Merge pull request #12515 from DefectDojo/release/2.46.4

Release: Merge release into master from: release/2.46.4

Author: rossops

README.md

@@ -129,7 +129,6 @@ Core Moderators can help you with pull requests or feedback on dev ideas:
 
 Moderators can help you with pull requests or feedback on dev ideas:
 * Charles Neill ([@cneill](https://github.com/cneill) | [@ccneill](https://twitter.com/ccneill))
-* Jay Paz ([@jjpaz](https://twitter.com/jjpaz))
 * Blake Owens ([@blakeaowens](https://github.com/blakeaowens))
 
 ## Hall of Fame

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.46.3",
+  "version": "2.46.4",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docker/entrypoint-initializer.sh

@@ -26,7 +26,7 @@ echo "Creating Announcement Banner"
 cat <<EOD | python3 manage.py shell
 from dojo.models import Announcement, UserAnnouncement, Dojo_User
 announcement, created = Announcement.objects.get_or_create(id=1)
-announcement.message = '<a href="https://defectdojo.com/contact" target="_blank">Cloud and On-Premise Subscriptions Now Available! Click here for more details</a>'
+announcement.message = '<a href="https://cloud.defectdojo.com/accounts/onboarding/plg_step_1" target="_blank">DefectDojo Pro Cloud and On-Premise Subscriptions Now Available! Create an account to try Pro for free!</a>'
 announcement.dismissable = True
 announcement.save()
 for dojo_user in Dojo_User.objects.all():

docs/assets/images/pro_dashboard_priority.png

@@ -8,12 +8,66 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
+
+## May 2025: v2.46
+
+### ⚠️ Tag Format Change 
+
+As of version 2.46.0, Tags can no longer contain the following characters:
+- Commas (,)
+- Quotations (both single ' and double ")
+- Spaces
+
+To ensure a smooth transition, an automatic migration will be applied to existing tags as follows:
+- Commas → Replaced with hyphens (-)
+- Quotations (single and double) → Removed
+- Spaces → Replaced with underscores (_)
+Examples
+- example,tag → example-tag
+- 'SingleQuoted' → SingleQuoted
+- "DoubleQuoted" → DoubleQuoted
+- space separated tag → space_separated_tag
+
+This update improves consistency, enhances DefectDojo's search capabilities, and aligns with best practices for tag formatting.
+
+We recommend reviewing your current tags to ensure they align with the new format.  Following the deployment of these new behaviors, requests sent to the API or through the UI with any of the violations listed above will result in an error, with the details of the error raised in the response.
+
+### May 19, 2025: v2.46.3
+
+- **(Calendar)** New filters have been added to Calendar view: Unassigned Lead, and Engagement/Test Type.
+- **(Dashboard)** Added Finding Status filter for Dashboard tiles.
+- **(Engagements)** A repository URI can be added to an Engagement via **Edit Engagement > Optional Fields > Repo**.  If this field is set, Findings under that Engagement will automatically generate clickable links to the source code if File Path is set on the Finding.  See [docs](/en/working_with_findings/organizing_engagements_tests/source-code-repositories/) for more details.
+- **(Findings)** Added "Jira Issue URL" column to the CSV export of Finding tables.
+- **(Metrics)** Priority Dashboard has been added to Metrics, to display your organization's risk profile at a glance.
+![image](images/pro_dashboard_priority.png)
+- **(Universal Parser)** Added a 'SOC Alerts' flag to Universal Parser, to indicate whether the Findings from the parser originate from a Security Operations Center.
+
+### May 12, 2025: v2.46.2
+
+- **(Findings)** Component Name and Version have been added to the metadata table on a Finding View.
+- **(Metrics)** Pro Insights Dashboards can now be filtered by Tag.
+- **(Users)** The Users table can now be exported as a .csv file.
+
+### May 7, 2025: v2.46.1
+
+Hotfix release - no significant feature changes.
+
+### May 5, 2025: v2.46.0
+
+
+- **(Import)** Mitigated timestamp in reports are no longer ignored/overwritten on Reimport.
+- **(Tools)** Fortify Webinspect has been added as a supported tool.
+- **(Tools)** Added JSON as a supported tool for Immuniweb.
+- **(Tools)** Nessus (Tenable) parser now handles additional fields.
+- **(Tools)** Wiz parser now handles additional fields and unique_id_from_tool.
+
+
 ## Apr 2025: v2.45
 
 ### Apr 28, 2025: v2.45.3
 
-- **(Tools)** Fortify parser can now assign False Positive status to Findings according to the audit.xml file.
 - **(Import)** Reimporting a scan can now handle special statuses assigned by a tool.  Now, if a Finding was initially imported as Active, but the status was changed to False Positive, Out Of Scope or Risk Accepted by a subsequent report, that status will now be respected and applied to the Finding by Reimport.
+- **(Tools)** Fortify parser can now assign False Positive status to Findings according to the audit.xml file.
 
