Merge branch 'dev' into valkey-compose

Author: valentijnscholten

.github/workflows/close-stale.yml

@@ -15,6 +15,17 @@ jobs:
   close-stale:
     runs-on: ubuntu-latest
     steps:
+      - name: Close issues and PRs that are pending closure
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          # Disable automatic stale marking - only close manually labeled items
+          days-before-stale: -1
+          days-before-close: 7
+          stale-issue-label: 'pending-closure'
+          stale-pr-label: 'pending-closure'
+          close-issue-message: 'This issue has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+          close-pr-message: 'This PR has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+
       - name: Close stale issues and PRs
         uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
@@ -23,5 +34,5 @@ jobs:
           days-before-close: 7
           stale-issue-label: 'stale'
           stale-pr-label: 'stale'
-          close-issue-message: 'This issue has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
-          close-pr-message: 'This PR has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+          close-issue-message: 'This issue has been automatically closed because it was labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+          close-pr-message: 'This PR has been automatically closed because it was labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.51.0-dev",
+  "version": "2.52.0-dev",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/content/en/changelog/changelog.md

@@ -10,6 +10,11 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Sept 2025: v2.50
 
+### Sept 22, 2025: v2.50.4
+
+* **(Pro UI)** Changes Engagement Deduplication form label and help text
+* **(Pro UI)** Adds toggle for MCP (for superusers only)
+
 ### Sept 15, 2025: v2.50.3
 
 * **(Pro UI)** Added support for [CVSSv4.0](https://www.first.org/cvss/v4-0/) vector strings.

docs/content/en/connecting_your_tools/parsers/file/github_secrets_detection_report.md

@@ -0,0 +1,9 @@
+---
+title: "Github Secrets Detection Report"
+toc_hide: true
+---
+Import findings in JSON format from Github Secret Scanning REST API:
+<https://docs.github.com/en/rest/secret-scanning/secret-scanning>
+
+### Sample Scan Data
+Sample Github SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/github_secrets_detection_report_many_vul.json).

