Merge pull request #550 from DefectDojo/dev

1.3.0 Release

Author: devGregA

.gitignore

@@ -81,7 +81,6 @@ Quarterly.txt
 # yarn
 components/*
 !components/package.json
-yarn_components/
 dojo/static/*
 !dojo/static/dojo/*
 dojo/media

ansible/dev-install/templates/settings.py.j2

@@ -89,7 +89,8 @@ STATICFILES_DIRS = (
     # Put strings here, like "/home/html/static" or "C:/www/django/static".
     # Always use forward slashes, even on Windows.
     # Don't forget to use absolute paths, not relative paths.
-    os.path.dirname(DOJO_ROOT) + "/components/yarn_components",
+    os.path.join(os.path.dirname(DOJO_ROOT), 'components', 'node_modules',
+                 '@yarn_components'),
 )
 
 # List of finder classes that know how to find static files in
@@ -99,7 +100,9 @@ STATICFILES_FINDERS = (
     'django.contrib.staticfiles.finders.AppDirectoriesFinder',
 )
 
-FILE_UPLOAD_HANDLERS = ("django.core.files.uploadhandler.TemporaryFileUploadHandler",)
+FILE_UPLOAD_HANDLERS = (
+    "django.core.files.uploadhandler.TemporaryFileUploadHandler",
+)
 
 # Make this unique, and don't share it with anybody.
 SECRET_KEY = 'DOJOSECRET'
@@ -222,7 +225,8 @@ LOGGING = {
     'disable_existing_loggers': False,
     'formatters': {
         'verbose': {
-            'format': '[%(asctime)s] %(levelname)s [%(name)s:%(lineno)d] %(message)s',
+            'format': '[%(asctime)s] %(levelname)s '
+                      '[%(name)s:%(lineno)d] %(message)s',
             'datefmt': '%d/%b/%Y %H:%M:%S',
         },
         'simple': {

components/package.json

@@ -32,8 +32,5 @@
   },
   "engines": {
     "yarn": ">= 1.0.0"
-  },
-  "scripts": {
-    "postinstall": "node -e \"try { require('fs').symlinkSync(require('path').resolve('node_modules/@yarn_components'), 'yarn_components', 'junction') } catch (e) { }\""
   }
 }

dojo/__init__.py

@@ -4,7 +4,7 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa
 
-__version__ = '1.2.9'
+__version__ = '1.3.0'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'http://defectdojo.readthedocs.io/'
 __demo__ = 'http://defectdojo.pythonanywhere.com/'

dojo/benchmark/urls.py

@@ -5,5 +5,7 @@
 
 urlpatterns = [
     url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)$', views.benchmark_view, name='view_product_benchmark'),
-    url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)/category/(?P<cat>\d+)', views.benchmark_view, name='view_product_benchmark')
+    url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)/category/(?P<cat>\d+)', views.benchmark_view, name='view_product_benchmark'),
+    url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)/category/(?P<cat>\d+)/edit/(?P<bid>\d+)', views.benchmark_view, name='edit_benchmark'),
+    url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)/delete', views.delete, name='delete_product_benchmark')
     ]

dojo/benchmark/views.py

@@ -19,7 +19,7 @@
 from django.db.models import Count, Q
 
 from dojo.filters import ProductFilter, ProductFindingFilter
-from dojo.forms import ProductForm, EngForm, DeleteProductForm, Benchmark_Requirement, Benchmark_Product_SummaryForm
+from dojo.forms import Benchmark_Requirement, Benchmark_Product_SummaryForm, DeleteBenchmarkForm
 from dojo.models import Notifications, Dojo_User, Benchmark_Type, Benchmark_Category, \
 Benchmark_Requirement, Benchmark_Product, Product, Benchmark_Product_Summary
 from dojo.utils import get_page_items, add_breadcrumb, get_punchcard_data, handle_uploaded_selenium, get_system_setting
@@ -79,7 +79,7 @@ def score_asvs(product, benchmark_type):
 
     benchmark_product_summary.save()
 
-
+@user_passes_test(lambda u: u.is_staff)
 def benchmark_view(request, pid, type, cat=None):
     product = get_object_or_404(Product, id=pid)
     benchmark_type = get_object_or_404(Benchmark_Type, id=type)
@@ -145,26 +145,32 @@ def benchmark_view(request, pid, type, cat=None):
                    'category_name': category_name,
                    'benchmark_category': benchmark_category})
 
+@user_passes_test(lambda u: u.is_staff)
+def delete(request, pid, type):
+    product = get_object_or_404(Product, id=pid)
+    benchmark_type = get_object_or_404(Benchmark_Type, id=type)
+    benchmark_product_summary = Benchmark_Product_Summary.objects.filter(product=product, benchmark_type=type).first()
+    form = DeleteBenchmarkForm(instance=benchmark_product_summary)
+    print form
+    from django.contrib.admin.utils import NestedObjects
+    from django.db import DEFAULT_DB_ALIAS
 
