Merge pull request #13008 from DefectDojo/release/2.49.2

Release: Merge release into master from: release/2.49.2

Author: rossops

README.md

@@ -24,18 +24,18 @@
     </tr>
  </table>
 
-![Screenshot of DefectDojo](https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/dev/docs/assets/images/screenshot1.png)
-
 [DefectDojo](https://www.defectdojo.com/) is a DevSecOps, ASPM (application security posture management), and
 vulnerability management tool.  DefectDojo orchestrates end-to-end security testing, vulnerability tracking,
 deduplication, remediation, and reporting.
 
 ## Demo
 
-Try out DefectDojo on our demo server at [demo.defectdojo.org](https://demo.defectdojo.org)
+Pro Edition: [pro.demo.defectdojo.com](https://pro.demo.defectdojo.com)
+
+Community Edition: [demo.defectdojo.org](https://demo.defectdojo.org)
 
-Log in with username `admin` and password `1Defectdojo@demo#appsec`. Please note that the demo is publicly accessible
-and regularly reset. Do not put sensitive data in the demo. An easy way to test Defect Dojo is to upload some [sample scan reports](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans).
+Either demo enviornment can be logged into with username `admin` and password `1Defectdojo@demo#appsec`. Please note that the demos are publicly accessible
+and reset every day. Do not put sensitive data in the demo. An easy way to test DefectDojo is to upload some [sample scan reports](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans).
 
 ## Quick Start for Compose V2
 
@@ -91,8 +91,9 @@ Navigate to `http://localhost:8080` to see your new instance!
 
 ## Supported Installation Options
 
+* [SaaS](https://cloud.defectdojo.com/accounts/onboarding/plg_step_1) - New UI, addittional features, includes support & supports the project
 * [Docker / Docker Compose](readme-docs/DOCKER.md)
-* [SaaS](https://www.defectdojo.com/) - Includes Support & Supports the Project
+
 
 ## Community, Getting Involved, and Updates
 
@@ -101,22 +102,20 @@ Navigate to `http://localhost:8080` to see your new instance!
 [<img src="https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/dev/docs/assets/images/Twitter_Logo.png" alt="Twitter" height="50"/>](https://twitter.com/defectdojo)
 [<img src="https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/dev/docs/assets/images/YouTube-Emblem.png" alt="Youtube" height="50"/>](https://www.youtube.com/channel/UCWw9qzqptiIvTqSqhOFuCuQ)
 
-[Join the OWASP Slack community](https://owasp.org/slack/invite) and participate in the discussion! You can find us in
+[Join the OWASP Slack Community](https://owasp.org/slack/invite) and participate in the discussion! You can find us in
 our channel there, [#defectdojo](https://owasp.slack.com/channels/defectdojo). Follow DefectDojo on
 [Twitter](https://twitter.com/defectdojo), [LinkedIn](https://www.linkedin.com/company/defectdojo), and
 [YouTube](https://www.youtube.com/channel/UCWw9qzqptiIvTqSqhOFuCuQ) for project updates!
 
 ## Contributing
 
-Please see our [contributing guidelines](readme-docs/CONTRIBUTING.md) for more
-information.
+Please see our [contributing guidelines](readme-docs/CONTRIBUTING.md) for details and standards on contributing __before__ considering or submitting a pull request.
 
 ## Pro Edition
-[Upgrade to DefectDojo Pro](https://www.defectdojo.com/) today to take your DevSecOps to 11. DefectDojo Pro is
-designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional
-smart features, tunable deduplication, and support from DevSecOps experts.
 
-Alternatively, for information please email [email protected]
+[Upgrade to DefectDojo Pro!](https://defectdojo.com/pricing) Pro transcends the do-it-yourself approach of open-source: A new UI, incredibile scalability, API connectors, ServiceNow, GitHub, GitLab, Azure DevOps, automatic data enrichment, prioritization, and more! See all the differentiators at the bottom of our pricing page: [defectdojo.com/pricing](https://defectdojo.com/pricing).
+
+Alternatively, for information please email [email protected]
 