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -166,6 +166,17 @@ Good example:
        finding.cwe = data["mykey"]
 ```
 
+```python
+   finding.cwe = data.get("mykey", 123)
+```
+
+```python
+   some_list = data.get("key_of_the_list") or []
+```
+
+The finale example guards against cases where `key_of_the_list` is present, but `null`.
+
+
 ### Parsing of CVSS vectors
 
 Data can have `CVSS` vectors or scores. Defect Dojo use the `cvss` module provided by RedHat Security.

docs/content/en/open_source/upgrading/2.51.md

@@ -5,6 +5,18 @@ weight: -20250902
 description: Helm chart changes and Postgres major version updates.
 ---
 
+## Performance improvements
+
+This release includes multiple improvements aimed at making DefectDojo faster, more scalable, and lighter on your database and workers.
+
+- Import and reimport are significantly more efficient: product grading is now orchestrated in batches using Celery chords, reducing the number of background tasks and database churn during large scans. This means faster imports and smoother post-processing on busy systems. See [PR 12914](https://github.com/DefectDojo/django-DefectDojo/pull/12914).
+- Query-count reductions and importer hot-path tuning: we trimmed unnecessary ORM calls and optimized how findings/endpoints are updated during (re)import. You should see noticeably quicker runs out of the box. See [PR 13182](https://github.com/DefectDojo/django-DefectDojo/pull/13182) and [PR 13152](https://github.com/DefectDojo/django-DefectDojo/pull/13152).
+- Smarter background task orchestration for product graing: less duplicate work and better scheduling during heavy operations, keeping the UI responsive while long jobs run. See [PR 12900](https://github.com/DefectDojo/django-DefectDojo/pull/12900).
+- Bulk tag addition for large batches: adds an internal method to add tags to many findings at once, performing tagging in batches (default 1,000) with only a few queries per batch. This replaces ~3 queries per finding with ~3 queries per batch, significantly reducing DB load during imports, reimports, and bulk edit. On a ~10k-findings sample, import time dropped from ~372s to ~190s. See [PR 13285](https://github.com/DefectDojo/django-DefectDojo/pull/13285).
+- Preparations for our switch to `django-pghistory` which provides more features and better performance compared to `django-auditlog`. See [PR 13169](https://github.com/DefectDojo/django-DefectDojo/pull/13169).
+
+No configuration changes are required—gains are automatic after upgrading.
+
 ## Helm Chart Changes
 
 This release introduces several important changes to the Helm chart configuration:

docs/content/en/open_source/upgrading/2.52.md

@@ -31,3 +31,4 @@ If you want to be 110% sure no tasks will be lost you could perform the upgrade
 `docker compose pull`
 `docker compose up -d`
 
+There are no special instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.51.0-dev"
+__version__ = "2.52.0-dev"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/api_v2/serializers.py

@@ -1761,13 +1761,15 @@ def update(self, instance, validated_data):
         if reporter_id := validated_data.get("reporter"):
             instance.reporter = reporter_id
 
+        # Persist vulnerability IDs first so model save computes hash including them (if there is no hash yet)
+        # we can't pass unsaved_vulnerabilitiy_ids to super.update()
+        if parsed_vulnerability_ids:
+            save_vulnerability_ids(instance, parsed_vulnerability_ids)
+
         instance = super().update(
             instance, validated_data,
         )
 
-        if parsed_vulnerability_ids:
-            save_vulnerability_ids(instance, parsed_vulnerability_ids)
-
         if push_to_jira:
             jira_helper.push_to_jira(instance)
 
@@ -1901,11 +1903,15 @@ def create(self, validated_data):
         if (vulnerability_ids := validated_data.pop("vulnerability_id_set", None)):
             logger.debug("VULNERABILITY_ID_SET: %s", vulnerability_ids)
             parsed_vulnerability_ids.extend(vulnerability_id["vulnerability_id"] for vulnerability_id in vulnerability_ids)
+            logger.debug("PARSED_VULNERABILITY_IDST: %s", parsed_vulnerability_ids)
             logger.debug("SETTING CVE FROM VULNERABILITY_ID_SET: %s", parsed_vulnerability_ids[0])
             validated_data["cve"] = parsed_vulnerability_ids[0]
+            # validated_data["unsaved_vulnerability_ids"] = parsed_vulnerability_ids
 
-        new_finding = super().create(
-            validated_data)
+        # super.create() doesn't accept unsaved_vulnerability_ids or dedupe_option=False, so call save directly.
+        new_finding = Finding(**validated_data)
+        new_finding.unsaved_vulnerability_ids = parsed_vulnerability_ids or []
+        new_finding.save()
 
         logger.debug(f"New finding CVE: {new_finding.cve}")
 
@@ -1918,9 +1924,6 @@ def create(self, validated_data):
             new_finding.reviewers.set(reviewers)
         if parsed_vulnerability_ids:
             save_vulnerability_ids(new_finding, parsed_vulnerability_ids)
-            # can we avoid this extra save? the cve has already been set above in validated_data. but there are no tests for this
-            # on finding update nothing is done # with vulnerability_ids?
-            # new_finding.save()
 
         if push_to_jira:
             jira_helper.push_to_jira(new_finding)

dojo/finding/views.py

@@ -1561,7 +1561,7 @@ def request_finding_review(request, fid):
 
             create_notification(
                 event="review_requested",  # TODO: - if 'review_requested' functionality will be supported by API as well, 'create_notification' needs to be migrated to place where it will be able to cover actions from both interfaces
-                title="Finding review requested",
+                title=f"Finding review requested for Test created for {finding.test.engagement.product}: {finding.test.engagement.name}: {finding.test} - {finding.title}",
                 requested_by=user,
                 note=new_note,
                 finding=finding,