Release 2.46.0: Merge Bugfix into Dev #12385
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
….46.0-dev Release: Merge back 2.45.3 into bugfix from: master-into-bugfix/2.45.3-2.46.0-dev
* most recent note: show date/author * most recent note: show date/author
* Jira Webhooks: Prevent duplicate comments from dojo * Remove excessive logging * Fix ruff
* add tags article * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Cody Maffucci <[email protected]> * fix failing build * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Harold Blankenship <[email protected]> * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Harold Blankenship <[email protected]> * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Harold Blankenship <[email protected]> * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Harold Blankenship <[email protected]> * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Harold Blankenship <[email protected]> * Update docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md Co-authored-by: Harold Blankenship <[email protected]> --------- Co-authored-by: Paul Osinski <[email protected]> Co-authored-by: Cody Maffucci <[email protected]> Co-authored-by: Harold Blankenship <[email protected]>
* Generic Parser: Support Test Type Meta * Recover from a ruff bite * Do not update test name
* view_endpoint fix error * ui tests: add view_endpoint test * ui tests: add view_endpoint test * ui tests: add view_endpoint test * ui tests: add view_endpoint test * ui tests: add view_endpoint test
) * Add input validation (branch to release num) for the release gha * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Resolving merge conflict --------- Co-authored-by: valentijnscholten <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
* Update configure_sso.md * Update configure_sso.md
🔴 Risk threshold exceeded.This pull request introduces several potential risks, including sensitive file edits, dynamic code execution vulnerabilities, potential information disclosure through expanded metadata, and workflow configuration changes that could impact contributor processes, with a notable urllib3 version upgrade and modifications to parsing and comment deduplication logic.
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (7)
| Vulnerability | Potential Dynamic Code Execution Risk |
|---|---|
| Description | Risk in dojo/tools/parser_test.py involving dynamic module loading via importlib.import_module(), which could allow loading arbitrary modules if settings are compromised |
| Vulnerability | Potential Information Disclosure through Expanded Metadata |
|---|---|
| Description | Multiple files with new metadata fields that could expose internal assessment information, tool details, and vulnerability context |
| Vulnerability | Potential Workflow Misconfiguration |
|---|---|
| Description | GitHub workflow configurations that might prevent workflows from running in forked repositories, potentially impacting contributor processes |
| Vulnerability | Potential Dependency Version Change Risk |
|---|---|
| Description | urllib3 major version upgrade from 1.26.20 to 2.4.0 that could introduce compatibility issues or new security considerations |
| Vulnerability | Potential Status Override Risk |
|---|---|
| Description | New reimport functionality in changelog that could allow automatic finding status changes without human verification |
| Vulnerability | Potential Parsing Flexibility Loss |
|---|---|
| Description | Removal of parsing methods in default_reimporter.py that could reduce flexibility in handling different parser types |
| Vulnerability | Potential Duplicate Comment Bypass |
|---|---|
| Description | Modified note deduplication logic in Jira link views that might allow similar comments to be created |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
rossops
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release 2.46.0: Merge Bugfix into Dev