
Release: Merge back 2.55.1 into dev from: master-into-dev/2.55.1-2.56.0-dev #14250

Merged
Maffooch merged 11 commits into dev from master-into-dev/2.55.1-2.56.0-dev
Feb 5, 2026
Conversation

github-actions bot (Contributor) commented Feb 5, 2026

Release triggered by Maffooch

DefectDojo release bot and others added 10 commits February 3, 2026 00:14
….56.0-dev

Release: Merge back 2.55.0 into bugfix from: master-into-bugfix/2.55.0-2.56.0-dev
* update robots.txt for indexing

* add audience content to algolia indexing

* add cache refresh for release notes version
Bumps [django](https://github.com/django/django) from 5.2.9 to 5.2.11.
- [Commits](django/django@5.2.9...5.2.11)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 5.2.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Set last reviewed date and reviewer for finding

Update finding's last reviewed date and reviewer to maintain parity with UI behaviors

* Apply suggestion from @Maffooch

* Set last reviewed date and author for finding

Update finding with last reviewed date and author.

* Apply suggestions from code review

* Apply suggestion from @Maffooch

---------

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Hardened build_count_subquery to explicitly clear ordering and order by
group_field before slicing. This prevents Django from adding implicit
ORDER BY <pk> which causes GROUP BY to collapse counts to 1.

Also updated prefetch_for_product_type to use the hardened helper instead
of a local Subquery with the same vulnerability.

Added unit tests to verify the fixes work correctly.

Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
Release: Merge release into master from: release/2.55.1
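The build_count_subquery commit above describes a Django ORM pitfall: when a model's default ordering (or an implicit ORDER BY <pk>) survives into an aggregating subquery, Django folds those ordering columns into the GROUP BY, so every group is a single row and each count collapses to 1. The block below is an added example, not DefectDojo code: it reproduces the two SQL shapes on an in-memory SQLite table with constructed rows. The table, column names and the functions counts_with_pk_in_group_by / counts_grouped_by_field_only are illustrative assumptions; the point is the difference between GROUP BY product_type, id and GROUP BY product_type.

```python
"""Added example (not project code): reproduce the GROUP BY collapse that
the build_count_subquery commit message describes, using plain SQL on SQLite.

Assumption (labelled): Django adds ORDER BY columns to the GROUP BY of an
aggregate query, so a leaked ORDER BY <pk> yields GROUP BY group_field, id.
"""
import sqlite3

# Constructed sample data: five findings across two product types.
SAMPLE_ROWS = [
    (1, "pt-a"), (2, "pt-a"), (3, "pt-a"),
    (4, "pt-b"), (5, "pt-b"),
]


def _connect():
    """Build an in-memory table shaped like a minimal finding table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE finding (id INTEGER PRIMARY KEY, product_type TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO finding VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def counts_with_pk_in_group_by():
    """The broken shape: the pk ordering column has leaked into GROUP BY.

    Every (product_type, id) pair is unique, so each group holds exactly one
    row and COUNT(*) is 1 for all of them, which is the collapse described.
    """
    conn = _connect()
    rows = conn.execute(
        "SELECT product_type, COUNT(*) FROM finding "
        "GROUP BY product_type, id ORDER BY product_type, id"
    ).fetchall()
    conn.close()
    return rows


def counts_grouped_by_field_only():
    """The hardened shape: ordering cleared, then ordered by the group field only.

    GROUP BY contains just product_type, so counts reflect the real totals.
    """
    conn = _connect()
    rows = conn.execute(
        "SELECT product_type, COUNT(*) FROM finding "
        "GROUP BY product_type ORDER BY product_type"
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print("collapsed:", counts_with_pk_in_group_by())
    print("correct:  ", counts_grouped_by_field_only())
```

Run it with `python3 group_by_collapse.py`: the first line prints five rows with a count of 1 each, the second prints pt-a with 3 and pt-b with 2. In Django terms the fix is the one the commit message names: call order_by() to clear the inherited ordering, then order by the group field, before slicing the subquery.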
dryrunsecurity bot commented Feb 5, 2026

DryRun Security

🔴 Risk threshold exceeded.

This pull request introduces changes to dojo/jira_link/views.py that automatically mark findings as reviewed (setting last_reviewed and last_reviewed_by to a generic 'JIRA' user) when comments are imported from JIRA, allowing any user who can comment on the linked JIRA issue to alter review status and potentially bypass security review controls. Additionally, the scanner flagged this file as a sensitive edit that may require special path/author configuration in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/jira_link/views.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Authorization Bypass in dojo/jira_link/views.py
Vulnerability: Authorization Bypass
Description: The function check_for_and_create_comment in dojo/jira_link/views.py is updated to automatically set a finding's last_reviewed and last_reviewed_by status whenever a comment is imported from JIRA. This action is triggered by any user who can comment on the linked JIRA issue, regardless of whether they have security review permissions in DefectDojo. Furthermore, the last_reviewed_by field is set to a generic 'JIRA' user, which obscures accountability. Since the last_reviewed field is used for filtering findings and compliance tracking, this allows unauthorized actors to manipulate the security review status, potentially hiding stale or unreviewed findings from security oversight.

finding.last_reviewed = new_note.date
finding.last_reviewed_by = author
# Only update the timestamp fields, not other fields like 'active' to avoid
# race conditions with concurrent webhook events (e.g. issue_updated)

We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch merged commit 43b9dac into dev Feb 5, 2026
150 checks passed
@Maffooch Maffooch deleted the master-into-dev/2.55.1-2.56.0-dev branch February 5, 2026 00:39