Merge pull request #14643 from DefectDojo/bugfix

Release 2.57.0: Merge Bugfix into Dev

Author: rossops

docs/assets/images/Product_Hierarchy_Overview.png

@@ -23,6 +23,6 @@ This is the essence of DefectDojo - import security data, organize it, and prese
 All of these features can be automated, and because DefectDojo can handle over 200 tools (at time of writing) you should be all set to create a functional security inventory of your entire organizational output.
 
 ### Open-Source Features
-- Does your organization use Jira? Learn how to use our [Jira integration](/issue_tracking/jira/jira_guide/) to create Jira tickets from the data you ingest.
+- Does your organization use Jira? Learn how to use our [Jira integration](/issue_tracking/jira/os__jira_guide/) to create Jira tickets from the data you ingest.
 - Are you expecting to share DefectDojo with many users in your organization? Check out our guides to [user management](/admin/user_management/about_perms_and_roles/) and set up role-based access control (RBAC).
 - Ready to dive into automation? Learn how to use the [DefectDojo API](/import_data/import_scan_files/api_pipeline_modelling/) to automatically import new data, and build a robust CI/CD pipeline.

docs/assets/images/Product_Hierarchy_Overview_2.png

@@ -21,7 +21,7 @@ DefectDojo is meant to be the central source of truth for your organization's se
 
 - Allowing users to identify duplicate findings across scans and tools, minimizing alert fatigue.
 - Enforcing SLAs on vulnerabilities, ensuring that your organization handles each Finding within an appropriate timeframe.
-- Sending tickets to [Jira](/issue_tracking/jira/jira_guide/), ServiceNow or other Project Tracking software, allowing your development team to integrate issue remediation into their standard release process without requiring them to learn another project management tool.
+- [Sending tickets](/issue_tracking/intro/intro/) to Jira, ServiceNow or other Project Tracking software, allowing your development team to integrate issue remediation into their standard release process without requiring them to learn another project management tool.
 - Integrating into automated [CI/CD pipelines](/import_data/import_scan_files/api_pipeline_modelling/) to automatically ingest report data from repositories, even down to the branch level.
 - Creating [reports](/metrics_reports/reports/using_the_report_builder/) on any set of vulnerabilities or software context, to quickly share scan results or status updates with stakeholders.
 - Establishing acceptance and mitigation workflows, supporting formal risk-management tracking.
@@ -129,6 +129,6 @@ DefectDojo Pro users also have access to [executive-level Metrics dashboards](/g
 
 ### How can I integrate a project management tool with DefectDojo?
 
-In both Pro and Open-Source editions of DefectDojo, Findings in DefectDojo can be pushed to Jira as Issues, which allows you to integrate issue remediation with your development team.  We have a [complete guide to Jira](/issue_tracking/jira/jira_guide/) written which describes the process in detail.
+In both Pro and Open-Source editions of DefectDojo, Findings in DefectDojo can be pushed to Jira as Issues, which allows you to integrate issue remediation with your development team.
 
 DefectDojo Pro adds support for [Additional Project Tracking Integrations](/issue_tracking/intro/intro/)**: ServiceNow, Azure DevOps, GitHub and GitLab.

docs/content/get_started/about/OS__new_user_checklist.md

@@ -65,7 +65,7 @@ Using the 'Push To Jira' workflow triggers an asynchronous process, however an I
 
 Common reasons issues are not created:
 * The Default Issue Type you have selected is not usable with the Jira Space
-* Issues in the Space have required attributes that prevent them from being created via DefectDojo (see our guide to [Custom Fields](../jira_guide/#custom-fields-in-jira))
+* Issues in the Space have required attributes that prevent them from being created via DefectDojo (which can be handled via Custom Fields in Jira)
 
 
 ## Error: Product Misconfigured or no permissions in Jira?
@@ -77,11 +77,11 @@ This error message can appear when attempting to add a created Jira configuratio
 
 ## Changes made to Jira issues are not updating Findings in DefectDojo
 
-* Start by confirming that the [DefectDojo webhook receiver](../jira_guide/#step-3-configure-bidirectional-sync-jira-webhook) is configured correctly and can successfully receive updates.
+* Start by confirming that the DefectDojo webhook receiver is configured correctly and can successfully receive updates.
 
 * Ensure the SSL certificate used by Defect Dojo is trusted by JIRA. For JIRA Cloud you must use [a valid SSL/TLS certificate, signed by a globally trusted certificate authority](https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-registering-webhooks-with-non-secure-urls/)
 
-* If you're trying to push status changes, confirm that Jira transition mappings are set up correctly (Reopen / Close [Transition IDs](../jira_guide/#step-3-configure-bidirectional-sync-jira-webhook)).
+* If you're trying to push status changes, confirm that Jira transition mappings are set up correctly (Reopen / Close Transition IDs).
 
