DefectDojo · rossops · Sep 15, 2025 · Sep 8, 2025 · Sep 8, 2025 · Sep 10, 2025
@@ -34,6 +34,7 @@ RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
 
 
 FROM build AS collectstatic
+ARG COLLECT_DJANGO_DEBUG_TOOLBAR_STATIC=false
 RUN apk add nodejs npm
 RUN npm install -g yarn --force
 
@@ -52,7 +53,7 @@ RUN \
   yarn
 COPY manage.py ./
 COPY dojo/ ./dojo/
-RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
+RUN env DD_SECRET_KEY='.' DD_DJANGO_DEBUG_TOOLBAR_ENABLED=${COLLECT_DJANGO_DEBUG_TOOLBAR_STATIC} python3 manage.py collectstatic --noinput --verbosity=2 && true
 
 FROM nginx:1.29.1-alpine3.22@sha256:42a516af16b852e33b7682d5ef8acbd5d13fe08fecadc7ed98605ba5e3b26ab8
 ARG uid=1001

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.50.1",
+  "version": "2.50.2",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

@@ -7,6 +7,7 @@ services:
     environment:
       PYTHONWARNINGS: error  # We are strict about Warnings during development
       DD_DEBUG: 'True'
+      DD_DJANGO_DEBUG_TOOLBAR_ENABLED: 'True'
       DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
       DD_EMAIL_URL: "smtp://mailhog:1025"
@@ -33,6 +34,11 @@ services:
       DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
   nginx:
+    build:
+      args:
+        COLLECT_DJANGO_DEBUG_TOOLBAR_STATIC: 'True'
+    environment:
+      DD_DJANGO_DEBUG_TOOLBAR_ENABLED: 'True'
     volumes:
       - './dojo/static/dojo:/usr/share/nginx/html/static/dojo'
   postgres:

@@ -16,7 +16,7 @@ For Open-Source users, the quickest way to get help is through the [OWASP Slack
 
 To report a bug, issues can be raised on our [GitHub](https://github.com/DefectDojo/django-DefectDojo).
 
-See our [Community Site](https://defectdojo.com/community) for more information.
+See our [Community Site](https://defectdojo.com/open-source) for more information.
 
 ## DefectDojo Pro Support
 

@@ -10,6 +10,11 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Sept 2025: v2.50
 
+### Sept 9, 2025: v2.50.1
+
+* **(Tools)** Removed CSV limit for Qualys HackerGuardian
+* **(SSO)** Removed Force Password Reset for users created via SSO
+
 ### Sept 2, 2025: v2.50.0
 
 * **(Pro UI)** "Date During" filter has been added to the UI, allowing users to filter by a range of dates

@@ -1,10 +1,12 @@
 ---
-title: "Generic Findings Import"
+title: 'Generic Findings Import'
 toc_hide: true
 ---
+
 Import Generic findings in CSV or JSON format.
 
 Attributes supported for CSV:
+
 - Date: Date of the finding in mm/dd/yyyy format.
 - Title: Title of the finding
 - CweId: Cwe identifier, must be an integer value.
@@ -18,13 +20,79 @@ Attributes supported for CSV:
 - Verified: Indicator if the finding has been verified. Must be empty, TRUE, or FALSE
 - FalsePositive: Indicator if the finding is a false positive. Must be TRUE, or FALSE.
 - Duplicate:Indicator if the finding is a duplicate. Must be TRUE, or FALSE
-- IsMitigated: Indicator if the finding is mitigated.  Must be TRUE, or FALSE
+- IsMitigated: Indicator if the finding is mitigated. Must be TRUE, or FALSE
 - MitigatedDate: Date the finding was mitigated in mm/dd/yyyy format or ISO format
+- epss_score: Finding [EPSS score](https://www.first.org/epss/)
+- epss_percentile: Finding [EPSS percentile](https://www.first.org/epss/articles/prob_percentile_bins)
+- CVSSV3: CVSSv3 verctor of the finding
+- CVSSV3_score: CVSSv3 score of the finding
+- CVSSV4: CVSSv4 vector of the finding
+- CVSSV4_score: CVSSv4 score of the finding
+- known_exploited: Indicator if the finding is listed in Known Exploited List. Must be TRUE, or FALSE
+- ransomware_used: Indicator if the finding is used in Ransomware. Must be TRUE, or FALSE
+- fix_available: Indicator if fix available for the finding. Must be TRUE, or FALSE
+- kev_date: Date the finding was added to Known Exploited Vulnerabilities list in mm/dd/yyyy format or ISO format.
 
