Merge remote-tracking branch 'upstream/dev' into pghistory

Author: valentijnscholten

.github/workflows/k8s-tests.yml

@@ -27,7 +27,7 @@ jobs:
           # are tested (https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#available-versions)
           - databases: pgsql
             brokers: redis
-            k8s: 'v1.34.1'
+            k8s: 'v1.34.0'
             os: debian
     steps:
       - name: Checkout

docker/entrypoint-unit-tests.sh

@@ -80,9 +80,16 @@ echo "Unit Tests"
 echo "------------------------------------------------------------"
 
 # Removing parallel and shuffle for now to maintain stability
-python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
+python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" --exclude-tag="transactional" || {
     exit 1;
 }
 python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
     exit 1;
-}
+}
+# Running one unit tests that inherits from TransactionTestCase somehow changes the behaviour of how Django loads fixtures into the database.
+# Meaning any test after this one would fail to load our dojo_testdata.json fixture. In a way this makes sense as it contains some data integrity problems.
+# I tried to fix these in https://github.com/DefectDojo/django-DefectDojo/pull/13217.
+# For now here we run the only TranscationTestCase at the end to avoid the problem.
+python3 manage.py test unittests -v 3 --keepdb --no-input --tag="transactional" || {
+    exit 1;
+}

docs/content/en/changelog/changelog.md

@@ -10,6 +10,10 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Sept 2025: v2.50
 
+### Sept 15, 2025: v2.50.3
+
+* **(Pro UI)** Added support for [CVSSv4.0](https://www.first.org/cvss/v4-0/) vector strings.
+
 ### Sept 15, 2025: v2.50.2
 
 * **(Pro UI)** Added Any/All status filtering.  Filtering by status allows you to apply either AND (inner join) logic, or OR (outer join) logic to the filter.

dojo/api_v2/serializers.py

@@ -22,6 +22,7 @@
 from rest_framework.exceptions import ValidationError as RestFrameworkValidationError
 from rest_framework.fields import DictField, MultipleChoiceField
 
+import dojo.finding.helper as finding_helper
 import dojo.jira_link.helper as jira_helper
 import dojo.risk_acceptance.helper as ra_helper
 from dojo.authorization.authorization import user_has_permission
@@ -122,6 +123,7 @@
     requires_file,
     requires_tool_type,
 )
+from dojo.user.queries import get_authorized_users
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import is_scan_file_too_large
 from dojo.validators import ImporterFileExtensionValidator, tag_validator
@@ -2697,6 +2699,9 @@ class FindingCloseSerializer(serializers.ModelSerializer):
     false_p = serializers.BooleanField(required=False)
     out_of_scope = serializers.BooleanField(required=False)
     duplicate = serializers.BooleanField(required=False)
+    mitigated_by = serializers.PrimaryKeyRelatedField(required=False, allow_null=True, queryset=Dojo_User.objects.all())
+    note = serializers.CharField(required=False, allow_blank=True)
+    note_type = serializers.PrimaryKeyRelatedField(required=False, allow_null=True, queryset=Note_Type.objects.all())
 
     class Meta:
         model = Finding
@@ -2706,8 +2711,34 @@ class Meta:
             "false_p",
             "out_of_scope",
             "duplicate",
+            "mitigated_by",
+            "note",
+            "note_type",
         )
 
+    def validate(self, data):
+        request = self.context.get("request")
+        request_user = getattr(request, "user", None)
+
+        mitigated_by_user = data.get("mitigated_by")
+        if mitigated_by_user is not None:
+            # Require permission to edit mitigated metadata
+            if not (request_user and finding_helper.can_edit_mitigated_data(request_user)):
+                raise serializers.ValidationError({
+                    "mitigated_by": ["Not allowed to set mitigated_by."],
+                })
+
+            # Ensure selected user is authorized (Finding_Edit)
+            authorized_users = get_authorized_users(Permissions.Finding_Edit, user=request_user)
+            if not authorized_users.filter(id=mitigated_by_user.id).exists():
+                raise serializers.ValidationError({
+                    "mitigated_by": [
+                        "Selected user is not authorized to be set as mitigated_by.",
+                    ],
+                })
+
+        return data
+
 
 class ReportGenerateOptionSerializer(serializers.Serializer):
     include_finding_notes = serializers.BooleanField(default=False)

dojo/api_v2/views.py

@@ -31,6 +31,7 @@
 from rest_framework.permissions import DjangoModelPermissions, IsAuthenticated
 from rest_framework.response import Response
 
