Merge pull request #2704 from DefectDojo/release/1.7.0

Release/1.7.0

.github/ISSUE_TEMPLATE/bug_report.md

@@ -27,7 +27,7 @@ A clear and concise description of what you expected to happen.
 
 **Environment information**
  - Operating System: [e.g. Ubuntu 18.04]
- - DefectDojo Commit Message: [use `git show -s --format="%h: %s [%ci]"`]
+ - DefectDojo Commit Message: [use `git show -s --format="[%ci] %h: %s [%d]"`]
 
 **Sample scan files** (optional)
 If applicable, add sample scan files to help reproduce your problem.

.travis.yml

@@ -10,8 +10,7 @@ env:
     - CHANGE_MINIKUBE_NONE_USER=true
   matrix:
     - TEST=flake8
-    - TEST=integration_tests
-    - TEST=docker
+    - TEST=docker_integration_tests
     - BROKER=rabbitmq DATABASE=mysql
     - BROKER=rabbitmq DATABASE=postgresql
     - BROKER=redis DATABASE=mysql

BRANCHING-MODEL.md

@@ -3,24 +3,20 @@ This section describes
 - how branches are handled
 - defectdojo release cycle
 
-Please be careful to submit your pull requests to the correct branch: 
-- bugfix: latest release branch
-- evolutions: dev branch
-
-If in doubt please use dev branch.
-
 # Release and hotfix model
 ![Schemas](doc/branching_model.png)
 ## Releasing
-- Start an x.y.0 release branch off dev branch
-- Commit only bug fixes onto this branch (and merge those fixes back to dev)
+- Start a release/x.y.0 release branch off dev branch
+- Commit only bug fixes from `dev` branch onto this branch
 - Dev branch keeps living with further evolutions
-- Every 4-8 weeks, merge the release branch to master and tag: this is when the new release is out: x.(y+1).z
+- Every 4-8 weeks, merge the release branch to master and tag x.y.0: this is when the new release is out: x.(y+1).0
 
 # Issuing a hotfix
-- In case of major issue found after releasing, issue a hotfix branch (first is x.y.1) which is merged to master, dev, and the next release branch
+- In case of major issue found after releasing, and fixed in `dev`:
+  - Issue a hotfix branch (first is x.y.1) holding this fix
+  - Merge to `master` and the next release branch
 
 
-(Schemes created with https://www.planttext.com/)
+Diagrams created with https://www.planttext.com
 
-(This model is inspired by https://nvie.com/posts/a-successful-git-branching-model/ but without feature branches.)
+This model is close to gitflow https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow, https://nvie.com/posts/a-successful-git-branching-model/ with the feature branch being made in each contributor repository.

CONTRIBUTING.md

@@ -60,3 +60,5 @@ DefectDojo.
 [setup_bash]: /setup.bash "Bash setup script"
 [pep8]: https://www.python.org/dev/peps/pep-0008/ "PEP8"
 [flake8 built-in commit hooks]: https://flake8.pycqa.org/en/latest/user/using-hooks.html#built-in-hook-integration
+
+

DOCKER.md

@@ -10,8 +10,7 @@ It is one of the supported [Default installation](setup/README.md) methods.
 *  Proxies
     *  If you're behind a corporate proxy check https://docs.docker.com/network/proxy/ . 
 *  Known issues
-    * finding images do not work with docker-compose yet. Making them work in release mode requires additional configuration, some of which will arrive in 1.7.0
-
+    * finding images only work in `dev` and `ptvsd` mode. Making them work in `release` mode requires modifications to the docker-compose configuration.
 
 # Setup via Docker Compose - introduction
 
@@ -71,6 +70,7 @@ For development, use:
 ```zsh
 cp dojo/settings/settings.dist.py dojo/settings/settings.py
 docker/setEnv.sh dev
+docker-compose build
 docker-compose up
 ```
 
@@ -155,6 +155,15 @@ docker-compose logs initializer | grep "Admin password:"
 
 Make sure you write down the first password generated as you'll need it when re-starting the application.
 
