Merge pull request #13173 from DefectDojo/release/2.50.2

Release: Merge release into master from: release/2.50.2

Author: rossops

Dockerfile.nginx-alpine

@@ -34,6 +34,7 @@ RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
 
 
 FROM build AS collectstatic
+ARG COLLECT_DJANGO_DEBUG_TOOLBAR_STATIC=false
 RUN apk add nodejs npm
 RUN npm install -g yarn --force
 
@@ -52,7 +53,7 @@ RUN \
   yarn
 COPY manage.py ./
 COPY dojo/ ./dojo/
-RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
+RUN env DD_SECRET_KEY='.' DD_DJANGO_DEBUG_TOOLBAR_ENABLED=${COLLECT_DJANGO_DEBUG_TOOLBAR_STATIC} python3 manage.py collectstatic --noinput --verbosity=2 && true
 
 FROM nginx:1.29.1-alpine3.22@sha256:42a516af16b852e33b7682d5ef8acbd5d13fe08fecadc7ed98605ba5e3b26ab8
 ARG uid=1001

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.50.1",
+  "version": "2.50.2",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docker-compose.override.dev.yml

@@ -7,6 +7,7 @@ services:
     environment:
       PYTHONWARNINGS: error  # We are strict about Warnings during development
       DD_DEBUG: 'True'
+      DD_DJANGO_DEBUG_TOOLBAR_ENABLED: 'True'
       DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
       DD_EMAIL_URL: "smtp://mailhog:1025"
@@ -33,6 +34,11 @@ services:
       DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
   nginx:
+    build:
+      args:
+        COLLECT_DJANGO_DEBUG_TOOLBAR_STATIC: 'True'
+    environment:
+      DD_DJANGO_DEBUG_TOOLBAR_ENABLED: 'True'
     volumes:
       - './dojo/static/dojo:/usr/share/nginx/html/static/dojo'
   postgres:

docs/content/en/about_defectdojo/contact_defectdojo_support.md

@@ -16,7 +16,7 @@ For Open-Source users, the quickest way to get help is through the [OWASP Slack
 
 To report a bug, issues can be raised on our [GitHub](https://github.com/DefectDojo/django-DefectDojo).
 
-See our [Community Site](https://defectdojo.com/community) for more information.
+See our [Community Site](https://defectdojo.com/open-source) for more information.
 
 ## DefectDojo Pro Support
 

docs/content/en/changelog/changelog.md

@@ -10,6 +10,11 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Sept 2025: v2.50
 
+### Sept 9, 2025: v2.50.1
+
+* **(Tools)** Removed CSV limit for Qualys HackerGuardian
+* **(SSO)** Removed Force Password Reset for users created via SSO
+
 ### Sept 2, 2025: v2.50.0
 
 * **(Pro UI)** "Date During" filter has been added to the UI, allowing users to filter by a range of dates

docs/content/en/connecting_your_tools/parsers/file/generic.md

@@ -1,10 +1,12 @@
 ---
-title: "Generic Findings Import"
+title: 'Generic Findings Import'
 toc_hide: true
 ---
+
 Import Generic findings in CSV or JSON format.
 
 Attributes supported for CSV:
+
 - Date: Date of the finding in mm/dd/yyyy format.
 - Title: Title of the finding
 - CweId: Cwe identifier, must be an integer value.
@@ -18,13 +20,79 @@ Attributes supported for CSV:
 - Verified: Indicator if the finding has been verified. Must be empty, TRUE, or FALSE
 - FalsePositive: Indicator if the finding is a false positive. Must be TRUE, or FALSE.
 - Duplicate:Indicator if the finding is a duplicate. Must be TRUE, or FALSE
-- IsMitigated: Indicator if the finding is mitigated.  Must be TRUE, or FALSE
+- IsMitigated: Indicator if the finding is mitigated. Must be TRUE, or FALSE
 - MitigatedDate: Date the finding was mitigated in mm/dd/yyyy format or ISO format
+- epss_score: Finding [EPSS score](https://www.first.org/epss/)
+- epss_percentile: Finding [EPSS percentile](https://www.first.org/epss/articles/prob_percentile_bins)
+- CVSSV3: CVSSv3 verctor of the finding
+- CVSSV3_score: CVSSv3 score of the finding
+- CVSSV4: CVSSv4 vector of the finding
+- CVSSV4_score: CVSSv4 score of the finding
+- known_exploited: Indicator if the finding is listed in Known Exploited List. Must be TRUE, or FALSE
+- ransomware_used: Indicator if the finding is used in Ransomware. Must be TRUE, or FALSE
+- fix_available: Indicator if fix available for the finding. Must be TRUE, or FALSE
+- kev_date: Date the finding was added to Known Exploited Vulnerabilities list in mm/dd/yyyy format or ISO format.
 
