Merge branch 'develop' into fix-heroku-1-click

.dockerignore

@@ -0,0 +1,36 @@
+
+# Ignore git directory.
+/.git
+
+# Ignore bundle config.
+/.bundle
+
+# Ignore environment and deployment files.
+/.env*
+/.kamal/*
+/config/deploy.yml
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles.
+/tmp/pids/*
+!/tmp/pids/.keep
+
+# Ignore storage.
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/.keep
+
+# Ignore assets.
+/public/assets
+
+# Ignore applicaiton folders
+/attachments/
+/config/shared/*
+/db/*.sqlite3
+/templates/*

.github/workflows/ci.yml

@@ -18,7 +18,7 @@ jobs:
         with:
           bundler-cache: true
       - name: Security audit dependencies
-        run: bundle exec bundler-audit --update
+        run: bundle exec bundler-audit --update --ignore CVE-2023-31606 CVE-2023-50724 CVE-2023-50725 CVE-2023-50727
       - name: Security audit ruby
         run: bundle exec ruby-audit update && bundle exec ruby-audit check --ignore CVE-2021-33621
       - name: Security audit application code
@@ -48,15 +48,15 @@ jobs:
       RAILS_ENV: test
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Create database.yml
         run: cp config/database.yml.template config/database.yml
       - name: Install Ruby and gems
         uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
-      - name: Load database schema
-        run: bundle exec rails db:schema:load
+      - name: Prepare database
+        run: bundle exec rails db:prepare
       - name: Precompile assets
         run: bundle exec rails assets:precompile
       - name: Run tests

.gitignore

@@ -24,6 +24,11 @@
 # RSpec testing
 /spec/.examples.txt
 
+# Ignore environment and deployment files
+/.env*
+/.kamal/*
+/config/deploy.yml
+
 # App-specific
 /attachments/
 /backup/

CHANGELOG

@@ -2,9 +2,10 @@
   - [entity]:
     - [future tense verb] [feature]
   - Upgraded gems:
-    - [gem]
+    - nokogiri, rails
   - Bugs fixes:
     - Digital Ocean: Fix one click deploy button
+    - Tylium: Fix redirection when updating an issue or content block
     - Bug tracker items:
       - [item]
   - New integrations:
@@ -25,6 +26,65 @@
     - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
     - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
 
+v4.11.0 (January 2024)
+  - Assets: Add importmap-rails to handle js libraries
+  - Liquid: Add LiquidAssignsService
+  - Revision history: Improve version history for content with carriage return
+  - Tylium: Show liquid content in editor preview
+  - Web-server: Replace unicorn with puma in production
+  - Note: Enable ActiveSupport load hooks
+  - Upgraded gems:
+    - rails
+  - Bugs fixes:
+    - Evidence: Prevent loading old Evidence template content at the Issue level
+    - Methodologies: validate presence of content
+  - Integration enhancements:
+    - Burp: Change nokogiri search to xpath to support nokogiri >= 1.15
+    - Nexpose:
+      - Add port/protocol to evidences
+      - Use the details in <os> as the OS node property
+      - Import `vulnerability.risk_score` as a new Issue field
+      - Allow multiple evidence with the same test id & node address
+    - Qualys: Add support for the output for Qualys WAS API 3.13 and later
+  - Security Fixes:
+    - Low: Authenticated (author) information disclosure
+      - After a user has been removed from a project, they may still get 
+        notifications for Issues they were subscribed to, resulting in the
+        disclosure of Issue titles.
+    - Low: Authenticated (author) information disclosure in the output console of upload manager
+
+v4.10.0 (September 2023)
+  - Tylium: 
+    - Consolidate sidebars
+    - Add issue.author to liquid issue drop
+  - Upgraded gems:
+    - font-awesome-sass, nokogiri, puma, rails, sanitize, selenium-webdriver
+  - Bugs fixes:
+    - QA: Enable @mentions and formatting toolbar for comments in QA show views
+  - REST/JSON API enhancements:
+    - Boards, Lists, Cards: add initial implementation
+  - Security Fixes:
+    - Medium: Authenticated (author) broken access control: read access to system files
+
+v4.9.0 (June 2023)
+  - Tylium: Extend support for Liquid Dynamic Content
+  - QA: Show state changes in activity feed
+  - Upgraded gems:
+    - bootstrap, popper_js, simple_form
+  - Bugs fixes:
+    - QA: Redirect to correct view when changing states on QA edit views
+  - Integration enhancements:
+    - Acunetix: Parse inline code, not just code blocks
+    - Burp: Adds strong and code tags parsing
+    - CSV: Fix CSV Upload for files with special characters
+    - Nessus:
+      - Parse code tags as inline code
+      - Add plugin_type as an available Issue field
+    - Nexpose:
+      - Parse inline code, not just code blocks
+      - Wrap ciphers in the `ssl-weak-message-authentication-code-algorithms` finding
+    - Qualys: Adds Request/Response Evidence fields for Web Application Scans (WAS)
+
 v4.8.0 (April 2023)
   - Sessions: Store :secret_key_base in encrypted configuration file
   - Quality Assurance: Review/approve Issues and Content Blocks before including them in reports
@@ -198,6 +258,8 @@ v4.1.0 (November 2021)
       - Remove orphaned <b> tags
   - Security Fixes:
     - High: Authenticated author broken access control: read access to issue content
+    - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
 
