DefectDojo / godojo

Golang installer for DefectDojo
GNU General Public License v3.0

Unable to login with admin credentials from dojoConfig.yml #51

Closed noloader closed 2 years ago

noloader commented 2 years ago

I've got DefectDojo from the tip of Master running on Fedora 35 with Postgres. When I attempt to log in, it fails with the error "Please enter a correct username and password. Note that both fields may be case-sensitive."

I am fairly certain I am using the correct username and password:

$ cd godojo
$ grep -i -E 'USER|PASS|admin' dojoConfig.yml
 ...
 Admin:
    User: "admin" # DD_ADMIN_User - Admin user for the DefectDojo web app
    Pass: "ddadmin" # DD_ADMIN_Pass - Password for the DefectDojo web app admin user
    Email: "admin@localhost" # DD_ADMIN_Email - Email address for the web app admin user
    First: "Default" # DD_ADMIN_First - Web app admin users's first name
    Last: "Admin" # DD_ADMIN_Last - Web app admin users's last name
    Others: "" # DD_ADMIN_Others - List of additional DefectDojo web app admins
 ...

The docs don't offer much guidance. The README just says to "set a password for the initial Admin user (Install > Admin > Pass)." It appears that is completed. The web says the default username/password pair is admin/admin. The web credentials don't work, either.

There is no dojoConfig.yml in /opt/dojo. The only place it is located is in my home directory.

I'm not sure if this is related to GH #28.


[Screenshot: defect-dojo-failed-login]

mtesauro commented 2 years ago

Couple of things:

(1) dojoConfig.yml is only for godojo installs. After the install is done, it's useful to know the options/settings that went into an install, nothing more. DefectDojo, the application, knows nothing about dojoConfig.yml.

(2) It is possible to set a password in dojoConfig.yml that doesn't meet the password complexity requirements of DefectDojo - so if you set "baddpass" in the dojoConfig.yml, the password will fail to be updated at install time and you'll get a system which has the default admin user but no password. (the refactor of godojo takes this into account) [1]

To fix (2) or generally change the password for the default admin user, you'll need to run the correct manage.py option in the virtual environment that godojo sets up for godojo. You could do something like this:

cd /opt/dojo/django-DefectDojo/
source /opt/dojo/bin/activate && python3 manage.py changepassword admin

or use this expect script as a guide

[1] I've been doing AppSec engineering for 20+ years, so I can easily forget that some people don't use password managers to generate unique and complex passwords for everything they do. Granted, password complexity checking wasn't in setup.bash but I've seen that it needs to be added here.
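The failure mode in (2), a password in dojoConfig.yml that DefectDojo's validators reject at install time so the default admin ends up with no usable password, is cheap to catch before running godojo. The following is an added example, not code from godojo or DefectDojo: it reads the `Install > Admin > Pass` value from a dojoConfig.yml in the quoted-scalar style shown in the issue and refuses a password that fails a complexity policy. The policy values (minimum length, required character classes) are assumptions for the example; the validators DefectDojo actually enforces are configured in its settings, so align them with the target instance. The sample config embedded below is constructed to mirror the issue's grep output.

```python
"""Pre-install check for Admin.Pass in a godojo dojoConfig.yml (added example)."""
import re
import sys

# Constructed sample mirroring the Admin block from the issue; not a real install.
SAMPLE_CONFIG = """\
Install:
 Admin:
    User: "admin" # DD_ADMIN_User - Admin user for the DefectDojo web app
    Pass: "ddadmin" # DD_ADMIN_Pass - Password for the DefectDojo web app admin user
    Email: "admin@localhost" # DD_ADMIN_Email - Email address for the web app admin user
    Others: "" # DD_ADMIN_Others - List of additional DefectDojo web app admins
"""

# Assumed policy for this example, not DefectDojo's real validator settings.
POLICY = {
    "min_length": 9,
    "require_lower": True,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
}

# Matches lines of the form `    Key: "value" # comment`; the comment is dropped
# because the capture stops at the closing quote.
ADMIN_KEY_RE = re.compile(r'^(\s*)(\w+):\s*"([^"]*)"')


def read_admin_block(text):
    """Return the key/value pairs nested under the first `Admin:` mapping.

    Minimal line-based reader for dojoConfig.yml's quoted-scalar style;
    deliberately not a general YAML parser.
    """
    values = {}
    admin_indent = None
    for line in text.splitlines():
        if admin_indent is None:
            m = re.match(r'^(\s*)Admin:\s*(#.*)?$', line)
            if m:
                admin_indent = len(m.group(1))
            continue
        m = ADMIN_KEY_RE.match(line)
        if not m or len(m.group(1)) <= admin_indent:
            break  # indentation dropped back out of the Admin block
        values[m.group(2)] = m.group(3)
    return values


def password_problems(password, policy=POLICY):
    """Return human-readable reasons the password fails the policy (empty if OK)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_lower"] and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy["require_upper"] and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy["require_digit"] and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy["require_special"] and not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def check_config(text):
    """Validate Admin.Pass from a dojoConfig.yml string.

    Returns (ok, messages). ok is False when the password is missing or
    would be rejected, i.e. the state that leaves the install with a
    default admin user and no working password.
    """
    admin = read_admin_block(text)
    password = admin.get("Pass", "")
    if not password:
        return False, ["Install > Admin > Pass is missing or empty"]
    problems = password_problems(password)
    if problems:
        return False, [f"Admin.Pass rejected: {p}" for p in problems]
    return True, ["Admin.Pass satisfies the policy"]


if __name__ == "__main__":
    # Usage: python check_dojo_pass.py [path/to/dojoConfig.yml]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    ok, messages = check_config(source)
    for msg in messages:
        print(msg)
    sys.exit(0 if ok else 1)
```

Run it against your real dojoConfig.yml before invoking godojo; a non-zero exit means the install would likely end up in the "default admin, no password" state and you would then need the `manage.py changepassword admin` route above.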