[develop] Release 4.15.0

CHANGELOG

@@ -1,33 +1,15 @@
-[v#.#.#] ([month] [YYYY])
+v4.15.0 (December 2024)
   - Tags: Add custom ordering
   - Welcome Kit:
     - Add HTML report template
     - Add Issue and evidence templates
     - Update OWASP Top 10 methodology to latest version (2021)
   - Upgraded gems:
     - rails, rexml
-  - Bugs fixes:
-    - [entity]:
-      - [future tense verb] [bug fix]
-    - Bug tracker items:
-      - [item]
-  - New integrations:
-    - [integration]
-  - Integration enhancements:
-    - [integration]:
-      - [future tense verb] [integration enhancement]
-      - [integration bug fixes]:
-        - [future tense verb] [integration bug fix]
-  - Reporting enhancements:
-    - [report type]:
-      - [future tense verb] [reporting enhancement]
-  - REST/JSON API enhancements:
-    - [API entity]:
-      - [future tense verb] [API enhancement]
+  - Integration enhancements: 
+    - Qualys: Add `cvss3_base`, `cvss3_temporal`, and `cvss3_version` as available vuln fields
   - Security Fixes:
-    - High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
-    - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
-    - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - High: Authenticated (author) persistent cross-site scripting
 
 v4.14.0 (October 2024)
   - Kit Import: Use file name sequencing when a template file with the same name exists

Gemfile

@@ -216,12 +216,12 @@ end
 #
 
 # Base framework classes required by other plugins
-gem 'dradis-plugins', '~> 4.14.0'
+gem 'dradis-plugins', '~> 4.15.0'
 
 gem 'dradis-api', path: 'engines/dradis-api'
 
 # Import / export project data
-gem 'dradis-projects', '~> 4.14.0'
+gem 'dradis-projects', '~> 4.15.0'
 
 plugins_file = 'Gemfile.plugins'
 if File.exists?(plugins_file)
@@ -233,33 +233,33 @@ end
 
 # ----------------------------------------------------------------- Calculators
 
-gem 'dradis-calculator_cvss', '~> 4.14.0'
-gem 'dradis-calculator_dread', '~> 4.14.0'
+gem 'dradis-calculator_cvss', '~> 4.15.0'
+gem 'dradis-calculator_dread', '~> 4.15.0'
 
 # ---------------------------------------------------------------------- Export
-gem 'dradis-csv_export', '~> 4.14.0'
-gem 'dradis-html_export', '~> 4.14.0'
+gem 'dradis-csv_export', '~> 4.15.0'
+gem 'dradis-html_export', '~> 4.15.0'
 
 # ---------------------------------------------------------------------- Import
-gem 'dradis-csv', '~> 4.14.0'
+gem 'dradis-csv', '~> 4.15.0'
 
 # ---------------------------------------------------------------------- Upload
-gem 'dradis-acunetix', '~> 4.14.0'
-gem 'dradis-brakeman', '~> 4.14.0'
-gem 'dradis-burp', '~> 4.14.0'
-gem 'dradis-coreimpact', '~> 4.14.0'
-gem 'dradis-metasploit', '~> 4.14.0'
-gem 'dradis-nessus', '~> 4.14.0'
-gem 'dradis-netsparker', '~> 4.14.0'
-gem 'dradis-nexpose', '~> 4.14.0'
-gem 'dradis-nikto', '~> 4.14.0'
-gem 'dradis-nipper', '~> 4.14.0'
-gem 'dradis-nmap', '~> 4.14.0'
-gem 'dradis-ntospider', '~> 4.14.0'
-gem 'dradis-openvas', '~> 4.14.0'
-gem 'dradis-pentera', '~> 4.14.0'
-gem 'dradis-qualys', '~> 4.14.0'
-gem 'dradis-saint', '~> 4.14.0'
-gem 'dradis-veracode', '~> 4.14.0'
-gem 'dradis-wpscan', '~> 4.14.0'
-gem 'dradis-zap', '~> 4.14.0'
+gem 'dradis-acunetix', '~> 4.15.0'
+gem 'dradis-brakeman', '~> 4.15.0'
+gem 'dradis-burp', '~> 4.15.0'
+gem 'dradis-coreimpact', '~> 4.15.0'
+gem 'dradis-metasploit', '~> 4.15.0'
+gem 'dradis-nessus', '~> 4.15.0'
+gem 'dradis-netsparker', '~> 4.15.0'
+gem 'dradis-nexpose', '~> 4.15.0'
+gem 'dradis-nikto', '~> 4.15.0'
+gem 'dradis-nipper', '~> 4.15.0'
+gem 'dradis-nmap', '~> 4.15.0'
+gem 'dradis-ntospider', '~> 4.15.0'
+gem 'dradis-openvas', '~> 4.15.0'
+gem 'dradis-pentera', '~> 4.15.0'
+gem 'dradis-qualys', '~> 4.15.0'
+gem 'dradis-saint', '~> 4.15.0'
+gem 'dradis-veracode', '~> 4.15.0'
+gem 'dradis-wpscan', '~> 4.15.0'
+gem 'dradis-zap', '~> 4.15.0'