+import dojo.finding.helper as finding_helper
 import dojo.jira_link.helper as jira_helper
 from dojo.api_v2 import (
     mixins as dojo_mixins,
@@ -924,49 +925,27 @@ def close(self, request, pk=None):
         if request.method == "POST":
             finding_close = serializers.FindingCloseSerializer(
                 data=request.data,
+                context={"request": request},
             )
             if finding_close.is_valid():
-                finding.is_mitigated = finding_close.validated_data[
-                    "is_mitigated"
-                ]
-                if settings.EDITABLE_MITIGATED_DATA:
-                    finding.mitigated = (
-                        finding_close.validated_data["mitigated"]
-                        or timezone.now()
-                    )
-                else:
-                    finding.mitigated = timezone.now()
-                finding.mitigated_by = request.user
-                finding.active = False
-                finding.false_p = finding_close.validated_data.get(
-                    "false_p", False,
-                )
-                finding.duplicate = finding_close.validated_data.get(
-                    "duplicate", False,
-                )
-                finding.out_of_scope = finding_close.validated_data.get(
-                    "out_of_scope", False,
+                # Use shared helper to perform close operations
+                finding_helper.close_finding(
+                    finding=finding,
+                    user=request.user,
+                    is_mitigated=finding_close.validated_data["is_mitigated"],
+                    mitigated=(finding_close.validated_data.get("mitigated") if settings.EDITABLE_MITIGATED_DATA else timezone.now()),
+                    mitigated_by=finding_close.validated_data.get("mitigated_by") or (request.user if not finding_helper.can_edit_mitigated_data(request.user) else None),
+                    false_p=finding_close.validated_data.get("false_p", False),
+                    out_of_scope=finding_close.validated_data.get("out_of_scope", False),
+                    duplicate=finding_close.validated_data.get("duplicate", False),
+                    note_entry=finding_close.validated_data.get("note"),
+                    note_type=finding_close.validated_data.get("note_type"),
                 )
-
-                endpoints_status = finding.status_finding.all()
-                for e_status in endpoints_status:
-                    e_status.mitigated_by = request.user
-                    if settings.EDITABLE_MITIGATED_DATA:
-                        e_status.mitigated_time = (
-                            finding_close.validated_data["mitigated"]
-                            or timezone.now()
-                        )
-                    else:
-                        e_status.mitigated_time = timezone.now()
-                    e_status.mitigated = True
-                    e_status.last_modified = timezone.now()
-                    e_status.save()
-                finding.save()
             else:
                 return Response(
                     finding_close.errors, status=status.HTTP_400_BAD_REQUEST,
                 )
-        serialized_finding = serializers.FindingCloseSerializer(finding)
+        serialized_finding = serializers.FindingCloseSerializer(finding, context={"request": request})
         return Response(serialized_finding.data)
 
     @extend_schema(

dojo/finding/helper.py

@@ -7,10 +7,12 @@
 from django.db.models.signals import post_delete, pre_delete
 from django.db.utils import IntegrityError
 from django.dispatch.dispatcher import receiver
+from django.urls import reverse
 from django.utils import timezone
 from fieldsignals import pre_save_changed
 
 import dojo.jira_link.helper as jira_helper
+import dojo.risk_acceptance.helper as ra_helper
 from dojo.celery import app
 from dojo.decorators import dojo_async_task, dojo_model_from_id, dojo_model_to_id
 from dojo.endpoint.utils import save_endpoints_to_add
@@ -21,15 +23,18 @@
     Engagement,
     Finding,
     Finding_Group,
+    Notes,
     System_Settings,
     Test,
     Vulnerability_Id,
     Vulnerability_Id_Template,
 )
 from dojo.notes.helper import delete_related_notes
+from dojo.notifications.helper import create_notification
 from dojo.tools import tool_issue_updater
 from dojo.utils import (
     calculate_grade,
+    close_external_issue,
     do_dedupe_finding,
     do_false_positive_history,
     get_current_user,
@@ -161,6 +166,24 @@ def update_finding_status(new_state_finding, user, changed_fields=None):
     new_state_finding.last_status_update = now
 
 
+def filter_findings_by_existence(findings):
+    """
+    Return only findings that still exist in the database (by id).
+
+    Centralized helper used by importers to avoid FK violations during
+    bulk_create.
+    """
+    if not findings:
+        return []
+    candidate_ids = [finding.id for finding in findings if getattr(finding, "id", None)]
+    if not candidate_ids:
+        return []
+    existing_ids = set(
+        Finding.objects.filter(id__in=candidate_ids).values_list("id", flat=True),
+    )
+    return [finding for finding in findings if finding.id in existing_ids]
+
+
 def can_edit_mitigated_data(user):
     return settings.EDITABLE_MITIGATED_DATA and user.is_superuser
 
@@ -271,7 +294,6 @@ def get_group_by_group_name(finding, finding_group_by_option):
     else:
         msg = f"Invalid group_by option {finding_group_by_option}"
         raise ValueError(msg)
-
     if group_name:
         return f"Findings in: {group_name}"
 
@@ -689,3 +711,91 @@ def save_vulnerability_ids_template(finding_template, vulnerability_ids):
         finding_template.cve = vulnerability_ids[0]
     else:
         finding_template.cve = None
+
+
+def close_finding(
+    *,
+    finding,
+    user,
+    is_mitigated,
+    mitigated,
+    mitigated_by,
+    false_p,
+    out_of_scope,
+    duplicate,
+    note_entry=None,
+    note_type=None,
+) -> None:
+    """
+    Shared close logic used by UI and API.
+
+    Handles status updates, endpoint statuses, risk acceptance, external issues,
+    JIRA sync, and notification.
+    """
+    # Core status updates
+    finding.is_mitigated = is_mitigated
+    now = timezone.now()
+    finding.mitigated = mitigated or now
+    finding.mitigated_by = mitigated_by or user
+    finding.active = False
+    finding.false_p = bool(false_p)
+    finding.out_of_scope = bool(out_of_scope)
+    finding.duplicate = bool(duplicate)
+    finding.under_review = False
+    finding.last_reviewed = finding.mitigated
+    finding.last_reviewed_by = user
+
+    # Create note if provided
+    new_note = None
+    if note_entry:
+        new_note = Notes.objects.create(
+            entry=note_entry,
+            author=user,
+            note_type=note_type,
+            date=finding.mitigated,
+        )
+        finding.notes.add(new_note)
+
+    # Endpoint statuses
+    for status in finding.status_finding.all():
+        status.mitigated_by = finding.mitigated_by
+        status.mitigated_time = finding.mitigated
+        status.mitigated = True
+        status.last_modified = timezone.now()
+        status.save()
+
+    # Risk acceptance
+    ra_helper.risk_unaccept(user, finding, perform_save=False)
+
+    # External issues (best effort)
+    close_external_issue(finding, "Closed by defectdojo", "github")
+
+    # JIRA sync
+    push_to_jira = False
+    finding_in_group = finding.has_finding_group
+    jira_issue_exists = finding.has_jira_issue or (
+        finding.finding_group and finding.finding_group.has_jira_issue
+    )
+    jira_instance = jira_helper.get_jira_instance(finding)
+    jira_project = jira_helper.get_jira_project(finding)
+    if jira_issue_exists:
+        push_to_jira = (
+            jira_helper.is_push_all_issues(finding)
+            or (jira_instance and jira_instance.finding_jira_sync)
+        )
+        if new_note and (getattr(jira_project, "push_notes", False) or push_to_jira) and not finding_in_group:
+            jira_helper.add_comment(finding, new_note, force_push=True)
+
+    # Persist and push JIRA if applicable
+    finding.save(push_to_jira=(push_to_jira and not finding_in_group))
+    if push_to_jira and finding_in_group:
+        jira_helper.push_to_jira(finding.finding_group)
+
+    # Notification
+    create_notification(
+        event="finding_closed",
+        title=f"Closing of {finding.title}",
+        finding=finding,
+        description=f'The finding "{finding.title}" was closed by {user}',
+        url=reverse("view_finding", args=(finding.id,)),
+    )