Checkmarx cxflow xml support #15090
Draft
goutham-hari wants to merge 806 commits into
…x/2.58.1-2.59.0-dev Release: Merge back 2.58.1 into bugfix from: master-into-bugfix/2.58.1-2.59.0-dev
….58.1-2.59.0-dev Release: Merge back 2.58.1 into dev from: master-into-dev/2.58.1-2.59.0-dev
…t.yaml) (DefectDojo#14813) * Update valkey Docker tag from 0.20.0 to v0.20.1 (helm/defectdojo/Chart.yaml) * update Helm documentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…hub/workflows/test-helm-chart.yml) (DefectDojo#14814) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…s/pr-labeler.yml) (DefectDojo#14815) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…3 (.github/workflows/test-helm-chart.yml) (DefectDojo#14816) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…tDojo#14817) Bumps [easymde](https://github.com/Ionaru/easy-markdown-editor) from 2.20.0 to 2.21.0. - [Changelog](https://github.com/Ionaru/easy-markdown-editor/blob/master/CHANGELOG.md) - [Commits](Ionaru/easy-markdown-editor@2.20.0...2.21.0) --- updated-dependencies: - dependency-name: easymde dependency-version: 2.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 26.1.0 to 26.2.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](pyca/pyopenssl@26.1.0...26.2.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-version: 26.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…o#14821) Bumps [django-polymorphic](https://github.com/django-commons/django-polymorphic) from 4.11.2 to 4.11.3. - [Release notes](https://github.com/django-commons/django-polymorphic/releases) - [Commits](django-commons/django-polymorphic@v4.11.2...v4.11.3) --- updated-dependencies: - dependency-name: django-polymorphic dependency-version: 4.11.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [psycopg](https://github.com/psycopg/psycopg) from 3.3.3 to 3.3.4. - [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news.rst) - [Commits](psycopg/psycopg@3.3.3...3.3.4) --- updated-dependencies: - dependency-name: psycopg dependency-version: 3.3.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.49 to 3.1.50. - [Release notes](https://github.com/gitpython-developers/GitPython/releases) - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES) - [Commits](gitpython-developers/GitPython@3.1.49...3.1.50) --- updated-dependencies: - dependency-name: gitpython dependency-version: 3.1.50 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#14825) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.4.14 to 2026.5.1. - [Commits](tfranzel/drf-spectacular-sidecar@2026.4.14...2026.5.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2026.5.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ojo#14826) Bumps [social-auth-app-django](https://github.com/python-social-auth/social-app-django) from 5.8.0 to 5.9.0. - [Release notes](https://github.com/python-social-auth/social-app-django/releases) - [Changelog](https://github.com/python-social-auth/social-app-django/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-app-django@5.8.0...5.9.0) --- updated-dependencies: - dependency-name: social-auth-app-django dependency-version: 5.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update changelog for May 2026 release (v2.58.0) with new features and improvements * Update changelog for v2.58.1 release with new features and bug fixes
…Dojo#14811)

* test: pin query-count baselines for tag inheritance hot paths

Adds unittests/test_tag_inheritance_perf.py with assertNumQueries baselines on the six hottest tag inheritance paths (Product tag add/remove propagating to N findings, child create under inheritance, sticky enforcement on child tag edits). Numbers are pinned against current `dev` behavior so subsequent optimization work shows up as concrete query-count reductions instead of relying on manual benchmarking. The class is intentionally temporary: pins move down as the redesign work lands and the file can be deleted once the targets are met.

* test: add Endpoint (V2) and Location (V3) propagation baselines

Extends the perf test class with two more pinned hot paths so all child models exercised by `propagate_tags_on_product_sync` are covered:

    product_tag_add -> 100 endpoints (V2) : 3958
    product_tag_remove -> 100 endpoints (V2): 3740
    product_tag_add -> 100 locations (V3) : 4532
    product_tag_remove -> 100 locations (V3): 4307

Both V2 and V3 paths run regardless of the ambient `V3_FEATURE_LOCATIONS` setting via per-test `@override_settings(...)`. CI matrix runs the suite in both modes, so dynamic pin selection (`_pin(v2=..., v3=...)`) handles the small per-mode count differences on the existing finding tests.

* test: add ZAP import/reimport baselines + V2/V3 variants for every scenario

Two additions:

1. New TagInheritanceImportPerfBaselines class pins query counts for the importer hot path (production's heaviest tag-inheritance scenario). Both first-import and no-change-reimport are covered, each with V2 and V3 method variants:

    zap_import_v2 : 1461
    zap_import_v3 : 1319
    zap_reimport_no_change_v2 : 77
    zap_reimport_no_change_v3 : 95

2. Restructures the existing baseline class so every scenario has both a _v2 and _v3 method variant via per-test @override_settings. The whole suite now runs both modes in a single invocation; no need to run twice with different DD_V3_FEATURE_LOCATIONS env.

Phase A leaves the importer numbers ~unchanged (importer hot loop is creation-driven, not the bulk-propagation path Phase A targets). Phase B's tag_inheritance.batch() context manager is the lever that lowers these numbers.

* test: warm ContentType cache in tag inheritance perf baselines

First V3 Location op in the class paid a one-time ContentType lookup, producing a matrix-dependent off-by-one (V3-default-on CI: 4531; V3-default-off CI + local: 4532). Match the warm-up pattern used in test_importers_performance and pin EXPECTED_PRODUCT_TAG_ADD_100_LOCATIONS to the post-warm value (4531).
…yml) (DefectDojo#14831) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…async_dupe_delete (DefectDojo#14797) Replace per-row Finding.delete() loop with bulk_delete_findings (raw SQL cascade) and move excess-duplicate selection fully into the DB via a correlated subquery that counts newer siblings per original. select_related + only() eliminate the N+1 product lookup.
Co-authored-by: Полищук Дмитрий Юрьевич <dmitriy.polishchuk@eltex.loc> Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* test: add background param to import all unit tests command

* endpoint: optimize __eq__ via product_id

* perf(delete-preview): add preview mode to cascade walker and bulk_delete_findings

cascade_delete_related_objects gains preview=False, counter=None params. When preview=True, COUNT(*) instead of DELETE, accumulate into counter. async_delete_task gains preview=False — dry-run mode returns a Counter. bulk_delete_findings gains preview=False — returns per_product dict without deleting or recording usage. Also fix Endpoint.__eq__ N+1: use product_id instead of self.product FK.

* refactor(delete-preview): remove preview mode from async_delete_task

Delete preview now goes through cascade_delete_related_objects(preview=True) directly from the mixin, so async_delete_task no longer needs a preview path.

* perf(delete-preview): add preview_models param to skip untracked COUNT queries

When preview_models is set, only COUNT models whose __name__ is in the set. Recursion still descends through all models to reach tracked descendants.

* feat(delete-preview): add preview mode to prepare_duplicates_for_delete

When preview=True, returns count of outside-scope findings that would be deleted (non-zero only when DUPLICATE_CLUSTER_CASCADE_DELETE=True). No data is modified in preview mode.

* test(delete-preview): add preview mode tests for cascade walker and prepare_duplicates_for_delete

- TestCascadeDeletePreviewModels: verifies preview_models filters COUNT queries while still recursing through all models
- TestPrepareDuplicatesForDeletePreview: verifies preview=True returns correct outside-scope duplicate count without modifying any data

* rename to preview_only
…efectDojo#14790) * Add 'Mitigation Available' filter to ApiFindingFilter and ReportFindingFilterHelper * Add unit tests for mitigation filters in Finding model * test: added mitigation filter unit tests & fix finding reporter setup : * Fix syntax by adding trailing commas in filter queries for consistency * fix: add descriptions to products in mitigation filter tests --------- Co-authored-by: YBG Ben <benedictnema@gmail.com> Co-authored-by: Phasakorn <pchivatx@andrew.cmu.edu>
…reate (DefectDojo#14812)

Replaces the per-row `.save()` loop in `propagate_tags_on_product_sync` with bulk SQL through the existing tag-utils helpers. For every child model (Engagement/Test/Finding/Endpoint/Location), reads current inherited_tags in one query, computes the per-child diff against the Product's tags, and applies adds/removes via `bulk_add_tag_mapping` and the new `bulk_remove_tags_from_instances` helper. Both `tags` and `inherited_tags` fields are kept in sync.

Also gates the per-child `inherit_tags_on_instance` post_save handler on `created=True`. The previous behavior fired on every save (create OR update), repeatedly re-applying inherited tags to children whose tag state had not changed. Sticky enforcement on user-driven tag edits is unchanged (still handled by `make_inherited_tags_sticky` on m2m_changed).

Pinned query-count baselines from PR DefectDojo#14811 drop accordingly:

    product_tag_add -> 100 findings : 4758 -> 91 (~52x fewer queries)
    product_tag_remove -> 100 findings : 4540 -> 53 (~85x fewer queries)

Sticky and child-creation paths are unchanged in this PR. Phase B targets those (centralized inheritance module + drop the duplicate `inherited_tags` TagField).
…th batch context manager (Phase B) (DefectDojo#14827)

* perf(tags): bulk-propagate inherited tags + gate child post_save on create

Replaces the per-row `.save()` loop in `propagate_tags_on_product_sync` with bulk SQL through the existing tag-utils helpers. For every child model (Engagement/Test/Finding/Endpoint/Location), reads current inherited_tags in one query, computes the per-child diff against the Product's tags, and applies adds/removes via `bulk_add_tag_mapping` and the new `bulk_remove_tags_from_instances` helper. Both `tags` and `inherited_tags` fields are kept in sync.

Also gates the per-child `inherit_tags_on_instance` post_save handler on `created=True`. The previous behavior fired on every save (create OR update), repeatedly re-applying inherited tags to children whose tag state had not changed. Sticky enforcement on user-driven tag edits is unchanged (still handled by `make_inherited_tags_sticky` on m2m_changed).

Pinned query-count baselines from PR DefectDojo#14811 drop accordingly:

    product_tag_add -> 100 findings : 4758 -> 91 (~52x fewer queries)
    product_tag_remove -> 100 findings : 4540 -> 53 (~85x fewer queries)

Sticky and child-creation paths are unchanged in this PR. Phase B targets those (centralized inheritance module + drop the duplicate `inherited_tags` TagField).

* perf(tags): replace process-global signal disconnect with thread-local batch context

Adds dojo/tag_inheritance.py with a thread-local batch() context manager and is_in_batch() predicate. While the calling thread is inside a batch, make_inherited_tags_sticky (m2m_changed) early-returns; the calling code takes responsibility for applying inheritance in bulk.

Replaces the previous pattern in dojo/importers/location_manager.py:556:

    disconnected = signals.m2m_changed.disconnect(
        make_inherited_tags_sticky,
        sender=Location.tags.through,
    )
    try:
        ...
    finally:
        if disconnected:
            signals.m2m_changed.connect(...)

Signal.disconnect mutates Django's process-global receiver list and is not thread-safe. While disconnected, every thread/greenlet in the same process loses sticky enforcement. Safe only under Celery --pool=prefork and single-threaded gunicorn; broken under --pool=threads|gevent|eventlet, gunicorn --threads >1, or ASGI threadpools. Also fragile on hard process exit mid-import (handler stays disconnected for the rest of the process lifetime).

The new batch context lives in threading.local(): each thread has its own depth counter, the signal handler stays globally connected, and the suppression decision is per-thread. No global mutation, no reconnect hazard.

This is Phase B Stage 1. Subsequent stages will wrap the broader importer orchestration in batch(), replace the duplicate inherited_tags TagField with a JSON column, and drop _manage_inherited_tags / per-model inherit_tags().

Pinned perf-test note: V3 zap_scan_import baseline rises 1243 -> 1263 (~1.6%). The previous process-global disconnect was narrower in scope (Location.tags.through only); the batch context covers all child-tag through-tables. Net trade is positive given the threading bug fix; full Phase B reductions arrive in later stages.

* variable naming
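The threading argument in the commit message above can be made concrete without Django. The following is an added example, not DefectDojo's dojo/tag_inheritance.py: it models the per-thread batch() / is_in_batch() scope the commit describes beside a process-global flag standing in for Signal.disconnect(), then runs an "importer" thread inside each scope while a second thread fires the sticky handler. The handler, the scope names and the two-thread harness are hypothetical stand-ins; only the thread-local depth-counter design comes from the commit text.

```python
import threading
from contextlib import contextmanager

# Per-thread batch state (hypothetical stand-in for the module the commit adds).
_local = threading.local()


def is_in_batch() -> bool:
    """Suppression decision for the *calling* thread only."""
    return getattr(_local, "depth", 0) > 0


@contextmanager
def batch():
    """Re-entrant per-thread scope; nested batch() calls just bump the depth,
    and the finally clause restores it even if the batch body raises."""
    _local.depth = getattr(_local, "depth", 0) + 1
    try:
        yield
    finally:
        _local.depth -= 1


# The pattern being replaced, reduced to its essence: one process-wide flag
# that plays the role of disconnecting the receiver from the global list.
_global_disconnected = False


@contextmanager
def global_disconnect():
    global _global_disconnected
    _global_disconnected = True
    try:
        yield
    finally:
        _global_disconnected = False


def is_globally_disconnected() -> bool:
    return _global_disconnected


def sticky_handler(suppressed: bool) -> bool:
    """Stand-in for the m2m_changed receiver: True means it enforced stickiness."""
    return not suppressed


def run_concurrent(scope, suppressed) -> dict:
    """Thread A runs an 'import' inside `scope`; thread B edits tags meanwhile.
    Returns whether the handler enforced for each call site."""
    results = {}
    a_inside, b_done = threading.Event(), threading.Event()

    def importer():
        with scope():
            a_inside.set()
            b_done.wait(timeout=5)
            results["importer"] = sticky_handler(suppressed())
        results["importer_after"] = sticky_handler(suppressed())

    def unrelated_request():
        a_inside.wait(timeout=5)
        results["other_thread"] = sticky_handler(suppressed())
        b_done.set()

    threads = [threading.Thread(target=importer), threading.Thread(target=unrelated_request)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def compare() -> dict:
    """Same two-thread scenario under both designs."""
    return {
        "thread_local": run_concurrent(batch, is_in_batch),
        "global_flag": run_concurrent(global_disconnect, is_globally_disconnected),
    }


def nested_and_exception() -> tuple:
    """Nested batches stay suppressed until the outermost exits; an exception
    mid-batch still leaves the thread unsuppressed afterwards."""
    with batch():
        with batch():
            inner = is_in_batch()
        still = is_in_batch()
    after = is_in_batch()
    try:
        with batch():
            raise RuntimeError("import failed mid-batch")
    except RuntimeError:
        pass
    return inner, still, after, is_in_batch()


if __name__ == "__main__":
    print(compare())
    print(nested_and_exception())
```

Under the thread-local design the unrelated thread's handler still enforces while the importer is batching; under the global flag it is silently skipped, which is exactly the cross-request loss of enforcement the commit describes for threaded workers.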
…o#14769)

* feat(parsers): add Xygeni JSON parser (SAST, SCA, Secrets)

Add a single first-party parser at dojo/tools/xygeni/ that handles three Xygeni JSON report kinds (SAST, SCA, Secrets) by dispatching on metadata.scanType. Mirrors the multi-scan-type pattern of rusty_hog, anchore_grype, checkmarx and sonarqube.

Pre-approval: DefectDojo#14755

* feat(parsers): configure Xygeni deduplication algorithms

Wire the three Xygeni scan types into DEDUPLICATION_ALGORITHM_PER_PARSER in settings.dist.py so re-imports dedup against the vendor-stable uniqueHash instead of the legacy heuristic:

- Xygeni SAST Scan, Xygeni Secrets Scan: DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL.
- Xygeni SCA Scan: DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE with HASHCODE_FIELDS_PER_SCANNER set to (vulnerability_ids, component_name, component_version) and HASHCODE_ALLOWS_NULL_CWE: True, enabling cross-tool dedup with other SCA parsers when a CVE matches a package at the same version.

Document the per-scan-type algorithm in the parser docs page.

Refs: DefectDojo#14755
…ectDojo#14835)

* remove: questionnaire API endpoints (announced 2.56, EOL in 2.59)

Removes the five deprecated questionnaire REST endpoints and their backing viewsets/serializers. The questionnaire UI feature itself (under dojo/survey/) and all underlying models stay untouched — this PR only removes the API surface that was announced for removal in DefectDojo 2.56.0 and is now end-of-life per the 2.59 release notes.

Endpoints removed:
- /api/v2/questionnaire_answered_questionnaires/
- /api/v2/questionnaire_answers/
- /api/v2/questionnaire_engagement_questionnaires/
- /api/v2/questionnaire_general_questionnaires/
- /api/v2/questionnaire_questions/

Drops the corresponding ViewSets, serializers, and the QuestionSubClassFieldsMixin / AnswerSubClassFieldsMixin helpers that existed solely to support these viewsets. Removes the matching endpoint registrations in dojo/urls.py and prunes the corresponding test classes from unittests/test_rest_framework.py and the expected-endpoint list in unittests/test_apiv2_methods_and_endpoints.py.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: add questionnaire models to no_api_models exclusion list

The questionnaire UI feature stays but the API surface is gone, so the Question / Answer / *_Survey models no longer have a serializer. The test_is_defined check requires every model to be either covered by a serializer or explicitly listed as no_api_models — add them there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* remove: Stub Findings (announced 2.57, EOL in 2.59)
Per the 2.59 release notes, retires the Stub Findings feature in its
entirety: UI, API, model, and DB table. Stub_Finding has no inbound
foreign keys, so the deletion is self-contained.
Endpoint removed (now `404`):
- /api/v2/stub_findings/
UI removed:
- /finding/<id>/promote, /stub_finding/<id>/add, /stub_finding/<id>/delete
- "Potential Findings" table on the test detail page (view_test.html)
- The quick-add-form JS handler that powered it
- The promote_to_finding.html template
Code deleted:
- `StubFindingsViewSet`, `StubFindingSerializer`, `StubFindingCreateSerializer`
- `add_stub_finding`, `delete_stub_finding`, `promote_to_finding` views
- `StubFindingForm`, `DeleteStubFindingForm`
- `get_authorized_stub_findings` query helper
- `get_stub_findings` method and call site in `dojo/test/views.py`
- `Stub_Finding` admin registration and model class
- The `Stub_Finding` branch in `dojo/authorization/authorization.py`
(now just `Finding` instead of `Finding | Stub_Finding`)
- The `Stub_Finding` early-return and union check in `dojo/jira/helper.py`
- Unit tests: `StubFindingsTest` (REST), `TestGetAuthorizedStubFindings`,
the two `test_user_has_permission_stub_finding_*` tests, and the three
Selenium tests in `tests/test_test.py`
- Dead `#stub_findings` JS in `view_objects.html` / `view_objects_eng.html`
Schema dropped via 0265_remove_stub_finding:
- `DeleteModel('Stub_Finding')`
The 2.59 upgrade doc already documents the removal; no doc update.
Note: PR 2 also adds a 0265_* migration. Whichever PR merges second
must rebase the migration filename and `dependencies` tuple accordingly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: ruff F401 + drop stub_finding refs from fixtures
- dojo/finding/views.py: drop now-unused `json` and `formats` imports
(the only callers were in the deleted stub-finding views).
- tests/test_test.py: drop the now-unused `on_exception_html_source_logger`
import.
- Remove dojo.stub_finding rows and watson.searchentry rows pointing at
that content type from all four data fixtures so loaddata stops
faulting.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: adjust deleted_objects count + drop dependent merge UI test
- unittests/test_rest_framework.py: EngagementTest.deleted_objects went
from 23 -> 21 because the cascading delete no longer pulls 2
Stub_Finding rows.
- tests/test_test.py: drop test_merge_findings (the integration test
needed two findings; the second one used to come from the stub
finding promote flow which is now gone). The merge functionality is
still covered by the unit tests.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…efectDojo#14838)

* Use a dedicated permission class for BurpRawRequestResponseViewSet

The top-level /api/v2/request_response_pairs/ viewset reused UserHasFindingRelatedObjectPermission, which is shaped for @action(detail=True) endpoints where DRF resolves the parent finding from the URL. On a top-level POST there is no parent object resolved yet, so the create flow only ran has_object_permission against the not-yet-saved row and effectively skipped any check on the client-supplied "finding" foreign key.

Introduce UserHasBurpRawRequestResponsePermission, which validates the parent finding against Finding_Edit on POST via check_post_permission, mirroring the pattern already used by UserHasFindingPermission, UserHasProductPermission, and the other parent-keyed viewsets. has_object_permission dereferences obj.finding for retrieve/update/delete so list/detail/PUT/PATCH/DELETE behavior is unchanged.

Add regression coverage in unittests/test_rest_framework.py asserting the positive control still works, that an authenticated user without membership cannot create a pair on a hidden finding, and that POSTs missing the finding key are rejected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Use versioned_fixtures for RequestResponsePairsAuthzTest

The dojo_testdata.json fixture contains Endpoint rows, which raise NotImplementedError in Endpoint.__init__ when V3_FEATURE_LOCATIONS is enabled. Mirror the surrounding API test classes by applying the @versioned_fixtures decorator so the locations-aware fixture is loaded on the V3 matrix leg.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
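The authorization gap in the commit above is a general one: an object-level permission hook cannot protect a create, because the row it would check does not exist yet, so the client-supplied parent key must be validated in the request-level hook. The following is an added example, not DefectDojo's code and not DRF: a framework-free model with a permission class shaped for detail actions beside a parent-keyed one, run through the three cases the commit's regression tests name. The classes, the simulated create view, and the sample users and findings are hypothetical stand-ins.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    id: int
    product: str


@dataclass
class RequestResponsePair:
    finding: Finding
    burp_request: str
    id: Optional[int] = None


# Constructed sample data: two products, one member each.
FINDINGS: Dict[int, Finding] = {1: Finding(1, "product-a"), 2: Finding(2, "product-b")}
MEMBERSHIP: Dict[str, Set[str]] = {"alice": {"product-a"}, "bob": {"product-b"}}


def user_has_finding_edit(user: str, finding: Finding) -> bool:
    """Stand-in for the Finding_Edit authorization check."""
    return finding.product in MEMBERSHIP.get(user, set())


class FindingRelatedObjectPermission:
    """Shaped for detail-action routes: it assumes the framework has already
    resolved the parent finding from the URL, so the request-level hook checks
    nothing. The object-level hook only ever sees a saved row, which a create
    does not have, so a top-level POST is never checked against the parent."""

    def has_permission(self, user: str, payload: Optional[dict]) -> bool:
        return True

    def has_object_permission(self, user: str, obj: RequestResponsePair) -> bool:
        return user_has_finding_edit(user, obj.finding)


class BurpRawRequestResponsePermission(FindingRelatedObjectPermission):
    """Parent-keyed shape: on POST, resolve the client-supplied 'finding' key
    and require Finding_Edit on that finding before anything is created.
    Retrieve/update/delete keep using the inherited object-level check."""

    def has_permission(self, user: str, payload: Optional[dict]) -> bool:
        if payload is None:            # non-create routes: object check applies later
            return True
        finding = FINDINGS.get(payload.get("finding"))
        if finding is None:            # missing or unknown parent key: reject
            return False
        return user_has_finding_edit(user, finding)


def create_pair(permission, user: str, payload: dict,
                store: List[RequestResponsePair]) -> int:
    """Simulated create endpoint. The request-level hook runs before the save;
    the object-level hook is not consulted on create because the row does not
    exist yet. Returns an HTTP-style status code."""
    if not permission.has_permission(user, payload):
        return 403
    finding = FINDINGS.get(payload.get("finding"))
    if finding is None:
        return 400
    store.append(RequestResponsePair(finding, payload["burp_request"], id=len(store) + 1))
    return 201


def run_regression() -> Dict[str, Dict[str, int]]:
    """The three cases from the commit's tests, under both permission shapes:
    positive control, a non-member creating on a hidden finding, and a POST
    with no finding key at all."""
    cases = {
        "positive_control": ("alice", {"finding": 1, "burp_request": "GET / HTTP/1.1"}),
        "hidden_finding": ("bob", {"finding": 1, "burp_request": "GET / HTTP/1.1"}),
        "missing_finding": ("alice", {"burp_request": "GET / HTTP/1.1"}),
    }
    results: Dict[str, Dict[str, int]] = {}
    for name, perm in (("reused", FindingRelatedObjectPermission()),
                       ("dedicated", BurpRawRequestResponsePermission())):
        store: List[RequestResponsePair] = []
        results[name] = {case: create_pair(perm, user, payload, store)
                         for case, (user, payload) in cases.items()}
    return results


if __name__ == "__main__":
    for name, outcome in run_regression().items():
        print(name, outcome)
```

With the reused class, bob's POST against a finding in a product he is not a member of is created (201); with the dedicated class it is refused (403), and a POST that omits the parent key is refused before the serializer runs rather than failing later as a validation error.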
…4836)

* remove: Credential Manager (announced 2.57, EOL in 2.59)

Per the 2.59 release notes, retires the Credential Manager feature in its entirety: UI, API, models, DB tables, and the system-settings toggle that gated it.

Endpoints removed (now `404`):
- /api/v2/credentials/
- /api/v2/credential_mappings/

UI removed:
- All `/cred/*`, `/product/<id>/cred/*`, `/engagement/<id>/cred/*`, `/test/<id>/cred/*`, `/finding/<id>/cred/*` routes
- "Credential Manager" sidebar entry and per-product Add/View Credentials shortcuts in the navbar
- Credential sections from view_test, view_eng, and view_finding

Code deleted:
- The entire `dojo/cred/` module (views, urls, signals, queries)
- All `*cred*.html` templates
- `CredMappingForm`, `CredMappingFormProd`, `CredUserForm` in forms.py
- `ApiCredentialsFilter` in filters.py
- `CredentialsViewSet`, `CredentialsMappingViewSet`, `CredentialSerializer`, `CredentialMappingSerializer`, `UserHasCredentialPermission`
- Selenium tests `tests/credential_test.py` and `tests/product_credential_test.py`
- The four `Credential_*` permissions and `Permissions.get_credential_permissions()`, plus their entries in every role's permission set
- The `Cred_Mapping` reverse-lookup blocks in test/finding/engagement views (and the `cred_form` plumbing in the import-scan flow)
- `Cred_User` from audit-log and pghistory tracking lists, including the `Cred_UserEvent` history table

Schema dropped via 0265_remove_credential_manager:
- `system_settings.enable_credentials` (no longer gates anything)
- `Cred_Mapping`, `Cred_User`, `Cred_UserEvent` models, with their pghistory triggers cleared first

The 2.59 upgrade doc already documents the removal; nothing to update in `docs/`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: ruff E302 + drop cred refs from fixtures

- dojo/authorization/roles_permissions.py: add the second blank line before get_roles_with_permissions() that ruff's E302 demands.
- Remove the now-orphan dojo.cred_user / dojo.cred_mapping entries from the three test fixtures, drop watson.searchentry rows pointing at those content types, and strip the gone enable_credentials field from System_Settings entries (the loaddata test was failing on it). The fixture normalization picks up small indentation diffs in unrelated sections (Python's json.dump uses one consistent indent) but the data is unchanged otherwise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: drop credential_manager refs from sample_data_locations fixture + matrix

- dojo/fixtures/defect_dojo_sample_data_locations.json: missed in the previous fixture sweep — strip enable_credentials, cred_user / cred_mapping rows, and the matching watson.searchentry rows so loaddata stops failing.
- .github/workflows/integration-tests.yml: drop the credential_test.py and product_credential_test.py entries from the UI test matrix; both files were deleted in this PR and CI was failing trying to run them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: drop cred_user from configuration permissions list

dojo/user/utils.py left a Permission_Helper(name="cred user", ...) in the configuration-permissions form that drives /user/<id>/edit_permissions and /group/<id>/edit_permissions. With Cred_User gone, the underlying view_cred_user / add_cred_user / change_cred_user / delete_cred_user django auth permissions no longer exist and the form 500s on save — which is what was breaking the group_test and user_test UI integration tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: drop malformed watson.searchentry rows left by bad merge

The merge of dev into this branch (2f8f682) collided on the watson search-entry rows: dev removed stub_finding entries while this branch removed cred_user entries, and the three-way merge dropped only the model name from each conflicting row, leaving six entries per fixture with content_type set to ['dojo'] (a one-element natural key). loaddata then failed with:

    ContentTypeManager.get_by_natural_key() missing 1 required positional argument: 'model'
    ... (watson.searchentry:pk=4) field_value was '['dojo']'

These rows pointed at the now-removed cred_user content type and were already supposed to be deleted (see 12d749f). Remove them from both fixture files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ithub/workflows/test-helm-chart.yml) (DefectDojo#15067) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…github/workflows/k8s-tests.yml) (DefectDojo#15068) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ile.integration-tests-debian) (DefectDojo#15069) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… v3.0.1 (.github/workflows/release-x-manual-helm-chart.yml) (DefectDojo#15070) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…tDojo#15071) Bumps [django-debug-toolbar](https://github.com/django-commons/django-debug-toolbar) from 6.3.0 to 7.0.0. - [Release notes](https://github.com/django-commons/django-debug-toolbar/releases) - [Changelog](https://github.com/django-commons/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@6.3.0...7.0.0) --- updated-dependencies: - dependency-name: django-debug-toolbar dependency-version: 7.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.16 to 0.15.19. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.15.16...0.15.19) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.19 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [django-environ](https://github.com/joke2k/django-environ) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/joke2k/django-environ/releases) - [Changelog](https://github.com/joke2k/django-environ/blob/v0.14.0/CHANGELOG.rst) - [Commits](joke2k/django-environ@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: django-environ dependency-version: 0.14.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [redis](https://github.com/redis/redis-py) from 8.0.0 to 8.0.1. - [Release notes](https://github.com/redis/redis-py/releases) - [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES) - [Commits](redis/redis-py@v8.0.0...v8.0.1) --- updated-dependencies: - dependency-name: redis dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tDojo#15075) Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.3.10 to 0.3.11. - [Release notes](https://github.com/bpampuch/pdfmake/releases) - [Changelog](https://github.com/bpampuch/pdfmake/blob/master/CHANGELOG.md) - [Commits](bpampuch/pdfmake@0.3.10...0.3.11) --- updated-dependencies: - dependency-name: pdfmake dependency-version: 0.3.11 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… (.github/workflows/test-helm-chart.yml) (DefectDojo#15076) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…/workflows/validate_docs_build.yml) (DefectDojo#15077) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….23.1 (docker-compose.override.integration_tests.yml) (DefectDojo#15078) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…m v7.22.0 to v7.23.0 (dockerfile.integration-tests-debian) (DefectDojo#15079) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Maffooch (Contributor) requested changes, Jun 26, 2026:
Please rebase against dev branch