Checkmarx cxflow xml support #15090

Draft
goutham-hari wants to merge 806 commits into DefectDojo:release/2.55.2 from goutham-hari:checkmarx-cxflow-xml-support

Conversation

@goutham-hari


⚠️ Pre-Approval check ⚠️

We don't want to waste your time, so if you're unsure whether your hypothetical enhancement meets the criteria for approval, please file an issue to get pre-approval before beginning work on a PR.
Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md#submission-pre-approval

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev branch.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is Ruff compliant (see ruff.toml).
  • Your code is python 3.13 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

Maffooch and others added 30 commits May 6, 2026 13:15
…x/2.58.1-2.59.0-dev

Release: Merge back 2.58.1 into bugfix from: master-into-bugfix/2.58.1-2.59.0-dev
….58.1-2.59.0-dev

Release: Merge back 2.58.1 into dev from: master-into-dev/2.58.1-2.59.0-dev
…t.yaml) (DefectDojo#14813)

* Update valkey Docker tag from 0.20.0 to v0.20.1 (helm/defectdojo/Chart.yaml)

* update Helm documentation

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…hub/workflows/test-helm-chart.yml) (DefectDojo#14814)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…s/pr-labeler.yml) (DefectDojo#14815)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…3 (.github/workflows/test-helm-chart.yml) (DefectDojo#14816)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…tDojo#14817)

Bumps [easymde](https://github.com/Ionaru/easy-markdown-editor) from 2.20.0 to 2.21.0.
- [Changelog](https://github.com/Ionaru/easy-markdown-editor/blob/master/CHANGELOG.md)
- [Commits](Ionaru/easy-markdown-editor@2.20.0...2.21.0)

---
updated-dependencies:
- dependency-name: easymde
  dependency-version: 2.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 26.1.0 to 26.2.0.
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](pyca/pyopenssl@26.1.0...26.2.0)

---
updated-dependencies:
- dependency-name: pyopenssl
  dependency-version: 26.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…o#14821)

Bumps [django-polymorphic](https://github.com/django-commons/django-polymorphic) from 4.11.2 to 4.11.3.
- [Release notes](https://github.com/django-commons/django-polymorphic/releases)
- [Commits](django-commons/django-polymorphic@v4.11.2...v4.11.3)

---
updated-dependencies:
- dependency-name: django-polymorphic
  dependency-version: 4.11.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [psycopg](https://github.com/psycopg/psycopg) from 3.3.3 to 3.3.4.
- [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news.rst)
- [Commits](psycopg/psycopg@3.3.3...3.3.4)

---
updated-dependencies:
- dependency-name: psycopg
  dependency-version: 3.3.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.49 to 3.1.50.
- [Release notes](https://github.com/gitpython-developers/GitPython/releases)
- [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES)
- [Commits](gitpython-developers/GitPython@3.1.49...3.1.50)

---
updated-dependencies:
- dependency-name: gitpython
  dependency-version: 3.1.50
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#14825)

Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.4.14 to 2026.5.1.
- [Commits](tfranzel/drf-spectacular-sidecar@2026.4.14...2026.5.1)

---
updated-dependencies:
- dependency-name: drf-spectacular-sidecar
  dependency-version: 2026.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ojo#14826)

Bumps [social-auth-app-django](https://github.com/python-social-auth/social-app-django) from 5.8.0 to 5.9.0.
- [Release notes](https://github.com/python-social-auth/social-app-django/releases)
- [Changelog](https://github.com/python-social-auth/social-app-django/blob/master/CHANGELOG.md)
- [Commits](python-social-auth/social-app-django@5.8.0...5.9.0)

---
updated-dependencies:
- dependency-name: social-auth-app-django
  dependency-version: 5.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update changelog for May 2026 release (v2.58.0) with new features and improvements

* Update changelog for v2.58.1 release with new features and bug fixes
…Dojo#14811)

* test: pin query-count baselines for tag inheritance hot paths

Adds unittests/test_tag_inheritance_perf.py with assertNumQueries baselines
on the six hottest tag inheritance paths (Product tag add/remove propagating
to N findings, child create under inheritance, sticky enforcement on child
tag edits). Numbers are pinned against current `dev` behavior so subsequent
optimization work shows up as concrete query-count reductions instead of
relying on manual benchmarking.

The class is intentionally temporary: pins move down as the redesign work
lands and the file can be deleted once the targets are met.

* test: add Endpoint (V2) and Location (V3) propagation baselines

Extends the perf test class with two more pinned hot paths so all child
models exercised by `propagate_tags_on_product_sync` are covered:

  product_tag_add  -> 100 endpoints (V2) : 3958
  product_tag_remove -> 100 endpoints (V2): 3740
  product_tag_add  -> 100 locations (V3) : 4532
  product_tag_remove -> 100 locations (V3): 4307

Both V2 and V3 paths run regardless of the ambient `V3_FEATURE_LOCATIONS`
setting via per-test `@override_settings(...)`. CI matrix runs the suite
in both modes, so dynamic pin selection (`_pin(v2=..., v3=...)`) handles
the small per-mode count differences on the existing finding tests.

* test: add ZAP import/reimport baselines + V2/V3 variants for every scenario

Two additions:

1. New TagInheritanceImportPerfBaselines class pins query counts for the
   importer hot path (production's heaviest tag-inheritance scenario).
   Both first-import and no-change-reimport are covered, each with V2
   and V3 method variants:

     zap_import_v2                : 1461
     zap_import_v3                : 1319
     zap_reimport_no_change_v2    : 77
     zap_reimport_no_change_v3    : 95

2. Restructures the existing baseline class so every scenario has both
   a _v2 and _v3 method variant via per-test @override_settings. The
   whole suite now runs both modes in a single invocation; no need to
   run twice with different DD_V3_FEATURE_LOCATIONS env.

Phase A leaves the importer numbers ~unchanged (importer hot loop is
creation-driven, not the bulk-propagation path Phase A targets). Phase
B's tag_inheritance.batch() context manager is the lever that lowers
these numbers.

* test: warm ContentType cache in tag inheritance perf baselines

First V3 Location op in the class paid a one-time ContentType lookup,
producing a matrix-dependent off-by-one (V3-default-on CI: 4531;
V3-default-off CI + local: 4532). Match the warm-up pattern used in
test_importers_performance and pin EXPECTED_PRODUCT_TAG_ADD_100_LOCATIONS
to the post-warm value (4531).
…yml) (DefectDojo#14831)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…async_dupe_delete (DefectDojo#14797)

Replace per-row Finding.delete() loop with bulk_delete_findings (raw SQL
cascade) and move excess-duplicate selection fully into the DB via a
correlated subquery that counts newer siblings per original.
select_related + only() eliminate the N+1 product lookup.
Co-authored-by: Полищук Дмитрий Юрьевич <dmitriy.polishchuk@eltex.loc>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
* test: add background param to import all unit tests command

* endpoint: optimize __eq__ via product_id

* perf(delete-preview): add preview mode to cascade walker and bulk_delete_findings

cascade_delete_related_objects gains preview=False, counter=None params.
When preview=True, COUNT(*) instead of DELETE, accumulate into counter.
async_delete_task gains preview=False — dry-run mode returns a Counter.
bulk_delete_findings gains preview=False — returns per_product dict without
deleting or recording usage.
Also fix Endpoint.__eq__ N+1: use product_id instead of self.product FK.

* refactor(delete-preview): remove preview mode from async_delete_task

Delete preview now goes through cascade_delete_related_objects(preview=True)
directly from the mixin, so async_delete_task no longer needs a preview path.

* perf(delete-preview): add preview_models param to skip untracked COUNT queries

When preview_models is set, only COUNT models whose __name__ is in the set.
Recursion still descends through all models to reach tracked descendants.

* feat(delete-preview): add preview mode to prepare_duplicates_for_delete

When preview=True, returns count of outside-scope findings that would be
deleted (non-zero only when DUPLICATE_CLUSTER_CASCADE_DELETE=True).
No data is modified in preview mode.

* test(delete-preview): add preview mode tests for cascade walker and prepare_duplicates_for_delete

- TestCascadeDeletePreviewModels: verifies preview_models filters COUNT queries
  while still recursing through all models
- TestPrepareDuplicatesForDeletePreview: verifies preview=True returns correct
  outside-scope duplicate count without modifying any data

* rename to preview_only
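The excess-duplicate selection from the async_dupe_delete commit above (a correlated subquery that counts newer siblings per original, followed by one bulk DELETE) and the preview_only mode the later delete-preview commits add to bulk_delete_findings, as one added example that is not DefectDojo's code. It runs against an in-memory SQLite table with constructed rows; the table name `finding`, the columns `product_id`, `duplicate_of` and `created`, the function names and the `max_dupes` parameter are assumptions for illustration, not the project's real schema or signatures.

```python
import sqlite3
from collections import Counter

# Constructed sample data (not DefectDojo's table or column names). Each row is a
# finding; duplicate_of points at the original it was deduplicated against.
SAMPLE_ROWS = [
    # id, product_id, duplicate_of, created
    (1, 10, None, "2026-05-01T00:00:00"),
    (2, 10, 1,    "2026-05-02T00:00:00"),
    (3, 10, 1,    "2026-05-03T00:00:00"),
    (4, 10, 1,    "2026-05-04T00:00:00"),
    (5, 10, 1,    "2026-05-05T00:00:00"),
    (6, 20, None, "2026-05-01T00:00:00"),
    (7, 20, 6,    "2026-05-02T00:00:00"),
    (8, 20, 6,    "2026-05-02T00:00:00"),  # same timestamp as 7: tie broken on id
    (9, 20, 6,    "2026-05-03T00:00:00"),
]


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE finding ("
        " id INTEGER PRIMARY KEY, product_id INTEGER NOT NULL,"
        " duplicate_of INTEGER REFERENCES finding(id), created TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO finding VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# A duplicate is "excess" when at least max_dupes siblings of the same original
# are newer than it, i.e. it falls outside the newest max_dupes per original.
# The ranking happens entirely inside the database via the correlated COUNT.
EXCESS_PREDICATE = """
    d.duplicate_of IS NOT NULL
    AND (
        SELECT COUNT(*) FROM finding AS s
        WHERE s.duplicate_of = d.duplicate_of
          AND (s.created > d.created OR (s.created = d.created AND s.id > d.id))
    ) >= :max_dupes
"""
SELECT_EXCESS = f"SELECT d.id, d.product_id FROM finding AS d WHERE {EXCESS_PREDICATE} ORDER BY d.id"
DELETE_EXCESS = f"DELETE FROM finding WHERE id IN (SELECT d.id FROM finding AS d WHERE {EXCESS_PREDICATE})"


def select_excess_duplicates(conn, max_dupes):
    """Return [(id, product_id)] of duplicates beyond the newest max_dupes per original."""
    if max_dupes < 1:
        raise ValueError("max_dupes must be >= 1")
    return conn.execute(SELECT_EXCESS, {"max_dupes": max_dupes}).fetchall()


def bulk_delete_findings(conn, max_dupes, preview_only=False):
    """Delete the excess duplicates with a single statement and return the
    per-product counts. With preview_only=True nothing is modified; the same
    predicate is only counted, which is the dry-run a caller can show before
    committing to a cascade delete."""
    with conn:  # one transaction, so the counts match what the DELETE removes
        rows = select_excess_duplicates(conn, max_dupes)
        per_product = dict(Counter(product_id for _, product_id in rows))
        if not preview_only and rows:
            conn.execute(DELETE_EXCESS, {"max_dupes": max_dupes})
    return per_product


def count_findings(conn):
    return conn.execute("SELECT COUNT(*) FROM finding").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("preview:", bulk_delete_findings(db, 2, preview_only=True), "rows:", count_findings(db))
    print("deleted:", bulk_delete_findings(db, 2), "rows:", count_findings(db))
```

The same correlated COUNT works unchanged on PostgreSQL; on very large tables a window function (ROW_NUMBER() OVER (PARTITION BY duplicate_of ORDER BY created DESC, id DESC)) is the usual alternative. The select and the delete share one predicate and one transaction so the preview numbers cannot drift from what is actually removed.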
…efectDojo#14790)

* Add 'Mitigation Available' filter to ApiFindingFilter and ReportFindingFilterHelper

* Add unit tests for mitigation filters in Finding model

* test: added mitigation filter unit tests & fix finding reporter setup

* Fix syntax by adding trailing commas in filter queries for consistency

* fix: add descriptions to products in mitigation filter tests

---------

Co-authored-by: YBG Ben <benedictnema@gmail.com>
Co-authored-by: Phasakorn <pchivatx@andrew.cmu.edu>
…reate (DefectDojo#14812)

Replaces the per-row `.save()` loop in `propagate_tags_on_product_sync`
with bulk SQL through the existing tag-utils helpers. For every child
model (Engagement/Test/Finding/Endpoint/Location), reads current
inherited_tags in one query, computes the per-child diff against the
Product's tags, and applies adds/removes via `bulk_add_tag_mapping` and
the new `bulk_remove_tags_from_instances` helper. Both `tags` and
`inherited_tags` fields are kept in sync.

Also gates the per-child `inherit_tags_on_instance` post_save handler on
`created=True`. The previous behavior fired on every save (create OR
update), repeatedly re-applying inherited tags to children whose tag
state had not changed. Sticky enforcement on user-driven tag edits is
unchanged (still handled by `make_inherited_tags_sticky` on m2m_changed).

Pinned query-count baselines from PR DefectDojo#14811 drop accordingly:

  product_tag_add  -> 100 findings : 4758 -> 91   (~52x fewer queries)
  product_tag_remove -> 100 findings : 4540 -> 53 (~85x fewer queries)

Sticky and child-creation paths are unchanged in this PR. Phase B
targets those (centralized inheritance module + drop the duplicate
`inherited_tags` TagField).
…th batch context manager (Phase B) (DefectDojo#14827)

* perf(tags): bulk-propagate inherited tags + gate child post_save on create

Replaces the per-row `.save()` loop in `propagate_tags_on_product_sync`
with bulk SQL through the existing tag-utils helpers. For every child
model (Engagement/Test/Finding/Endpoint/Location), reads current
inherited_tags in one query, computes the per-child diff against the
Product's tags, and applies adds/removes via `bulk_add_tag_mapping` and
the new `bulk_remove_tags_from_instances` helper. Both `tags` and
`inherited_tags` fields are kept in sync.

Also gates the per-child `inherit_tags_on_instance` post_save handler on
`created=True`. The previous behavior fired on every save (create OR
update), repeatedly re-applying inherited tags to children whose tag
state had not changed. Sticky enforcement on user-driven tag edits is
unchanged (still handled by `make_inherited_tags_sticky` on m2m_changed).

Pinned query-count baselines from PR DefectDojo#14811 drop accordingly:

  product_tag_add  -> 100 findings : 4758 -> 91   (~52x fewer queries)
  product_tag_remove -> 100 findings : 4540 -> 53 (~85x fewer queries)

Sticky and child-creation paths are unchanged in this PR. Phase B
targets those (centralized inheritance module + drop the duplicate
`inherited_tags` TagField).

* perf(tags): replace process-global signal disconnect with thread-local batch context

Adds dojo/tag_inheritance.py with a thread-local batch() context manager
and is_in_batch() predicate. While the calling thread is inside a batch,
make_inherited_tags_sticky (m2m_changed) early-returns; the calling code
takes responsibility for applying inheritance in bulk.

Replaces the previous pattern in dojo/importers/location_manager.py:556:

    disconnected = signals.m2m_changed.disconnect(
        make_inherited_tags_sticky, sender=Location.tags.through,
    )
    try:
        ...
    finally:
        if disconnected:
            signals.m2m_changed.connect(...)

Signal.disconnect mutates Django's process-global receiver list and is
not thread-safe. While disconnected, every thread/greenlet in the same
process loses sticky enforcement. Safe only under Celery --pool=prefork
and single-threaded gunicorn; broken under --pool=threads|gevent|eventlet,
gunicorn --threads >1, or ASGI threadpools. Also fragile on hard process
exit mid-import (handler stays disconnected for the rest of the process
lifetime).

The new batch context lives in threading.local(): each thread has its
own depth counter, the signal handler stays globally connected, and the
suppression decision is per-thread. No global mutation, no reconnect
hazard.

This is Phase B Stage 1. Subsequent stages will wrap the broader importer
orchestration in batch(), replace the duplicate inherited_tags TagField
with a JSON column, and drop _manage_inherited_tags / per-model
inherit_tags().

Pinned perf-test note: V3 zap_scan_import baseline rises 1243 -> 1263
(~1.6%). The previous process-global disconnect was narrower in scope
(Location.tags.through only); the batch context covers all child-tag
through-tables. Net trade is positive given the threading bug fix; full
Phase B reductions arrive in later stages.

* variable naming
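To show why the thread-local batch context fixes the threading bug the commit message describes, here is an added, framework-free example (not dojo/tag_inheritance.py itself and not Django's signal machinery): a `threading.local()` depth counter behind `batch()` and `is_in_batch()`, a stand-in receiver that early-returns inside a batch, and, for contrast, a process-global flag that models `Signal.disconnect()`. Two threads are choreographed with events so thread B fires strictly while thread A holds its batch open. Apart from `batch`, `is_in_batch` and `make_inherited_tags_sticky`, every name is an assumption for the example.

```python
import threading
from contextlib import contextmanager

# Thread-local batch depth (added example, modeled on the commit's description
# of dojo/tag_inheritance.py, not its actual code).
_state = threading.local()


def is_in_batch():
    """True only for the calling thread, and only while it is inside batch()."""
    return getattr(_state, "depth", 0) > 0


@contextmanager
def batch():
    """Suppress the sticky-tag receiver for the calling thread. Re-entrant:
    enforcement resumes when the outermost batch exits, and the counter is
    restored even if the body raises, so there is no 'stuck suppressed' state."""
    _state.depth = getattr(_state, "depth", 0) + 1
    try:
        yield
    finally:
        _state.depth -= 1


def make_inherited_tags_sticky(instance, action):
    """Stand-in for the globally connected m2m_changed receiver. Returns True
    when it enforced and False when it early-returned because of a batch."""
    if is_in_batch():
        return False  # the caller applies inheritance in bulk instead
    return True


# The old pattern, for contrast: one process-wide flag, like disconnecting the
# receiver from Django's shared receiver list.
_legacy_connected = True


@contextmanager
def legacy_disconnect():
    global _legacy_connected
    _legacy_connected = False
    try:
        yield
    finally:
        _legacy_connected = True


def legacy_send(instance, action):
    if not _legacy_connected:
        return False  # every thread in the process loses enforcement here
    return make_inherited_tags_sticky(instance, action)


def run_while_a_holds(ctx, send):
    """Thread A enters ctx() and holds it open; thread B calls send() strictly
    inside that window. Returns (a_result, b_result)."""
    results = {}
    inside, release = threading.Event(), threading.Event()

    def run_a():
        with ctx():
            inside.set()                 # tell B that A is inside the context
            release.wait(timeout=5)      # keep it open until B has fired
            results["a"] = send("finding-1", "post_add")

    def run_b():
        inside.wait(timeout=5)           # fire only while A's context is open
        results["b"] = send("finding-2", "post_add")
        release.set()

    threads = [threading.Thread(target=run_a), threading.Thread(target=run_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results["a"], results["b"]


def nested_and_exception_safe():
    """Depth survives nesting and an exception raised inside the batch."""
    with batch():
        with batch():
            inner = is_in_batch()
        after_inner = is_in_batch()
    try:
        with batch():
            raise RuntimeError("import aborted mid-batch")
    except RuntimeError:
        pass
    return inner, after_inner, is_in_batch()


if __name__ == "__main__":
    print("thread-local batch (A, B):", run_while_a_holds(batch, make_inherited_tags_sticky))
    print("process-global disconnect (A, B):", run_while_a_holds(legacy_disconnect, legacy_send))
    print("nesting / exception:", nested_and_exception_safe())
```

With the thread-local context, thread A's call is suppressed while thread B's concurrent edit is still enforced; with the process-global flag both come back unenforced, which is the gap a threaded worker pool would hit mid-import.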
…o#14769)

* feat(parsers): add Xygeni JSON parser (SAST, SCA, Secrets)

Add a single first-party parser at dojo/tools/xygeni/ that handles three
Xygeni JSON report kinds (SAST, SCA, Secrets) by dispatching on
metadata.scanType. Mirrors the multi-scan-type pattern of rusty_hog,
anchore_grype, checkmarx and sonarqube.

Pre-approval: DefectDojo#14755

* feat(parsers): configure Xygeni deduplication algorithms

Wire the three Xygeni scan types into DEDUPLICATION_ALGORITHM_PER_PARSER
in settings.dist.py so re-imports dedup against the vendor-stable
uniqueHash instead of the legacy heuristic:

- Xygeni SAST Scan, Xygeni Secrets Scan: DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL.
- Xygeni SCA Scan: DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE with
  HASHCODE_FIELDS_PER_SCANNER set to (vulnerability_ids, component_name,
  component_version) and HASHCODE_ALLOWS_NULL_CWE: True, enabling
  cross-tool dedup with other SCA parsers when a CVE matches a package
  at the same version.

Document the per-scan-type algorithm in the parser docs page.

Refs: DefectDojo#14755
…ectDojo#14835)

* remove: questionnaire API endpoints (announced 2.56, EOL in 2.59)

Removes the five deprecated questionnaire REST endpoints and their
backing viewsets/serializers. The questionnaire UI feature itself
(under dojo/survey/) and all underlying models stay untouched — this
PR only removes the API surface that was announced for removal in
DefectDojo 2.56.0 and is now end-of-life per the 2.59 release notes.

Endpoints removed:
- /api/v2/questionnaire_answered_questionnaires/
- /api/v2/questionnaire_answers/
- /api/v2/questionnaire_engagement_questionnaires/
- /api/v2/questionnaire_general_questionnaires/
- /api/v2/questionnaire_questions/

Drops the corresponding ViewSets, serializers, and the
QuestionSubClassFieldsMixin / AnswerSubClassFieldsMixin helpers that
existed solely to support these viewsets. Removes the matching
endpoint registrations in dojo/urls.py and prunes the corresponding
test classes from unittests/test_rest_framework.py and the
expected-endpoint list in unittests/test_apiv2_methods_and_endpoints.py.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: add questionnaire models to no_api_models exclusion list

The questionnaire UI feature stays but the API surface is gone, so the
Question / Answer / *_Survey models no longer have a serializer. The
test_is_defined check requires every model to be either covered by a
serializer or explicitly listed as no_api_models — add them there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* remove: Stub Findings (announced 2.57, EOL in 2.59)

Per the 2.59 release notes, retires the Stub Findings feature in its
entirety: UI, API, model, and DB table. Stub_Finding has no inbound
foreign keys, so the deletion is self-contained.

Endpoint removed (now `404`):
- /api/v2/stub_findings/

UI removed:
- /finding/<id>/promote, /stub_finding/<id>/add, /stub_finding/<id>/delete
- "Potential Findings" table on the test detail page (view_test.html)
- The quick-add-form JS handler that powered it
- The promote_to_finding.html template

Code deleted:
- `StubFindingsViewSet`, `StubFindingSerializer`, `StubFindingCreateSerializer`
- `add_stub_finding`, `delete_stub_finding`, `promote_to_finding` views
- `StubFindingForm`, `DeleteStubFindingForm`
- `get_authorized_stub_findings` query helper
- `get_stub_findings` method and call site in `dojo/test/views.py`
- `Stub_Finding` admin registration and model class
- The `Stub_Finding` branch in `dojo/authorization/authorization.py`
  (now just `Finding` instead of `Finding | Stub_Finding`)
- The `Stub_Finding` early-return and union check in `dojo/jira/helper.py`
- Unit tests: `StubFindingsTest` (REST), `TestGetAuthorizedStubFindings`,
  the two `test_user_has_permission_stub_finding_*` tests, and the three
  Selenium tests in `tests/test_test.py`
- Dead `#stub_findings` JS in `view_objects.html` / `view_objects_eng.html`

Schema dropped via 0265_remove_stub_finding:
- `DeleteModel('Stub_Finding')`

The 2.59 upgrade doc already documents the removal; no doc update.

Note: PR 2 also adds a 0265_* migration. Whichever PR merges second
must rebase the migration filename and `dependencies` tuple accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: ruff F401 + drop stub_finding refs from fixtures

- dojo/finding/views.py: drop now-unused `json` and `formats` imports
  (the only callers were in the deleted stub-finding views).
- tests/test_test.py: drop the now-unused `on_exception_html_source_logger`
  import.
- Remove dojo.stub_finding rows and watson.searchentry rows pointing at
  that content type from all four data fixtures so loaddata stops
  faulting.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: adjust deleted_objects count + drop dependent merge UI test

- unittests/test_rest_framework.py: EngagementTest.deleted_objects went
  from 23 -> 21 because the cascading delete no longer pulls 2
  Stub_Finding rows.
- tests/test_test.py: drop test_merge_findings (the integration test
  needed two findings; the second one used to come from the stub
  finding promote flow which is now gone). The merge functionality is
  still covered by the unit tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…efectDojo#14838)

* Use a dedicated permission class for BurpRawRequestResponseViewSet

The top-level /api/v2/request_response_pairs/ viewset reused
UserHasFindingRelatedObjectPermission, which is shaped for
@action(detail=True) endpoints where DRF resolves the parent finding
from the URL. On a top-level POST there is no parent object resolved
yet, so the create flow only ran has_object_permission against the
not-yet-saved row and effectively skipped any check on the
client-supplied "finding" foreign key.

Introduce UserHasBurpRawRequestResponsePermission, which validates
the parent finding against Finding_Edit on POST via
check_post_permission, mirroring the pattern already used by
UserHasFindingPermission, UserHasProductPermission, and the other
parent-keyed viewsets. has_object_permission dereferences obj.finding
for retrieve/update/delete so list/detail/PUT/PATCH/DELETE behavior
is unchanged.

Add regression coverage in unittests/test_rest_framework.py asserting
the positive control still works, that an authenticated user without
membership cannot create a pair on a hidden finding, and that POSTs
missing the finding key are rejected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Use versioned_fixtures for RequestResponsePairsAuthzTest

The dojo_testdata.json fixture contains Endpoint rows, which raise
NotImplementedError in Endpoint.__init__ when V3_FEATURE_LOCATIONS is
enabled. Mirror the surrounding API test classes by applying the
@versioned_fixtures decorator so the locations-aware fixture is loaded
on the V3 matrix leg.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
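The authorization gap the commit above describes, recreated as an added, framework-free Python sketch (not DefectDojo's permission classes and not Django REST Framework): a create on a parent-keyed resource has to resolve the client-supplied `finding` key and check `Finding_Edit` on that parent before anything is saved, and object-level checks on the saved row must authorize against its parent finding. The role table, product/finding fixtures, `PairStore` and the `attempt` helper are constructed for the example; only the names `check_post_permission`, `has_object_permission` and the `Finding_Edit` / `Finding_View` permissions echo the commit message, and their real signatures differ.

```python
from dataclasses import dataclass, field

# Constructed authz model (assumption, not DefectDojo's roles_permissions).
ROLE_PERMISSIONS = {
    "reader": {"Finding_View"},
    "writer": {"Finding_View", "Finding_Edit"},
}
METHOD_PERMISSION = {"GET": "Finding_View", "PUT": "Finding_Edit",
                     "PATCH": "Finding_Edit", "DELETE": "Finding_Edit"}


@dataclass
class Product:
    id: int
    members: dict = field(default_factory=dict)  # user name -> role name


@dataclass
class Finding:
    id: int
    product: Product


@dataclass
class RequestResponsePair:
    id: int
    finding: Finding
    burp_request_b64: str = ""


class PermissionDenied(Exception):
    pass


class ValidationError(Exception):
    pass


def user_has_permission(user, finding, permission):
    """Membership on the finding's product decides; no membership, no permission."""
    role = finding.product.members.get(user)
    return role is not None and permission in ROLE_PERMISSIONS[role]


class PairStore:
    """In-memory stand-in for the ORM: findings keyed by id, pairs appended."""

    def __init__(self, findings):
        self.findings = {f.id: f for f in findings}
        self.pairs = []

    def create_unchecked(self, user, payload):
        """Before the fix: the client-supplied parent key is never authorized,
        so any authenticated user can attach a pair to any finding id."""
        finding = self.findings[payload["finding"]]
        pair = RequestResponsePair(len(self.pairs) + 1, finding, payload.get("burpRequestBase64", ""))
        self.pairs.append(pair)
        return pair

    def check_post_permission(self, user, payload):
        """After the fix: resolve and authorize the parent before anything is saved."""
        finding_id = payload.get("finding")
        if finding_id is None:
            raise ValidationError("finding is required")
        finding = self.findings.get(finding_id)
        # An unknown parent and an unauthorized parent get the same answer, so
        # the response does not tell the caller which finding ids exist.
        if finding is None or not user_has_permission(user, finding, "Finding_Edit"):
            raise PermissionDenied("not allowed to attach to that finding")
        return finding

    def create(self, user, payload):
        finding = self.check_post_permission(user, payload)
        pair = RequestResponsePair(len(self.pairs) + 1, finding, payload.get("burpRequestBase64", ""))
        self.pairs.append(pair)
        return pair

    def has_object_permission(self, user, method, pair):
        """Retrieve/update/delete: authorize against the pair's parent finding."""
        return user_has_permission(user, pair.finding, METHOD_PERMISSION[method])


def attempt(fn, *args):
    """Classify the outcome of a call as 'ok', 'denied' or 'invalid'."""
    try:
        fn(*args)
        return "ok"
    except PermissionDenied:
        return "denied"
    except ValidationError:
        return "invalid"


def build_store():
    """Constructed fixtures: alice edits product 1, bob only reads it, carol
    owns product 2 which alice and bob cannot see."""
    acme = Product(1, members={"alice": "writer", "bob": "reader"})
    hidden = Product(2, members={"carol": "writer"})
    return PairStore([Finding(100, acme), Finding(200, hidden)])


if __name__ == "__main__":
    store = build_store()
    print("member on own finding:", attempt(store.create, "alice", {"finding": 100}))
    print("outsider on hidden finding:", attempt(store.create, "alice", {"finding": 200}))
    print("missing finding key:", attempt(store.create, "alice", {}))
```

Two choices worth keeping when porting this into a real view: the parent lookup and the permission check run in `check_post_permission` before the serializer saves anything, and a nonexistent parent is answered exactly like an unauthorized one so the create endpoint cannot be used to enumerate finding ids. The project's actual status codes for those cases are not stated in the commit message.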
…4836)

* remove: Credential Manager (announced 2.57, EOL in 2.59)

Per the 2.59 release notes, retires the Credential Manager feature in
its entirety: UI, API, models, DB tables, and the system-settings
toggle that gated it.

Endpoints removed (now `404`):
- /api/v2/credentials/
- /api/v2/credential_mappings/

UI removed:
- All `/cred/*`, `/product/<id>/cred/*`, `/engagement/<id>/cred/*`,
  `/test/<id>/cred/*`, `/finding/<id>/cred/*` routes
- "Credential Manager" sidebar entry and per-product Add/View
  Credentials shortcuts in the navbar
- Credential sections from view_test, view_eng, and view_finding

Code deleted:
- The entire `dojo/cred/` module (views, urls, signals, queries)
- All `*cred*.html` templates
- `CredMappingForm`, `CredMappingFormProd`, `CredUserForm` in forms.py
- `ApiCredentialsFilter` in filters.py
- `CredentialsViewSet`, `CredentialsMappingViewSet`,
  `CredentialSerializer`, `CredentialMappingSerializer`,
  `UserHasCredentialPermission`
- Selenium tests `tests/credential_test.py` and
  `tests/product_credential_test.py`
- The four `Credential_*` permissions and
  `Permissions.get_credential_permissions()`, plus their entries in
  every role's permission set
- The `Cred_Mapping` reverse-lookup blocks in test/finding/engagement
  views (and the `cred_form` plumbing in the import-scan flow)
- `Cred_User` from audit-log and pghistory tracking lists, including
  the `Cred_UserEvent` history table

Schema dropped via 0265_remove_credential_manager:
- `system_settings.enable_credentials` (no longer gates anything)
- `Cred_Mapping`, `Cred_User`, `Cred_UserEvent` models, with their
  pghistory triggers cleared first

The 2.59 upgrade doc already documents the removal; nothing to update
in `docs/`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: ruff E302 + drop cred refs from fixtures

- dojo/authorization/roles_permissions.py: add the second blank line
  before get_roles_with_permissions() that ruff's E302 demands.
- Remove the now-orphan dojo.cred_user / dojo.cred_mapping entries from
  the three test fixtures, drop watson.searchentry rows pointing at
  those content types, and strip the gone enable_credentials field
  from System_Settings entries (the loaddata test was failing on it).

The fixture normalization picks up small indentation diffs in
unrelated sections (Python's json.dump uses one consistent indent)
but the data is unchanged otherwise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: drop credential_manager refs from sample_data_locations fixture + matrix

- dojo/fixtures/defect_dojo_sample_data_locations.json: missed in the
  previous fixture sweep — strip enable_credentials, cred_user /
  cred_mapping rows, and the matching watson.searchentry rows so
  loaddata stops failing.
- .github/workflows/integration-tests.yml: drop the credential_test.py
  and product_credential_test.py entries from the UI test matrix; both
  files were deleted in this PR and CI was failing trying to run them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: drop cred_user from configuration permissions list

dojo/user/utils.py left a Permission_Helper(name="cred user", ...) in
the configuration-permissions form that drives /user/<id>/edit_permissions
and /group/<id>/edit_permissions. With Cred_User gone, the underlying
view_cred_user / add_cred_user / change_cred_user / delete_cred_user
django auth permissions no longer exist and the form 500s on save —
which is what was breaking the group_test and user_test UI integration
tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: drop malformed watson.searchentry rows left by bad merge

The merge of dev into this branch (2f8f682) collided on the watson
search-entry rows: dev removed stub_finding entries while this branch
removed cred_user entries, and the three-way merge dropped only the
model name from each conflicting row, leaving six entries per fixture
with content_type set to ['dojo'] (a one-element natural key).

loaddata then failed with:

    ContentTypeManager.get_by_natural_key() missing 1 required
    positional argument: 'model' ... (watson.searchentry:pk=4)
    field_value was '['dojo']'

These rows pointed at the now-removed cred_user content type and were
already supposed to be deleted (see 12d749f). Remove them from both
fixture files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
renovate Bot and others added 14 commits June 24, 2026 17:03
…ithub/workflows/test-helm-chart.yml) (DefectDojo#15067)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…github/workflows/k8s-tests.yml) (DefectDojo#15068)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ile.integration-tests-debian) (DefectDojo#15069)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… v3.0.1 (.github/workflows/release-x-manual-helm-chart.yml) (DefectDojo#15070)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…tDojo#15071)

Bumps [django-debug-toolbar](https://github.com/django-commons/django-debug-toolbar) from 6.3.0 to 7.0.0.
- [Release notes](https://github.com/django-commons/django-debug-toolbar/releases)
- [Changelog](https://github.com/django-commons/django-debug-toolbar/blob/main/docs/changes.rst)
- [Commits](django-commons/django-debug-toolbar@6.3.0...7.0.0)

---
updated-dependencies:
- dependency-name: django-debug-toolbar
  dependency-version: 7.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.16 to 0.15.19.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.16...0.15.19)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [django-environ](https://github.com/joke2k/django-environ) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/joke2k/django-environ/releases)
- [Changelog](https://github.com/joke2k/django-environ/blob/v0.14.0/CHANGELOG.rst)
- [Commits](joke2k/django-environ@v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: django-environ
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [redis](https://github.com/redis/redis-py) from 8.0.0 to 8.0.1.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@v8.0.0...v8.0.1)

---
updated-dependencies:
- dependency-name: redis
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tDojo#15075)

Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.3.10 to 0.3.11.
- [Release notes](https://github.com/bpampuch/pdfmake/releases)
- [Changelog](https://github.com/bpampuch/pdfmake/blob/master/CHANGELOG.md)
- [Commits](bpampuch/pdfmake@0.3.10...0.3.11)

---
updated-dependencies:
- dependency-name: pdfmake
  dependency-version: 0.3.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… (.github/workflows/test-helm-chart.yml) (DefectDojo#15076)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…/workflows/validate_docs_build.yml) (DefectDojo#15077)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….23.1 (docker-compose.override.integration_tests.yml) (DefectDojo#15078)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…m v7.22.0 to v7.23.0 (dockerfile.integration-tests-debian) (DefectDojo#15079)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
github-actions bot added labels on Jun 26, 2026: docker, New Migration (Adding a new migration file. Take care when merging.), settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, integration_tests, ui, parser, helm, localization, lint

@Maffooch Maffooch (Contributor) left a comment

Please rebase against dev branch

@Maffooch Maffooch marked this pull request as draft June 26, 2026 16:49