-@user_passes_test(lambda u: u.is_superuser)
-def global_notifications(request):
-    try:
-        notifications_obj = Notifications.objects.get(user=None)
-    except:
-        notifications_obj = Notifications(user=None)
-
-    form = NotificationsForm(instance=notifications_obj)
     if request.method == 'POST':
-        form = NotificationsForm(request.POST, instance=notifications_obj)
-        if form.is_valid():
-            new_settings = form.save()
-            messages.add_message(request,
-                                 messages.SUCCESS,
-                                 'Settings saved.',
-                                 extra_tags='alert-success')
-
-    add_breadcrumb(title="Global notification settings", top_level=False, request=request)
-    return render(request, 'dojo/notifications.html',
-                  {'form': form,
-                   'scope': 'global',
-                   'admin': request.user.is_superuser})
+        if 'id' in request.POST and str(benchmark_product_summary.id) == request.POST['id']:
+            form = DeleteBenchmarkForm(request.POST, instance=benchmark_product_summary)
+            if form.is_valid():
+                benchmark_product = Benchmark_Product.objects.filter(product=product, control__category__type=type)
+                benchmark_product.delete()
+                benchmark_product_summary.delete()
+                messages.add_message(request,
+                                     messages.SUCCESS,
+                                     'Benchmarks removed.',
+                                     extra_tags='alert-success')
+                return HttpResponseRedirect(reverse('product'))
+
+    add_breadcrumb(parent=product, title="Delete Benchmarks", top_level=False, request=request)
+
+    return render(request, 'dojo/delete_benchmark.html',
+                  {'product': product,
+                   'form': form
+                   })

dojo/engagement/views.py

@@ -117,7 +117,7 @@ def edit_engagement(request, eid):
         form = EngForm2(request.POST, instance=eng)
         if 'jiraform-push_to_jira' in request.POST:
             jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=True)
-        if form.is_valid():
+        if form.is_valid() and jform and jform.is_valid():
             if 'jiraform-push_to_jira' in request.POST:
                 try:
                     jissue = JIRA_Issue.objects.get(engagement=eng)

dojo/finding/views.py

@@ -27,7 +27,7 @@
     ClosedFingingSuperFilter, TemplateFindingFilter
 from dojo.forms import NoteForm, CloseFindingForm, FindingForm, PromoteFindingForm, FindingTemplateForm, \
     DeleteFindingTemplateForm, FindingImageFormSet, JIRAFindingForm, ReviewFindingForm, ClearFindingReviewForm, \
-    DefectFindingForm, StubFindingForm, ApplyFindingTemplateForm
+    DefectFindingForm, StubFindingForm, DeleteFindingForm, DeleteStubFindingForm, ApplyFindingTemplateForm
 from dojo.models import Product_Type, Finding, Notes, \
     Risk_Acceptance, BurpRawRequestResponse, Stub_Finding, Endpoint, Finding_Template, FindingImage, \
     FindingImageAccessToken, JIRA_Issue, JIRA_PKey, JIRA_Conf, Dojo_User, Cred_User, Cred_Mapping, Test
@@ -322,19 +322,30 @@ def reopen_finding(request, fid):
                          extra_tags='alert-success')
     return HttpResponseRedirect(reverse('view_finding', args=(finding.id,)))
 
-
 @user_passes_test(lambda u: u.is_staff)
 def delete_finding(request, fid):
     finding = get_object_or_404(Finding, id=fid)
-    tid = finding.test.id
-    del finding.tags
-    finding.delete()
-    messages.add_message(request,
-                         messages.SUCCESS,
-                         'Finding deleted successfully.',
-                         extra_tags='alert-success')
-    return HttpResponseRedirect(reverse('view_test', args=(tid,)))
 
+    form = DeleteFindingForm(instance=finding)
+
+    if request.method == 'POST':
+        form = DeleteFindingForm(request.POST, instance=finding)
+        if form.is_valid():
+            tid = finding.test.id
+            del finding.tags
+            finding.delete()
+            messages.add_message(request,
+                                 messages.SUCCESS,
+                                 'Finding deleted successfully.',
+                                 extra_tags='alert-success')
+            return HttpResponseRedirect(reverse('view_test', args=(tid,)))
+        else:
+            messages.add_message(request,
+                                 messages.ERROR,
+                                 'Unable to delete finding, please try again.',
+                                 extra_tags='alert-danger')
+    else:
+        return HttpResponseForbidden()
 
 @user_passes_test(lambda u: u.is_staff)
 def edit_finding(request, fid):
@@ -697,20 +708,30 @@ def add_stub_finding(request, tid):
     add_breadcrumb(title="Add Stub Finding", top_level=False, request=request)
     return HttpResponseRedirect(reverse('view_test', args=(tid,)))
 
