Merge pull request #12717 from DefectDojo/release/2.47.4

Release: Merge release into master from: release/2.47.4

Author: rossops

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.47.3",
+  "version": "2.47.4",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/assets/images/pro_endpoint_metadata.png

@@ -11,6 +11,32 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## June 2025: v2.47
 
+### June 16, 2025: v2.47.2
+
+- **(Pro UI)** Endpoint Metadata can now be uploaded to Products.  You can now import a .csv list of all endpoints associated with a Product, from **View Product > Endpoints > Import Endpoint Metadata**
+
+![image](images/pro_endpoint_metadata.png)
+
+- **(Pro UI)** Pie Charts for Metrics now dynamically update based on selected categories.
+- **(Pro UI)** Finding metadata (specifically notes, endpoints, and file path/line number) are now visible from the Findings table if present.
+- **(Pro UI)** Findings table now uses icons to identify linked Endpoints, Notes or Files.  Clicking the Endpoints or Notes icon opens a window which lists all Endpoints or Notes.
+
+![image](images/pro_finding_icons.png)
+
+- **(Pro UI)** Login page has been redesigned.
+
+![image](images/pro_login.png)
+
+
+### June 9, 2025: v2.47.1
+
+- **(Pro UI)** Vulnerable Endpoints table has now been added to Finding pages.
+
+![image](images/pro_vulnerable_endpoints.png)
+
+- **(Pro UI)** "Original Finding" link has been added to Finding Metadata table for Duplicate Findings.
+- **(Pro UI)** CI/CD Metadata has been added to Engagement view.
+
 ### June 2, 2025: v2.47.0
 
 - **(Pro UI)** Finding review can now be set through the Pro UI.  You can now Request Review or clear a Finding review from Finding tables, or from the Finding View.

docs/assets/images/pro_finding_icons.png

@@ -7,6 +7,7 @@ All parsers which using API have common basic configuration step but with differ
 
 In `Tool Configuration`, select `Tool Type` to "Cobalt.io" and `Authentication Type` "API Key".
 Paste your Cobalt.io API token in the `API Key` field and the desired org token in the `Extras` field.
+Currently Defect Dojo only supports [V1 API Keys](https://github.com/DefectDojo/django-DefectDojo/issues/12572).
 
 In `Add API Scan Configuration` provide the ID
 of the asset from which to import findings in the field `Service key 1`.

docs/assets/images/pro_login.png

@@ -4,5 +4,22 @@ toc_hide: true
 ---
 JSON report of [trivy scanner](https://github.com/aquasecurity/trivy).
 
+The [status](https://trivy.dev/latest/docs/configuration/filtering/) field in Trivy is mapped to the Defect Dojo status flags in the following way:
+
+| Trivy Status         | Active | Verified | Mitigated | Remarks                                                                                                         |
+|----------------------|--------|----------|-----------|-----------------------------------------------------------------------------------------------------------------|
+| unknown              | True   | False    | False     | use default value for active which is usually True                                                              |
+| not_affected         | False  | True     | True      | false positive is the most appropriate status for not affected as out of scope might be interpreted as something else |
+| affected             | True   | True     | False     | standard case                                                                                                   |
+| fixed                | True   | True     | False     | fixed in this context means that there is a fix available by patching/updating/upgrading the package but it's still active and verified |
+| under_investigation  | True   | False    | False     | no status flag in Defect Dojo to capture this, but verified is False                                            |
+| will_not_fix         | True   | True     | False     | no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor; we can't set active to False as the user needs to risk accept this finding |
+| fix_deferred         | True   | True     | False     | no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor; we can't set active to False as the user needs to (temporarily) risk accept this finding |
+| end_of_life          | True   | True     | False     | no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor; we can't set active to False as the user needs to (temporarily) risk accept
+
+The status field contains the status as assigned by the OS/Package vendor such as Red Hat, Debian, etc.
+It is recommended to assess the appropriate action in your Product's context.
+If you want to exclude certain status from being imported into Defect Dojo, please [filter them in the export from Trivy](https://trivy.dev/latest/docs/configuration/filtering/)
+
 ### Sample Scan Data
-Sample Trivy scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/trivy).
+Sample Trivy scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/trivy)

docs/assets/images/pro_vulnerable_endpoints.png

@@ -59,3 +59,19 @@ To remove one or more Alerts from the Alerts Page, check the empty box next to i
 * Using the **Clear All Alerts \>** function in the Alerts Menu will also completely clear the **Alerts Page**, so use this feature with care.
 * Removing an Alert only affects your own Alerts List \- it will not affect any other user’s Alerts.
 * Removing an Alert does not remove any import history or activity logs from DefectDojo.
+
+## Open-Source Considerations
+
+### Specific overrides
+
+System notification settings (scope: system) describe the sending of notifications to superadmins. User notification settings (scope: personal) describe sending notifications to the specific user.
+
+However, there is a specific use-case when the user decides to disable notifications (to decrease noise) but the system setting is used to override this behavior. These overrides apply only to `user_mentioned` and `review_requested` by default.
+
+The scope of this setting is customizable (see environment variable `DD_NOTIFICATIONS_SYSTEM_LEVEL_TRUMP`).
+
+For more information about this behavior see the [related pull request #9699](https://github.com/DefectDojo/django-DefectDojo/pull/9699/)
+
+### Webhooks (experimental)
+
+DefectDojo also supports webhooks that follow the same events as other notifications (you can be notified in the same situations). Details about setup are described in [related page](/en/open_source/notification_webhooks/how_to).