 * [Test](https://support.atlassian.com/jira/kb/testing-webhooks-in-jira-cloud/) your JIRA webhook using a public endpoint such as Pipedream or Beeceptor:
 

docs/content/get_started/about/faq.md

@@ -12,6 +12,30 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Mar 2026: v2.56
 
+### Mar 30, 2026: v2.56.4
+
+* **(Deduplication)** Fixed an issue where cross-tool deduplication could silently fail to match duplicates when findings were imported across different scan tools.
+* **(Pro UI)** Audit Log table now supports global search and query parameter–based filtering.
+* **(Pro UI)** Improved page load performance for large listing tables (Findings, Endpoints, etc.) by reducing unnecessary computation during pagination.
+
+### Mar 23, 2026: v2.56.3
+
+* **(MFA)** All authenticated users can now access their own MFA settings page, regardless of role.
+* **(Pro UI)** Alerts table now uses server-side filtering, sorting, and pagination for improved performance.
+* **(Pro UI)** Removed the deprecated Credentials section from System Settings.
+* **(Pro UI)** Fixed boolean filters on the Product Types table for the Critical and Key Asset columns.
+* **(Pro UI)** Fixed a filter alignment issue on the Engagements table.
+* **(Pro UI)** Standardized the Test field label to "Title" across all screens.
+* **(Rules Engine)** Fixed a timeout (502 error) that could occur when previewing rules against a large number of Findings.
+
+### Mar 16, 2026: v2.56.2
+
+* **(API)** Added pagination limit enforcement and deprecation warnings for unpaginated API requests.
+* **(Jira)** Custom field values are now properly encoded and decoded as JSON, with validation errors shown for invalid input.
+* **(Pro UI)** The New Risk Acceptance form now pre-fills the expiration date using the system default number of days.
+* **(Pro UI)** Improved handling of Group membership and permissions in the UI.
+* **(SBOM)** SBOM imports are now processed asynchronously, improving upload responsiveness for large files.
+
 ### Mar 12, 2026: v2.56.1
 
 * **(Pro UI)** Finding Groups can now be filtered by computed status: resolved, active, or risk-accepted.

…ontent/issue_tracking/jira/jira_guide.md …nt/issue_tracking/jira/OS__jira_guide.mddocs/content/issue_tracking/jira/jira_guide.md renamed to docs/content/issue_tracking/jira/OS__jira_guide.md docs/content/issue_tracking/jira/jira_guide.md renamed to docs/content/issue_tracking/jira/OS__jira_guide.md

@@ -6,15 +6,38 @@ OASIS Static Analysis Results Interchange Format (SARIF). SARIF is
 supported by many tools. More details about the format here:
 <https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif>
 
-SARIF parser customizes the Test_Type with data from the report.
-For example, a report with `Dockle` as a driver name will produce a Test with a Test_Type named `Dockle Scan (SARIF)`
+Current implementation will aggregate all the findings in the SARIF file into a single report.
 
-Current implementation is limited and will aggregate all the findings in the SARIF file in one single report.
+## How Test Types Are Determined
 
-##### Support for de-duplication (fingerprinting)
+Unlike most parsers in DefectDojo, the SARIF parser has a **report-defined Test Type**. When you import a SARIF file with `scan_type=SARIF`, DefectDojo reads the tool name from within the SARIF file at `runs[].tool.driver.name` and uses it to construct the Test Type name.
 
-SARIF parser take into account data for fingerprinting. It's base on `fingerprints` and `partialFingerprints` properties.
-It's possible to activate de-duplication based on this data by customizing settings.
+The naming pattern is: **`{tool name} ({scan_type})`**
+
+For example:
+
+| Tool | `runs[].tool.driver.name` value | Resulting Test Type |
+|------|-------------------------------|---------------------|
+| Semgrep | `semgrep` | `semgrep (SARIF)` |
+| Trivy | `Trivy Scan` | `Trivy Scan (SARIF)` |
+| Dockle | `Dockle` | `Dockle Scan (SARIF)` |
+| MobSF | `mobsfscan` | `mobsfscan (SARIF)` |
+
+This means that even though all of these tools produce SARIF output and are imported with `scan_type=SARIF`, each tool will create a **distinct Test Type** in DefectDojo. For more information on how report-defined Test Types work, see **[Test Types](/asset_modelling/hierarchy/product_hierarchy#test-types)**.
+
+## Reimporting SARIF Results
+
+When using the `/api/v2/reimport-scan/` endpoint, DefectDojo needs to match incoming results to an existing Test. Understanding how this matching works is important when multiple SARIF-based tools are reporting into the same Engagement.
+
+### One Tool Per Test
+
+Each Test in DefectDojo represents results from a single tool. SARIF results from different tools (e.g. Semgrep, Trivy, MobSF) cannot be combined into the same Test, even though they share the same `scan_type=SARIF`. DefectDojo enforces this by validating that the tool name inside the SARIF file matches the existing Test's Test Type on reimport.
+
+This constraint is what makes reimport's comparison logic reliable: when a Finding is absent from a new report, DefectDojo can safely assume it has been resolved. If results from multiple tools were mixed in a single Test, DefectDojo would not be able to distinguish between a resolved Finding and a Finding that simply isn't covered by the current tool.
+
+## Support for Deduplication (Fingerprinting)
+
+The SARIF parser takes into account data for fingerprinting, based on the `fingerprints` and `partialFingerprints` properties in the SARIF file. It's possible to activate deduplication based on this data by customizing settings:
 
 ```Python
 # in your settings.py file
@@ -25,7 +48,7 @@ DEDUPLICATION_ALGORITHM_PER_PARSER["SARIF"] = DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR
 Sample SARIF scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/sarif).
 
 ### Default Deduplication Hashcode Fields
-By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
+By default, DefectDojo identifies duplicate Findings using these [hashcode fields](/triage_findings/finding_deduplication/about_deduplication):
 
 - title
 - cwe