-
 @user_passes_test(lambda u: u.is_staff)
 def delete_stub_finding(request, fid):
     finding = get_object_or_404(Stub_Finding, id=fid)
-    tid = finding.test.id
-    if hasattr(finding, 'tags'):
-        del finding.tags
-    finding.delete()
-    messages.add_message(request,
-                         messages.SUCCESS,
-                         'Potential Finding deleted successfully.',
-                         extra_tags='alert-success')
-    return HttpResponseRedirect(reverse('view_test', args=(tid,)))
+    form = DeleteStubFindingForm(instance=finding)
 
+    if request.method == 'POST':
+        form = DeleteStubFindingForm(request.POST, instance=finding)
+        if form.is_valid():
+            tid = finding.test.id
+            if hasattr(finding, 'tags'):
+                del finding.tags
+            finding.delete()
+            messages.add_message(request,
+                                 messages.SUCCESS,
+                                 'Potential Finding deleted successfully.',
+                                 extra_tags='alert-success')
+            return HttpResponseRedirect(reverse('view_test', args=(tid,)))
+        else:
+            messages.add_message(request,
+                                 messages.ERROR,
+                                 'Unable to delete potential finding, please try again.',
+                                 extra_tags='alert-danger')
+    else:
+        return HttpResponseForbidden()
 
 @user_passes_test(lambda u: u.is_staff)
 def promote_to_finding(request, fid):
@@ -725,7 +746,7 @@ def promote_to_finding(request, fid):
         jira_available = True
     else:
         jform = None
-        
+
     form = PromoteFindingForm(initial={'title': finding.title,
                                        'date': finding.date,
                                        'severity': finding.severity,

dojo/forms.py

@@ -844,8 +844,13 @@ class Meta:
 
 
 class FindingBulkUpdateForm(forms.ModelForm):
+    def __init__(self, *args, **kwargs):
+        super(FindingBulkUpdateForm, self).__init__(*args, **kwargs)
+        self.fields['severity'].required = False
+
     def clean(self):
         cleaned_data = super(FindingBulkUpdateForm, self).clean()
+
         if (cleaned_data['active'] or cleaned_data['verified']) and cleaned_data['duplicate']:
             raise forms.ValidationError('Duplicate findings cannot be'
                                         ' verified or active')
@@ -1286,7 +1291,7 @@ class ReportOptionsForm(forms.Form):
     include_finding_images = forms.ChoiceField(choices=yes_no, label="Finding Images")
     include_executive_summary = forms.ChoiceField(choices=yes_no, label="Executive Summary")
     include_table_of_contents = forms.ChoiceField(choices=yes_no, label="Table of Contents")
-    report_type = forms.ChoiceField(choices=(('AsciiDoc', 'AsciiDoc'), ('PDF', 'PDF')))
+    report_type = forms.ChoiceField(choices=(('AsciiDoc', 'AsciiDoc'),('HTML', 'HTML'), ('PDF', 'PDF')))
 
 
 class CustomReportOptionsForm(forms.Form):
@@ -1305,6 +1310,21 @@ class Meta:
         model = Report
         fields = ('id',)
 
+class DeleteFindingForm(forms.ModelForm):
+    id = forms.IntegerField(required=True,
+                            widget=forms.widgets.HiddenInput())
+
+    class Meta:
+        model = Finding
+        fields = ('id',)
+
+class DeleteStubFindingForm(forms.ModelForm):
+    id = forms.IntegerField(required=True,
+                            widget=forms.widgets.HiddenInput())
+
+    class Meta:
+        model = Stub_Finding
+        fields = ('id',)
 
 class AddFindingImageForm(forms.ModelForm):
     class Meta:
@@ -1333,6 +1353,14 @@ class Meta:
         model = Benchmark_Product_Summary
         exclude = ['product', 'current_level', 'benchmark_type', 'asvs_level_1_benchmark', 'asvs_level_1_score', 'asvs_level_2_benchmark', 'asvs_level_2_score', 'asvs_level_3_benchmark', 'asvs_level_3_score']
 
+class DeleteBenchmarkForm(forms.ModelForm):
+    id = forms.IntegerField(required=True,
+                            widget=forms.widgets.HiddenInput())
+
+    class Meta:
+        model = Benchmark_Product_Summary
+        exclude = ['product', 'benchmark_type', 'desired_level', 'current_level', 'asvs_level_1_benchmark', 'asvs_level_1_score', 'asvs_level_2_benchmark', 'asvs_level_2_score', 'asvs_level_3_benchmark', 'asvs_level_3_score', 'publish']
+
 class JIRA_PKeyForm(forms.ModelForm):
 
     class Meta:

dojo/models.py

@@ -1619,6 +1619,7 @@ class Meta:
 admin.site.register(Cred_User)
 admin.site.register(Cred_Mapping)
 admin.site.register(System_Settings, System_SettingsAdmin)
+admin.site.register(CWE)
 
 
 watson.register(Product)