Merge pull request #13138 from DefectDojo/master-into-dev/2.50.1-2.51.0-dev

Release: Merge back 2.50.1 into dev from: master-into-dev/2.50.1-2.51.0-dev

Author: rossops

Dockerfile.django-alpine

@@ -132,8 +132,8 @@ ENV \
   DD_INITIALIZE=true \
   DD_UWSGI_MODE="socket" \
   DD_UWSGI_ENDPOINT="0.0.0.0:3031" \
-  DD_UWSGI_NUM_OF_PROCESSES="2" \
-  DD_UWSGI_NUM_OF_THREADS="2"
+  DD_UWSGI_NUM_OF_PROCESSES="4" \
+  DD_UWSGI_NUM_OF_THREADS="4"
 ENTRYPOINT ["/entrypoint-uwsgi.sh"]
 
 FROM django AS django-unittests

Dockerfile.django-debian

@@ -135,8 +135,8 @@ ENV \
   DD_INITIALIZE=true \
   DD_UWSGI_MODE="socket" \
   DD_UWSGI_ENDPOINT="0.0.0.0:3031" \
-  DD_UWSGI_NUM_OF_PROCESSES="2" \
-  DD_UWSGI_NUM_OF_THREADS="2"
+  DD_UWSGI_NUM_OF_PROCESSES="4" \
+  DD_UWSGI_NUM_OF_THREADS="4"
 ENTRYPOINT ["/entrypoint-uwsgi.sh"]
 
 FROM django AS django-unittests

docker/entrypoint-uwsgi-dev.sh

@@ -34,8 +34,8 @@ exec uwsgi \
   --protocol uwsgi \
   --wsgi dojo.wsgi:application \
   --enable-threads \
-  --processes "${DD_UWSGI_NUM_OF_PROCESSES:-2}" \
-  --threads "${DD_UWSGI_NUM_OF_THREADS:-2}" \
+  --processes "${DD_UWSGI_NUM_OF_PROCESSES:-4}" \
+  --threads "${DD_UWSGI_NUM_OF_THREADS:-4}" \
   --reload-mercy 1 \
   --worker-reload-mercy 1 \
   --py-autoreload 1 \

docker/entrypoint-uwsgi.sh

@@ -36,8 +36,8 @@ exec uwsgi \
   "--${DD_UWSGI_MODE}" "${DD_UWSGI_ENDPOINT}" \
   --protocol uwsgi \
   --enable-threads \
-  --processes "${DD_UWSGI_NUM_OF_PROCESSES:-2}" \
-  --threads "${DD_UWSGI_NUM_OF_THREADS:-2}" \
+  --processes "${DD_UWSGI_NUM_OF_PROCESSES:-4}" \
+  --threads "${DD_UWSGI_NUM_OF_THREADS:-4}" \
   --wsgi dojo.wsgi:application \
   --buffer-size="${DD_UWSGI_BUFFER_SIZE:-8192}" \
   --http 0.0.0.0:8081 --http-to "${DD_UWSGI_ENDPOINT}" \

docs/content/en/changelog/changelog.md

@@ -8,6 +8,14 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
+## Sept 2025: v2.50
+
+### Sept 2, 2025: v2.50.0
+
+* **(Pro UI)** "Date During" filter has been added to the UI, allowing users to filter by a range of dates
+* **(Pro UI)** Vulnerability ID column can now be sorted, however the sorting only considers the **first** vulnerability ID.
+* **(Pro UI)** Request/Response pairs can now be added / updated / deleted via the Edit Finding form.
+
 ## August 2025: v2.49
 
 The Pro UI has been significantly reorganized, with changes to page organization.

docs/content/en/connecting_your_tools/parsers/file/semgrep_pro.md

@@ -0,0 +1,60 @@
+---
+title: "Semgrep Pro JSON Report"
+toc_hide: true
+---
+Import Semgrep Pro findings in JSON format.
+
+### Sample Scan Data
+Sample Semgrep Pro JSON Report scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/semgrep_pro).
+
+### Default Deduplication
+By default, DefectDojo uses the `match_based_id` from Semgrep Pro for deduplication. If this is not available, it falls back to using a combination of:
+- title
+- file path
+- line number
+
+### Fields Mapped
+The following fields are mapped from the Semgrep Pro JSON report:
+
+#### Basic Information
+- title: Mapped from `rule_name`
+- severity: Mapped from Semgrep Pro severity levels (ERROR/HIGH → High, WARNING/MEDIUM → Medium, INFO/LOW → Low)
+- file_path: Path to the affected file from `location.file_path`
+- line: Line number from `location.line`
+- unique_id_from_tool: Mapped from `match_based_id`
+
+#### Status Fields
+- active: Set to false if status is "fixed" or "removed"
+- verified: Set to true if triage_state is not "untriaged"
+
+#### Rich Content Fields
+- description: Includes:
+  - Rule message and details
+  - CWE references
+  - OWASP references
+  - Categories
+  - Triage information
+- impact: Includes:
+  - Vulnerability classes
+  - Confidence level
+  - Repository information
+- mitigation: Includes:
+  - Guidance summary
+  - Detailed instructions
+  - Auto-fix suggestions
+  - Auto-triage information
+  - Component details and risk level
+- references: Includes:
+  - Line of code URL
+  - CWE references
+  - OWASP references
+  - External ticket information
+
+#### Component Information
+- component_name: Mapped from `assistant.component.tag`
+
+#### Additional Fields
+- static_finding: Always set to true
+- dynamic_finding: Always set to false
+- cwe: Extracted from first CWE reference if available
+- date: Mapped from `created_at`

docs/content/en/open_source/installation/running-in-production.md

@@ -58,9 +58,9 @@ handle 4 concurrent connections.
 Based on your resource settings, you can tweak:
 
 -   `DD_UWSGI_NUM_OF_PROCESSES` for the number of spawned processes.
-    (default 2)
+    (default 4)
 -   `DD_UWSGI_NUM_OF_THREADS` for the number of threads in these
-    processes. (default 2)
+    processes. (default 4)
 
 For example, you may have 4 processes with 6 threads each, yielding 24
 concurrent connections.

docs/content/en/open_source/performance.md

@@ -614,6 +614,13 @@ class Meta:
         model = UserContactInfo
         fields = "__all__"
 
+    def validate(self, data):
+        user = data.get("user", None) or self.instance.user
+        if data.get("force_password_reset", False) and not user.has_usable_password():
+            msg = "Password resets are not allowed for users authorized through SSO."
+            raise ValidationError(msg)
+        return super().validate(data)
+
 
 class UserStubSerializer(serializers.ModelSerializer):
     class Meta:

dojo/api_v2/serializers.py

@@ -236,8 +236,8 @@ def order_field(self, request: HttpRequest, group_findings_queryset: QuerySet[Fi
             order_field_param = order_field_param[1:] if reverse_order else order_field_param
             if order_field_param in {"name", "creator", "findings_count", "sla_deadline"}:
                 prefix = "-" if reverse_order else ""
-                group_findings_queryset = group_findings_queryset.order_by(f"{prefix}{order_field_param}")
-        return group_findings_queryset
+                return group_findings_queryset.order_by(f"{prefix}{order_field_param}")
+        return group_findings_queryset.order_by("id")
 
     def filters(self, request: HttpRequest) -> tuple[str, str | None, list[str], list[str]]:
         name_filter: str = request.GET.get("name", "").lower()