Merge pull request #3712 from DefectDojo/release/1.12.0

Release: Merge release into master from: release/1.12.0

Author: madchap

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -1,6 +1,7 @@
-**Descriptions**
+**Description**
 
-Describe the feature / bug fix implemented by this PR
+Describe the feature / bug fix implemented by this PR.
+If this is a new parser, [the parser guide](../../doc/guide_to_parser_writing.md) may be worth (re)reading.
 
 **Test results**
 
@@ -55,12 +56,12 @@ In case of conflict:
  git rebase --continue
  ```
 
-When everything's fine on your local branch, force push to your `myOrigin` remote: 
+When everything's fine on your local branch, force push to your `myOrigin` remote:
 ```
 git push myOrigin --force-with-lease
 ```
 
-To cancel everything: 
+To cancel everything:
 ```
 git rebase --abort
 ```
@@ -74,7 +75,7 @@ git rebase -i origin/dev
 - Replace `pick` by `reword` on the first commit if you want to change the commit message
 - Save the file and quit your editor
 
-Force push to your `myOrigin` remote: 
+Force push to your `myOrigin` remote:
 ```
 git push myOrigin --force-with-lease
 ```

.github/release-drafter.yml

@@ -34,6 +34,8 @@ categories:
     labels:
       - 'dependencies'
       - 'maintenance'
+exclude-labels:
+  - 'skip-changelog'      
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
 template: |
   ## Changes since $PREVIOUS_TAG

.github/workflows/cancel-outdated-workflow-runs.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@0.6.0
+      - uses: styfle/cancel-workflow-action@0.7.0
         with:
           workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml'
           access_token: ${{ github.token }}

.github/workflows/release-drafter.yml

@@ -2,6 +2,13 @@ name: Release Drafter
 
 on:
   workflow_dispatch:
+    inputs:
+      version:
+        description: |
+          The version to be associated with the GitHub release that's created or updated.
+          This will override any version calculated by the release-drafter.
+        required: false
+
   push:
     # branches to consider in the event; optional, defaults to all
     branches:
@@ -13,5 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/[email protected]
+        with:
+          version: ${{github.event.inputs.version}}  
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

BRANCHING-MODEL.md

@@ -1,18 +1,18 @@
 # Introduction
-This section describes
-- how branches are handled
-- defectdojo release cycle
+The DefectDojo team aims to release at least once a month, on the last Tuesday.
+Bugfix or security releases can come at any time.
 
-Please be careful to submit your pull requests to the correct branch: 
-- bugfix: latest  "release/a.b.x" branch (+ merge using a separate PR against the dev branch)
-- evolutions: dev branch
+In doubt, GitHub Actions are the source of truth. The releases are semi-automated right now, with a DefectDojo maintainer proceeding with each major step in the release. The steps for a regular release are:
+1. Create the release branch from `dev` and prepare a PR against `master` ([Details](.github/workflows/new-release-pr.yml))
+--> A maintainer verifies and manually merges the PR
+2. Tag, issue draft release and docker build+push ([Details](.github/workflows/new-release-tag-docker.yml))
+--> A maintainer massages the release-drafter notes and publishes the release
+3. A PR to merge `master` back to `dev` is created to re-align the branches ([details](.github/workflows/new-release-master-into-dev.yml))
 
-If in doubt please use dev branch.
+# Security releases
+PRs that relate to security issues are done through [Security advisories](https://github.com/DefectDojo/django-DefectDojo/security/advisories) which provide a way to work privately on code without prematurely disclosing vulnerabilities.
 
 # Release and hotfix model
 ![Schemas](doc/branching_model.png)
 
-
-Diagrams created with https://www.planttext.com/
-
-This model is inspired by https://nvie.com/posts/a-successful-git-branching-model/ with the feature branch being made in each contributor repository.
+Diagrams created with [plantUML](https://plantuml.com). Find a web-based editor for PlantUML at https://www.planttext.com.

CONTRIBUTING.md

@@ -12,6 +12,10 @@ Bugs that do not have this information will be closed.
 
 Here are a few things to keep in mind when making changes to DefectDojo.
 
+## Writing a new parser
+
+Please see [this file](doc/guide_to_parser_writing.md) for guidance on how to write a parser.
+
