanisms, including enhancements to the GitHub Actions workflow, dependency updates, improvements to the unit test execution, integration of LDAP authentication, and numerous changes to the application's API and authorization mechanisms.

Expand for full summary

Summary:

The changes in this pull request cover a wide range of updates to the DefectDojo application, with a focus on improving the security and access control mechanisms. The key changes include:

1. Enhancements to the GitHub Actions workflow, such as removing the pull_request_target trigger and simplifying the Checkout step, which improves the overall security posture of the application.
2. Dependency updates, including version bumps and specific version pinning, which help maintain the application's security and functionality.
3. Improvements to the unit test execution, including the addition of options like --failfast, --shuffle, and --parallel, which can help identify and fix issues more efficiently.
4. Integration of LDAP authentication, which can provide centralized user management and improved access control capabilities.
5. Numerous changes to the application's API, including the introduction of fine-grained permissions, prefetching, and metadata management, which enhance the overall security and functionality of the API.
6. Optimizations and enhancements to various queries and authorization mechanisms throughout the codebase, ensuring that users can only access the data and functionality they are authorized to use.

Overall, the changes in this pull request appear to be focused on improving the security, maintainability, and performance of the DefectDojo application, which is a positive step from an application security perspective.

Files Changed:

• .github/workflows/ruff.yml: The changes remove the pull_request_target trigger and simplify the Checkout step, improving the overall security of the GitHub Actions workflow.
• components/package.json: The dependency updates, including version bumps and specific version pinning, help maintain the application's security and functionality.
• .github/renovate.json: The changes to the Renovate configuration, such as expanding the ignorePaths and adding ignoreDeps, help manage dependencies in a secure manner.
• docker/entrypoint-unit-tests-devDocker.sh and docker/entrypoint-unit-tests.sh: The changes to the unit test execution, including the addition of options like --failfast, --shuffle, and --parallel, can help improve the efficiency and reliability of the test suite.
• docker-compose.override.unit_tests_cicd.yml and docker-compose.override.unit_tests.yml: The changes to the Docker Compose configurations ensure that the test environment is properly secured and configured.
• docs/config.dev.toml and docs/config.master.toml: The changes disable the automatic language guessing for syntax highlighting, which helps prevent potential code injection vulnerabilities.
• docs/content/en/getting_started/upgrading/2.36.md: The changes provide guidance on upgrading the underlying database to a compatible version, ensuring that the application can be securely deployed.
• docs/content/en/integrations/parsers/file/veracode.md and docs/content/en/integrations/parsers/file/fortify.md: The documentation updates improve the handling and parsing of security scan data from third-party tools.
• docs/content/en/integrations/ldap-authentication.md and docs/content/en/integrations/social-authentication.md: The changes related to LDAP and social authentication integration enhance the application's security and access control capabilities.
• dojo/__init__.py: The version update is a routine change and does not introduce any significant security concerns.
• docs/content/en/usage/productgrading.md: The changes to the product health grading system documentation do not introduce any security risks, but the implementation of the grading system should be reviewed periodically.
• Various files in the dojo/ directory: The changes to the authorization and access control mechanisms throughout the codebase, including the handling of findings, engagements, groups, product types, and other entities, are focused on improving the overall security and maintainability of the application.

Code Analysis

We ran 7 analyzers against 30 files and 3 analyzers had findings. 4 analyzers had no findings.

Analyzer	Findings
Configured Codepaths Analyzer	1 finding
Sensitive Files Analyzer	1 finding
Authn/Authz Analyzer	52 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

[sonarcloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud