Merge pull request #14371 from DefectDojo/release/2.55.4

rossops · web-flow · commit e4df9d92b925 · 2026-02-23T10:52:40.000-06:00
Release: Merge release into master from: release/2.55.4
diff --git a/.github/workflows/release-2-tag-docker-push.yml b/.github/workflows/release-2-tag-docker-push.yml
@@ -71,7 +71,7 @@ jobs:
     secrets: inherit
 
   release-drafter:
-    needs: publish-container-digests
+    needs: [publish-container-digests, release-helm-chart]
     uses: ./.github/workflows/release-drafter.yml
     with:
       version: ${{ inputs.release_number }}
diff --git a/components/package.json b/components/package.json
@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.55.3",
+  "version": "2.55.4",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -122,6 +122,7 @@ services:
   postgres:
     image: postgres:18.1-alpine@sha256:4eb15de8e7b692c02427a2df278d18eb89422a534e428efb6d43c968250334d4
     environment:
+      PGDATA: /var/lib/postgresql/data
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}
       POSTGRES_PASSWORD: ${DD_DATABASE_PASSWORD:-defectdojo}
diff --git a/docs/content/releases/os_upgrading/2.51.md b/docs/content/releases/os_upgrading/2.51.md
@@ -77,6 +77,14 @@ If you already have a valid backup of the postgres 16 database, you can start at
 
 _Note: If you are using a bound volume, the path has changed for Postgres18. It is now `/var/lib/postgresql/` instead of `/var/lib/postgresql/data`. Failure to change the path may result in errors about failure to create a shim task. See the discussion in [docker-library/postgres](https://github.com/docker-library/postgres/issues/1370)._
 
+> **Postgres Data storage**
+>
+> PostgreSQL 18 changed its default `PGDATA` path from `/var/lib/postgresql/data` to `/var/lib/postgresql/18/docker`. Because the Docker volume was mounted at `/var/lib/postgresql/data`, data was written to the container's ephemeral layer instead of the volume.
+>
+> This has been fixed in 2.55.4 by explicitly setting `PGDATA: /var/lib/postgresql/data` in `docker-compose.yml`.
+>
+> If you customise the postgres service in your own `docker-compose.override.yml`, make sure `PGDATA` is set to the path where your volume is mounted.
+
 ### 0. Backup
 
 Always back up your data before starting and save it somewhere.
diff --git a/docs/content/releases/pro/changelog.md b/docs/content/releases/pro/changelog.md
@@ -10,7 +10,20 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/changelog/os_upgrading/upgrading_guide/).
 
-## Feb 2025: v2.55
+## Feb 2026: v2.55
+
+### Feb 17, 2026: v2.55.3
+
+* **(Pro UI)** Added “Scheduled” status to Engagements to enhances the tracking and management of Engagements.
+
+### Feb 10, 2026: v2.55.2
+
+* **(Pro UI)** Enhanced Organization addition permissions with configuration checks.
+
+### Feb 4, 2026: v2.55.1
+
+* **(Pro UI)** Findings: Added support for Custom Fields; key-value pairs that can be added to Findings.
+* **(Pro UI)** Fixed an issue where a date filter could throw a 500 error.
 
 ### Feb 2, 2026: v2.55.0
 
diff --git a/docs/content/triage_findings/findings_workflows/finding_status_definitions.md b/docs/content/triage_findings/findings_workflows/finding_status_definitions.md
@@ -89,3 +89,52 @@ If you have a testing and remediation effort related to a specific aspect of you
 Once you’ve reviewed a Finding, you might discover that the vulnerability reported does not actually exist. The False Positive status will be maintained by reimport and prevent matching findings from being opened or closed, which assists with noise reduction.  
 
 If a different scanning tool finds a similar Finding, it will not be recorded as a False Positive. DefectDojo can only compare Findings within the same tool to determine if a Finding has already been recorded.
+
+## Severity vs Risk
+Severity reflects the technical impact of an issue if exploited. Risk reflects the business urgency and required response, factoring in context such as exposure, exploitability, compensating controls, and operational impact.
+
+
+## Risk Level Definitions
+### Urgent
+A finding that represents an immediate and unacceptable business risk.
+
+High likelihood of exploitation or active exploitation observed
+Direct exposure of critical systems, sensitive data, or customer environments
+Limited or no compensating controls
+Failure to act could result in severe business disruption, regulatory impact, or reputational damage
+
+Expected action: Immediate response Typical SLA: Emergency remediation
+
+
+### Needs Action
+A finding that poses a clear and actionable risk requiring timely remediation or mitigation.
+
+A realistic attack path exists
+The affected asset is exposed, business-critical, or customer-facing
+Compensating controls are weak, missing, or unverified
+Exploitation would result in measurable business, security, or compliance impact
+
+Expected action: Active remediation or mitigation required Typical SLA: Short-term remediation window
+
+
+### Medium Risk
+A finding that presents a moderate level of business risk and should be remediated in a planned timeframe.
+
+Meaningful impact could occur if exploited
+Some exposure exists, but exploitation requires specific conditions or privileges
+May affect production systems or customer data indirectly
+Often aligns with medium or high severity issues without immediate exploitability
+
+Expected action: Prioritized remediation Typical SLA: Planned remediation window
+
+
+### Low Risk
+A finding that presents minimal business impact and does not require immediate action.
+
+No known exploitation in the wild
+Limited or no exposure (e.g., internal systems, non-production, strong compensating controls)
+Remediation can be addressed as part of normal development or maintenance cycles
+Often informational or low-severity findings, but may include higher-severity issues that are well-mitigated
+
+Expected action: Track and address opportunistically Typical SLA: Best effort / backlog
+
diff --git a/dojo/__init__.py b/dojo/__init__.py
@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.55.3"
+__version__ = "2.55.4"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"  # noqa: RUF067
 __docs__ = "https://documentation.defectdojo.com"  # noqa: RUF067
diff --git a/dojo/importers/endpoint_manager.py b/dojo/importers/endpoint_manager.py
@@ -114,6 +114,8 @@ def chunk_endpoints_and_disperse(
         endpoints: list[Endpoint],
         **kwargs: dict,
     ) -> None:
+        if not endpoints:
+            return
         dojo_dispatch_task(EndpointManager.add_endpoints_to_unsaved_finding, finding, endpoints, sync=True)
 
