Merged
Binary file added docs/assets/images/pro_ui_249.png
Binary file added docs/assets/images/verified_status_toggle.png
28 changes: 23 additions & 5 deletions docs/content/en/changelog/changelog.md
Expand Up @@ -8,6 +8,24 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release

For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).

## August 2025: v2.49

The Pro UI has been significantly reorganized, with changes to page organization.
![image](images/pro_ui_249.png)

### August 25: 2.49.3

[Integrations](/en/share_your_findings/integrations/) has been added to DefectDojo Pro, adding an Jira-style integrations for Azure DevOps, GitHub and GitLab boards.

* **(API)** Basic Auth Login has been removed from the swagger form. Only cookieAuth and tokenAuth are accepted.
* **(API)** When MFA is enabled, an MFA code will be required to use the `/api-token-auth` endpoint.
* **(Connectors)** "Location" has been renamed to "Location URL" in Connectors setup form.
* **(Universal Parser)** Fixed an issue where a False value in an Active key still created an Active Finding.
* **(Pro UI)** Unique ID from Tool has been added to the Findings list and Finding view
* **(Pro UI)** Test Status added to Test View.
* **(Pro UI)** Added additional Import/Reimport success messages to confirm successful test creation.


## July 2025: v2.48

### July 21/22/28, 2025: v2.48.3 / v2.48.4 / v2.48.5
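Review bot: the new Integrations bullet reads "adding an Jira-style integrations for Azure DevOps, GitHub and GitLab boards"; drop the article or make the noun singular ("adding Jira-style integrations"). In the same list, "Unique ID from Tool has been added to the Findings list and Finding view" is the only bullet without a trailing period, and there are two blank lines before "## July 2025: v2.48" where the file otherwise uses one. Since the MFA bullet changes the contract of `/api-token-auth`, it would help API users to say how the MFA code is supplied (which request field), because existing automation against that endpoint will start failing once MFA is enabled.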
Expand Down Expand Up @@ -37,23 +55,23 @@ For Open Source release notes, please see the [Releases page on GitHub](https://

## June 2025: v2.47

### July 1, 2025: v2.47.4
#### July 1, 2025: v2.47.4

- **(Pro UI)** Products, Engagements, Tests, Findings and Endpoints can be edited directly from their respective tables via a modal.
- **(Pro UI)** Calendar view now supports additional query parameters for filtering Tests or Engagements.
- **(Pro UI)** Engagements, Tests and the entire Calendar can be exported as .ics files.

![image](images/pro_ics_export.png)

### June 23, 2025: v2.47.3
#### June 23, 2025: v2.47.3

- **(Pro UI)** Finding Templates can now be added in the Pro UI, from **Findings > Finding Templates** on the sidebar.
- **(Pro UI)** A better error message is displayed when Jira Instance deletion is unsuccessful.
- **(Pro UI)** Product Types can now be edited through a modal: **"⋮" > Edit Product Type** will open a pop-up modal window instead of taking a user to a new page.

![image](images/pro_product_type_modal.png)

### June 16, 2025: v2.47.2
#### June 16, 2025: v2.47.2

- **(Pro UI)** Endpoint Metadata can now be uploaded to Products. You can now import a .csv list of all endpoints associated with a Product, from **View Product > Endpoints > Import Endpoint Metadata**

Expand All @@ -69,7 +87,7 @@ For Open Source release notes, please see the [Releases page on GitHub](https://

![image](images/pro_login.png)

### June 9, 2025: v2.47.1
#### June 9, 2025: v2.47.1

- **(Pro UI)** Vulnerable Endpoints table has now been added to Finding pages.

Expand All @@ -78,7 +96,7 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
- **(Pro UI)** "Original Finding" link has been added to Finding Metadata table for Duplicate Findings.
- **(Pro UI)** CI/CD Metadata has been added to Engagement view.

### June 2, 2025: v2.47.0
#### June 2, 2025: v2.47.0

- **(Pro UI)** Finding review can now be set through the Pro UI. You can now Request Review or clear a Finding review from Finding tables, or from the Finding View.

Expand Up @@ -18,6 +18,8 @@ By creating and marking Duplicates in this way, DefectDojo ensures that all the

By default, these Tests would need to be nested under the same Product for Deduplication to be applied. If you wish, you can further limit the Deduplication scope to a single Engagement.

![Deduplication on product and engagement level](images/deduplication.png)

Duplicate Findings are set as Inactive by default. This does not mean the Duplicate Finding itself is Inactive. Rather, this is so that your team only has a single active Finding to work on and remediate, with the implication being that once the original Finding is Mitigated, the Duplicates will also be Mitigated.

## Deduplication vs Reimport
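Review bot: the new image reference `images/deduplication.png` is not among the binary files this PR adds (only `pro_ui_249.png` and `verified_status_toggle.png` are listed), so confirm the asset already exists under docs/assets/images or the page will render a broken image. While this paragraph is being touched: "Duplicate Findings are set as Inactive by default. This does not mean the Duplicate Finding itself is Inactive." contradicts itself on first read; wording such as "does not mean the underlying vulnerability is gone" would carry the intended meaning.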
Expand Up @@ -8,45 +8,62 @@ Each Finding created in DefectDojo has a Status which communicates relevant info

Each Finding status has a context\-specific meaning which will need to be defined by your own team. These are our suggestions, but your team's usage may vary.

## **Active** **Findings**
Please note that Open/Closed are not **explicit** Status types for Findings. Certain aspects of the Classic UI (the "All Open Findings" table, for example) may refer to Open or Closed Findings: this is meant as a catchall for

* Active and/or Verified Findings, in the case of "Open Findings"
* Inactive and/or Risk Accepted, Under Review, Out Of Scope, False Positive Findings, in the case of "Closed Findings"

## **Open Finding Statuses**

Once a Finding is **Active**, it will be labeled as an **Open** Finding, regardless of whether or not it has been **Verified.**

Open Findings can be seen from the **Findings \> Open Findings** view of DefectDojo.

### **Active Findings**

‘This Finding has been discovered by a scanning tool.’

By default, any new Finding created in DefectDojo will be labeled as **Active**. Active in this case means ‘this is a new Finding that DefectDojo has not recorded on a past import’. If a Finding has been Mitigated in the past, but appears in a scan again in the future, the status of that Finding will reopen to reflect that the vulnerability has returned.

## **Verified Findings**
### **Verified Findings**

‘This Finding has been confirmed by our team to exist.’

Just because a tool records a problem does not necessarily mean the Finding requires engineering attention. Therefore, new Findings are also labeled as **Unverified** by default.

If you’re able to confirm that the Finding does exist, you can mark it as **Verified**.

If you don’t need to manually verify each Finding, you can automatically mark them as Verified during import, or disregard this Status.
Certain DefectDojo functions require Findings to be Active and Verified. If you don’t need to manually verify each Finding, you can deactivate the Verified requirement for any or all of these functions from the **System Settings** page (**Classic UI: Configuration > System Settings**, **Pro UI: Settings > Pro Settings > System Settings**).

## **Open Findings**
![image](images/verified_status_toggle.png)

‘There is work to be done on these Findings.’
These Verified Statuses are required for

Once a Finding is **Active**, it will be labeled as an **Open** Finding, regardless of whether or not it has been **Verified.**

Open Findings can be seen from the **Findings \> Open Findings** view of DefectDojo.
* Pushing Jira Issues
* Applying Grading to Products
* Calculating Metrics

## **Closed Findings**
## **Closed Finding Statuses**

'The Vulnerability recorded here is no longer active’.

Once the work on a Finding is complete, you can manually Close it from the Close Findings option. Alternatively, if a scan is re\-imported into DefectDojo which does not contain a previously\-recorded Finding, the previously\-recorded Finding will automatically close.
Once the work on a Finding is complete, you can manually Close it from the Close Findings option. Alternatively, if a scan is re-imported into DefectDojo which does not contain a previously-recorded Finding, the previously-recorded Finding will automatically close.

## **Under Review**
## **Inactive**

‘This Finding was discovered previously but it was either mediated or does not require immediate attention.’

If a Finding is marked as Inactive, this means that the issue currently has no impact on the software environment and does not need to be addressed. This status does not necessarily mean that the issue has been resolved, as active Risk Acceptances also label Findings as Inactive.

### **Under Review**

‘I have sent this Finding to one or more team members to look at.’

When a Finding is Under Review, it needs to be reviewed by a team member. You can put a Finding under review by Selecting **Request Peer Review** from the Finding’s drop\-down menu.

![image](images/Finding_Status_Definitions.png)

## **Risk Accepted**
### **Risk Accepted**

‘Our team has evaluated the risk associated with this Finding, and we’ve agreed that we can safely delay fixing it.’

Expand All @@ -56,24 +73,18 @@ Risk Acceptances have expiry dates, at which time you can reevaluate the impact

For more information on Risk Acceptances, see our [Guide](../risk_acceptances).

## **Out Of Scope**
### **Out Of Scope**

‘This Finding was discovered by our scanning tool, but detecting this kind of vulnerability was not the direct goal of our test.’

When you mark a Finding as Out Of Scope, you are indicating that it is not directly relevant to the Engagement or Test it is contained within.

If you have a testing and remediation effort related to a specific aspect of your software, you can use this Status to indicate that this Finding is not part of your effort.

## **False Positive**
### **False Positive**

‘This Finding was discovered by our scanning tool, but after reviewing the Finding we have discovered that this reported vulnerability does not exist.’

Once you’ve reviewed a Finding, you might discover that the vulnerability reported does not actually exist. The False Positive status will be maintained by reimport and prevent matching findings from being opened or closed, which assists with noise reduction.

If a different scanning tool finds a similar Finding, it will not be recorded as a False Positive. DefectDojo can only compare Findings within the same tool to determine if a Finding has already been recorded.

## **Inactive**

‘This Finding was discovered previously but it was either mediated or does not require immediate attention.’

If a Finding is marked as Inactive, this means that the issue currently has no impact on the software environment and does not need to be addressed. This status does not necessarily mean that the issue has been resolved.
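Review bot: deleting the trailing "## **Inactive**" section is correct now that the content lives under Closed Finding Statuses, but the moved copy keeps the phrase "either mediated or", so fix the typo there ("mitigated") rather than only dropping it here. The Out Of Scope and False Positive headings become "###", consistent with Risk Accepted. The risk acceptance link "../risk_acceptances" is the only relative link in this diff; the other docs pages use site-absolute paths ("/en/share_your_findings/integrations/", "/en/open_source/upgrading/upgrading_guide/"), which survive page moves better.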