Merge pull request #12962 from DefectDojo/release/2.49.1

Release: Merge release into master from: release/2.49.1

Author: rossops

README.md

@@ -87,6 +87,7 @@ Navigate to `http://localhost:8080` to see your new instance!
     * [OAuth2/SAML2](https://docs.defectdojo.com/en/open_source/archived_docs/integrations/social-authentication/)
     * [LDAP](https://docs.defectdojo.com/en/open_source/ldap-authentication/)
 * [Supported tools](https://docs.defectdojo.com/en/connecting_your_tools/parsers/)
+* [How to Write Documentation Locally](/docs/README.md)
 
 ## Supported Installation Options
 

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.49.0",
+  "version": "2.49.1",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docker/entrypoint-nginx.sh

@@ -20,6 +20,10 @@ else
   NGINX_CONFIG="/etc/nginx/nginx.conf"
 fi
 
+if ! ip -6 addr show dev lo | grep -q 'inet6 ::1'; then
+    sed -i '/listen \[::\]:/d' "$NGINX_CONFIG"
+fi
+
 if [ "${NGINX_METRICS_ENABLED}" = true ]; then
   sed -i "s/#stub_status/stub_status/g;" $NGINX_CONFIG
   echo "Nginx metrics are enabled"

docker/entrypoint-unit-tests-devDocker.sh

@@ -73,15 +73,15 @@ echo "Unit Tests"
 echo "------------------------------------------------------------"
 
 # Removing parallel and shuffle for now to maintain stability
-# python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
-#     exit 1;
-# }
-# python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
-#     exit 1;
-# }
+python3 manage.py test unittests -v 3 --keepdb --no-input --exclude-tag="non-parallel" || {
+    exit 1;
+}
+python3 manage.py test unittests -v 3 --keepdb --no-input --tag="non-parallel" || {
+    exit 1;
+}
 
 # you can select a single file to "test" unit tests
-python3 manage.py test unittests.test_importers_performance.TestDojoImporterPerformance --keepdb -v 3 &> /app/dev2.log
+# python3 manage.py test unittests.test_importers_performance.TestDojoImporterPerformance --keepdb -v 3 &> /app/dev2.log
 
 # or even a single method
 # python3 manage.py test unittests.tools.test_npm_audit_scan_parser.TestNpmAuditParser.test_npm_audit_parser_many_vuln_npm7 --keepdb -v 3

docs/README.md

@@ -0,0 +1,64 @@
+# Guide to Writing Documentation
+
+When developing documentation, there are steps to take before submitting a pull request
+
+1. Writing your documentation with [hot reloading](#development-with-hot-reloading) live in your browser
+2. Verifying your changes with a [production build](#mimic-production-environment) to ensure Hugo will minify everything correctly
+
+## Development with Hot Reloading
+
+This method performs the following from the `django-DefectDojo/docs` directory:
+
+1. Remove any existing packages to perform a fresh install each time: `rm -rf public node_modules`
+2. Install all packages: `npm install`
+3. Start the server: `npm run dev`
+4. Access the [site in the browser at http://localhost:1313](http://localhost:1313)
+
+### Execution List
+
+```bash
+rm -rf public node_modules
+npm install
+npm run dev
+```
+
+or for a one liner:
+
+```bash
+rm -rf public node_modules && \
+npm install && \
+npm run dev
+```
+
+## Mimic Production Environment
+
+This method performs the following from the `django-DefectDojo/docs` directory:
+
+1. Remove any existing packages to perform a fresh install each time: `rm -rf public node_modules`
+2. Install all packages in CI mode to only install from `package-lock.json`: `npm ci`
+3. Run Hugo to build the site in the way the CI job does, but in development environment to point at `localhost` for integrity checks : `npm run build -- --environment development`
+4. Change directory to the new `public` directory to run the site locally: `cd public`
+5. Run a light weight webserver to server the files, and [access the site at http://localhost:8080](http://localhost:8080): `python3 -m http.server 8080`
+6. After killing the webserver process, navigate back to the `django-DefectDojo/docs` directory: `cd ../`
+
+### Execution List
+
+```bash
+rm -rf public node_modules
+npm ci
+npm run build -- --environment development
+cd public
+python3 -m http.server 8080
+cd ../
+```
+
+or for a one liner:
+
+```bash
+rm -rf public node_modules && \
+npm ci && \
+npm run build -- --environment development && \
+cd public && \
+python3 -m http.server 8080 && \
+cd ../
+```

docs/assets/scss/app.scss

@@ -1,62 +1,62 @@
 // Source: https://getbootstrap.com/docs/5.3/customize/sass/#importing
 