 The CSV expects a header row with the names of the attributes.
 
 Date fields are parsed using [dateutil.parse](https://dateutil.readthedocs.io/en/stable/parser.html) supporting a variety of formats such a YYYY-MM-DD or ISO-8601.
 
+The list of supported fields in JSON format:
+
+- title: **Required.** String
+- severity: **Required.** One of the "Critical", "High", "Medium", "Low", "Info"
+- description: **Required.** String
+- date: Date
+- cwe: Int
+- cve: String
+- epss_score: Float
+- epss_percentile: Float
+- cvssv3: String
+- cvssv3_score: Float
+- cvssv4: String
+- cvssv4_score: Float
+- mitigation: String
+- impact: String
+- steps_to_reproduce: String
+- severity_justification: String
+- references: String
+- active: Bool
+- verified: Bool
+- false_p: Bool
+- out_of_scope: Bool
+- risk_accepted: Bool
+- under_review: Bool
+- is_mitigated: Bool
+- thread_id: String
+- mitigated: Bool
+- numerical_severity: Int
+- param: String
+- payload: String
+- line: Int
+- file_path: String
+- component_name: String
+- component_version: String
+- static_finding: Bool
+- dynamic_finding: Bool
+- scanner_confidence: Int
+- unique_id_from_tool: String
+- vuln_id_from_tool: String
+- sast_source_object: String
+- sast_sink_object: String
+- sast_source_line: Int
+- sast_source_file_path: String
+- nb_occurences: Int
+- publish_date: Date
+- service: String
+- planned_remediation_date: Date
+- planned_remediation_version: String
+- effort_for_fixing: One of the "High", "Medium", "Low"
+- tags: List of Strings
+- kev_date: Date
+- known_exploited: Bool
+- ransomware_used: Bool
+- fix_available: Bool
+
 Example of JSON format:
 
 ```JSON
@@ -39,13 +107,23 @@ Example of JSON format:
             "cve": "CVE-2020-36234",
             "cwe": 261,
             "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
+            "cvssv4_score": 7.3,
+            "known_exploited": true,
+            "ransomware_used": true,
+            "fix_available": true,
+            "kev_date": "2024-05-01",
             "file_path": "src/first.cpp",
             "line": 13,
             "endpoints": [
                 {
                     "host": "exemple.com"
                 }
-            ]
+            ],
+            "tags": [
+                "security",
+                "myTag"
+            ],
         },
         {
             "title": "test title with endpoints as strings",
@@ -144,9 +222,11 @@ Example:
 ```
 
 ### Sample Scan Data
+
 Sample Generic Findings Import scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/generic).
 
 ### Default Deduplication Hashcode Fields
+
 By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
 
 - title

@@ -183,8 +183,8 @@ def get_dependabot_alerts_repository(repo, owner):
         )
 
         result = request.json()
-        output_result["data"]["repository"]["name"] = result["data"]["repository"][
-            "name"
+        output_result["data"]["repository"]["nameWithOwner"] = result["data"]["repository"][
+            "nameWithOwner"
         ]
         output_result["data"]["repository"]["url"] = result["data"]["repository"]["url"]
         if result["data"]["repository"]["vulnerabilityAlerts"]["totalCount"] == 0:

@@ -564,6 +564,7 @@ You can also optionally set the following variables:
     DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ''),
     DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ''),
     DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT=(str, "Login with OIDC"),
     {{< /highlight >}}
 
 Once these variables have been set, restart DefectDojo. Log In With OIDC should now be added to the DefectDojo login page.

@@ -44,7 +44,7 @@ <h2 class="h4">Create Reports</h2>
       <div class="row justify-content-center text-center">
         <div class="col-lg-5">
           <h2 class="h4">Join the Dojo community</h2>
-          <p>Check out live events, upcoming features and connect with other security professionals on our <a href="https://defectdojo.com/community">Community Page</a>.</p>
+          <p>Check out live events, upcoming features and connect with other security professionals on our <a href="https://defectdojo.com/open-source">Community Page</a>.</p>
         </div>
         <div class="col-lg-5">
           <h2 class="h4">Sign up for a trial</h2>

