Merge pull request #12615 from DefectDojo/release/2.47.2

Release: Merge release into master from: release/2.47.2

Author: rossops

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.47.1",
+  "version": "2.47.2",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/content/en/open_source/upgrading/2.39.md

@@ -2,7 +2,114 @@
 title: 'Upgrading to DefectDojo Version 2.39.x'
 toc_hide: true
 weight: -20240903
-description: No special instructions.
+description: Major upgrade of Postgres 16 to 17
 exclude_search: true
 ---
-There are no special instructions for upgrading to 2.39.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.39.0) for the contents of the release.
+
+# PostgreSQL Major Version Upgrade in Docker Compose
+
+This release incorporates a major upgrade of Postgres. When using the default docker compose setup you'll need to upgrade the Postgres data folder before you can use Defect Dojo 2.39.0.
+
+There are lots of online guides to be found such as https://hub.docker.com/r/tianon/postgres-upgrade or https://github.com/pgautoupgrade/docker-pgautoupgrade.
+
+There's also the [official documentation on `pg_upgrade`](https://www.postgresql.org/docs/current/pgupgrade.html), but this doesn't work out of the box when using Docker containers.
+
+Sometimes it's easier to just perform the upgrade manually, which would look something like the steps below.
+It may need some tuning to your specific needs and docker compose setup. The guide is loosely based on https://simplebackups.com/blog/docker-postgres-backup-restore-guide-with-examples.
+If you already have a valid backup of the postgres 16 database, you can start at step 4.
+
+---
+
+## 0. Backup
+
+Always back up your data before starting and save it somewhere.
+Make sure the backup and restore is tested before continuing the steps below where the docker volume containing the database will be removed.
+
+## 1. Start the Old Postgres Container
+
+If you've acceidentally already updated your docker-compose.yml to the new versions, downgrade to postgres 16 for now:
+
+Edit your `docker-compose.yml` to use the old Postgres version (e.g., `postgres:16.4-alpine`):
+
+```yaml
+postgres:
+  image: postgres:16.4-alpine
+  ...
+```
+
+Start only the Postgres container which will now be 16.4:
+
+```bash
+docker compose up -d postgres
+```
+
+---
+
+## 2. Dump Your Database
+
+```bash
+docker compose exec -t postgres pg_dump -U defectdojo -Fc defectdojo -f /tmp/defectdojo.dump
+docker cp <postgres_container_name>:/tmp/defectdojo.dump defectdojo.dump
+```
+You can find the postgres_container_name via `docker container ls` or `docker ps`.
+
+---
+
+## 3. Stop Containers and Remove the Old Volume
+
+You can find the volume name via `docker volume ls`.
+
+```bash
+docker compose down
+docker volume rm <defectdojo_postgres_volume_name>
+```
+
+---
+
+## 4. Switch to the New Postgres Version
+
+Edit your `docker-compose.yml` to use the new version (e.g., `postgres:17.5-alpine`):
+
+```yaml
+postgres:
+  image: postgres:17.5-alpine
+  ...
+```
+
+---
+
+## 5. Start the New Postgres Container
+
+```bash
+docker compose up -d postgres
+```
+
+---
+
+## 6. Restore Your Database
+
+**Copy the dump file into the new container:**
+
+```bash
+docker cp defectdojo.dump <postgres_container_name>:/defectdojo.dump
+```
+
+**Restore inside the container:**
+
+```bash
+docker exec -it <postgres_container_name> bash
+pg_restore -U defectdojo -d defectdojo /defectdojo.dump
+```
+
+---
+
+## 7. Start the Rest of Your Services
+
+```bash
+docker compose up -d
+```
+
+---
+
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.39.0) for the contents of the release.

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.47.1"
+__version__ = "2.47.2"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/jira_link/helper.py

@@ -1674,19 +1674,24 @@ def process_resolution_from_jira(finding, resolution_id, resolution_name, assign
     jira_instance = get_jira_instance(finding)
 
     if resolved:
-        if jira_instance and resolution_name in jira_instance.accepted_resolutions:
+        if jira_instance and resolution_name in jira_instance.accepted_resolutions and (finding.test.engagement.product.enable_simple_risk_acceptance or finding.test.engagement.enable_full_risk_acceptance):
             if not finding.risk_accepted:
-                logger.debug(f"Marking related finding of {jira_issue.jira_key} as accepted. Creating risk acceptance.")
+                logger.debug(f"Marking related finding of {jira_issue.jira_key} as accepted.")
+                finding.risk_accepted = True
                 finding.active = False
                 finding.mitigated = None
                 finding.is_mitigated = False
                 finding.false_p = False
-                ra = Risk_Acceptance.objects.create(
-                    accepted_by=assignee_name,
-                    owner=finding.reporter,
-                )
-                finding.test.engagement.risk_acceptance.add(ra)
-                ra_helper.add_findings_to_risk_acceptance(User.objects.get_or_create(username="JIRA")[0], ra, [finding])
+
+                if finding.test.engagement.product.enable_full_risk_acceptance:
+                    logger.debug(f"Creating risk acceptance for finding linked to {jira_issue.jira_key}.")
+                    ra = Risk_Acceptance.objects.create(
+                        accepted_by=assignee_name,
+                        owner=finding.reporter,
+                        decision_details=f"Risk Acceptance automatically created from JIRA issue {jira_issue.jira_key} with resolution {resolution_name}",
+                    )
+                    finding.test.engagement.risk_acceptance.add(ra)
+                    ra_helper.add_findings_to_risk_acceptance(User.objects.get_or_create(username="JIRA")[0], ra, [finding])
                 status_changed = True
         elif jira_instance and resolution_name in jira_instance.false_positive_resolutions:
             if not finding.false_p:

dojo/metrics/views.py

@@ -185,7 +185,6 @@ def simple_metrics(request):
         total_medium = []
         total_low = []
         total_info = []
-        total_closed = []
         total_opened = []
         findings_broken_out = {}
 
