From bb3af43a1baccfb3f41a1b52c0dc7e25e7309621 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Tue, 20 Jan 2026 16:39:04 +0000 Subject: [PATCH 1/7] Update versions in application files --- components/package.json | 2 +- helm/defectdojo/Chart.yaml | 8 ++++---- helm/defectdojo/README.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/components/package.json b/components/package.json index fccfb9b562c..6fc51fe3ce9 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.54.2", + "version": "2.55.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 075b8876ba8..9dd1472090f 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.54.2" +appVersion: "2.55.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.9.8 +version: 1.9.9-dev icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png maintainers: - name: madchap @@ -33,5 +33,5 @@ dependencies: # - kind: security # description: Critical bug annotations: - artifacthub.io/prerelease: "false" - artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.54.2\n" + artifacthub.io/prerelease: "true" + artifacthub.io/changes: "" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 1241dadeda2..50e85e83810 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -511,7 +511,7 @@ The HELM schema will be generated for you. # General information about chart values -![Version: 1.9.8](https://img.shields.io/badge/Version-1.9.8-informational?style=flat-square) ![AppVersion: 2.54.2](https://img.shields.io/badge/AppVersion-2.54.2-informational?style=flat-square) +![Version: 1.9.9-dev](https://img.shields.io/badge/Version-1.9.9--dev-informational?style=flat-square) ![AppVersion: 2.55.0-dev](https://img.shields.io/badge/AppVersion-2.55.0--dev-informational?style=flat-square) A Helm chart for Kubernetes to install DefectDojo From 78cfa85f49a2d12465a4b0142002eb53ae4e895b Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Wed, 21 Jan 2026 13:57:26 +0100 Subject: [PATCH 2/7] :tada: add Trivy misconfiguration fields #14136 --- dojo/tools/trivy/parser.py | 49 +++++------ unittests/scans/trivy/issue_14136.json | 108 +++++++++++++++++++++++++ unittests/tools/test_trivy_parser.py | 10 ++- 3 files changed, 142 insertions(+), 25 deletions(-) create mode 100644 unittests/scans/trivy/issue_14136.json diff --git a/dojo/tools/trivy/parser.py b/dojo/tools/trivy/parser.py index 6308070d71a..573758ab5ee 100644 --- a/dojo/tools/trivy/parser.py +++ b/dojo/tools/trivy/parser.py @@ -335,52 +335,53 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""): misconfigurations = target_data.get("Misconfigurations", []) for misconfiguration in misconfigurations: + misc_id = misconfiguration.get("ID", None) + misc_avdid = misconfiguration.get("AVDID", misc_id) + misc_title = misconfiguration.get("Title", "Unknown Misconfiguration") misc_type = misconfiguration.get("Type") - misc_id = misconfiguration.get("ID") - misc_title = misconfiguration.get("Title") - misc_description = misconfiguration.get("Description") - misc_message = misconfiguration.get("Message") + misc_description = misconfiguration.get("Description", "") + misc_message = misconfiguration.get("Message", "") misc_resolution = misconfiguration.get("Resolution") - misc_severity = misconfiguration.get("Severity") + misc_severity = misconfiguration.get("Severity", "Low") misc_primary_url = misconfiguration.get("PrimaryURL") misc_references = misconfiguration.get("References", []) - misc_causemetadata = misconfiguration.get("CauseMetadata", {}) - misc_cause_code = misc_causemetadata.get("Code", {}) - misc_cause_lines = misc_cause_code.get("Lines", []) - string_lines_table = self.get_lines_as_string_table(misc_cause_lines) + causemeta = misconfiguration.get("CauseMetadata", {}) + cause_code = causemeta.get("Code", {}) + cause_lines = cause_code.get("Lines", []) + string_lines_table = self.get_lines_as_string_table(cause_lines) if string_lines_table: - misc_message += ("\n" + string_lines_table) - - title = f"{misc_id} - {misc_title}" + misc_message += "\n" + string_lines_table description = MISC_DESCRIPTION_TEMPLATE.format( target=target_target, type=misc_type, description=misc_description, message=misc_message, ) - severity = TRIVY_SEVERITIES[misc_severity] - references = None + refs = [] if misc_primary_url: - references = f"{misc_primary_url}\n" - if misc_primary_url in misc_references: - misc_references.remove(misc_primary_url) - if references: - references += "\n".join(misc_references) - else: - references = "\n".join(misc_references) - + refs.append(misc_primary_url) + refs.extend(r for r in misc_references if r != misc_primary_url) + references = "\n".join(refs) if