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.50.1"
+__version__ = "2.50.2"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"
@@ -12,6 +12,7 @@ def globalize_vars(request):
         "FORGOT_USERNAME": settings.FORGOT_USERNAME,
         "CLASSIC_AUTH_ENABLED": settings.CLASSIC_AUTH_ENABLED,
         "OIDC_ENABLED": settings.OIDC_AUTH_ENABLED,
+        "SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT,
         "AUTH0_ENABLED": settings.AUTH0_OAUTH2_ENABLED,
         "GOOGLE_ENABLED": settings.GOOGLE_OAUTH_ENABLED,
         "OKTA_ENABLED": settings.OKTA_OAUTH_ENABLED,

@@ -148,7 +148,9 @@ def is_keep_in_sync_with_jira(finding):
     jira_issue_exists = finding.has_jira_issue or (finding.finding_group and finding.finding_group.has_jira_issue)
     if jira_issue_exists:
         # Determine if any automatic sync should occur
-        keep_in_sync_enabled = get_jira_instance(finding).finding_jira_sync
+        jira_instance = get_jira_instance(finding)
+        if jira_instance:
+            keep_in_sync_enabled = jira_instance.finding_jira_sync
 
     return keep_in_sync_enabled
 

@@ -29,6 +29,7 @@
     # Set casting and default values
     DD_SITE_URL=(str, "http://localhost:8080"),
     DD_DEBUG=(bool, False),
+    DD_DJANGO_DEBUG_TOOLBAR_ENABLED=(bool, False),
     DD_TEMPLATE_DEBUG=(bool, False),
     DD_LOG_LEVEL=(str, ""),
     DD_DJANGO_METRICS_ENABLED=(bool, False),
@@ -120,6 +121,7 @@
     DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ""),
     DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ""),
     DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT=(str, "Login with OIDC"),
     DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED=(bool, False),
     DD_SOCIAL_AUTH_AUTH0_KEY=(str, ""),
     DD_SOCIAL_AUTH_AUTH0_SECRET=(str, ""),
@@ -356,6 +358,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 # False if not in os.environ
 DEBUG = env("DD_DEBUG")
+DJANGO_DEBUG_TOOLBAR_ENABLED = env("DD_DJANGO_DEBUG_TOOLBAR_ENABLED")
 TEMPLATE_DEBUG = env("DD_TEMPLATE_DEBUG")
 
 # Hosts/domain names that are valid for this site; required if DEBUG is False
@@ -618,6 +621,8 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     SOCIAL_AUTH_OIDC_USERINFO_URL = value
 if value := env("DD_SOCIAL_AUTH_OIDC_JWKS_URI"):
     SOCIAL_AUTH_OIDC_JWKS_URI = value
+if value := env("DD_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT"):
+    SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT = value
 
 AUTH0_OAUTH2_ENABLED = env("DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED")
 SOCIAL_AUTH_AUTH0_KEY = env("DD_SOCIAL_AUTH_AUTH0_KEY")
@@ -1853,6 +1858,7 @@ def saml2_attrib_map_format(din):
     "NTAP-": "https://security.netapp.com/advisory/",  # e.g. https://security.netapp.com/advisory/ntap-20250328-0007
     "OPENSUSE-SU-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/openSUSE-SU-2025:14898-1
     "OSV-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/OSV-2024-1330
+    "OXAS-ADV-": "https://cvepremium.circl.lu/vuln/",  # e.g. https://cvepremium.circl.lu/vuln/OXAS-ADV-2023-0001
     "PAN-SA-": "https://security.paloaltonetworks.com/",  # e.g. https://security.paloaltonetworks.com/PAN-SA-2024-0010
     "PFPT-SA-": "https://www.proofpoint.com/us/security/security-advisories/",  # e.g. https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-0002
     "PMASA-": "https://www.phpmyadmin.net/security/",  # e.g. https://www.phpmyadmin.net/security/PMASA-2025-1
@@ -1941,3 +1947,45 @@ def saml2_attrib_map_format(din):
 warnings.filterwarnings("ignore", "The FORMS_URLFIELD_ASSUME_HTTPS transitional setting is deprecated.")
 FORMS_URLFIELD_ASSUME_HTTPS = True
 # Inspired by https://adamj.eu/tech/2023/12/07/django-fix-urlfield-assume-scheme-warnings/
+
+if DEBUG:
+    # adding DEBUG logging for all of Django.
+    LOGGING["loggers"]["root"] = {
+                "handlers": ["console"],
+                "level": "DEBUG",
+           }
+
+if DJANGO_DEBUG_TOOLBAR_ENABLED:
+
+    INSTALLED_APPS += (
+    "debug_toolbar",
+    )
+
+    MIDDLEWARE = ["debug_toolbar.middleware.DebugToolbarMiddleware", *MIDDLEWARE]
+
+    def show_toolbar(request):
+        return True
+
+    DEBUG_TOOLBAR_CONFIG = {
+        "SHOW_TOOLBAR_CALLBACK": show_toolbar,
+        "INTERCEPT_REDIRECTS": False,
+        "SHOW_COLLAPSED": True,
+    }
+
+    DEBUG_TOOLBAR_PANELS = [
+        # 'ddt_request_history.panels.request_history.RequestHistoryPanel',  # Here it is
+        "debug_toolbar.panels.versions.VersionsPanel",
+        "debug_toolbar.panels.timer.TimerPanel",
+        "debug_toolbar.panels.settings.SettingsPanel",
+        "debug_toolbar.panels.headers.HeadersPanel",
+        "debug_toolbar.panels.request.RequestPanel",
+        "debug_toolbar.panels.sql.SQLPanel",
+        "debug_toolbar.panels.templates.TemplatesPanel",
+        # 'debug_toolbar.panels.staticfiles.StaticFilesPanel',
+        "debug_toolbar.panels.cache.CachePanel",
+        "debug_toolbar.panels.signals.SignalsPanel",
+        # 'debug_toolbar.panels.logging.LoggingPanel',
+        "debug_toolbar.panels.redirects.RedirectsPanel",
+        "debug_toolbar.panels.profiling.ProfilingPanel",
+        # 'cachalot.panels.CachalotPanel',
+    ]
@@ -1,21 +1,7 @@
 # local_settings.py
 # this file will be included by settings.py *after* loading settings.dist.py
 