 ## Modifying DefectDojo and Testing
 
 Please use [these test scripts](./tests) to test your changes. These are the scripts we run in our [integration tests](DOCKER.md#run-the-tests-with-docker).

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "DefectDojo",
-  "version": "1.11.1",
+  "version": "1.12.0",
   "dependencies": {
     "JUMFlot": "jumjum123/JUMFlot#*",
     "bootstrap": "^3.4.0",
@@ -35,7 +35,7 @@
     "metismenu": "~3.0.6",
     "moment": "^2.29.1",
     "morris.js": "morrisjs/morris.js",
-    "pdfmake": "^0.1.69",
+    "pdfmake": "^0.1.70",
     "startbootstrap-sb-admin-2": "1.0.7"
   },
   "engines": {

components/yarn.lock

@@ -828,10 +828,10 @@ pdfkit@>=0.8.1, pdfkit@^0.11.0:
     linebreak "^1.0.2"
     png-js "^1.0.0"
 
-pdfmake@^0.1.69:
-  version "0.1.69"
-  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.1.69.tgz#e4c6dcc9b058ab7a639061e295518a8fd196097d"
-  integrity sha512-XGMtTpbgEwXsa9DcuKhMowOPVJ+8cnGuJz7LV/bE5pnMmxBXAlMGgidQVyEfEUPFywCU2Y/4xibeX1vEm0hd7g==
+pdfmake@^0.1.70:
+  version "0.1.70"
+  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.1.70.tgz#b5102799deef264defa675dbb2dbf12ad49a9bae"
+  integrity sha512-xPhkblaQ71U97qhRTPj/1HknAHHFZ3cPRmRdrqEWD2xXBcEjEM3Yw0MIjML8DRy9Dt9n6QRjHVf662f0eLtd7Q==
   dependencies:
     iconv-lite "^0.6.2"
     linebreak "^1.0.2"

doc/branching_model.puml

@@ -1,95 +1,46 @@
 @startuml
 !pragma teoz true
 
-== Initial release ==
+== Monthly release ==
 participant "Dev branch" as devbranch order 10 #LightBlue
 participant "Release branch" as rlsbranch order 20 #YellowGreen
 participant "Master branch" as master order 30 #99FF99
-participant "Maintainance branch" as maintainbranch order 40 #YellowGreen
-participant "Hotfix branch" as hotbranch order 40 #DarkSalmon
+'participant "Maintenance branch" as maintainbranch order 40 #YellowGreen
 
 {startrc} devbranch -> rlsbranch ++ #YellowGreen: Create branch "release/1.0.0"
 
-
-note left of devbranch
-  Evolutions
-end note
-
-
-note right of rlsbranch
-  Bug fixes
-end note
-
-rlsbranch --> devbranch: Contributors merge bug fixes using a separate PR
-
-
-
 rlsbranch -> master: Merge
 note right of master
     Official release
     - Tag "1.0.0"
     - Push "1.0.0" to DockerHub
 end note
 
-== Release maintainance ==
-master -> maintainbranch ++ #YellowGreen: Create branch "release/1.0.x"
-
-note right of maintainbranch
-  Bug fixes
-end note
-
-maintainbranch --> devbranch: Contributors merge bug fixes using a separate PR
+master --> devbranch: Merge master back to dev to re-align
 
+... ...
 
-maintainbranch -> master: Merge
-note right of master
+== Maintenance/security releases ==
+master -> rlsbranch ++ #YellowGreen: Create branch "release/1.0.x"
+note left of rlsbranch
     Official release
     - Tag "1.0.1"
     - Push "1.0.1" to DockerHub
 end note
+rlsbranch -> master: Merge
+master --> devbranch: Merge
 
-maintainbranch --> devbranch: Contributors merge bug fixes using a separate PR
+... ...
 
-maintainbranch -> master: Merge
-note right of master
+master -> rlsbranch ++ #YellowGreen: Create branch "release/1.0.x"
+note left of rlsbranch
     Official release
     - Tag "1.0.2"
     - Push "1.0.2" to DockerHub
 end note
-
-== Hotfix ==
-
-master -> hotbranch ++ #DarkSalmon: Create short-lived fix branch "hotfix/1.0.3"
-note left
-If in need of an urgent fix 
-and PR have already been merged to release/1.0.x
-since 1.0.2 release
-end note
-
-note right of hotbranch
-    Severe bug
-    to be corrected
-end note
-
-hotbranch -> maintainbranch: Merge
-hotbranch -> devbranch --: Merge (Optional)
-hotbranch -> master --: Merge
-note right of master
-    Official release
-    - Tag "1.0.3"
-    - Push "1.0.3" to DockerHub
-end note
-
-== Next release ==
-{endrc} devbranch -> rlsbranch: Create branch\n "release/1.1.0"
-note left of devbranch
-  Or release/2.0.0 in case of
-  major breaking change
-end note
-
+rlsbranch -> master: Merge
+master --> devbranch: Merge
 
 ... ...
-{startrc} <-> {endrc}: \n4-8 weeks
-
 
-@enduml
+@enduml

doc/guide_to_parser_writing.md

@@ -0,0 +1,92 @@
+# How to write a DefectDojo parser
+
+> All commands assume that you're located at the root of the django-DefectDojo cloned repo.
+
+## Pre-requisites
+- You have forked https://github.com/DefectDojo/django-DefectDojo and cloned locally.
+- Checkout `dev` and make sure you're up to date with the latest changes.
+- It's advised that you create a dedicated branch for your development, such as `git checkout -b parser-name` yet that's up to you.
+
+It is probably easier to use the docker-compose stack (and benefit from the hot-reload capbility for uWSGI).
