Merge pull request #14761 from DefectDojo/master-into-dev/2.57.3-2.58.0-dev

Release: Merge back 2.57.3 into dev from: master-into-dev/2.57.3-2.58.0-dev

Author: Maffooch

.github/workflows/release-1-create-pr.yml

@@ -111,11 +111,17 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            github.rest.pulls.create({
+            const pr = await github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
               title: 'Release: Merge release into master from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'master'
             })
+            await github.rest.issues.addLabels({
+              owner: '${{ env.GITHUB_ORG }}',
+              repo: 'django-DefectDojo',
+              issue_number: pr.data.number,
+              labels: ['release-management']
+            })

.github/workflows/release-3-master-into-dev.yml

@@ -99,14 +99,20 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            github.rest.pulls.create({
+            const pr = await github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
               title: 'Release: Merge back ${{ inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'dev'
             })
+            await github.rest.issues.addLabels({
+              owner: '${{ env.GITHUB_ORG }}',
+              repo: 'django-DefectDojo',
+              issue_number: pr.data.number,
+              labels: ['release-management']
+            })
 
   create_pr_for_merge_back_into_bugfix:
     runs-on: ubuntu-latest
@@ -175,11 +181,17 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            github.rest.pulls.create({
+            const pr = await github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
               title: 'Release: Merge back ${{ inputs.release_number_new }} into bugfix from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'bugfix'
             })
+            await github.rest.issues.addLabels({
+              owner: '${{ env.GITHUB_ORG }}',
+              repo: 'django-DefectDojo',
+              issue_number: pr.data.number,
+              labels: ['release-management']
+            })

docs/content/releases/pro/changelog.md

@@ -12,6 +12,32 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Apr 2026: v2.57
 
+### Apr 20, 2026: v2.57.2
+
+* **(Pro UI)** Search and filter state is now preserved when closing a Finding from a Finding list, so you don't lose your place after editing.
+* **(Risk Acceptance)** Bulk Edit no longer leaves Simple Risk Acceptance findings in an inconsistent "Active + Risk Accepted" state. Reactivating a previously risk-accepted Finding now behaves correctly.
+* **(Risk SLA)** Creating a Risk SLA no longer silently coerces unchecked `enforce_*_risk` options to `True`.
+* **(Surveys)** Fixed survey access for both authenticated users and anonymous links.
+* **(Universal Parser)** Non-ASCII scan names no longer cause a `UnicodeEncodeError` on import. CSV files with `""`-escaped quotes in multiline fields now parse correctly.
+* **(API)** Import/Reimport now validates consistency between ID-based and name-based identifiers, catching mismatched payloads earlier.
+* **(Permissions)** Moving an Engagement between Products now requires appropriate permission on both the source and target Product.
+* **(Reports)** Fixed a CSS overflow issue in rendered reports. Cleaned up endpoint template rendering for user fields.
+* **(Tools)** `govulncheck` parser now records `fix_available` and `fix_version`. Risk Recon parser now validates URLs via a shared SSRF utility. Added Mozilla Foundation security advisories as a supported Vulnerability ID source.
+
+### Apr 13, 2026: v2.57.1
+
+* **(Pro UI)** Object-level history views no longer default to a 31-day date filter, so the full history is visible on load.
+* **(Pro UI)** Audit Log "changes" filter now searches only the names of changed fields, reducing false matches.
+* **(Pro UI)** Predefined Finding filters now sync UI state correctly, so the active filter indicator reflects the applied filter.
+* **(Deduplication)** Added a UI for global component deduplication settings, behind a feature flag.
+* **(Rules Engine)** Fixed a preview timeout that occurred when rules were previewed against large Finding sets.
+* **(Universal Parser)** CSV/XML query path now displays correctly in the Universal Parser UI.
+* **(Import)** Additional parameters are now stored in import settings, making them available for reuse on reimport.
+* **(Tools)** Wazuh 4.8 parser now correctly attaches endpoints and locations to findings.
+* **(Tools)** Invicti parser now uses `FirstSeenDate` when populating Finding dates when `DD_USE_FIRST_SEEN` is enabled.
+* **(Tools)** `govulncheck` parser fixed for NDJSON output.
+* **(Tools)** Added CNNVD as a supported Vulnerability ID source.
+
 ### Apr 7, 2026: v2.57.0
 
 * **(Custom Enrichment)** On-prem administrators can now configure custom URLs for EPSS and KEV enrichment data sources under **Settings → Finding Enrichment Settings**. Each source (EPSS scores and CISA Known Exploited Vulnerabilities) can be independently enabled and pointed to an internal mirror or proxy. A **Test Configuration** button validates connectivity before saving. Findings with CVE IDs are automatically enriched with EPSS score/percentile and KEV status during enrichment runs.

