Release: Merge release into master from: release/3.0.0#15016
Closed
github-actions[bot] wants to merge 37 commits into
….0-dev Release: Merge back 2.59.0 into dev from: master-into-dev/2.59.0-2.60.0-dev
….60.0-dev Release: Merge back 2.59.0 into bugfix from: master-into-bugfix/2.59.0-2.60.0-dev
…/workflows/validate_docs_build.yml)
….2.0 (.github/workflows/release-x-manual-docker-containers.yml)
Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.5.1 to 2026.6.1. - [Commits](tfranzel/drf-spectacular-sidecar@2026.5.1...2026.6.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2026.6.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [django-polymorphic](https://github.com/django-commons/django-polymorphic) from 4.11.3 to 4.11.5. - [Release notes](https://github.com/django-commons/django-polymorphic/releases) - [Commits](django-commons/django-polymorphic@v4.11.3...v4.11.5) --- updated-dependencies: - dependency-name: django-polymorphic dependency-version: 4.11.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tatus (#14611) * Check statusCategory for Jira issue status * status category is mainly used to decide if a jira issue is active or not * if the category is undefined or an unknown status, fall back to resolution checking * the resolution object was compared to a string "None", this always returned False * provide unit tests for new functionality * removed trailing whitespace * Fix JIRA helper tests to comply with JIRA API specification - Remove test_issue_from_jira_is_active_with_unknown_status_and_none_resolution - Remove test_issue_from_jira_is_active_without_status_category_with_none_string_resolution These tests checked for resolution field as string 'None', which violates JIRA API spec. According to JIRA API, resolution is either an object with properties (id, name, etc) or null, never a string value. Remaining 12 tests verify correct behavior per the API spec. * fix import due to restructured modules * Align with previous changes for 14716 * Fix linter --------- Co-authored-by: Bernhard Willert <bernhard.willert@synaos.com> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
…0 to v7.3.1 (.github/workflows/release-drafter.yml) (#14948) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ithub/workflows/validate_docs_build.yml) (#14947) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* feat(parser): scaffold Alert Logic parser package
Empty __init__.py + stub parser.py with the 4 required methods returning
placeholder values. Sets up the package for TDD tests to import against
before the real implementation in Task 8.
Authored by T. Walker - DefectDojo
* test(parser): add synthetic Alert Logic CSV fixtures
Three fixtures matching the 26-column Alert Logic vulnerability export
shape (UTF-8 BOM, embedded CRLF in multi-line fields):
- no_vuln.csv — header only, 0 data rows
- one_vuln.csv — single Medium finding (HTTP/2 Rapid Reset)
- many_vulns.csv — 7 rows covering Info / Low / Medium / High / Critical,
with/without CVE, single & multi-IP (IPv4+IPv6),
CISA Known Exploited Yes/No, multi-line Description
and Resolution, a >500-char title for truncation test,
empty CVSS and empty Operating System edge cases.
All asset names, IPs, deployment names, and the customer account are
synthetic (reserved doc IP ranges 192.0.2.x / 198.51.100.x / 203.0.113.x;
.example.com hostnames; fictional AcmeCorp account). CVE identifiers and
their associated descriptions/resolutions are from public sources.
Authored by T. Walker - DefectDojo
* test(parser): add failing TDD scaffold for Alert Logic parser
Skeleton with 4 tests: get_scan_types, parse_no_findings, parse_one_finding,
parse_many_findings. The one/many assertions fail against the Task 3 stub
(which returns []) — that's the intended TDD red state. Full field-validation
tests will be appended in Task 9 after the parser implementation lands in
Task 8.
Authored by T. Walker - DefectDojo
* feat(parser): implement Alert Logic CSV parser
Parses Alert Logic vulnerability scan CSV exports (26 columns, UTF-8 with
BOM, multi-line quoted fields). Single-format, monolithic implementation
following the IriusRisk skeleton.
Field mapping:
- Vulnerability → title (truncated at 500 chars with ellipsis)
- Severity → severity (direct 1:1 Info/Low/Medium/High/Critical)
- CVSS Score → cvssv3_score (float, None if empty)
- Asset Name → component_name
- IP Address → unsaved_endpoints (comma-split IPv4/IPv6)
- Protocol/Port → endpoint protocol + port (port 0 → omitted)
- CVE → unsaved_vulnerability_ids
- Resolution → mitigation
- Vulnerability ID → unique_id_from_tool (stable native ID)
- Description, Evidence, OS, Vuln Span ID, Vuln Key, Asset Key/Type, Service, Category, VPC/Network, Deployment Name, Customer Account, First Seen, Last Scanned, Published Date, Age (days), CISA KEV → description (markdown table)
- CISA Known Exploited = Yes → unsaved_tags: ["cisa-known-exploited"]
static_finding=True, dynamic_finding=False (infrastructure vulnerability
scanner pattern, matches Qualys VMDR).
All 7 fixture findings parse cleanly with correct severities, multi-IP
endpoint extraction (IPv4+IPv6), title truncation, CVE list, CVSS score,
and tags. endpoint.clean() passes on all 10 endpoints generated from the
many_vulns fixture.
Authored by T. Walker - DefectDojo
* test(parser): add field-validation tests for Alert Logic parser
Adds 28 new tests on top of the TDD scaffold, bringing total coverage to
32 tests. Categories covered:
- Scan-type metadata: get_label, get_description
- Basic fields: title, severity, component_name, unique_id_from_tool,
cvssv3_score, static/dynamic flags, mitigation content, description
structure
- Severity mapping: one test per source level (Info/Low/Medium/High/Critical)
- Title truncation: long (>500) gets [:497] + "...", short stays as-is
- unique_id_from_tool: distinct values per finding, matches source
- Endpoints: single IPv4, multi-IP (IPv4+IPv6), IPv6-only, port=0 omission,
endpoint.clean() on every endpoint
- CVE handling: present and absent
- CISA Known Exploited tag: added on "Yes", absent on "No"
- CVSS score: parsed when present, None when empty
- BOM handling: title resolves correctly (proves UTF-8 BOM is stripped)
- Multi-line field preservation in description
All 32 tests pass against the parser implementation from the previous
commit.
Authored by T. Walker - DefectDojo
* docs(parser): add Alert Logic parser documentation
Documents the Alert Logic CSV parser including:
- File-export workflow from the Alert Logic console
- Default deduplication strategy (unique_id_from_tool + hashcode fallback)
- Complete 26-column field mapping table (expandable)
- Additional Finding field settings (static/dynamic flags, active default)
- Special processing notes covering severity conversion, title truncation,
description construction, endpoint multi-IP / IPv6 / port-zero handling,
deduplication algorithm, CVE handling, CISA Known Exploited tagging,
and UTF-8 BOM + multi-line field handling
Authored by T. Walker - DefectDojo
* feat(parser): register Alert Logic deduplication configuration
Adds Alert Logic Scan entries to:
- HASHCODE_FIELDS_PER_SCANNER with ["title", "component_name", "vuln_id_from_tool"]
(fallback when Vulnerability ID is missing on a row)
- DEDUPLICATION_ALGORITHM_PER_PARSER as DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE
(uses Vulnerability ID as the stable native identifier with hashcode fallback)
Mirrors the Qualys VMDR dedup pattern (same field set, same algorithm).
Authored by T. Walker - DefectDojo
* fix(parser): support V3_FEATURE_LOCATIONS in Alert Logic parser
The Endpoint model is deprecated and raises NotImplementedError when V3_FEATURE_LOCATIONS is enabled. Build LocationData URL locations in that mode and fall back to Endpoint otherwise, matching the established parser migration pattern (e.g. Qualys VMDR). Endpoint tests now read via the get_unsaved_locations helper so they pass under both settings.
Authored by T. Walker - DefectDojo
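The CSV handling and field mapping described in the Alert Logic commits above (BOM stripping, multi-line quoted fields, 500-char title truncation, multi-IP endpoints with port 0 omitted, CVSS None when empty, CISA tag), as an added example that is not the DefectDojo parser's own code. The column subset, the plain-dict finding shape and the sample rows are constructed here; the CVE value is a placeholder, not a real identifier.

```python
import csv
import io

TITLE_MAX = 500
CISA_TAG = "cisa-known-exploited"

# Constructed sample export: UTF-8 BOM, CRLF line endings, a quoted field with an
# embedded CRLF, and an over-long title. Only a subset of the 26 columns is used.
LONG_TITLE = "A" * 600
SAMPLE_CSV = (
    "\ufeff"
    "Vulnerability ID,Vulnerability,Severity,CVSS Score,Asset Name,IP Address,"
    "Protocol,Port,CVE,Resolution,CISA Known Exploited\r\n"
    "v-1001,HTTP/2 Rapid Reset,Medium,7.5,web01.example.com,"
    '"192.0.2.10, 2001:db8::10",tcp,443,CVE-0000-0001,'  # placeholder CVE id
    '"Upgrade the server.\r\nRestart afterwards.",Yes\r\n'
    "v-1002," + LONG_TITLE + ",Low,,db01.example.com,198.51.100.5,tcp,0,,,No\r\n"
)


def truncate_title(title: str) -> str:
    # Titles over 500 chars keep the first 497 chars plus "..."; short ones are unchanged.
    return title if len(title) <= TITLE_MAX else title[: TITLE_MAX - 3] + "..."


def build_endpoints(ips: str, protocol: str, port: str) -> list[dict]:
    # IP Address is a comma-separated IPv4/IPv6 list; port 0 means "not applicable".
    port_val = int(port) if port.strip().isdigit() and int(port) != 0 else None
    endpoints = []
    for host in (h.strip() for h in ips.split(",")):
        if not host:
            continue
        endpoint = {"host": host, "protocol": protocol.strip() or None}
        if port_val is not None:
            endpoint["port"] = port_val
        endpoints.append(endpoint)
    return endpoints


def row_to_finding(row: dict) -> dict:
    cvss = row.get("CVSS Score", "").strip()
    cve = row.get("CVE", "").strip()
    return {
        "title": truncate_title(row["Vulnerability"]),
        "severity": row["Severity"],  # Info/Low/Medium/High/Critical map 1:1
        "cvssv3_score": float(cvss) if cvss else None,
        "component_name": row["Asset Name"],
        "unique_id_from_tool": row["Vulnerability ID"],
        "mitigation": row["Resolution"],  # multi-line content preserved as-is
        "unsaved_vulnerability_ids": [cve] if cve else [],
        "unsaved_endpoints": build_endpoints(row["IP Address"], row["Protocol"], row["Port"]),
        "unsaved_tags": [CISA_TAG] if row["CISA Known Exploited"].strip().lower() == "yes" else [],
        "static_finding": True,
        "dynamic_finding": False,
    }


def parse_rows(text: str) -> list[dict]:
    # Strip the UTF-8 BOM so the first header cell resolves to "Vulnerability ID".
    text = text.lstrip("\ufeff")
    # newline="" keeps embedded CRLF inside quoted fields intact for the csv reader.
    return [row_to_finding(row) for row in csv.DictReader(io.StringIO(text, newline=""))]
```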
Remove the exclusion of the current user from the reviewer dropdown in ReviewFindingForm so users can self-assign as reviewer.
When the original of a duplicate cluster is deleted (e.g. via engagement deletion), reconfigure_duplicate_cluster promotes the first remaining duplicate to the new primary. It already copies active and is_mitigated from the original, but not verified. The promoted finding kept its own verified=False, which blocked Jira's "Push All Issues" (requires active+verified). Add verified to the fields copied to the new original. Fixes #14911
…ied (#14935) * Prevent reimport from reactivating duplicate findings as active/verified Fixes #14910. process_matched_mitigated_finding reactivated a matched mitigated finding without checking whether it is a duplicate, producing an invalid active/verified duplicate state that the finding edit form rejects. Keep duplicates inactive/unverified on reactivation (un-mitigate only), matching the set_duplicate invariant. * Initialise reimporter accumulators in duplicate reactivation tests process_matched_mitigated_finding appends to self.reactivated_items, which is normally created in process_findings(). The tests drive the method directly, so set the accumulator lists explicitly.
…#14941) Dependency-Check's DependencyBundlingAnalyzer merges co-grouped artifacts into one main dependency and lists the others under <relatedDependencies>. The vulnerability is attached only to the main dependency in the XML; related entries are metadata for other files in the same logical component. Previously the parser emitted one finding per related entry in addition to the main finding. This multiplied a single CVE into N findings sharing the same title, CVE, component name, and version — only the file path differed. Projects with Spring Boot, ActiveMQ, or other libraries whose CPE matches many sibling artifacts (DC bundling scenario 4) were hit hardest. Instead, emit one finding per vulnerability per main dependency and surface related file paths in the description under a "**Related Filepaths:**" block. The five DependencyBundlingAnalyzer bundling scenarios are documented in the new build_related_dependencies_block() helper, the parser docs page, and the 2.59.1 upgrade notes. Closes-style note: findings previously tagged `related` will be closed on the next reimport as they are no longer emitted. The `related` tag is not applied.
…late (#14945) critical_product_metrics view renders metrics.html without a form context variable. Django resolves undefined template vars as empty string, causing get_filter_groups to crash with AttributeError on str.visible_fields(). Wrapping the filter_snippet include in {% if form %} prevents the crash. Fixes #14944.
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.14 to 0.15.15. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.15.14...0.15.15) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tacular-sidecar-2026.6.1 chore(deps): bump drf-spectacular-sidecar from 2026.5.1 to 2026.6.1
…action-7.x chore(deps): update docker/build-push-action action from v7.1.0 to v7.2.0 (.github/workflows/release-x-manual-docker-containers.yml)
chore(deps): update dependency node from 24.15.0 to v24.16.0 (.github/workflows/validate_docs_build.yml)
Bumps [redis](https://github.com/redis/redis-py) from 7.4.0 to 8.0.0. - [Release notes](https://github.com/redis/redis-py/releases) - [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES) - [Commits](redis/redis-py@v7.4.0...v8.0.0) --- updated-dependencies: - dependency-name: redis dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…thub/workflows/close-stale.yml) (#14949) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…y counts (#14967) Re-baseline expected query counts after upstream merge that switched from RBAC to legacy authorization. Legacy auth has lower per-action overhead (no role-permission lookups, simpler dispatch), so all counts decreased by 1-7 queries. Also removes the unused `unittest.skip` import.
…y counts (#14968) Re-baseline expected query counts after upstream merge that switched from RBAC to legacy authorization. Legacy auth has lower per-action overhead (no role-permission lookups, simpler dispatch), so all counts decreased by 1-7 queries. Also removes the unused `unittest.skip` import.
Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.49 to 2.0.50. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-version: 2.0.50 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…1.37.12 to v1.38.0 (helm/defectdojo/values.yaml) (#14993) * chore(deps): update gcr.io/cloudsql-docker/gce-proxy docker tag from 1.37.12 to v1.38.0 (helm/defectdojo/values.yaml) * update Helm documentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* docs: add release notes for upgrading to DefectDojo Version 3.0.x * docs: repoint 2.59 upgrade-note links to 3.0 PR #15010 renamed releases/os_upgrading/2.59.md to 3.0.md, but seven pages under admin/ still deep-linked to /releases/os_upgrading/2.59/. Since the 2.59 page is no longer generated, the lychee internal-link check in the docs deploy job failed on those broken links. Repoint the links (and accompanying prose) to the 3.0 upgrade notes; the referenced anchors are unchanged and still present on the 3.0 page. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…15011) * feat(settings): enable v3 functionality and organization/asset relabeling by default * fix(v3): register authorized-users URLs in relabel branch When ENABLE_V3_ORGANIZATION_ASSET_RELABEL is on (now the default), the asset and organization URL configs failed to register the add/delete_product[_type]_authorized_user routes — those patterns only existed in the legacy (else) branch. The product/asset and product-type/organization detail templates still reverse those names, so rendering raised NoReverseMatch and returned HTTP 500, cascading into nearly all REST and UI test failures. Add the missing native patterns to the v3 branch plus the corresponding cross-edition redirects so both flag states stay at parity. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * test(v3): update UI and unit tests for org/asset relabeling The v3 organization/asset relabeling is now on by default, but the test suites still asserted the legacy "Product"/"Product Type" labels and the legacy /product/ URL routing, so both the integration (Selenium) and rest-framework unit test workflows failed. Integration tests: update relabel-driven UI strings (link text, success messages, headings, page text) to "Asset"/"Organization". This also fixes the wide cascade where most suites failed because the shared ProductTest.test_create_product fixture broke on the "Add Product" -> "Add Asset" link text. Unit tests: update the shared JIRA redirect helpers and the report-scoping URLs from /product/<id> to /asset/<id> (v3 URL routing), and the product type deletion audit message to the relabeled "Organization" form. Relabeling is the default in every CI leg (neither workflow overrides DD_ENABLE_V3_ORGANIZATION_ASSET_RELABEL), so the new strings/URLs are correct in both the v3_feature_locations true and false legs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…te (#15009) * refactor(migrations): update removal of Stub Findings and Credential Manager features to preserve database state * fix(migrations): keep enable_credentials column insertable after state-only removal The state-only removal in 0266 left dojo_system_settings.enable_credentials in place (NOT NULL, no DB default) for downgrade safety, but the model no longer supplies a value on INSERT. New System_Settings rows then failed with a NotNullViolation, surfacing as 28 errors in unittests.test_apply_finding_template. Split the field handling into its own SeparateDatabaseAndState: drop the field from Django state while a database_operations RunSQL sets a server-side default of true (matching the field's original default) on the retained column, so inserts that omit it still satisfy the NOT NULL constraint. Verified locally: the 28 test_apply_finding_template errors reproduce before the change and pass after; makemigrations --check reports no drift; and the cred_*/stub_finding tables, the enable_credentials column, and the cred_user pghistory triggers all remain in the database. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… add upgrade notes for version 3.0.0
Release 3.0.0: Merge bugfix -> dev
Release triggered by
Maffooch