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: engines/dradis-api
   specs:
-    dradis-api (4.14.0)
+    dradis-api (4.15.0)
       jbuilder
 
 GEM
@@ -127,73 +127,73 @@ GEM
     date (3.3.4)
     diff-lcs (1.5.0)
     differ (0.1.2)
-    dradis-acunetix (4.14.0)
+    dradis-acunetix (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
-    dradis-brakeman (4.14.0)
+    dradis-brakeman (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-burp (4.14.0)
+    dradis-burp (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
-    dradis-calculator_cvss (4.14.0)
+    dradis-calculator_cvss (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-calculator_dread (4.14.0)
+    dradis-calculator_dread (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-coreimpact (4.14.0)
+    dradis-coreimpact (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-csv (4.14.0)
+    dradis-csv (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-csv_export (4.14.0)
+    dradis-csv_export (4.15.0)
       dradis-plugins (>= 4.8.0)
-    dradis-html_export (4.14.0)
+    dradis-html_export (4.15.0)
       RedCloth (~> 4.3.2)
       dradis-plugins (>= 4.8.0)
       rails_autolink (~> 1.1)
-    dradis-metasploit (4.14.0)
+    dradis-metasploit (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
-    dradis-nessus (4.14.0)
+    dradis-nessus (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri
-    dradis-netsparker (4.14.0)
+    dradis-netsparker (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (>= 1.12.5)
-    dradis-nexpose (4.14.0)
+    dradis-nexpose (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
-    dradis-nikto (4.14.0)
+    dradis-nikto (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
-    dradis-nipper (4.14.0)
+    dradis-nipper (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-nmap (4.14.0)
+    dradis-nmap (4.15.0)
       dradis-plugins (~> 4.0)
       ruby-nmap (~> 0.7)
-    dradis-ntospider (4.14.0)
+    dradis-ntospider (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-openvas (4.14.0)
+    dradis-openvas (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-pentera (4.14.0)
+    dradis-pentera (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-plugins (4.14.0)
-    dradis-projects (4.14.0)
+    dradis-plugins (4.15.0)
+    dradis-projects (4.15.0)
       dradis-plugins (>= 4.8.0)
       rubyzip
-    dradis-qualys (4.14.0)
+    dradis-qualys (4.15.1)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
-    dradis-saint (4.14.0)
+    dradis-saint (4.15.0)
       combustion (~> 0.6.0)
       dradis-plugins (~> 4.0)
       nokogiri
       rake (~> 13.0)
       rspec-rails
-    dradis-veracode (4.14.0)
+    dradis-veracode (4.15.0)
       dradis-plugins (~> 4.0)
-    dradis-wpscan (4.14.0)
+    dradis-wpscan (4.15.0)
       dradis-plugins (~> 4.0)
       multi_json
-    dradis-zap (4.14.0)
+    dradis-zap (4.15.0)
       dradis-plugins (~> 4.0)
       nokogiri (~> 1.3)
     erubi (1.13.0)
@@ -530,33 +530,33 @@ DEPENDENCIES
   coffee-rails (~> 5.0)
   database_cleaner
   differ (~> 0.1.2)
-  dradis-acunetix (~> 4.14.0)
+  dradis-acunetix (~> 4.15.0)
   dradis-api!
-  dradis-brakeman (~> 4.14.0)
-  dradis-burp (~> 4.14.0)
-  dradis-calculator_cvss (~> 4.14.0)
-  dradis-calculator_dread (~> 4.14.0)
-  dradis-coreimpact (~> 4.14.0)
-  dradis-csv (~> 4.14.0)
-  dradis-csv_export (~> 4.14.0)
-  dradis-html_export (~> 4.14.0)
-  dradis-metasploit (~> 4.14.0)
-  dradis-nessus (~> 4.14.0)
-  dradis-netsparker (~> 4.14.0)
-  dradis-nexpose (~> 4.14.0)
-  dradis-nikto (~> 4.14.0)
-  dradis-nipper (~> 4.14.0)
-  dradis-nmap (~> 4.14.0)
-  dradis-ntospider (~> 4.14.0)
-  dradis-openvas (~> 4.14.0)
-  dradis-pentera (~> 4.14.0)
-  dradis-plugins (~> 4.14.0)
-  dradis-projects (~> 4.14.0)
-  dradis-qualys (~> 4.14.0)
-  dradis-saint (~> 4.14.0)
-  dradis-veracode (~> 4.14.0)
-  dradis-wpscan (~> 4.14.0)
-  dradis-zap (~> 4.14.0)
+  dradis-brakeman (~> 4.15.0)
+  dradis-burp (~> 4.15.0)
+  dradis-calculator_cvss (~> 4.15.0)
+  dradis-calculator_dread (~> 4.15.0)
+  dradis-coreimpact (~> 4.15.0)
+  dradis-csv (~> 4.15.0)
+  dradis-csv_export (~> 4.15.0)
+  dradis-html_export (~> 4.15.0)
+  dradis-metasploit (~> 4.15.0)
+  dradis-nessus (~> 4.15.0)
+  dradis-netsparker (~> 4.15.0)
+  dradis-nexpose (~> 4.15.0)
+  dradis-nikto (~> 4.15.0)
+  dradis-nipper (~> 4.15.0)
+  dradis-nmap (~> 4.15.0)
+  dradis-ntospider (~> 4.15.0)
+  dradis-openvas (~> 4.15.0)
+  dradis-pentera (~> 4.15.0)
+  dradis-plugins (~> 4.15.0)
+  dradis-projects (~> 4.15.0)
+  dradis-qualys (~> 4.15.0)
+  dradis-saint (~> 4.15.0)
+  dradis-veracode (~> 4.15.0)
+  dradis-wpscan (~> 4.15.0)
+  dradis-zap (~> 4.15.0)
   factory_bot_rails
   font-awesome-sass (~> 6.4.0)
   foreman