+# Option to change the password 
+* If you dont have admin password use the below command to change the password. 
+* After starting the container and open another tab in the same folder.  
+* django-defectdojo_uwsgi_1 -- name obtained from running containers using ```zsh docker ps ``` command
+
+```zsh
+docker exec -it django-defectdojo_uwsgi_1 ./manage.py changepassword admin
+```
+
 # Exploitation, versioning
 ## Disable the database initialization
 The initializer container can be disabled by exporting: `export DD_INITIALIZE=false`. 

Dockerfile.django

@@ -4,16 +4,16 @@
 # The code for the build image should be idendical with the code in
 # Dockerfile.nginx to use the caching mechanism of Docker.
 
-# Using 3.5.7 to avoid compatibility issues that may be introduced by python 3.6 and 3.7.
-# Please upgrade before end-of-life in september 2020!
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.5.9-buster@sha256:1baef6be00b82fbd77f1b60ab227a1dbede6f23825ce1b7f1e9c6f7d1469a45c as build
+FROM python:3.6.11-slim-buster@sha256:9111ff37d96bdcd84bcac261951ac410ee276144eb8a02f06e5907ff4ff2ffea as build
 WORKDIR /app
 RUN \
   apt-get -y update && \
   apt-get -y install \
+    build-essential \
     dnsutils \
     default-mysql-client \
+    libmariadb-dev-compat \
     postgresql-client \
     xmlsec1 \
     git \
@@ -24,7 +24,7 @@ RUN \
 COPY requirements.txt ./
 RUN pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
 
-FROM python:3.5.9-slim-buster@sha256:dfb042910e4ef352b5c6aa223031ce768f53f4f1aacf95936152e5508162bcb0
+FROM python:3.6.11-slim-buster@sha256:9111ff37d96bdcd84bcac261951ac410ee276144eb8a02f06e5907ff4ff2ffea
 WORKDIR /app
 RUN \
   apt-get -y update && \
@@ -72,7 +72,7 @@ RUN \
   cp dojo/settings/settings.dist.py dojo/settings/settings.py
 COPY tests/ ./tests/
 RUN \
-  mkdir dojo/migrations && \
+  mkdir -p dojo/migrations && \
   chmod g=u dojo/migrations && \
   chmod g=u /var/run && \
   true

Dockerfile.integration-tests

@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM python:3.5.9-slim-buster@sha256:8068eec6231ae9b097b296068ba4ed0da08eff5f8a4b44c585d25afaea9e8b33 as build
+FROM python:3.6.11-slim-buster@sha256:9111ff37d96bdcd84bcac261951ac410ee276144eb8a02f06e5907ff4ff2ffea as build
 WORKDIR /app
 RUN \
   apt-get -y update && \

Dockerfile.nginx

@@ -3,13 +3,15 @@
 # The code for the build image should be idendical with the code in
 # Dockerfile.django to use the caching mechanism of Docker.
 
-FROM python:3.5.9-buster@sha256:1baef6be00b82fbd77f1b60ab227a1dbede6f23825ce1b7f1e9c6f7d1469a45c as build
+FROM python:3.6.11-slim-buster@sha256:9111ff37d96bdcd84bcac261951ac410ee276144eb8a02f06e5907ff4ff2ffea as build
 WORKDIR /app
 RUN \
   apt-get -y update && \
   apt-get -y install \
+    build-essential \
     dnsutils \
     default-mysql-client \
+    libmariadb-dev-compat \
     postgresql-client \
     xmlsec1 \
     git \
@@ -29,7 +31,7 @@ ENV \
   node="nodejs"
 RUN \
   apt-get -y update && \
-  apt-get -y install apt-transport-https ca-certificates && \
+  apt-get -y install apt-transport-https ca-certificates curl wget && \
   curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add --no-tty - && \
   curl -sL https://deb.nodesource.com/setup_12.x | bash - && \
   curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
@@ -62,14 +64,12 @@ RUN \
   python3 manage.py collectstatic --noinput && \
   true
 