 ## About Us
 

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.49.1",
+  "version": "2.49.2",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

docs/assets/images/findings_kev.png

@@ -8,6 +8,32 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
+## July 2025: v2.48
+
+### July 21/22/28, 2025: v2.48.3 / v2.48.4 / v2.48.5
+
+- No significant UI/UX changes.
+
+### July 14, 2025: v2.48.2
+
+- **(Findings)** KEV ([Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)) related data can now be added as metadata to Findings. 
+![image](images/findings_kev.png)
+
+### July 8, 2025: v2.48.1
+
+- **(Permissions)** Users with "Edit Users" configuration permission can now force password resets for other users.
+- **(Pro UI)** The Users listing now includes pre-filtered views for All, Active, Inactive, Superuser, and Global Owner users. The default view has been set to Active.
+- **(Pro UI)** Request/Response pairs are now displayed on Finding View.
+- **(Pro UI)** Product Technologies are now visible and can be created, edited and deleted from the View Product page, within the Product Overview’s “Technologies” section.
+- **(Pro UI)** Finding peer-review now supports the assignment of both Users and Groups, as well as an “Allow All Eligible Reviewers” (all users with access to the Finding) option.
+
+### July 1, 2025: v2.48
+
+- **(Pro UI)** Helptext has been added to the Private Note checkbox to better explain this feature.  Private Notes are Notes that will not appear in Generated Reports - only in the DefectDojo UI.  This feature can be used for internal communication that you don't want to include in a Report.
+
+- **(Pro UI)** Pro UI is now set as the default user interface. All new and existing users/instances will be directed to the Pro UI by default. Users can still opt-out of this UI by unchecking this checkbox:
+
+![image](images/pro_ui_default.png)
 
 ## June 2025: v2.47
 

docs/assets/images/integrators_1.png

@@ -201,7 +201,7 @@ defectdojo-cli import \
 #### Options
 
 `--active, -a` 
-* Dictates whether findings should be active on import. (default: true) `[$DD_CLI_ACTIVE]`
+* Dictates whether Findings should be forced to Active or Inactive on import.  A value of True forces Findings to Active, while a value of False forces all Findings to Inactive.  If no value is set, Active status will instead rely on the incoming report file. (default: unset) `[$DD_CLI_ACTIVE]`
 
 `--api-scan-configuration value, --asc value`
 * The ID of the API Scan Configuration object to use when importing or reimporting. (default: 0) `[$DD_CLI_API_SCAN_CONFIGURATION]`
@@ -216,6 +216,12 @@ defectdojo-cli import \
 `--auto-create-context, --acc`
 * If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_CLI_AUTO_CREATE_CONTEXT]`
 
+`--close-old-findings, --cof`
+* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the Findings for this Service will be closed. [$DD_CLI_CLOSE_OLD_FINDINGS]
+
+`--close-old-findings-product-scope, --cofps`
+* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_CLI_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
+
 `--deduplication-on-engagement, --doe`
 * If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_CLI_DEDUPLICATION_ON_ENGAGEMENT]`
 
@@ -250,7 +256,7 @@ defectdojo-cli import \
 * The version of the test. `[$DD_CLI_TEST_VERSION]`
 
 `--verified, -v`
-* Dictates whether findings should be verified on import. (default: false) `[$DD_CLI_VERIFIED]`
+* Dictates whether Findings should be set to Verified on import. A value of True forces Findings to Verified. If no value is set, Verified status will instead rely on the incoming report file. `[$DD_CLI_VERIFIED]`
 
 **Settings:**
 
@@ -320,7 +326,7 @@ example, x  Shows an example of required and optional flags for reimport operati
 #### Options
 
 `--active, -a`                                    
-* Dictates whether findings should be active on import. (default: true) `[$DD_CLI_ACTIVE]`
+* Dictates whether Findings should be forced to Active or Inactive on import.  A value of True forces Findings to Active, while a value of False forces all Findings to Inactive.  If no value is set, Active status will instead rely on the incoming report file. `[$DD_CLI_ACTIVE]`
 
 `--api-scan-configuration value, --asc value`
 
@@ -335,6 +341,12 @@ example, x  Shows an example of required and optional flags for reimport operati
 `--auto-create-context, --acc`                 
 * If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_CLI_AUTO_CREATE_CONTEXT]`
 
+`--close-old-findings, --cof`
+* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the findings for this Service will be closed.[$DD_CLI_CLOSE_OLD_FINDINGS]
+
+`--close-old-findings-product-scope, --cofps`
+* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_CLI_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
+
 `--deduplication-on-engagement, --doe`          
 * If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_CLI_DEDUPLICATION_ON_ENGAGEMENT]`
 
@@ -369,7 +381,7 @@ example, x  Shows an example of required and optional flags for reimport operati
 * The version of the test. `[$DD_CLI_TEST_VERSION]`
 
