Merge pull request #13348 from DefectDojo/bugfix

Release 2.51.0: Merge Bugfix into Dev

Author: rossops

.github/workflows/close-stale.yml

@@ -15,6 +15,17 @@ jobs:
   close-stale:
     runs-on: ubuntu-latest
     steps:
+      - name: Close issues and PRs that are pending closure
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          # Disable automatic stale marking - only close manually labeled items
+          days-before-stale: -1
+          days-before-close: 7
+          stale-issue-label: 'pending-closure'
+          stale-pr-label: 'pending-closure'
+          close-issue-message: 'This issue has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+          close-pr-message: 'This PR has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+
       - name: Close stale issues and PRs
         uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
@@ -23,5 +34,5 @@ jobs:
           days-before-close: 7
           stale-issue-label: 'stale'
           stale-pr-label: 'stale'
-          close-issue-message: 'This issue has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
-          close-pr-message: 'This PR has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+          close-issue-message: 'This issue has been automatically closed because it was labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'
+          close-pr-message: 'This PR has been automatically closed because it was labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.'

docs/content/en/changelog/changelog.md

@@ -10,6 +10,11 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Sept 2025: v2.50
 
+### Sept 22, 2025: v2.50.4
+
+* **(Pro UI)** Changes Engagement Deduplication form label and help text
+* **(Pro UI)** Adds toggle for MCP (for superusers only)
+
 ### Sept 15, 2025: v2.50.3
 
 * **(Pro UI)** Added support for [CVSSv4.0](https://www.first.org/cvss/v4-0/) vector strings.

docs/content/en/connecting_your_tools/parsers/file/github_secrets_detection_report.md

@@ -0,0 +1,9 @@
+---
+title: "Github Secrets Detection Report"
+toc_hide: true
+---
+Import findings in JSON format from Github Secret Scanning REST API:
+<https://docs.github.com/en/rest/secret-scanning/secret-scanning>
+
+### Sample Scan Data
+Sample Github SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/github_secrets_detection_report_many_vul.json).