-FROM nginx:1.17.9@sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266
+FROM nginx:1.19.1-alpine@sha256:966f134cf5ddeb12a56ede0f40fff754c0c0a749182295125f01a83957391d84
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
 COPY wsgi_params nginx/nginx.conf nginx/nginx_TLS.conf /etc/nginx/
 COPY docker/entrypoint-nginx.sh /
 RUN \
-  apt-get -y update && \
-  apt-get -y install openssl && \
-  apt-get clean && \
+  apk add --no-cache openssl && \
   chmod -R g=u /var/cache/nginx && \
   chmod -R g=u /var/run && \
   mkdir -p /etc/nginx/ssl && \

MAINTAINERS.md

@@ -1,21 +1,36 @@
-## Maintainer Responsibilities
+## Maintainer responsibilities
 
-* Maintainers regularly attend quarterly project meetings.
+* Maintainers regularly attend monthly project meetings on the first Tuesday, and maintainers "office hours" on the third Tuesday of every month.
+* Participate in the #defectdojo and #defectdojo-dev channels regularly.
+* Reviews pull requests.
 * Volunteer for and willingly accept assignments and complete them thoroughly and on time.
 * Stay informed about project matters.
 * Prepare themselves well for meetings.
 * Build a collegial working relationship that contributes to consensus.
-* Is an active participant in the project’s annual evaluating and planning efforts.
-* Reviews pull requests within two weeks if requested.
-
-## Becoming a Maintainer
 
+## Becoming a maintainer
 New maintainers are selected by consensus from the current group of maintainers on an invite-only basis.
 
-## Current Maintainers
+## Stop being a maintainer
+Maintainership is not a necesarily a lifetime subscription. Maintainers can withdraw at any time.
+
+Furthermore, maintainers that have not had any activities (commits, PR, PR reviews, no meeting attendance) in:
+- 3 months: Current maintainers will attempt a contact.
+- 6 months: If no sign of life, will be automatically removed from maintainers groups.
 
-Greg Anderson
+## Current maintainers
+### OWASP Project Leaders:
+* Greg Anderson (@devGregA)
+* Aaron Weaver (@aaronweaver)
+* Matt Tesauro (@mtesauro)
 
-Aaron Weaver
+### Core Maintainers
+* Valentijn Scholten (@valentijnscholten)
+* Fred Blaise (@madchap)
+* Cody Maffucci (@Maffooch)
 
-Matt Tesauro
+### Maintainers
+* Anthony Pipia (@apipia)
+* Saurabh (@dr3dd589)
+* Jannik Jürgens (@alles-klar)
+* Pascal Trovatelli (@ptrovatelli)

PULL_REQUEST_TEMPLATE.md

@@ -1,28 +1,30 @@
 This template is for your information. Please clear everything when submitting your pull request.
 
-**Note: DefectDojo is now on Python3.5 and Django 2.2.x Please submit your pull requests to the 'dev' branch as the 'legacy-python2.7' branch is only for bug fixes. Any new features submitted to the legacy branch will be ignored and closed.**
+**Note: DefectDojo is now on Python3.6 and Django 2.2.x. Please submit your pull requests to the 'dev' branch as the 'legacy-python2.7' branch is only for bug fixes. Any new features submitted to the legacy branch will be ignored and closed.**
 
 When submitting a pull request, please make sure you have completed the following checklist:
 
+- [ ] Give a meaninful name to your PR, as it may end up being used in the release notes.
 - [ ] Your code is flake8 compliant.
-- [ ] Your code is python 3.5 compliant (specific python >=3.6 syntax is currently not accepted).
+- [ ] Your code is python 3.6 compliant (specific python >3.6 syntax is currently not accepted).
 - [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the ReadTheDocs documentation folder. https://github.com/DefectDojo/Documentation/tree/master/docs or provide feature documentation in the PR.
 - [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.
 - [ ] Add applicable tests to the unit tests.
 - [ ] Add the proper label to categorize your PR.
 