app/assets/javascripts/shared/differ.js

@@ -0,0 +1,37 @@
+class Differ {
+  constructor() {
+    this.delRegex = /\[31m([\s\S]*?)\[0m/g;
+    this.insRegex = /\[32m([\s\S]*?)\[0m/g;
+  }
+
+  ansiToHTML(text) {
+    return text
+      .replace(this.delRegex, '<del class="differ">$1</del>')
+      .replace(this.insRegex, '<ins class="differ">$1</ins>');
+  }
+
+  highlightString(text, diffType) {
+    if (diffType === 'del') {
+      return text
+        .replace(this.delRegex, '<mark>$1</mark>')
+        .replace(this.insRegex, '');
+    }
+    else if (diffType === 'ins') {
+      return text
+        .replace(this.insRegex, '<mark>$1</mark>')
+        .replace(this.delRegex, '');
+    }
+    else {
+      console.log('Invalid diffType!');
+    }
+  }
+}
+
+document.addEventListener('turbolinks:load', function() {
+  if ($('.js-diff-body').length) {
+    let differ = new Differ(),
+        content = $('.js-diff-body').html();
+
+    $('.js-diff-body').html(differ.ansiToHTML(content));
+  }
+});

app/assets/javascripts/tylium.js

@@ -21,11 +21,11 @@
 //= require shared/charts
 //= require shared/comments
 //= require shared/console_updater
+//= require shared/differ
 //= require shared/editor_toolbar
 //= require shared/quote_selector
 //= require shared/mentions
 //= require shared/notifications
-//= require shared/revisions
 //= require shared/rtp_validation
 //= require shared/state_button
 //= require shared/subscriptions

app/models/comment.rb

@@ -47,7 +47,7 @@ def notify(action:, actor:, recipients:)
       # to be an ActiveRecord::Relation.
       subscribers = User.includes(:subscriptions).where(
         subscriptions: { subscribable_id: commentable.id, subscribable_type: commentable.class.to_s }
-      ).where.not(id: [user.id] + mentions.pluck(:id))
+      ).where.not(id: [user.id] + mentions.pluck(:id)).enabled
       subscribers = subscribers.select { |user| Ability.new(user).can?(:read, self) }
       create_notifications(action: :create, actor: actor, recipients: subscribers)
     end
@@ -87,7 +87,7 @@ def to_xml(xml_builder, version: 3)
     xml_builder.content do
       xml_builder.cdata!(content)
     end
-    xml_builder.author(user.email)
+    xml_builder.author(user&.email)
     xml_builder.created_at(created_at.to_i)
   end