 The CSV expects a header row with the names of the attributes.
 
 Date fields are parsed using [dateutil.parse](https://dateutil.readthedocs.io/en/stable/parser.html) supporting a variety of formats such a YYYY-MM-DD or ISO-8601.
 
+The list of supported fields in JSON format:
+
+- title: **Required.** String
+- severity: **Required.** One of the "Critical", "High", "Medium", "Low", "Info"
+- description: **Required.** String
+- date: Date
+- cwe: Int
+- cve: String
+- epss_score: Float
+- epss_percentile: Float
+- cvssv3: String
+- cvssv3_score: Float
+- cvssv4: String
+- cvssv4_score: Float
+- mitigation: String
+- impact: String
+- steps_to_reproduce: String
+- severity_justification: String
+- references: String
+- active: Bool
+- verified: Bool
+- false_p: Bool
+- out_of_scope: Bool
+- risk_accepted: Bool
+- under_review: Bool
+- is_mitigated: Bool
+- thread_id: String
+- mitigated: Bool
+- numerical_severity: Int
+- param: String
+- payload: String
+- line: Int
+- file_path: String
+- component_name: String
+- component_version: String
+- static_finding: Bool
+- dynamic_finding: Bool
+- scanner_confidence: Int
+- unique_id_from_tool: String
+- vuln_id_from_tool: String
+- sast_source_object: String
+- sast_sink_object: String
+- sast_source_line: Int
+- sast_source_file_path: String
+- nb_occurences: Int
+- publish_date: Date
+- service: String
+- planned_remediation_date: Date
+- planned_remediation_version: String
+- effort_for_fixing: One of the "High", "Medium", "Low"
+- tags: List of Strings
+- kev_date: Date
+- known_exploited: Bool
+- ransomware_used: Bool
+- fix_available: Bool
+
 Example of JSON format:
 
 ```JSON
@@ -39,13 +107,23 @@ Example of JSON format:
             "cve": "CVE-2020-36234",
             "cwe": 261,
             "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
+            "cvssv4_score": 7.3,
+            "known_exploited": true,
+            "ransomware_used": true,
+            "fix_available": true,
+            "kev_date": "2024-05-01",
             "file_path": "src/first.cpp",
             "line": 13,
             "endpoints": [
                 {
                     "host": "exemple.com"
                 }
-            ]
+            ],
+            "tags": [
+                "security",
+                "myTag"
+            ],
         },
         {
             "title": "test title with endpoints as strings",
@@ -144,9 +222,11 @@ Example:
 ```
 
 ### Sample Scan Data
+
 Sample Generic Findings Import scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/generic).
 
 ### Default Deduplication Hashcode Fields
+
 By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
 
 - title

docs/content/en/connecting_your_tools/parsers/file/github_vulnerability.md

@@ -183,8 +183,8 @@ def get_dependabot_alerts_repository(repo, owner):
         )
 
         result = request.json()
-        output_result["data"]["repository"]["name"] = result["data"]["repository"][
-            "name"
+        output_result["data"]["repository"]["nameWithOwner"] = result["data"]["repository"][
+            "nameWithOwner"
         ]
         output_result["data"]["repository"]["url"] = result["data"]["repository"]["url"]
         if result["data"]["repository"]["vulnerabilityAlerts"]["totalCount"] == 0:

docs/content/en/customize_dojo/user_management/configure_sso.md

@@ -564,6 +564,7 @@ You can also optionally set the following variables:
     DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ''),
     DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ''),
     DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ''),
+    DD_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT=(str, "Login with OIDC"),
     {{< /highlight >}}
 
 Once these variables have been set, restart DefectDojo. Log In With OIDC should now be added to the DefectDojo login page.

docs/layouts/index.html

@@ -44,7 +44,7 @@ <h2 class="h4">Create Reports</h2>
       <div class="row justify-content-center text-center">
         <div class="col-lg-5">
           <h2 class="h4">Join the Dojo community</h2>
-          <p>Check out live events, upcoming features and connect with other security professionals on our <a href="https://defectdojo.com/community">Community Page</a>.</p>
+          <p>Check out live events, upcoming features and connect with other security professionals on our <a href="https://defectdojo.com/open-source">Community Page</a>.</p>
         </div>
         <div class="col-lg-5">
           <h2 class="h4">Sign up for a trial</h2>

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.50.1"
+__version__ = "2.50.2"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"