 ### Apr 22, 2025: v2.45.2
 
@@ -35,35 +89,29 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Mar 2025: v2.44
 
-### Mar 31, 2025: v2.44.4
+#### Mar 31, 2025: v2.44.4
 
 - **(Pro UI)** Group and Configuration permissions can now be assigned quickly from a User page.  For more information, see [DefectDojo Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/).
 
-### Mar 24, 2025: v2.44.3
+#### Mar 24, 2025: v2.44.3
 
 - **(Import)** Generic Findings Import will now parse tags in the JSON payload when Async Import is enabled.
 
-### Mar 17, 2025: v2.44.2
+#### Mar 17, 2025: v2.44.2
 
 - **(Pro UI)** Added a new method to quickly assign permissions to Products or Product Types.  See our [Pro Permissions](/en/customize_dojo/user_management/pro_permissions_overhaul/) for more details.
 
 ![image](images/pro_permissions_2.png)
 
-### Mar 10, 2025: v2.44.1
+#### Mar 10, 2025: v2.44.1
 
 - **(Pro UI)** Added a field in the View Engagement page which allows a user to navigate to the linked Jira Epic, if one exists.
 - **(Universal Parser)** XML is now a supported file type for Universal Parser.
 - **(SSO)** SSO can now be set up with any kind of [OIDC Configuration](https://auth0.com/docs/authenticate/protocols/openid-connect-protocol).  See OIDC Settings in the Pro UI:
 
 ![image](images/oidc.png)
 
-### Mar 3, 2025: v2.44.0
-
-- **(Pro UI)** Breadcrumbs have been overhauled to better represent the context each page exists in.  Breadcrumbs will now include filtering and query parameters.  The titles of tables now better represent their context, for example when looking at the Engagements list for a particular Product, the view will be titled {Product Name} Engagements, rather than All Engagements as before.
-
-## Mar 2025: v2.44
-
-### Mar 3, 2025: v2.44.0
+#### Mar 3, 2025: v2.44.0
 
 - **(Pro UI)** Breadcrumbs have been overhauled to better represent the context each page exists in.  Breadcrumbs will now include filtering and query parameters.  The titles of tables now better represent their context, for example when looking at the Engagements list for a particular Product, the view will be titled {Product Name} Engagements, rather than All Engagements as before.
 

docs/content/en/changelog/changelog.md

@@ -2,7 +2,16 @@
 title: "AnchoreCTL Policies Report"
 toc_hide: true
 ---
-AnchoreCTLs JSON policies report format
+AnchoreCTLs JSON policies report format. Both legacy list-based format and new evaluation-based format are supported.
+
+## Usage
+
+To generate a policy report that can be imported into DefectDojo:
+
+```bash
+# Evaluate policies and output to JSON format
+anchorectl policy evaluate -o json > policy_report.json
+```
 
 ### Sample Scan Data
 Sample AnchoreCTL Policies Report scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/anchorectl_policies).

docs/content/en/connecting_your_tools/parsers/file/anchorectl_policies.md

@@ -37,8 +37,8 @@ $ docker compose build --build-arg uid=1000
 |`unittests/scans/<parser_dir>/{many_vulns,no_vuln,one_vuln}.json` | Sample files containing meaningful data for unit tests. The minimal set.
 |`unittests/tools/test_<parser_name>_parser.py` | Unit tests of the parser.
 |`dojo/settings/settings.dist.py`               | If you want to use a modern hashcode based deduplication algorithm
-|`docs/content/en/connecting_your_tools/parsers/<file/api>/<parser_file>.md` | Documentation, what kind of file format is required and how it should be obtained 
-    
+|`docs/content/en/connecting_your_tools/parsers/<file/api>/<parser_file>.md` | Documentation, what kind of file format is required and how it should be obtained
+
 
 ## Factory contract
 
@@ -57,6 +57,7 @@ Parsers are loaded dynamicaly with a factory pattern. To have your parser loaded
    3. `def get_description_for_scan_types(self, scan_type):` This function return a string used to provide some text in the UI (long description)
    4. `def get_findings(self, file, test)` This function return a list of findings
 6. If your parser have more than 1 scan_type (for detailled mode) you **MUST** implement `def set_mode(self, mode)` method
+7. The parser instance is re-used over all imports performed for this scan_type, so do not store any data at class level
 
 Example:
 
@@ -145,7 +146,7 @@ Very bad example:
 Various file formats are handled through libraries. In order to keep DefectDojo slim and also don't extend the attack surface, keep the number of libraries used minimal and take other parsers as an example.
 