 v4.0.0 (July 2021)
   * Dynamic content across the app

CONTRIBUTING.md

@@ -49,16 +49,18 @@ top of things.
       http://securityreactions.tumblr.com/post/31726556638/we-have-an-ids-and-a-waf
 ````
 
+* Add a CHANGELOG entry.
 * Make sure you have added the necessary tests for your changes.
 * Run _all_ the tests to assure nothing else was accidentally broken.
 * Adhere to our [style guides](https://github.com/dradis/dradis-ce/wiki).
 * Ensure all GH checks have passed.
 
 ## Submitting Changes
 
-* Review our [Contributor's Agreement](https://github.com/dradis/dradis-ce/wiki/Contributor%27s-agreement). Sending us a pull request means you have read and accept to this agreement
+* Review our [Contributor's Agreement](https://github.com/dradis/dradis-ce/wiki/Contributor%27s-agreement). Sending us a pull request means you have read and accepted this agreement
 * Push your changes to a topic branch in your fork of the repository.
 * Submit a **pull request** to the repository in the dradis organization.
+* Ensure you include testing steps in your pull request
 * Include a link to the pull request in the ticket
 
 

Dockerfile

@@ -0,0 +1,39 @@
+# We're sticking to non-slim version: https://hub.docker.com/_/ruby/
+FROM --platform=amd64 ruby:3.1.2
+
+WORKDIR /app
+
+# Copying dradis-ce app
+COPY . .
+
+# Copying sample files
+COPY config/database.yml.template config/database.yml
+COPY config/smtp.yml.template config/smtp.yml
+
+# Preparing application folders
+RUN mkdir -p attachments/
+RUN mkdir -p config/shared/
+RUN mkdir -p templates/
+
+# Is this only needed because M1 build?
+RUN bundle config build.ffi --enable-libffi-alloc
+
+# Installing dependencies
+RUN bundle install
+
+# Run and own only the runtime files as a non-root user for security
+RUN useradd rails --create-home --shell /bin/bash && \
+    chown -R rails:rails attachments config/shared db log tmp templates
+USER rails:rails
+
+# Preparing database
+RUN bin/rails db:prepare
+#RUN bin/rails db:seed
+
+# Entrypoint prepares the database.
+# ENTRYPOINT ["/app/bin/docker-entrypoint"]
+
+# Start the server by default, this can be overwritten at runtime
+EXPOSE 3000
+# CMD ["./bin/rails", "server"]
+CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]

Gemfile

@@ -5,13 +5,13 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '3.1.2'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 6.1.7.3'
+gem 'rails', '~> 7.0.8'
 
 # Use SCSS for stylesheets
 gem 'sass-rails', '~> 6.0'
 
-# Use Uglifier as compressor for JavaScript assets
-gem 'uglifier', '>= 1.3.0'
+# Use ruby-terser as compressor for JavaScript assets
+gem 'terser', '~> 1.1'
 
 # See https://github.com/rails/execjs#readme for more supported runtimes
 gem 'mini_racer', platforms: :ruby
@@ -35,9 +35,8 @@ gem 'jbuilder', '~> 2.7'
 gem 'bootsnap', '>= 1.12.0', require: false
 
 # ---------------------------------------------------- Dradis Community Edition
-gem 'bootstrap', '~> 4.3.1'
+gem 'bootstrap', '~> 5.2.3'
 gem 'jquery-rails'
-gem 'jquery-ui-rails'
 gem 'jquery-fileupload-rails', '~> 0.3.4'
 gem 'jquery-hotkeys-rails'
 
@@ -67,6 +66,12 @@ gem 'thor', '~> 1.2.1'
 # Ruby dependency, version specified here due to CVE-2023-28756
 gem 'time', '>= 0.2.2'
 
+gem 'font-awesome-sass', '~> 6.4.0'
+
+gem 'importmap-rails', '~> 1.2'
+
+gem 'sprockets-rails', '>= 3.0.0'
+
 # ------------------------------------------------------ With native extensions
 # These require native extensions.
 # Ensure Traveling Ruby provides an appropriate version before bumping.
@@ -81,7 +86,7 @@ gem 'bcrypt', '3.1.12'
 gem 'json', '2.3.0'
 
 # XML manipulation
-gem 'nokogiri', '>= 1.14.3'
+gem 'nokogiri', '>= 1.16.2'
 
 # MySQL backend
 # gem 'mysql2', '~> 0.5.1'
@@ -99,7 +104,7 @@ gem 'RedCloth', '~> 4.3.2', require: 'redcloth'
 gem 'rinku'
 