 // 1. Include functions first (so you can manipulate colors, SVGs, calc, etc)
-@import "bootstrap/scss/functions";
+@import "node_modules/bootstrap/scss/functions";
 
 // 2. Include any default variable overrides here
 @import "common/colors";
 @import "common/variables-overrides";
 @import "common/variables-custom";
 
 // 3. Include remainder of required Bootstrap stylesheets (including any separate color mode stylesheets)
-@import "bootstrap/scss/variables";
-@import "bootstrap/scss/variables-dark";
+@import "node_modules/bootstrap/scss/variables";
+@import "node_modules/bootstrap/scss/variables-dark";
 
 // 4. Include any default map overrides here
 
 // 5. Include remainder of required parts
-@import "bootstrap/scss/maps";
-@import "bootstrap/scss/mixins";
-@import "bootstrap/scss/root";
+@import "node_modules/bootstrap/scss/maps";
+@import "node_modules/bootstrap/scss/mixins";
+@import "node_modules/bootstrap/scss/root";
 
 // 6. Optionally include any other parts as needed
 
 // Layout & components
-@import "bootstrap/scss/utilities";
-@import "bootstrap/scss/reboot";
-@import "bootstrap/scss/type";
-@import "bootstrap/scss/images";
-@import "bootstrap/scss/containers";
-@import "bootstrap/scss/grid";
-@import "bootstrap/scss/helpers";
-@import "bootstrap/scss/tables";
-@import "bootstrap/scss/forms";
-@import "bootstrap/scss/buttons";
-@import "bootstrap/scss/transitions";
-@import "bootstrap/scss/dropdown";
-@import "bootstrap/scss/button-group";
-@import "bootstrap/scss/nav";
-@import "bootstrap/scss/navbar";
-@import "bootstrap/scss/card";
-@import "bootstrap/scss/accordion";
-@import "bootstrap/scss/breadcrumb";
-@import "bootstrap/scss/pagination";
-@import "bootstrap/scss/badge";
-@import "bootstrap/scss/alert";
-@import "bootstrap/scss/progress";
-@import "bootstrap/scss/list-group";
-@import "bootstrap/scss/close";
-@import "bootstrap/scss/toasts";
-@import "bootstrap/scss/modal";
-@import "bootstrap/scss/tooltip";
-@import "bootstrap/scss/popover";
-@import "bootstrap/scss/carousel";
-@import "bootstrap/scss/spinners";
-@import "bootstrap/scss/offcanvas";
-@import "bootstrap/scss/placeholders";
+@import "node_modules/bootstrap/scss/utilities";
+@import "node_modules/bootstrap/scss/reboot";
+@import "node_modules/bootstrap/scss/type";
+@import "node_modules/bootstrap/scss/images";
+@import "node_modules/bootstrap/scss/containers";
+@import "node_modules/bootstrap/scss/grid";
+@import "node_modules/bootstrap/scss/helpers";
+@import "node_modules/bootstrap/scss/tables";
+@import "node_modules/bootstrap/scss/forms";
+@import "node_modules/bootstrap/scss/buttons";
+@import "node_modules/bootstrap/scss/transitions";
+@import "node_modules/bootstrap/scss/dropdown";
+@import "node_modules/bootstrap/scss/button-group";
+@import "node_modules/bootstrap/scss/nav";
+@import "node_modules/bootstrap/scss/navbar";
+@import "node_modules/bootstrap/scss/card";
+@import "node_modules/bootstrap/scss/accordion";
+@import "node_modules/bootstrap/scss/breadcrumb";
+@import "node_modules/bootstrap/scss/pagination";
+@import "node_modules/bootstrap/scss/badge";
+@import "node_modules/bootstrap/scss/alert";
+@import "node_modules/bootstrap/scss/progress";
+@import "node_modules/bootstrap/scss/list-group";
+@import "node_modules/bootstrap/scss/close";
+@import "node_modules/bootstrap/scss/toasts";
+@import "node_modules/bootstrap/scss/modal";
+@import "node_modules/bootstrap/scss/tooltip";
+@import "node_modules/bootstrap/scss/popover";
+@import "node_modules/bootstrap/scss/carousel";
+@import "node_modules/bootstrap/scss/spinners";
+@import "node_modules/bootstrap/scss/offcanvas";
+@import "node_modules/bootstrap/scss/placeholders";
 