 #### defusedXML in favour of lxml
-As xml is by default an unsecure format, the information parsed from various xml output has to be parsed in a secure way. Within an evaluation, we determined that defusedXML is the library which we will use in the future to parse xml files in parsers as this library is rated more secure. Thus, we will only accept PRs with the defusedxml library. 
+As xml is by default an unsecure format, the information parsed from various xml output has to be parsed in a secure way. Within an evaluation, we determined that defusedXML is the library which we will use in the future to parse xml files in parsers as this library is rated more secure. Thus, we will only accept PRs with the defusedxml library.
 
 ### Not all attributes are mandatory
 
@@ -232,7 +233,8 @@ Bad example (DIY):
 
 By default a new parser uses the 'legacy' deduplication algorithm documented at https://documentation.defectdojo.com/usage/features/#deduplication-algorithms
 
-Please use a pre-defined deduplication algorithm where applicable.
+Please use a pre-defined deduplication algorithm where applicable. When using the `unique_id_from_tool` or `vuln_id_from_tool` fields in the hash code configuration, it's important that these are uqniue for the finding and constant over time across subsequent scans. If this is not the case, the values can still be useful to set on the finding model without using them for deduplication.
+The values must be coming from the report directly and must not be something that is calculated by the parser internally.
 
 ## Unit tests
 
@@ -366,4 +368,3 @@ Please add a new .md file in [`docs/content/en/connecting_your_tools/parsers`] w
 * A link to the scanner itself - (e.g. GitHub or vendor link)
 
 Here is an example of a completed Parser documentation page: [https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/acunetix.md](https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/acunetix.md)
-

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -10,7 +10,8 @@ Certain tools (particularly SAST tools) will include the associated file name an
 ## Setting the repository in the Engagement and Test
 
 ### Engagement
-While editing the Engagement, users can set the URL of the specific SCM repo. 
+
+While editing the Engagement, users can set the URL of the specific Source Code Management repo.  **(In the Pro UI, this field can be set under Edit Engagement > Optional Fields > Repo)**.
 
 For an Interactive Engagement, it needs to be a URL that specifies the branch:
 - for GitHub - like https://github.com/DefectDojo/django-DefectDojo/tree/dev

docs/content/en/working_with_findings/organizing_engagements_tests/source-code-repositories.md

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.46.3"
+__version__ = "2.46.4"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/__init__.py

@@ -12,7 +12,7 @@ def add_announcement_to_new_user(sender, instance, **kwargs):
         dojo_user = Dojo_User.objects.get(id=instance.id)
         announcement = announcements.first()
         cloud_announcement = (
-            "Cloud and On-Premise Subscriptions Now Available!"
+            "DefectDojo Pro Cloud and On-Premise Subscriptions Now Available!"
             in announcement.message
         )
         if not cloud_announcement or settings.CREATE_CLOUD_BANNER:

dojo/announcement/signals.py

@@ -29,6 +29,7 @@ def globalize_vars(request):
         "DOCUMENTATION_URL": settings.DOCUMENTATION_URL,
         "API_TOKENS_ENABLED": settings.API_TOKENS_ENABLED,
         "API_TOKEN_AUTH_ENDPOINT_ENABLED": settings.API_TOKEN_AUTH_ENDPOINT_ENABLED,
+        "CREATE_CLOUD_BANNER": settings.CREATE_CLOUD_BANNER,
     }
 
 

dojo/context_processors.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.1.8 on 2025-05-19 16:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0228_alter_jira_username_password'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='finding',
+            name='unique_id_from_tool',
+            field=models.CharField(blank=True, help_text='Vulnerability technical id from the source tool. Allows to track unique vulnerabilities over time across subsequent scans.', max_length=500, null=True, verbose_name='Unique ID from tool'),
+        ),
+    ]

dojo/db_migrations/0229_alter_finding_unique_id_from_tool.py

@@ -404,7 +404,7 @@ def match_new_finding_to_existing_finding(
             # If you have use cases going through this section, you're advised to create a deduplication configuration for your parser
             logger.warning("Legacy reimport. In case of issue, you're advised to create a deduplication configuration in order not to go through this section")
             return Finding.objects.filter(
-                    title=unsaved_finding.title,
+                    title__iexact=unsaved_finding.title,
                     test=self.test,
                     severity=unsaved_finding.severity,
                     numerical_severity=Finding.get_numerical_severity(unsaved_finding.severity)).order_by("id")

dojo/importers/default_reimporter.py

@@ -2562,7 +2562,7 @@ class Finding(models.Model):
                                            blank=True,
                                            max_length=500,
                                            verbose_name=_("Unique ID from tool"),
-                                           help_text=_("Vulnerability technical id from the source tool. Allows to track unique vulnerabilities."))
+                                           help_text=_("Vulnerability technical id from the source tool. Allows to track unique vulnerabilities over time across subsequent scans."))
     vuln_id_from_tool = models.CharField(null=True,
                                          blank=True,
                                          max_length=500,