refs else None + severity = TRIVY_SEVERITIES.get(misc_severity, "Info") + file_path = target_target finding = Finding( test=test, - title=title, + title=f"{misc_id} - {misc_title}", severity=severity, - references=references, description=description, mitigation=misc_resolution, + references=references, + url=misc_primary_url, + file_path=file_path, + impact=misc_description, fix_available=True, static_finding=True, dynamic_finding=False, service=service_name, ) + if misc_avdid: + finding.unsaved_vulnerability_ids = [] + finding.unsaved_vulnerability_ids.append(misc_avdid) finding.unsaved_tags = [target_type, target_class] items.append(finding) diff --git a/unittests/scans/trivy/issue_14136.json b/unittests/scans/trivy/issue_14136.json new file mode 100644 index 00000000000..464f6f8bd8e --- /dev/null +++ b/unittests/scans/trivy/issue_14136.json @@ -0,0 +1,108 @@ +{ + "SchemaVersion": 2, + "ReportID": "019bdfd9-f774-7da7-917a-6b15e3b0b2a0", + "CreatedAt": "2026-01-21T10:19:22.484900675+01:00", + "ArtifactName": "tofu/clusters/sandbox", + "ArtifactType": "filesystem", + "Results": [ + { + "Target": "../../aws-credentials/main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 0, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0143", + "AVDID": "AVD-AWS-0143", + "Title": "IAM policies should not be granted directly to users.", + "Description": "CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\n", + "Message": "One or more policies are attached directly to a user", + "Namespace": "builtin.aws.iam.aws0143", + "Query": "data.builtin.aws.iam.aws0143.deny", + "Resolution": "Grant policies at the group level instead.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0143", + "References": [ + "https://console.aws.amazon.com/iam/", + "https://avd.aquasec.com/misconfig/avd-aws-0143" + ], + "Status": "FAIL", + "CauseMetadata": { + "Resource": "module.aws_credentials", + "Provider": "AWS", + "Service": "iam", + "StartLine": 20, + "EndLine": 24, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": "resource \"aws_iam_user\" \"this\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_iam_user\"\u001b[0m \u001b[38;5;37m\"this\"\u001b[0m {", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " for_each = var.users", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;245mfor_each\u001b[0m = \u001b[38;5;33mvar\u001b[0m.users", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " name = \"cluster-${var.cluster_name}-${each.key}\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;245mname\u001b[0m = \u001b[38;5;37m\"cluster-\u001b[0m\u001b[38;5;37m${\u001b[0m\u001b[38;5;33mvar\u001b[0m.cluster_name\u001b[38;5;37m}\u001b[0m\u001b[38;5;37m-\u001b[0m\u001b[38;5;37m${\u001b[0m\u001b[38;5;33meach\u001b[0m.key\u001b[38;5;37m}\u001b[0m\u001b[38;5;37m\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m}", + "FirstCause": false, + "LastCause": true + } + ] + }, + "Occurrences": [ + { + "Resource": "module.aws_credentials", + "Filename": "main.tf", + "Location": { + "StartLine": 183, + "EndLine": 248 + } + } + ] + } + } + ] + } + ] +} diff --git a/unittests/tools/test_trivy_parser.py b/unittests/tools/test_trivy_parser.py index c5333c2bd16..5711620a49e 100644 --- a/unittests/tools/test_trivy_parser.py +++ b/unittests/tools/test_trivy_parser.py @@ -170,7 +170,7 @@ def test_kubernetes(self): re_finding_description = re.sub(r"\s+", " ", finding.description) self.assertEqual(re_description.strip(), re_finding_description.strip()) self.assertEqual("Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", finding.mitigation) - self.assertIsNone(finding.unsaved_vulnerability_ids) + self.assertEqual(finding.unsaved_vulnerability_ids, ["KSV001"]) self.assertEqual(["kubernetes", "config"], finding.unsaved_tags) self.assertIsNone(finding.component_name) self.assertIsNone(finding.component_version) @@ -337,3 +337,11 @@ def test_severity_prio(self): self.assertEqual("Critical", finding.severity) self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", finding.cvssv3) self.assertEqual(7.5, finding.cvssv3_score) + + def test_misconfig_fields(self): + # this tests issue #14136. The unittest file is just a copy of cvss_severity_source.json with edited severities + with sample_path("issue_14136.json").open(encoding="utf-8") as test_file: + parser = TrivyParser() + findings = parser.get_findings(test_file, Test()) + self.assertEqual(len(findings), 1) + self.assertEqual("Low", findings[0].severity) From b65b41c3e8391b359747102b5a27d138c14663a9 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 22 Jan 2026 12:52:41 +0100 Subject: [PATCH 3/7] update --- docs/content/en/open_source/upgrading/2.54.3.