
RustyHog: improve description and file_path #11433

Open · wants to merge 3 commits into base: dev

Conversation

valentijnscholten (Member) commented Dec 17, 2024

Description
Improvements to Rusty Hog parser:

  • For Confluence and JIRA scans, set file_path to contain URL of scanned page;
  • Ensure found_secret_string is actually a String and not a list;
  • Add Reason to description;

Test results
Unit tests updated.

Documentation
No updates needed

Checklist

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

dryrunsecurity bot commented Dec 17, 2024

DryRun Security Summary

The pull request upgrades DefectDojo to version 2.43.x, focusing on renaming the disclaimer field, updating the Rusty Hog parser with improved field population and test coverage, while maintaining application security integrity.


Summary:

The code changes in this pull request are primarily focused on the upgrade of the DefectDojo application to version 2.43.x. The key changes include:

  1. Disclaimer Field Rename/Split: The original disclaimer field has been renamed and split into three new fields: disclaimer_notifications, disclaimer_reports, and disclaimer_notes. Users who were managing the original disclaimer field via the API should update their code accordingly.

  2. Rusty Hog Parser Updates: The Rusty Hog parser has been updated to populate more fields, some of which are part of the hash code calculation. To recalculate the hash codes and deduplicate existing Rusty Hog findings, the provided documentation includes a set of commands that can be executed using the docker compose exec command.

  3. Rusty Hog Parser Test Improvements: The test suite for the RustyhogParser has been enhanced to include more detailed assertions, validating the specific details of the findings, such as the file path, payload, and the beginning of the description.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. The updates to the Rusty Hog parser and the corresponding test improvements are positive enhancements, as they help ensure the proper detection and reporting of sensitive information, such as private keys, which can be a significant security concern.

Files Changed:

  1. docs/content/en/open_source/upgrading/2.43.md: This file contains the release notes for the upgrade to DefectDojo version 2.43.x, including the changes to the disclaimer fields and the Rusty Hog parser hash code updates.

  2. unittests/tools/test_rusty_hog_parser.py: This file contains the test suite for the RustyhogParser, and the changes add more detailed assertions to validate the parsing of files with multiple vulnerabilities.

  3. dojo/tools/rusty_hog/parser.py: This file contains the implementation of the RustyhogParser, which is responsible for handling the output of different Rusty Hog scanners and generating detailed security findings with appropriate mitigation recommendations.

  4. docs/content/en/open_source/upgrading/2.42.md: This file contains the release notes for the upgrade to DefectDojo version 2.42.x, which includes information about the hash code changes and the deduplication process.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.


valentijnscholten (Member, Author) commented Dec 17, 2024

Just realized this may affect hash_code calculation, so these need to be updated on upgrading.
Should this happen in a migration, or just instructions be added to the upgrade notes as was done on earlier releases?
A similar case in #11419 seems to be OK without either.
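The three changes listed in the PR description, together with the hash_code consequence raised in the comment above, as an added Python example (illustrative code written for this thread, not DefectDojo's parser and not code from this PR): it sets file_path from the page URL for JIRA and Confluence results, coerces stringsFound to a string, puts the Reason into the description, and uses a stand-in dedup hash to show why findings imported before the change would no longer match. The JSON field names (stringsFound, reason, path, url, issue_id, page_id, commitHash), the key-based detection of the Rusty Hog variant and the sha256 stand-in for hash_code are all assumptions of the example.

```python
"""Added example: normalise Rusty Hog output the way the PR describes.

Illustrative code written for this discussion, not DefectDojo's parser.
Field names, variant detection by key presence and the sha256 stand-in
for DefectDojo's hash_code are assumptions of this example.
"""
import hashlib
import json

# Rusty Hog variant names used by this example for each backend.
CONFLUENCE = "Essex Hog"
JIRA = "Gottingen Hog"
GIT = "Choctaw Hog"
FILESYSTEM = "Duroc Hog"

# Constructed sample output, one record per variant; all secrets are fake.
SAMPLE_OUTPUT = json.dumps([
    {   # file-system style record: has a path on disk
        "stringsFound": ["AKIAIOSFODNN7EXAMPLE"],
        "path": "config/settings.py",
        "reason": "AWS API Key",
        "linenum": 12,
    },
    {   # JIRA style record: no path, but an issue id and a URL
        "stringsFound": ["-----BEGIN RSA PRIVATE KEY-----", "MIIEowIBAAKCAQEA..."],
        "issue_id": "SEC-42",
        "url": "https://jira.example.com/browse/SEC-42",
        "reason": "RSA private key",
    },
    {   # Confluence style record: page id and a URL
        "stringsFound": ["ghp_EXAMPLE00000000000000000000000000"],
        "page_id": "98765",
        "url": "https://confluence.example.com/pages/viewpage.action?pageId=98765",
        "reason": "GitHub token",
    },
])


def infer_scanner(item):
    """Heuristic of this example: guess the variant from the keys present."""
    if "page_id" in item:
        return CONFLUENCE
    if "issue_id" in item:
        return JIRA
    if "commitHash" in item:
        return GIT
    return FILESYSTEM


def coerce_secret(strings_found):
    """Return a str even when the scanner reports a list of matched strings."""
    if isinstance(strings_found, list):
        return ", ".join(str(s) for s in strings_found)
    return str(strings_found)


def file_path_for(item, scanner):
    """JIRA/Confluence hits have no file on disk; use the page URL instead."""
    if scanner in (JIRA, CONFLUENCE):
        return item.get("url", "")
    return item.get("path", "")


def build_description(item, scanner, file_path):
    """Description carries the Reason; the secret itself stays in payload."""
    lines = [f"Scanner: {scanner}", f"Reason: {item.get('reason', 'unknown')}"]
    if scanner == JIRA:
        lines.append(f"Issue: {item.get('issue_id')}")
    elif scanner == CONFLUENCE:
        lines.append(f"Page ID: {item.get('page_id')}")
    elif "linenum" in item:
        lines.append(f"Line: {item['linenum']}")
    lines.append(f"Location: {file_path}")
    return "\n".join(lines)


def build_finding(item):
    scanner = infer_scanner(item)
    path = file_path_for(item, scanner)
    return {
        "title": f"{item.get('reason', 'Secret')} found by {scanner}",
        "file_path": path,
        "payload": coerce_secret(item.get("stringsFound", [])),
        "description": build_description(item, scanner, path),
    }


def parse(raw_json):
    return [build_finding(item) for item in json.loads(raw_json)]


HASH_FIELDS = ("title", "file_path", "payload")


def hash_code(finding, fields=HASH_FIELDS):
    """Stand-in dedup hash over configured fields (not DefectDojo's real hash_code)."""
    material = "|".join(str(finding.get(f) or "") for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()


def rehash_needed(old_finding, new_finding):
    """True when a stored finding would no longer dedup against a fresh import."""
    return hash_code(old_finding) != hash_code(new_finding)


if __name__ == "__main__":
    for f in parse(SAMPLE_OUTPUT):
        legacy = {**f, "file_path": ""}  # as stored by an import that never filled file_path
        print(f["file_path"], "rehash needed:", rehash_needed(legacy, f))
```

Because file_path is one of the hashed fields here, every finding stored before the parser started filling it gets a different hash on the next import, which is exactly why the thread lands on recalculating hash codes (or documenting how to) at upgrade time.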

@valentijnscholten valentijnscholten changed the base branch from master to dev December 17, 2024 18:35
@valentijnscholten valentijnscholten force-pushed the rustyhog-improvements-2024 branch from 4101de6 to 094c350 December 17, 2024 18:38
@valentijnscholten valentijnscholten marked this pull request as ready for review December 17, 2024 20:06
valentijnscholten (Member, Author) commented:

wdyt about the PR @Maffooch

mtesauro (Contributor) commented:

@valentijnscholten For PRs that change hash_code, we've been adding a note to the release notes since we can't know if someone in the community is using any specific tool, has overridden them in local_settings.py, etc. So that release note is likely the best thing we can do given the circumstances.

mtesauro (Contributor) left a comment

Approved

Maffooch (Contributor) left a comment

@valentijnscholten I have been out on holidays, but it looks like Matt has answered your question 😄 a section in the release notes would be best

Maffooch (Contributor) commented:

Hi @valentijnscholten do you have a moment to add some release notes for the 2.43.0 release?

@valentijnscholten valentijnscholten force-pushed the rustyhog-improvements-2024 branch from 094c350 to 60b808a January 24, 2025 06:46
@github-actions github-actions bot added the docs label Jan 24, 2025
valentijnscholten (Member, Author) commented:

Hi @valentijnscholten do you have a moment to add some release notes for the 2.43.0 release?

Sure, but shouldn't there have been upgrade notes for 2.42.0 as well? Added those too :-)

5 participants