 
-Current accepted labels for PRs:
+Moderators: Labels currently accepted for PRs:
 - Import Scans (for new scanners/importers)
 - enhancement
 - performance
 - feature
 - bugfix
 - maintenance (a.k.a chores)
 - dependencies
-- New Migration
+- New Migration (when the PR introduces a DB migration)
+- settings_changes (when the PR introduces changes or new settings in settings.dist.py)
 
-# Git Tips
+# Contributors: Git Tips
 ## Rebase on dev branch
 If the dev branch has changed since you started working on it, please rebase your work after the current dev.
 

README.md

@@ -151,6 +151,7 @@ Proceeds are used for testing, infrastructure, etc.
 [![SDA-SE](https://raw.githubusercontent.com/DefectDojo/Documentation/master/doc/img/sda-se-logo.png)](https://sda-se.com/)
 [![Signal-Iduna](https://raw.githubusercontent.com/DefectDojo/Documentation/master/doc/img/signal-iduna.png)](https://signal-iduna.de/)
 [![WSO2](https://raw.githubusercontent.com/DefectDojo/Documentation/master/doc/img/wso2-logo-for-screen.png)](https://wso2.com/)
+[![CloudBees](https://raw.githubusercontent.com/DefectDojo/Documentation/master/doc/img/cloudbees-logo.png)](https://cloudbees.com/)
 
 Interested in becoming a sponsor and having your logo displayed? Please review
 our [sponsorship information](SPONSORING.md) or email greg.anderson@owasp.org

SECURITY.md

@@ -2,11 +2,15 @@
 
 No technology is perfect, and OWASP DefectDojo believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
 
-## Disclosure Policy
+## Disclosure Policy and Process
 
-* Let us know by submitting the finding through HackerOne's [disclosure submission program](https://hackerone.com/defectdojo/reports/new) as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
-* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
-* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
+* Let us know by submitting the finding through HackerOne's [disclosure submission program](https://hackerone.com/defectdojo/reports/new) as soon as possible upon discovery of a potential security issue.
+* Once we've assessed your HackerOne report, a maintainer will create a GitHub "security advisory", which basically will allow the reporter and the DefectDojo team to work on the issue in a confidential manner, to avoid any premature disclosure. We will invite you as a collaborator to it and any needed trusted persons.
+* That "security advisory" will also allow us to have a temporary private fork, to work on the fix in confidentiality.
+* Once a fix is ready, we will coordonate a release.
+* If you've contributed the fix, you will be credited for it.
+
+> Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
 
 ## Exclusions
 

components/package.json

@@ -7,14 +7,16 @@
     "bootswatch": "3.4.1",
     "chosen": "harvesthq/bower-chosen#~1.4.0",
     "chosen-bootstrap": "dbtek/chosen-bootstrap#~1.1.0",
+    "clipboard": "^2.0.6",
     "components-jqueryui": "^1.0.0",
     "datatables": "1.10.18",
     "drmonty-datatables-plugins": "^1.0.0",
     "drmonty-datatables-responsive": "^1.0.0",
+    "easymde": "^2.11.0",
     "flot": "flot/flot#~0.8.3",
     "flot-axis": "markrcote/flot-axislabels#*",
     "font-awesome": "^4.0.0",
-    "fullcalendar": "^3.0.0",
+    "fullcalendar": "^3.10.2",
     "google-code-prettify": "^1.0.0",
     "jquery": "^3.4.0",
     "jquery-highlight": "3.5.0",
@@ -23,9 +25,8 @@
     "jquery.hotkeys": "jeresig/jquery.hotkeys#master",
     "justgage": "^1.3.0",
     "metismenu": "~3.0.6",
-    "moment": "^2.0.0",
+    "moment": "^2.27.0",
     "morris.js": "morrisjs/morris.js",
-    "simplemde": "^1.0.0",
     "startbootstrap-sb-admin-2": "1.0.7"
   },
   "engines": {