-# this example configures the django debug toolbar and sets some loglevels to DEBUG
-
-from django.urls import re_path
-from django.conf.urls import include
-
-# UPDATE: Adding debug_toolbar to to INSTALLED_APPS here prevents the nginx container from generating the correct static files
-#         So add debug_toolbar to INSTALLED_APPS in settings.dist.py and rebuild to get started with the debug_toolbar.
-#         Thje middleware and other config can remain in this file (local_settings.py) to avoid chance of conflicts on upgrades.
-INSTALLED_APPS += (
-#    'debug_toolbar',
-)
-
-MIDDLEWARE = [
-    'debug_toolbar.middleware.DebugToolbarMiddleware',
-] + MIDDLEWARE
+# this example sets some loglevels to DEBUG
 
 # adding DEBUG logging for all of Django.
 LOGGING['loggers']['root'] = {
@@ -27,35 +13,3 @@ LOGGING['loggers']['root'] = {
 
 # output DEBUG logging for deduplication
 # LOGGING['loggers']['dojo.specific-loggers.deduplication']['level'] = 'DEBUG'
-
-
-def show_toolbar(request):
-    return True
-
-
-DEBUG_TOOLBAR_CONFIG = {
-    "SHOW_TOOLBAR_CALLBACK": show_toolbar,
-    "INTERCEPT_REDIRECTS": False,
-    "SHOW_COLLAPSED": True,
-}
-
-DEBUG_TOOLBAR_PANELS = [
-    # 'ddt_request_history.panels.request_history.RequestHistoryPanel',  # Here it is
-    'debug_toolbar.panels.versions.VersionsPanel',
-    'debug_toolbar.panels.timer.TimerPanel',
-    'debug_toolbar.panels.settings.SettingsPanel',
-    'debug_toolbar.panels.headers.HeadersPanel',
-    'debug_toolbar.panels.request.RequestPanel',
-    'debug_toolbar.panels.sql.SQLPanel',
-    'debug_toolbar.panels.templates.TemplatesPanel',
-    # 'debug_toolbar.panels.staticfiles.StaticFilesPanel',
-    'debug_toolbar.panels.cache.CachePanel',
-    'debug_toolbar.panels.signals.SignalsPanel',
-    'debug_toolbar.panels.logging.LoggingPanel',
-    'debug_toolbar.panels.redirects.RedirectsPanel',
-    'debug_toolbar.panels.profiling.ProfilingPanel',
-    # 'cachalot.panels.CachalotPanel',
-]
-
-import debug_toolbar
-EXTRA_URL_PATTERNS = [re_path(r"^__debug__/", include(debug_toolbar.urls))]