 `--verified, -v`                                   
-* Dictates whether findings should be set to Verified on import. (default: false) `[$DD_CLI_VERIFIED]`
+* Dictates whether Findings should be set to Verified on import. A value of True forces Findings to Verified.  If no value is set, Verified status will instead rely on the incoming report file. `[$DD_CLI_VERIFIED]`
 
 **Settings:**
 
@@ -687,7 +699,7 @@ universal-importer import \
 #### Options
 
 `--active, -a` 
-* Dictates whether findings should be active on import. (default: true) `[$DD_IMPORTER_ACTIVE]`
+* Dictates whether Findings should be forced to Active or Inactive on import.  A value of True forces Findings to Active, while a value of False forces all Findings to Inactive.  If no value is set, Active status will instead rely on the incoming report file. `[$DD_IMPORTER_ACTIVE]`
 
 `--api-scan-configuration value, --asc value`
 * The ID of the API Scan Configuration object to use when importing or reimporting. (default: 0) `[$DD_IMPORTER_API_SCAN_CONFIGURATION]`
@@ -702,6 +714,12 @@ universal-importer import \
 `--auto-create-context, --acc`
 * If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_IMPORTER_AUTO_CREATE_CONTEXT]`
 
+`--close-old-findings, --cof`
+* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the findings for this Service will be closed. [$DD_IMPORTER_CLOSE_OLD_FINDINGS]
+
+`--close-old-findings-product-scope, --cofps`
+* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_IMPORTER_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
+
 `--deduplication-on-engagement, --doe`
 * If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_IMPORTER_DEDUPLICATION_ON_ENGAGEMENT]`
 
@@ -736,7 +754,7 @@ universal-importer import \
 * The version of the test. `[$DD_IMPORTER_TEST_VERSION]`
 
 `--verified, -v`
-* Dictates whether findings should be verified on import. (default: false) `[$DD_IMPORTER_VERIFIED]`
+* Dictates whether Findings should be set to Verified on import. A value of True forces Findings to Verified.  If no value is set, Verified status will instead rely on the incoming report file. `[$DD_IMPORTER_VERIFIED]`
 
 **Settings:**
 
@@ -806,7 +824,7 @@ example, x  Shows an example of required and optional flags for reimport operati
 #### Options
 
 `--active, -a`                                    
-* Dictates whether findings should be active on import. (default: true) `[$DD_IMPORTER_ACTIVE]`
+* Dictates whether Findings should be forced to Active or Inactive on import.  A value of True forces Findings to Active, while a value of False forces all Findings to Inactive.  If no value is set, Active status will instead rely on the incoming report file. `[$DD_IMPORTER_ACTIVE]`
 
 `--api-scan-configuration value, --asc value`
 * The ID of the API Scan Configuration object to use when importing or reimporting. (default: 0) `[$DD_IMPORTER_API_SCAN_CONFIGURATION]`
@@ -820,6 +838,12 @@ example, x  Shows an example of required and optional flags for reimport operati
 `--auto-create-context, --acc`                 
 * If set to true, the importer automatically creates Engagements, Products, and Product_Types (default: false) `[$DD_IMPORTER_AUTO_CREATE_CONTEXT]`
 
+`--close-old-findings, --cof`
+* If True, old Findings no longer present in the report will be Closed as Mitigated when importing. If Service has been set, only the Findings for this Service will be closed. [$DD_IMPORTER_CLOSE_OLD_FINDINGS]
+
+`--close-old-findings-product-scope, --cofps`
+* Select if --close-old-findings applies to **all** Findings of the same type in the Product. By default, this is set to false, meaning that only old Findings of the same type in the Engagement are in scope (and will be closed by Close Old Findings). [$DD_IMPORTER_CLOSE_OLD_FINDINGS_PRODUCT_SCOPE]
+
 `--deduplication-on-engagement, --doe`          
 * If set to true, the importer restricts deduplication for imported findings to the newly created Engagement. (default: false) `[$DD_IMPORTER_DEDUPLICATION_ON_ENGAGEMENT]`
 
@@ -854,7 +878,7 @@ example, x  Shows an example of required and optional flags for reimport operati
 * The version of the test. `[$DD_IMPORTER_TEST_VERSION]`
 
 `--verified, -v`                                   
-* Dictates whether findings should be set to Verified on import. (default: false) `[$DD_IMPORTER_VERIFIED]`
+* Dictates whether Findings should be set to Verified on import. A value of True forces Findings to Verified. If no value is set, Verified status will instead rely on the incoming report file. (default: unset) `[$DD_IMPORTER_VERIFIED]`
 
 **Settings:**