     @staticmethod
diff --git a/dojo/importers/location_manager.py b/dojo/importers/location_manager.py
@@ -84,6 +84,8 @@ def chunk_locations_and_disperse(
         locations: list[AbstractLocation],
         **kwargs: dict,
     ) -> None:
+        if not locations:
+            return
         dojo_dispatch_task(LocationManager.add_locations_to_unsaved_finding, finding, locations, sync=True)
 
     @staticmethod
diff --git a/dojo/management/commands/dedupe.py b/dojo/management/commands/dedupe.py
@@ -1,3 +1,4 @@
+import argparse
 import logging
 
 import pghistory
@@ -53,7 +54,7 @@ def add_arguments(self, parser):
         parser.add_argument("--dedupe_sync", action="store_true", help="Run dedupe in the foreground, default false")
         parser.add_argument(
             "--dedupe_batch_mode",
-            action="store_true",
+            action=argparse.BooleanOptionalAction,
             default=True,
             help="Deduplicate in batches (similar to import), works with both sync and async modes (default: True)",
         )
@@ -130,12 +131,13 @@ def _run_dedupe(self, *, restrict_to_parsers, hash_code_only, dedupe_only, dedup
                 elif dedupe_sync:
                     mass_model_updater(Finding, findings, do_dedupe_finding_task_internal, fields=None, order="desc", page_size=100, log_prefix="deduplicating ")
                 else:
-                    # async tasks only need the id
+                    # async tasks only need the id; clear select/prefetch_related to avoid
+                    # FieldError when combining only("id") with select_related traversal
                     from dojo.celery_dispatch import dojo_dispatch_task  # noqa: PLC0415 circular import
 
                     mass_model_updater(
                         Finding,
-                        findings.only("id"),
+                        findings.select_related(None).prefetch_related(None).only("id"),
                         lambda f: dojo_dispatch_task(do_dedupe_finding_task, f.id),
                         fields=None,
                         order="desc",
diff --git a/dojo/tools/ms_defender/parser.py b/dojo/tools/ms_defender/parser.py
@@ -194,7 +194,7 @@ def process_json_with_machine_info(self, vulnerability, machine):
             # TODO: Delete this after the move to Locations
             if "computerDnsName" in machine and machine["computerDnsName"] is not None:
                 host = str(machine["computerDnsName"]).replace(" ", "").replace("(", "_").replace(")", "_")
-                locations.append(URL(host=host))
+                locations.append(Endpoint(host=host))
             if "lastIpAddress" in machine and machine["lastIpAddress"] is not None:
                 locations.append(Endpoint(host=str(machine["lastIpAddress"])))
             if "lastExternalIpAddress" in machine and machine["lastExternalIpAddress"] is not None:
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.55.3"
+appVersion: "2.55.4"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.9.13
+version: 1.9.14
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
   - name: madchap
@@ -34,4 +34,4 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "false"
-  artifacthub.io/changes: "- kind: changed\n  description: Bump DefectDojo to 2.55.3\n"
+  artifacthub.io/changes: "- kind: changed\n  description: Bump DefectDojo to 2.55.4\n"
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
@@ -511,7 +511,7 @@ The HELM schema will be generated for you.
 
 # General information about chart values
 
-![Version: 1.9.13](https://img.shields.io/badge/Version-1.9.13-informational?style=flat-square) ![AppVersion: 2.55.3](https://img.shields.io/badge/AppVersion-2.55.3-informational?style=flat-square)
+![Version: 1.9.14](https://img.shields.io/badge/Version-1.9.14-informational?style=flat-square) ![AppVersion: 2.55.4](https://img.shields.io/badge/AppVersion-2.55.4-informational?style=flat-square)
 
 A Helm chart for Kubernetes to install DefectDojo
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "defectdojo",`
`3`		`- "version": "2.55.3",`
	`3`	`+ "version": "2.55.4",`
`4`	`4`	`"license" : "BSD-3-Clause",`
`5`	`5`	`"private": true,`
`6`	`6`	`"dependencies": {`