@@ -197,10 +196,20 @@ def simple_metrics(request):
                                        date__year=now.year,
                                        )
 
+        closed = Finding.objects.filter(test__engagement__product__prod_type=pt,
+                                       false_p=False,
+                                       duplicate=False,
+                                       out_of_scope=False,
+                                       mitigated__month=now.month,
+                                       mitigated__year=now.year,
+                                       )
+
         if get_system_setting("enforce_verified_status", True) or get_system_setting("enforce_verified_status_metrics", True):
             total = total.filter(verified=True)
+            closed = closed.filter(verified=True)
 
         total = total.distinct()
+        closed = closed.distinct()
 
         for f in total:
             if f.severity == "Critical":
@@ -214,9 +223,6 @@ def simple_metrics(request):
             else:
                 total_info.append(f)
 
-            if f.mitigated and f.mitigated.year == now.year and f.mitigated.month == now.month:
-                total_closed.append(f)
-
             if f.date.year == now.year and f.date.month == now.month:
                 total_opened.append(f)
 
@@ -228,7 +234,7 @@ def simple_metrics(request):
         findings_broken_out["S4"] = len(total_info)
 
         findings_broken_out["Opened"] = len(total_opened)
-        findings_broken_out["Closed"] = len(total_closed)
+        findings_broken_out["Closed"] = len(closed)
 
         findings_by_product_type[pt] = findings_broken_out
 

dojo/settings/settings.dist.py

@@ -1827,10 +1827,12 @@ def saml2_attrib_map_format(din):
     "ELA-": "https://www.freexian.com/lts/extended/updates/",  # e.g. https://www.freexian.com/lts/extended/updates/ela-1387-1-erlang
     "ELBA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
     "ELSA-": "https://linux.oracle.com/errata/&&.html",  # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
+    "EUVD-": "https://euvd.enisa.europa.eu/vulnerability/",  # e.g. https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-17599
     "FEDORA-": "https://bodhi.fedoraproject.org/updates/",  # e.g. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-06aa7dc422
     "FG-IR-": "https://www.fortiguard.com/psirt/",  # e.g. https://www.fortiguard.com/psirt/FG-IR-24-373
     "GHSA-": "https://github.com/advisories/",  # e.g. https://github.com/advisories/GHSA-58vj-cv5w-v4v6
     "GLSA": "https://security.gentoo.org/",  # e.g. https://security.gentoo.org/glsa/202409-32
+    "GO-": "https://pkg.go.dev/vuln/",  # e.g. https://pkg.go.dev/vuln/GO-2025-3703
     "JSDSERVER-": "https://jira.atlassian.com/browse/",  # e.g. https://jira.atlassian.com/browse/JSDSERVER-14872
     "KB": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=",  # e.g. https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0108401
     "KHV": "https://avd.aquasec.com/misconfig/kubernetes/",  # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045

dojo/tools/nmap/parser.py

@@ -43,11 +43,10 @@ def get_findings(self, file, test):
                 if host.find("hostnames/hostname[@type='PTR']") is not None
                 else None
             )
-            if fqdn is not None:
-                host_info += f"**FQDN:** {fqdn}\n"
+            for hosts in host.find("hostnames"):
+                host_info += "**" + hosts.attrib["type"] + ":** " + hosts.attrib["name"] + "\n"
 
             host_info += "\n\n"
-
             for os in host.iter("os"):
                 for os_match in os.iter("osmatch"):
                     if "name" in os_match.attrib:

helm/defectdojo/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.47.1"
+appVersion: "2.47.2"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.191
+version: 1.6.192
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap

requirements.txt

@@ -36,7 +36,7 @@ cryptography==45.0.3
 python-dateutil==2.9.0.post0
 pytz==2025.1
 redis==5.2.1
-requests==2.32.3
+requests==2.32.4
 sqlalchemy==2.0.41  # Required by Celery broker transport
 urllib3==2.4.0
 uWSGI==2.0.29

unittests/scans/cargo_audit/no_findings.json

@@ -1 +1,26 @@
-{"database":{"advisory-count":302,"last-commit":"7e4cbf6107145306ebb5002d66bcb98606a757fe","last-updated":"2021-05-12T01:59:58Z"},"lockfile":{"dependency-count":1},"settings":{"target_arch":null,"target_os":null,"severity":null,"ignore":[],"informational_warnings":["unmaintained"],"package_scope":null},"vulnerabilities":{"found":false,"count":0,"list":[]},"warnings":{}}
+{
+  "database": {
+    "advisory-count": 302,
+    "last-commit": "7e4cbf6107145306ebb5002d66bcb98606a757fe",
+    "last-updated": "2021-05-12T01:59:58Z"
+  },
+  "lockfile": {
+    "dependency-count": 1
+  },
+  "settings": {
+    "target_arch": null,
+    "target_os": null,
+    "severity": null,
+    "ignore": [],
+    "informational_warnings": [
+      "unmaintained"
+    ],
+    "package_scope": null
+  },
+  "vulnerabilities": {
+    "found": false,
+    "count": 0,
+    "list": []
+  },
+  "warnings": {}
+}