 // 7. Optionally include utilities API last to generate classes based on the Sass map in `_utilities.scss`
-@import "bootstrap/scss/utilities/api";
+@import "node_modules/bootstrap/scss/utilities/api";
 
 // 8. Add additional custom code here
 @import "common/fonts";
@@ -96,4 +96,4 @@ body {
 
 // 10. DocSearch
 @import "common/variables-docsearch";
-@import "@docsearch/css/dist/modal";
+@import "node_modules/@docsearch/css/dist/modal";

docs/config/development/hugo.toml

@@ -0,0 +1,2 @@
+# Overrides for production environment
+baseurl = "http://localhost/"

docs/config/production/hugo.toml

@@ -1,3 +1,2 @@
 # Overrides for production environment
-# baseurl = "https://documentation.defectdojo.com/"
-baseurl = "https://docs.defectdojo.com"
+baseurl = "https://docs.defectdojo.com"

docs/content/en/connecting_your_tools/parsers/file/snyk_issue_api.md

@@ -0,0 +1,63 @@
+---
+title: "Snyk Issue API"
+toc_hide: true
+---
+The Snyk Issue API parser supports importing vulnerability data from the Snyk Issue API in JSON format. Currently only parsing issues of type `code` is supported. Samples of ther issue types are welcome.
+
+For more information about the Snyk Issue API, refer to the [official Snyk API documentation](https://docs.snyk.io/snyk-api/reference/issues#get-orgs-org_id-issues).
+
+### API request
+Example API request to get only code issues:
+```
+GET https://api.snyk.io/rest/orgs/{org_id}/issues?version=2025-08-02&type=code
+```
+
+For more details see: https://docs.snyk.io/snyk-api/reference/issues#get-orgs-org_id-issues
+
+### Sample Scan Data
+Sample Snyk Issue API scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/snyk_issue_api).
+
+### Field Mapping
+The parser maps fields from the Snyk Issue API response to DefectDojo's Finding model as follows:
+
+| Finding Field | Snyk Issue API Field | Notes |
+|--------------|---------------------|-------|
+| title | attributes.title | |
+| severity | attributes.effective_severity_level | Mapped to Critical/High/Medium/Low/Info |
+| description | attributes.description | |
+| unique_id_from_tool | id | Top-level issue ID |
+| file_path | coordinates[].representations[].sourceLocation.file | First occurrence |
+| line | coordinates[].representations[].sourceLocation.region.start.line | Line where the issue starts |
+| date | attributes.created_at | ISO format date |
+| cwe | classes[].id | First CWE class found |
+| active | attributes.status == "open" AND NOT attributes.ignored | Inactive if ignored or not open |
+| verified | true | Always set to true |
+| static_finding | true | Always set to true |
+| dynamic_finding | false | Always set to false |
+| out_of_scope | attributes.ignored | Set to true if issue is ignored |
+| fix_available* | coordinates[].is_fixable_* | True if any fixability flag is true.  |
+
+#### Impact Field
+The impact field combines multiple pieces of information:
+1. Problem details:
+   - Source (e.g., "SNYK")
+   - Type (e.g., "vulnerability")
+   - Last update timestamp
+   - Severity level
+2. All source locations, each containing:
+   - File path
+   - Commit ID
+   - Line range (start-end)
+   - Column range (start-end)
+
+#### Additional Processing
+- Multiple CWEs are handled by using the first one as the primary CWE and listing additional ones in the references field
+- Risk scores are included in the severity_justification field when available
+- Only issues with type="code" are processed
+- Line numbers: Only the starting line is stored in the Finding model, but both start and end lines are included in the impact field for reference
+
+### Default Deduplication Hashcode Fields
+By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
+
+- unique id from tool
+- file path

docs/content/en/open_source/notification_webhooks/engagement_added.md

@@ -34,6 +34,14 @@ X-DefectDojo-Event: engagement_added
     },
     "url_api": "http://localhost:8080/api/v2/engagements/7/",
     "url_ui": "http://localhost:8080/engagement/7",
-    "user": null
+    "user": {
+        "id": 1,
+        "email": "[email protected]",
+        "first_name": "Admin",
+        "last_name": "User",
+        "username": "admin",
+        "url_api": "http://localhost:8080/api/v2/users/1/",
+        "url_ui": "http://localhost:8080/user/1"
+    }
 }
 ```