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 docs/content/en/open_source/upgrading/2.54.3.md diff --git a/docs/content/en/open_source/upgrading/2.54.3.md b/docs/content/en/open_source/upgrading/2.54.3.md new file mode 100644 index 00000000000..515192579a4 --- /dev/null +++ b/docs/content/en/open_source/upgrading/2.54.3.md @@ -0,0 +1,9 @@ +--- +title: 'Upgrading to DefectDojo Version 2.54.3' +toc_hide: true +weight: -20250602 +description: Trivy parser deduplication +--- + +## Trivy parser deduplication +Deduplication of Trivy misconfiguration findings is improved for newly imported findings, but existing findings may no longer match because they don’t contain the new vulnerability_id or file_path fields. \ No newline at end of file From f561a40b933edab6a903c3d19a697346d8892f5c Mon Sep 17 00:00:00 2001 From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Date: Thu, 22 Jan 2026 22:45:45 -0500 Subject: [PATCH 4/7] pro changelog: jan21 (#14144) * update changelog 2.54.1/2 * quick fix Removed note about no significant UX changes from changelog. --- docs/content/en/changelog/changelog.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/content/en/changelog/changelog.md b/docs/content/en/changelog/changelog.md index 2b61f5d09e1..a3561c407d5 100644 --- a/docs/content/en/changelog/changelog.md +++ b/docs/content/en/changelog/changelog.md @@ -10,6 +10,15 @@ For Open Source release notes, please see the [Releases page on GitHub](https:// ## Jan 2025: v2.54 +### Jan 20, 2025: v2.54.2 + +* **(Pro UI)** corrected a bug where unordered lists would display as ordered lists in editor forms. +* **(Smart Upload)** introduced severity filtering to the Smart Importer to skip findings below a specified severity level. Added detailed logging throughout the findings processing to improve traceability and debugging. + +### Jan 12, 2025: v2.54.1 + +* **(AI Tools)** added Risk Scores to schema for MCP processing. + ### Jan 5, 2025: v2.54.0 No significant UX changes. From d4fe8df4dc082b017e9dc75ab73a0feaf13df39a Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 22 Jan 2026 20:46:13 -0700 Subject: [PATCH 5/7] Update file upload field to accept dynamic file types and add validation for supported extensions (#14143) --- dojo/forms.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/dojo/forms.py b/dojo/forms.py index 000dec362a0..0e32fcb0b15 100644 --- a/dojo/forms.py +++ b/dojo/forms.py @@ -891,7 +891,7 @@ class EditRiskAcceptanceForm(forms.ModelForm): recommendation = forms.ChoiceField(choices=Risk_Acceptance.TREATMENT_CHOICES, initial=Risk_Acceptance.TREATMENT_ACCEPT, widget=forms.RadioSelect, label="Security Recommendation") decision = forms.ChoiceField(choices=Risk_Acceptance.TREATMENT_CHOICES, initial=Risk_Acceptance.TREATMENT_ACCEPT, widget=forms.RadioSelect) - path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ".jpg,.png,.pdf"})) + path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ", ".join(settings.FILE_IMPORT_TYPES)})) expiration_date = forms.DateTimeField(required=False, widget=forms.TextInput(attrs={"class": "datepicker"})) class Meta: @@ -904,10 +904,20 @@ def __init__(self, *args, **kwargs): self.fields["expiration_date_warned"].disabled = True self.fields["expiration_date_handled"].disabled = True + def clean_path(self): + if (data := self.cleaned_data.get("path")) is not None: + ext = Path(data.name).suffix # [0] returns path+filename + valid_extensions = settings.FILE_UPLOAD_TYPES + if ext.lower() not in valid_extensions: + if accepted_extensions := f"{', '.join(valid_extensions)}": + msg = f"Unsupported extension. Supported extensions are as follows: {accepted_extensions}" + else: + msg = "File uploads are prohibited due to the list of acceptable file extensions being empty" + raise ValidationError(msg) + return data + class RiskAcceptanceForm(EditRiskAcceptanceForm): - # path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ".jpg,.png,.pdf"})) - # expiration_date = forms.DateTimeField(required=False, widget=forms.TextInput(attrs={'class': 'datepicker'})) accepted_findings = forms.ModelMultipleChoiceField( queryset=Finding.objects.none(), required=True, widget=forms.widgets.SelectMultiple(attrs={"size": 10}), From 48cc5b86e65482b267342620ecdae99841c54beb Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 26 Jan 2026 09:08:32 -0700 Subject: [PATCH 6/7] Add Permissions-Policy header settings and corresponding tests (#14156) --- dojo/settings/settings.dist.py | 20 ++++++++++++++++++++ requirements.txt | 1 + unittests/test_permission_policy_headers.py | 11 +++++++++++ 3 files changed, 32 insertions(+) create mode 100644 unittests/test_permission_policy_headers.py diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index ab7918c922c..a5141612fea 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -817,6 +817,25 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param SESSION_EXPIRE_AT_BROWSER_CLOSE = env("DD_SESSION_EXPIRE_AT_BROWSER_CLOSE") SESSION_EXPIRE_WARNING = env("DD_SESSION_EXPIRE_WARNING") SESSION_COOKIE_AGE = env("DD_SESSION_COOKIE_AGE") +# Permission-Policy header settings +# See docs at https://pypi.org/project/django-permissions-policy/ +PERMISSIONS_POLICY = { + "accelerometer": [], + "ambient-light-sensor": [], + "autoplay": [], + "camera": [], + "display-capture": [], + "encrypted-media": [], + "fullscreen": [], + "geolocation": [], + "gyroscope": [], + "interest-cohort": [], + "magnetometer": [], + "microphone": [], + "midi": [], + "payment": [], + "usb": [], +} # ------------------------------------------------------------------------------ # DEFECTDOJO SPECIFIC @@ -966,6 +985,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param "django.contrib.sessions.middleware.SessionMiddleware", "django.middleware.csrf.CsrfViewMiddleware", "django.middleware.security.SecurityMiddleware", + "django_permissions_policy.PermissionsPolicyMiddleware", "django.contrib.auth.middleware.AuthenticationMiddleware", "django.contrib.messages.middleware.MessageMiddleware", "django.middleware.clickjacking.XFrameOptionsMiddleware", diff --git a/requirements.txt b/requirements.txt index 5f8d7b0e35d..f25a6aa9200 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,6 +16,7 @@ django-crispy-forms==2.5 django_extensions==4.1 django-slack==5.19.0 django-watson==1.6.3 +django-permissions-policy==4.28.0 django-prometheus==2.4.1 Django==5.2.9 django-single-session==0.2.0 diff --git a/unittests/test_permission_policy_headers.py b/unittests/test_permission_policy_headers.py new file mode 100644 index 00000000000..7deae634ac6 --- /dev/null +++ b/unittests/test_permission_policy_headers.py @@ -0,0 +1,11 @@ +from django.test import TestCase +from django.urls import reverse + + +class EmptyPermissionsPolicyTests(TestCase): + def test_empty_policy_still_sets_header(self): + response = self.client.get(reverse("login")) + self.assertIn("Permissions-Policy", response.headers) + # Header may be empty or minimal, but must exist + self.assertIsNotNone(response["Permissions-Policy"]) + self.assertGreaterEqual(len(response["Permissions-Policy"]), 2) From f318690c2aaf66b53327b7cc17b7bdac8d27748e Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 26 Jan 2026 16:42:51 +0000 Subject: [PATCH 7/7] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 8 ++++---- helm/defectdojo/README.md | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/components/package.json b/components/package.json index 6fc51fe3ce9..f652c2733ea 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.55.0-dev", + "version": "2.54.3", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index bf821e32077..262c2e3b52f 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = "2.54.2" +__version__ = "2.54.3" __url__ = "https://github.com/DefectDojo/django-DefectDojo" # noqa: RUF067 __docs__ = "https://documentation.defectdojo.com" # noqa: RUF067 diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 9dd1472090f..4c740040829 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.55.0-dev" +appVersion: "2.54.3" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.9.9-dev +version: 1.9.9 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png maintainers: - name: madchap @@ -33,5 +33,5 @@ dependencies: # - kind: security # description: Critical bug annotations: - artifacthub.io/prerelease: "true" - artifacthub.io/changes: "" + artifacthub.io/prerelease: "false" + artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.54.3\n" diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 50e85e83810..eb755edc7a4 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -511,7 +511,7 @@ The HELM schema will be generated for you. # General information about chart values -![Version: 1.9.9-dev](https://img.shields.io/badge/Version-1.9.9--dev-informational?style=flat-square) ![AppVersion: 2.55.0-dev](https://img.shields.io/badge/AppVersion-2.55.0--dev-informational?style=flat-square) +![Version: 1.9.9](https://img.shields.io/badge/Version-1.9.9-informational?style=flat-square) ![AppVersion: 2.54.3](https://img.shields.io/badge/AppVersion-2.54.3-informational?style=flat-square) A Helm chart for Kubernetes to install DefectDojo