 # html-pipeline dependency for html sanitization
-gem 'sanitize', '6.0.1'
+gem 'sanitize', '6.0.2'
 
 # SQLite3 DB driver
 gem 'sqlite3'
@@ -136,25 +141,20 @@ gem 'net-imap'
 
 gem 'matrix'
 
-gem 'puma', '~> 5.0'
+gem 'puma', '>= 6.4.2'
 
 # ------------------------------------------------------------------ Deployment
 # Use Capistrano for deployment
 # gem 'capistrano-rails', group: :development
 
-group :production do
-  # Use Unicorn as the web server
-  gem 'unicorn',  '6.1.0'
-end
-
 # ----------------------------------------------------- Development and Testing
 group :development do
   # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
   gem 'web-console', '>= 4.1.0'
   # Display performance information such as SQL time and flame graphs for each request in your browser.
   # Can be configured to work on production as well see: https://github.com/MiniProfiler/rack-mini-profiler/blob/master/README.md
   gem 'rack-mini-profiler', '~> 2.0'
-  gem 'listen', '~> 3.3'
+  gem 'listen'
 
   # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
   gem 'spring'
@@ -190,12 +190,11 @@ end
 group :test do
   gem 'database_cleaner'
   gem 'factory_bot_rails'
-  gem 'capybara', '>= 3.26'
+  gem 'capybara', '~> 3.39'
   gem 'guard-rspec', require: false
-  gem 'selenium-webdriver'
+  gem 'selenium-webdriver', '~> 4.17'
   gem 'shoulda-matchers', '~> 3.1'
   gem 'timecop'
-  gem 'webdrivers'
 
   # Required by capybara
   gem 'matrix'
@@ -216,12 +215,12 @@ end
 #
 
 # Base framework classes required by other plugins
-gem 'dradis-plugins', '~> 4.8.0'
+gem 'dradis-plugins', github: 'dradis/dradis-plugins', branch: 'fix/template-caching'
 
 gem 'dradis-api', path: 'engines/dradis-api'
 
 # Import / export project data
-gem 'dradis-projects', '~> 4.8.0'
+gem 'dradis-projects', '~> 4.11.0'
 
 plugins_file = 'Gemfile.plugins'
 if File.exists?(plugins_file)
@@ -232,32 +231,33 @@ end
 # effective.
 
 # ----------------------------------------------------------------- Calculators
-gem 'dradis-calculator_cvss', '~> 4.8.0'
-gem 'dradis-calculator_dread', '~> 4.8.0'
+
+gem 'dradis-calculator_cvss', '~> 4.11.0'
+gem 'dradis-calculator_dread', '~> 4.11.0'
 
 # ---------------------------------------------------------------------- Export
-gem 'dradis-csv_export', '~> 4.8.0'
-gem 'dradis-html_export', '~> 4.8.0'
+gem 'dradis-csv_export', '~> 4.11.0'
+gem 'dradis-html_export', '~> 4.11.0'
 
 # ---------------------------------------------------------------------- Import
-gem 'dradis-csv', '~> 4.8.0'
+gem 'dradis-csv', '~> 4.11.0'
 
 # ---------------------------------------------------------------------- Upload
-gem 'dradis-acunetix', '~> 4.8.0'
-gem 'dradis-brakeman', '~> 4.8.0'
-gem 'dradis-burp', '~> 4.8.0'
-gem 'dradis-coreimpact', '~> 4.8.0'
-gem 'dradis-metasploit', '~> 4.8.0'
-gem 'dradis-nessus', '~> 4.8.0'
-gem 'dradis-netsparker', '~> 4.8.0'
-gem 'dradis-nexpose', '~> 4.8.0'
-gem 'dradis-nikto', '~> 4.8.0'
-gem 'dradis-nipper', '~> 4.8.0'
-gem 'dradis-nmap', '~> 4.8.0'
-gem 'dradis-ntospider', '~> 4.8.0'
-gem 'dradis-openvas', '~> 4.8.0'
-gem 'dradis-qualys', '~> 4.8.0'
-gem 'dradis-saint', '~> 4.8.0'
-gem 'dradis-veracode', '~> 4.8.0'
-gem 'dradis-wpscan', '~> 4.8.0'
-gem 'dradis-zap', '~> 4.8.0'
+gem 'dradis-acunetix', '~> 4.11.0'
+gem 'dradis-brakeman', '~> 4.11.0'
+gem 'dradis-burp', '~> 4.11.0'
+gem 'dradis-coreimpact', '~> 4.11.0'
+gem 'dradis-metasploit', '~> 4.11.0'
+gem 'dradis-nessus', '~> 4.11.0'
+gem 'dradis-netsparker', '~> 4.11.0'
+gem 'dradis-nexpose', '~> 4.11.0'
+gem 'dradis-nikto', '~> 4.11.0'
+gem 'dradis-nipper', '~> 4.11.0'
+gem 'dradis-nmap', '~> 4.11.0'
+gem 'dradis-ntospider', '~> 4.11.0'
+gem 'dradis-openvas', '~> 4.11.0'
+gem 'dradis-qualys', '~> 4.11.0'
+gem 'dradis-saint', '~> 4.11.0'
+gem 'dradis-veracode', '~> 4.11.0'
+gem 'dradis-wpscan', '~> 4.11.0'
+gem 'dradis-zap', '~> 4.11.0'