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -166,6 +166,17 @@ Good example:
        finding.cwe = data["mykey"]
 ```
 
+```python
+   finding.cwe = data.get("mykey", 123)
+```
+
+```python
+   some_list = data.get("key_of_the_list") or []
+```
+
+The finale example guards against cases where `key_of_the_list` is present, but `null`.
+
+
 ### Parsing of CVSS vectors
 
 Data can have `CVSS` vectors or scores. Defect Dojo use the `cvss` module provided by RedHat Security.

dojo/api_v2/serializers.py

@@ -1761,13 +1761,15 @@ def update(self, instance, validated_data):
         if reporter_id := validated_data.get("reporter"):
             instance.reporter = reporter_id
 
+        # Persist vulnerability IDs first so model save computes hash including them (if there is no hash yet)
+        # we can't pass unsaved_vulnerabilitiy_ids to super.update()
+        if parsed_vulnerability_ids:
+            save_vulnerability_ids(instance, parsed_vulnerability_ids)
+
         instance = super().update(
             instance, validated_data,
         )
 
-        if parsed_vulnerability_ids:
-            save_vulnerability_ids(instance, parsed_vulnerability_ids)
-
         if push_to_jira:
             jira_helper.push_to_jira(instance)
 
@@ -1901,11 +1903,15 @@ def create(self, validated_data):
         if (vulnerability_ids := validated_data.pop("vulnerability_id_set", None)):
             logger.debug("VULNERABILITY_ID_SET: %s", vulnerability_ids)
             parsed_vulnerability_ids.extend(vulnerability_id["vulnerability_id"] for vulnerability_id in vulnerability_ids)
+            logger.debug("PARSED_VULNERABILITY_IDST: %s", parsed_vulnerability_ids)
             logger.debug("SETTING CVE FROM VULNERABILITY_ID_SET: %s", parsed_vulnerability_ids[0])
             validated_data["cve"] = parsed_vulnerability_ids[0]
+            # validated_data["unsaved_vulnerability_ids"] = parsed_vulnerability_ids
 
-        new_finding = super().create(
-            validated_data)
+        # super.create() doesn't accept unsaved_vulnerability_ids or dedupe_option=False, so call save directly.
+        new_finding = Finding(**validated_data)
+        new_finding.unsaved_vulnerability_ids = parsed_vulnerability_ids or []
+        new_finding.save()
 
         logger.debug(f"New finding CVE: {new_finding.cve}")
 
@@ -1918,9 +1924,6 @@ def create(self, validated_data):
             new_finding.reviewers.set(reviewers)
         if parsed_vulnerability_ids:
             save_vulnerability_ids(new_finding, parsed_vulnerability_ids)
-            # can we avoid this extra save? the cve has already been set above in validated_data. but there are no tests for this
-            # on finding update nothing is done # with vulnerability_ids?
-            # new_finding.save()
 
         if push_to_jira:
             jira_helper.push_to_jira(new_finding)

dojo/finding/views.py

@@ -1561,7 +1561,7 @@ def request_finding_review(request, fid):
 
             create_notification(
                 event="review_requested",  # TODO: - if 'review_requested' functionality will be supported by API as well, 'create_notification' needs to be migrated to place where it will be able to cover actions from both interfaces
-                title="Finding review requested",
+                title=f"Finding review requested for Test created for {finding.test.engagement.product}: {finding.test.engagement.name}: {finding.test} - {finding.title}",
                 requested_by=user,
                 note=new_note,
                 finding=finding,

dojo/search/views.py

@@ -15,7 +15,7 @@
 from dojo.engagement.queries import get_authorized_engagements
 from dojo.filters import FindingFilter, FindingFilterWithoutObjectLookups
 from dojo.finding.queries import get_authorized_findings, get_authorized_vulnerability_ids, prefetch_for_findings
-from dojo.forms import SimpleSearchForm
+from dojo.forms import FindingBulkUpdateForm, SimpleSearchForm
 from dojo.models import Engagement, Finding, Finding_Template, Languages, Product, Test
 from dojo.product.queries import get_authorized_app_analysis, get_authorized_products
 from dojo.test.queries import get_authorized_tests
@@ -390,7 +390,9 @@ def simple_search(request):
         "form": form,
         "activetab": activetab,
         "show_product_column": True,
-        "generic": generic})
+        "generic": generic,
+        "bulk_edit_form": FindingBulkUpdateForm(request.GET),
+        })
 
     if cookie:
         response.set_cookie("highlight", value=keywords_query,

dojo/settings/settings.dist.py

@@ -172,6 +172,7 @@
     DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL=(str, ""),
     DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY=(str, ""),
     DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET=(str, ""),
+    DD_SOCIAL_AUTH_USERNAME_IS_FULL_EMAIL=(bool, True),
     DD_SAML2_ENABLED=(bool, False),
     # Allows to override default SAML authentication backend. Check https://djangosaml2.readthedocs.io/contents/setup.html#custom-user-attributes-processing
     DD_SAML2_AUTHENTICATION_BACKENDS=(str, "djangosaml2.backends.Saml2Backend"),
@@ -577,7 +578,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 SOCIAL_AUTH_STRATEGY = "social_django.strategy.DjangoStrategy"
 SOCIAL_AUTH_STORAGE = "social_django.models.DjangoStorage"
 SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
-SOCIAL_AUTH_USERNAME_IS_FULL_EMAIL = True
+SOCIAL_AUTH_USERNAME_IS_FULL_EMAIL = env("DD_SOCIAL_AUTH_USERNAME_IS_FULL_EMAIL")
 
 GOOGLE_OAUTH_ENABLED = env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED")
 SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_KEY")
@@ -1325,6 +1326,7 @@ def saml2_attrib_map_format(din):
     "Scout Suite Scan": ["file_path", "vuln_id_from_tool"],  # for now we use file_path as there is no attribute for "service"
     "Meterian Scan": ["cwe", "component_name", "component_version", "description", "severity"],
     "Github Vulnerability Scan": ["title", "severity", "component_name", "vulnerability_ids", "file_path"],
+    "Github Secrets Detection Report": ["title", "file_path", "line"],
     "Solar Appscreener Scan": ["title", "file_path", "line", "severity"],
     "pip-audit Scan": ["vuln_id_from_tool", "component_name", "component_version"],
     "Rubocop Scan": ["vuln_id_from_tool", "file_path", "line"],
@@ -1570,6 +1572,7 @@ def saml2_attrib_map_format(din):
     "AWS Security Hub Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
     "Meterian Scan": DEDUPE_ALGO_HASH_CODE,
     "Github Vulnerability Scan": DEDUPE_ALGO_HASH_CODE,
+    "Github Secrets Detection Report": DEDUPE_ALGO_HASH_CODE,
     "Cloudsploit Scan": DEDUPE_ALGO_HASH_CODE,
     "SARIF": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
     "Azure Security Center Recommendations Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
@@ -1850,6 +1853,7 @@ def saml2_attrib_map_format(din):
     "ALSA-": "https://osv.dev/vulnerability/",  # e.g. https://osv.dev/vulnerability/ALSA-2024:0827
     "ASA-": "https://security.archlinux.org/",  # e.g. https://security.archlinux.org/ASA-202003-8
     "AVD": "https://avd.aquasec.com/misconfig/",  # e.g. https://avd.aquasec.com/misconfig/avd-ksv-01010
+    "AWS-": "https://aws.amazon.com/security/security-bulletins/",  # e.g. https://aws.amazon.com/security/security-bulletins/AWS-2025-001
     "BAM-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/BAM-25498
     "BSERV-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/BSERV-19020
     "C-": "https://hub.armosec.io/docs/",  # e.g. https://hub.armosec.io/docs/c-0085

dojo/templates/dojo/findings_list_snippet.html

@@ -722,6 +722,9 @@ <h3 class="has-filters">
                                         <td class="nowrap">
                                             {% if finding.planned_remediation_date %}{{ finding.planned_remediation_date }}{% endif %}
                                         </td>
+                                        <td class="nowrap">
+                                            {% if finding.planned_remediation_version %}{{ finding.planned_remediation_version }}{% endif %}
+                                        </td>
                                         {% if filter_name != 'Closed' %}
                                             <td class="nowrap">
                                                 {% if finding.reviewers %}
@@ -820,6 +823,7 @@ <h3 class="has-filters">
                 {% endif %}
                 { "data": "service" },
                 { "data": "planned_remediation_date" },
+                { "data": "planned_remediation_version" },
                 {% if filter_name != 'Closed' %}
                     { "data": "reviewers" },
                 {% endif %}