dojo/models.py

@@ -83,6 +83,7 @@
     DD_CELERY_BEAT_SCHEDULE_FILENAME=(str, root("dojo.celery.beat.db")),
     DD_CELERY_TASK_SERIALIZER=(str, "pickle"),
     DD_CELERY_PASS_MODEL_BY_ID=(str, True),
+    DD_CELERY_LOG_LEVEL=(str, "INFO"),
     DD_FOOTER_VERSION=(str, ""),
     # models should be passed to celery by ID, default is False (for now)
     DD_FORCE_LOWERCASE_TAGS=(bool, True),
@@ -1146,6 +1147,7 @@ def saml2_attrib_map_format(din):
 CELERY_ACCEPT_CONTENT = ["pickle", "json", "msgpack", "yaml"]
 CELERY_TASK_SERIALIZER = env("DD_CELERY_TASK_SERIALIZER")
 CELERY_PASS_MODEL_BY_ID = env("DD_CELERY_PASS_MODEL_BY_ID")
+CELERY_LOG_LEVEL = env("DD_CELERY_LOG_LEVEL")
 
 if len(env("DD_CELERY_BROKER_TRANSPORT_OPTIONS")) > 0:
     CELERY_BROKER_TRANSPORT_OPTIONS = json.loads(env("DD_CELERY_BROKER_TRANSPORT_OPTIONS"))
@@ -1433,6 +1435,8 @@ def saml2_attrib_map_format(din):
 # legacy one with multiple conditions (default mode)
 DEDUPE_ALGO_LEGACY = "legacy"
 # based on dojo_finding.unique_id_from_tool only (for checkmarx detailed, or sonarQube detailed for example)
+# When using the `unique_id_from_tool` or `vuln_id_from_tool` fields for dedupication, it's important that these are uqniue for the finding and constant over time across subsequent scans.
+# If this is not the case, the values can still be useful to set on the finding model without using them for deduplication.
 DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL = "unique_id_from_tool"
 # based on dojo_finding.hash_code only
 DEDUPE_ALGO_HASH_CODE = "hash_code"
@@ -1702,7 +1706,7 @@ def saml2_attrib_map_format(din):
         },
         "celery": {
             "handlers": [rf"{LOGGING_HANDLER}"],
-            "level": str(LOG_LEVEL),
+            "level": str(CELERY_LOG_LEVEL),
             "propagate": False,
             # workaround some celery logging known issue
             "worker_hijack_root_logger": False,
@@ -1807,7 +1811,9 @@ def saml2_attrib_map_format(din):
 VULNERABILITY_URLS = {
     "ALAS": "https://alas.aws.amazon.com/AL2/&&.html",  # e.g. https://alas.aws.amazon.com/alas2.html
     "ALBA-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/ALBA-2019:3411
+    "ALEA-": "https://errata.almalinux.org/8/&&.html",  # e.g. https://errata.almalinux.org/8/ALEA-2022-1998.html
     "ALINUX2-SA-": "https://mirrors.aliyun.com/alinux/cve/",  # e.g. https://mirrors.aliyun.com/alinux/cve/alinux2-sa-20250007.xml
+    "ALINUX3-SA-": "https://mirrors.aliyun.com/alinux/3/cve/",  # e.g. https://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20250059.xml
     "ALSA-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/ALSA-2024:0827
     "ASA-": "https://security.archlinux.org/",  # e.g. https://security.archlinux.org/ASA-202003-8
     "AVD": "https://avd.aquasec.com/misconfig/",  # e.g. https://avd.aquasec.com/misconfig/avd-ksv-01010

dojo/settings/settings.dist.py

@@ -204,7 +204,7 @@ def evaluate_pro_proposition(*args, **kwargs):
         entry in announcement.message
         for entry in [
             "",
-            "Cloud and On-Premise Subscriptions Now Available!",
+            "DefectDojo Pro Cloud and On-Premise Subscriptions Now Available!",
             "Findings/Endpoints in their systems",
         ]
     ):

dojo/tasks.py

@@ -194,6 +194,14 @@
                                             </a>
                                         </li>
                                     {% endif %}
+                                    {% if CREATE_CLOUD_BANNER %}
+                                        <li>
+                                            <a href="https://cloud.defectdojo.com/accounts/onboarding/plg_step_1">
+                                                <i class="fa-solid fa-level-up fa-fw"></i>
+                                                {% trans "Try Pro for Free!" %}
+                                            </a>
+                                        </li>
+                                    {% endif %}
                                     <li>
                                         <a href="{% url 'logout' %}">
                                             <i class="fa-solid fa-right-from-bracket fa-fw"></i>