Merge pull request #12481 from DefectDojo/release/2.46.3

Release: Merge release into master from: release/2.46.3

Author: rossops

.github/pr-reminder.py

@@ -1,37 +1,19 @@
-name: Notify Pending PR Reviewers
+name: Daily PR Review Reminder
 
 on:
-  workflow_dispatch:
   schedule:
-    - cron: '0 16 * * 1-5'  # 11:00 AM CT M-F
+    - cron: "0 16 * * 1-5" # 11:00 AM CT M-F
+  workflow_dispatch:
 
 jobs:
   notify-reviewers:
     runs-on: ubuntu-latest
     if: github.repository == 'DefectDojo/django-DefectDojo' # Notify only in core repo, not in forks - it would just fail in fork
-
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - name: Notify reviewers in Slack
+        uses: DefectDojo-Inc/notify-pr-reviewers-action@master
         with:
-          # Only checkout the master branch to avoid changes to this script
-          # This is to reduce the possibilities of a secret leak from modifying
-          # this action, or the python script that is called down below
-          ref: master 
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.13"
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install requests
-
-      - name: Run PR reminder script
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
-        run: |
-          python3 .github/pr-reminder.py
+          owner: "DefectDojo"
+          repository: "django-DefectDojo"
+          gh_token: ${{ secrets.GH_TOKEN }}
+          slack_token: ${{ secrets.SLACK_TOKEN }}

.github/workflows/slack-pr-reminder.yml

@@ -41,6 +41,7 @@ pip-delete-this-directory.txt
 .ruff_cache
 nosetests.xml
 coverage.xml
+selenium_page_source.html
 
 # Translations
 *.mo

.gitignore

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.46.2",
+  "version": "2.46.3",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

components/package.json

@@ -65,9 +65,27 @@ This option is especially relevant when using the API to import data. If uploadi
 * **Source Code Management URI** can also be specified. This form option must be a valid URI.
 * **Group By:** if you want to create Finding Groups out of this File, you can specify the grouping method here.
 
-### Next Steps
+### Triage-less scanners: Do Not Reactivate field
 
-Once your upload has completed, you should be redirected to the Test Page which contains the Findings found in the scan file. You can start working with those results right away, but feel free to consult the following articles:
+Some scanners might not include triage information in their reports (e.g. tfsec). They simply scan code or dependencies, flag issues, and return everything, regardless of whether a vulnerability has already been triaged or not.
 
-* Learn how to organize your Product Hierarchy to manage different contexts for your Findings and Tests: [Product Hierarchy Overview](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/).
-* Learn how to extend a Test with additional Findings and reports: [Reimport Guide](../using_reimport/)
+To handle this case, DefectDojo also includes a "Do not reactivate" checkbox in uploading reports (also in the reimport API), so you can use DefectDojo as the source of truth for triage, instead of reactivating your triaged Findings on each import / reimport.
+
+### Using the Scan Completion Date (API: `scan_date`) field
+
+DefectDojo offers a plethora of supported scanner reports, but not all of them contain the
+information most important to a user. The `scan_date` field is a flexible smart feature that
+allows users to set the completion date of the a given scan report, and have it propagate
+down to all the findings imported. This field is **not** mandatory, but the default value for
+this field is the date of import (whenever the request is processed and a successful response is returned).
+
+Here are the following use cases for using this field:
+
+1. The report **does not** set the date, and `scan_date` is **not** set at import
+    - Finding date will be the default value of `scan_date`
+2. The report **sets** the date, and the `scan_date` is **not** set at import
+    - Finding date will be whatever the report sets
+3. The report **does not** set the date, and the `scan_date` is **set** at import
+    - Finding date will be whatever the user set for `scan_date`
+4. The report **sets** the date, and the `scan_date` is **set** at import
+    - Finding date will be whatever the user set for `scan_date`

docs/assets/images/oidc_pro.png

@@ -16,6 +16,8 @@ Users can connect to DefectDojo with a Username and Password, but if you prefer,
 
 All of these methods can only be configured by a Superuser in DefectDojo.  DefectDojo Pro users can quickly set up SSO through their system settings, while Open Source users will need to configure these settings on the back-end by setting an environment variable within Docker.  This article covers both methods of configuration.
 
+**NOTE: DefectDojo Pro users will all need to add the IP addresses of SAML or SSO services to their Firewall whitelist.  See [Firewall Rules](/en/cloud_management/using-cloud-manager/#changing-your-firewall-settings) for more information.**
+
 ## Disable username / password use
 You may wish to disable traditional username/password login on your instance.
 
@@ -513,6 +515,59 @@ GET parameter starts with `http://` instead of
 
 2. Restart DefectDojo, and 'Login With Okta' should appear on the login screen.
 
+## OIDC (OpenID Connect)
+
+Adding OIDC gives you the option to authenticate users using a generic OIDC provider.
+
+### Pro Configuration
+
+In DefectDojo Pro, OIDC can be configured from the OIDC settings page:
+
+![image](images/oidc_pro.png)
+
+Fill out the form as follows
+
+1. Enter your OIDC endpoint in the Endpoint field.  This is the base URL of your OIDC instance (you do not need to include `/.well-known/open-id-configuration/`)
+
+2. Enter your OIDC Client ID in the Client ID field.
+
+3. Enter the OIDC Client Secret in the Client Secret field.
+
+4. Check the box for Enable OIDC.
+
+Once the form has been submitted, Log In With OIDC should be added as an option to the DefectDojo login page.
+
+
+### Open-Source
+
+The minimum configuration requires you to set the following environment variables:
+
+    {{< highlight python >}}
+    DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED=True,
+    DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, 'https://example.com'),
+    DD_SOCIAL_AUTH_OIDC_KEY=(str, 'YOUR_CLIENT_ID'),
+    DD_SOCIAL_AUTH_OIDC_SECRET=(str, 'YOUR_CLIENT_SECRET')
+    {{< /highlight >}}
+
+The rest of the OIDC configuration will be auto-detected by fetching data from:
+ - <DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT>/.well-known/open-id-configuration/
+
+You can also optionally set the following variables:
+
+    {{< highlight python >}}
+    DD_SOCIAL_AUTH_OIDC_ID_KEY=(str, ''),                           #the key associated with the OIDC user IDs
+    DD_SOCIAL_AUTH_OIDC_USERNAME_KEY=(str, ''),                     #the key associated with the OIDC usernames
+    DD_SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS=(list, ['']),           #list of domains allowed for login
+    DD_SOCIAL_AUTH_OIDC_JWT_ALGORITHMS=(list, ["RS256","HS256"]),
+    DD_SOCIAL_AUTH_OIDC_ID_TOKEN_ISSUER=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_ACCESS_TOKEN_URL=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ''),
+    {{< /highlight >}}
+
+Once these variables have been set, restart DefectDojo. Log In With OIDC should now be added to the DefectDojo login page.
+
 ## SAML Configuration
 
 <span style="background-color:rgba(242, 86, 29, 0.3)">DefectDojo Pro</span> users can follow this guide to set up a SAML configuration using the DefectDojo UI. Open-Source users can set up SAML via environment variables, using the following [guide](./#open-source-saml).