+Set up your environment to use the dev or ptvsd environment, such as:
+
+`$ docker/setEnv.sh dev`
+or
+`$ docker/setEnv.sh ptvsd` (allows to set breakpoints in uWSGI)
+
+Please have a look at [DOCKER.md](../DOCKER.md) for more details.
+
+### docker images
+You'd want to build your docker images locally, and eventually pass in your local user's `uid` to be able to write to the image (handy for database migration files). Assuming your user's `uid` is `1000`, then:
+
+`$ docker-compose build --build-arg uid=1000`
+
+## Which files do you need to modify?
+
+| File                                          | Purpose
+|-------                                        |--------
+|`dojo/fixtures/test_type.json`                 | Django fixture for the type of scan. Take the next available integer if you intend to push upstream. If you're planning to use only in your own fork, you could jump ahead by 1000 to avoid any potential conflicts.
+|`dojo/templates/dojo/import_scan_results.html` | Add the scan to the array presented in the drop-down box
+|`dojo/tools/<parser_dir>/__init__.py`          | Empty file for class initialization
+|`dojo/tools/<parser_dir>/parser.py`            | The meat. This is where you write your actual parser
+|`dojo/unittests/scans/<parser_dir>/{many_vulns,no_vuln,one_vuln}.json` | Sample files containing meaningful data for unit tests. The minimal set.
+|`dojo/unittests/test_<parser_dir>_parser.py`   | The unittest class, holding unit tests definitions
+|`dojo/tools/factory.py`                        | Import there your new parser class and add it to the long "if/else" statement
+
+## Things to pay attention to
+
+Parsers may have many fields, out of which many of them may be optional.
+
+Always make sure you include checks to avoid potential `KeyError` errors (e.g. field does not exist), for those fields you are not absolutely certain will always be in file that will get uploaded. These translate to 500 error, and do not look good.
+
+## Unit tests
+
+Each parser must have unit tests, at least to test for 0 vuln, 1 vuln and many vulns. You can take a look at how other parsers have them for starters. The more quality tests, the better.
+
+### Test database
+To test your unit tests locally, you first need to grant some rights. Get your MySQL root password from the docker-compose logs, login as root and issue the following commands:
+
+```
+MYSQL> grant all privileges on test_defectdojo.* to defectdojo@'%';
+MYSQL> flush privileges;
+```
+
+### Run your tests
+
+This local command will launch the unit test for your new parser
+
+`$ docker-compose exec uwsgi bash -c 'python manage.py test dojo.unittests.<your_unittest_py_file>.<main_class_name> -v2'`
+
+Example for the blackduck hub parser:
+
+`$ docker-compose exec uwsgi bash -c 'python manage.py test dojo.unittests.test_blackduck_csv_parser.TestBlackduckHubParser -v2'`
+
+> If you want to run all unit tests, simply run `$ docker-compose exec uwsgi bash -c 'python manage.py test dojo.unittests -v2'`
+
+## Other files that could be involved
+
+### Change to the model
+In the event where you'd have to change the model, e.g. to increase a database column size to accomodate a longer string of data to be saved
+* Change what you need in `dojo/models.py`
+* Create a new migration file in dojo/db_migrations by running and including as part of your PR
+
+    `$ docker-compose exec uwsgi bash -c 'python manage.py makemigrations -v2'`
+
+### Accept a different type of file to upload
+If you want to be able to accept a new type of file for your parser, take a look at `dojo/forms.py` around line 436 (at the time of this writing) or locate the 2 places (for import and re-import) where you find the string `attrs={"accept":`.
+
+Formats currently accepted: .xml, .csv, .nessus, .json, .html, .js, .zip.
+
+### A need for more than just the parser.py
+
+Of course, nothing prevents you from having more files than the `parser.py` file. It's python :-)
+
+## Example PRs
+
+If you want to take a look at previous parsers that are now part of DefectDojo, take a look at https://github.com/DefectDojo/django-DefectDojo/pulls?q=is%3Apr+label%3A%22import+scans%22+
+
+## Update the readthedocs documentation
+
+The DefectDojo official documentation lives in another repository, https://github.com/DefectDojo/documentation
+
+Please update the `docs/integration.rst` with the details of your new parser and create a PR in that repo. Reference the PR in the main DefectDojo repository to establish an automatic link between the two.