Skip to content

Release: Merge back 2.51.1 into dev from: master-into-dev/2.51.1-2.52.0-dev #13422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rossops merged 44 commits into from
Oct 14, 2025
Merged

Release: Merge back 2.51.1 into dev from: master-into-dev/2.51.1-2.52.0-dev #13422

rossops merged 44 commits into from
Oct 14, 2025

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Oct 14, 2025

Release triggered by rossops

valentijnscholten and others added 30 commits October 6, 2025 12:21
@valentijnscholten
order alerts explicitly (#13314)
9dc11ff
Update versions in application files
209010d
@rossops
Merge branch 'bugfix' into master-into-bugfix/2.51.0-2.52.0-dev
f9b0961
@rossops
Merge pull request #13354 from DefectDojo/master-into-bugfix/2.51.0-2…
96fa917 
….52.0-dev

Release: Merge back 2.51.0 into bugfix from: master-into-bugfix/2.51.0-2.52.0-dev
@kiblik
fix(gha): Run Release-Nightly only once a day (#13329)
9d2e906
@dependabot
Bump django from 5.1.12 to 5.1.13 (#13353)
5e7fe2a 
Bumps [django](https://github.com/django/django) from 5.1.12 to 5.1.13.
- [Commits](django/django@5.1.12...5.1.13)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 5.1.13
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@Irfan-Mohd
fix: handle broken endpoints when <startURL> includes a port number i…
7d8b3f9 
…n Acunetix XML parser
@Irfan-Mohd
fix:broken endpoint error in acunetix XML parser with unittests
12ea082
@Irfan-Mohd
all unittests clear for broken endpoint in Acunetix parser
51447c7
@Irfan-Mohd
Fix: resolve ruff linting errors
aba31c7
@Irfan-Mohd
Fix: resolve ruff linting errors
004f492
@Irfan-Mohd
Fix: resolve ruff linting errors
6eba956
@Irfan-Mohd
Fix: resolve ruff linting errors
f548051
@kiblik
feat(helm): Add support for automountServiceAccountToken
4460758
@valentijnscholten
pghistory_backfill: avoid prefetching - dry-run working
f809828
@valentijnscholten
JIRA instance config: improve error handling on open/close status ids (
a02c4e3 
…#13326)
@valentijnscholten
skip duplicates: remove obsolete references (#13327)
9ba01e3
@valentijnscholten
watson middleware: skip logging if no instances updated (#13363)
e13a95c 
* watson middleware: skip logging if no instances updated

* watson middleware: skip logging if no instances updated
@valentijnscholten
finalize
b503b8b
@kiblik
feat(helm): Make release commits more verbose (#13367)
3eb4e36
@kiblik
feat(gha): Help Renovate + Dependabot to update HELM docs (#13366)
f4b53ca
@kiblik
feat(helm): Hint for correct "artifacthub.io/changes" syntax (#13397)
3fca6c1
@valentijnscholten
add new test
9437ce3
@valentijnscholten
supporting changes
1fef56d
@valentijnscholten
progress
4a43381
@valentijnscholten
progress new samples
df65888
@valentijnscholten
somewhat working
2dfe5cf
@valentijnscholten
cleanup
5c1bee5
@valentijnscholten
update tests
64e120b
@valentijnscholten
capture dedupe performance
2eb45b8
valentijnscholten and others added 8 commits October 12, 2025 19:29
@valentijnscholten
add backfill using insert with select from
39b51a1
@rossops
Merge pull request #13375 from kiblik/helm_automountServiceAccountToken
659e136 
feat(helm): Add support for automountServiceAccountToken
@rossops
Merge pull request #13372 from valentijnscholten/dedupe-importers-uni…
d4caea5 
…ttests

add unit tests to test importer deduplication
@rossops
Merge pull request #13371 from Irfan-Mohd/fix/acunetix-broken-endpoint
dbb4950 
fix: handle broken endpoints when <StartURL> includes a port number in Acunetix XML parser
@rossops
Merge pull request #13383 from valentijnscholten/pghistory-backfill-i…
2ae7490 
…mprovements

pghistory improvements: backfill and "empty" changes
Update versions in application files
a1737ee
@rossops
Merge pull request #13421 from DefectDojo/release/2.51.1
cba7d81 
Release: Merge release into master from: release/2.51.1
Update versions in application files
0372b07
@dryrunsecurity
Copy link

dryrunsecurity bot commented Oct 14, 2025
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request includes a sensitive edit to dojo/user/views.py that matches configured-sensitive file patterns, and introduces a command-injection vulnerability in .github/workflows/release-x-manual-helm-chart.yml where the user-controlled workflow_dispatch input release_number is interpolated into a shell run step (git commit -m), allowing arbitrary command execution on the Actions runner.

🔴 Configured Codepaths Edit in dojo/user/views.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Command Injection in .github/workflows/release-x-manual-helm-chart.yml
Vulnerability Command Injection
Description The GitHub Actions workflow release-x-manual-helm-chart.yml is vulnerable to command injection. The inputs.release_number value, which is user-controlled via workflow_dispatch, is directly interpolated into a git commit -m command within a run step. This allows an attacker to inject shell metacharacters and execute arbitrary commands on the GitHub Actions runner.

django-DefectDojo/.github/workflows/release-x-manual-helm-chart.yml

Lines 120 to 121 in e650c0f

git commit -m "Update index.yaml - ${{ inputs.release_number }}"
git push -u origin helm-charts

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@github-actions
Copy link
Contributor Author

github-actions bot commented Oct 14, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Copy link
Contributor Author

github-actions bot commented Oct 14, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions
Copy link
Contributor Author

github-actions bot commented Oct 14, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@rossops rossops merged commit 4d2fe44 into dev Oct 14, 2025
148 of 150 checks passed
@rossops rossops deleted the master-into-dev/2.51.1-2.52.0-dev branch October 14, 2025 18:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

Assignees

No one assigned

Labels

docs helm parser ui unittests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rossops @valentijnscholten @kiblik @Irfan-Mohd