docs/content/releases/pro/ddorch-database.md

@@ -0,0 +1,174 @@
+---
+title: "Adding the dd-orch Database on Upgrade"
+toc_hide: true
+weight: -20260501
+description: "Provisioning the dojodb-ddorch PostgreSQL database and pointing DefectDojo Pro at it on an existing self-hosted installation."
+audience: pro
+---
+
+Starting with 2.57.3, DefectDojo Pro requires a second PostgreSQL database, `dojodb-ddorch`, used by the new `ddorch` orchestrator service. The existing `dojodb` database continues to be used by the main Django application.
+
+This guide walks through adding `dojodb-ddorch` to an existing self-hosted PostgreSQL instance and pointing DefectDojo at it.
+
+## Prerequisites
+
+- PostgreSQL 16 is already installed and running on the DB server.
+- The `dojodbusr` role already exists with a known password.
+- `dojodb` is already created and reachable from the DefectDojo app server.
+- `listen_addresses` in `postgresql.conf` is already configured for remote access.
+- You have upgraded to the release that ships the `ddorch` and `ddorch-workers` services.
+
+> **A note on the database name:** `dojodb-ddorch` contains a hyphen, so it must be double-quoted in every SQL statement (`"dojodb-ddorch"`).
+
+## Part 1: Provision the Database
+
+### 1. Create the new database
+
+On the PostgreSQL server, open a `psql` session as the `postgres` superuser:
+
+```bash
+sudo -i -u postgres psql --username postgres
+```
+
+Create the database, grant privileges to the existing `dojodbusr` role, and transfer ownership:
+
+```sql
+CREATE DATABASE "dojodb-ddorch";
+GRANT ALL PRIVILEGES ON DATABASE "dojodb-ddorch" TO dojodbusr;
+ALTER DATABASE "dojodb-ddorch" OWNER TO dojodbusr;
+\q
+```
+
+**Example session:**
+
+```
+root@dbserver:~# sudo -i -u postgres psql --username postgres
+psql (16.8)
+Type "help" for help.
+
+postgres=# CREATE DATABASE "dojodb-ddorch";
+CREATE DATABASE
+postgres=# GRANT ALL PRIVILEGES ON DATABASE "dojodb-ddorch" TO dojodbusr;
+GRANT
+postgres=# ALTER DATABASE "dojodb-ddorch" OWNER TO dojodbusr;
+ALTER DATABASE
+postgres=# \q
+```
+
+> **PostgreSQL 15+ note:** Ownership covers schema rights for the owner, but if you ever connect as a non-owner role you will also need to grant schema privileges inside the new database:
+>
+> ```sql
+> \c "dojodb-ddorch"
+> GRANT ALL ON SCHEMA public TO dojodbusr;
+> ```
+
+### 2. Allow the app server to connect
+
+Edit `/etc/postgresql/16/main/pg_hba.conf` and add a new line for `dojodb-ddorch` next to the existing `dojodb` entry.
+
+**(a) Preferred — restrict to the DefectDojo app server's IP.**
+
+Supposing the app server's IP is `9.9.9.9`, add:
+
+```
+host  dojodb-ddorch  dojodbusr  9.9.9.9/32  scram-sha-256
+host  postgres  dojodbusr  9.9.9.9/32  scram-sha-256
+```
+
+**(b) Alternative — allow from any host.**
+
+```
+host  dojodb-ddorch  dojodbusr  0.0.0.0/0  scram-sha-256
+host  postgres  dojodbusr  0.0.0.0/0  scram-sha-256
+```
+
+> **Note:** The lines in `pg_hba.conf` are whitespace-delimited. The easiest way to add this line is to copy/paste the existing `dojodb` line and change the database name.
+
+**Alternative using `echo` (if no text editor is available):**
+
+```bash
+# For specific IP (replace 9.9.9.9 with your app server IP):
+echo "host  dojodb-ddorch  dojodbusr  9.9.9.9/32  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+echo "host  postgres  dojodbusr  9.9.9.9/32  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+
+# OR for all hosts:
+echo "host  dojodb-ddorch  dojodbusr  0.0.0.0/0  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+echo "host  postgres  dojodbusr  0.0.0.0/0  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+
+```
+
+### 3. Reload PostgreSQL
+
+Changes to `pg_hba.conf` only require a reload — no restart is needed:
+
+```bash
+sudo systemctl reload postgresql
+```
+
+Verify the reload was picked up:
+
+```bash
+sudo systemctl status postgresql
+```
+
+### 4. Verify connectivity from the app server
+
+From the **DefectDojo app server**, confirm `dojodbusr` can reach the new database. Replace `<db-server-ip>` with your DB server's IP and `<password>` with the password set for `dojodbusr`:
+
+```bash
+psql "host=<db-server-ip> dbname=dojodb-ddorch user=dojodbusr password=<password>" -c "SELECT 1;"
+```
+
+A successful response of `?column?` with a value of `1` confirms the database is reachable and the credentials are valid.
+
+## Part 2: Point DefectDojo at the New Database
+
+Only the `ddorch` service connects to the new database directly. The main Django application reaches the orchestrator over gRPC, so `DD_DATABASE_URL` does **not** change.
+
+### 1. Set the orchestrator database URL
+
+The `ddorch` service reads its connection string from the `DD_DATABASE_URL` environment variable and **automatically appends `-ddorch` to the database name** in whatever URL you pass it. This means you can reuse the same connection string you already use for the main Django application — no need to construct a second URL by hand.
+
+On startup, ddorch rewrites the database name in this URL from `dojodb` to `dojodb-ddorch` and connects to the database you created in Part 1.
+
+### 2. Restart the orchestrator services
+
+From the deployment directory, recreate the two orchestrator containers so they pick up the new environment:
+
+```bash
+docker compose up -d ddorch ddorch-workers
+```
+
+Docker Compose will detect the environment change and recreate the containers. The `ddorch` service runs its own schema migrations against `dojodb-ddorch` on startup — no manual migration command is required.
+
+### 3. Verify ddorch connected and migrated the new database
+
+The most direct signal that the database is correctly wired up is the ddorch startup log. Check the last hundred lines:
+
+```bash
+docker compose logs ddorch --tail=100
+```
+
+Look for three log lines in sequence:
+
+```
+{"level":"INFO","msg":"Appending database name to DATABASE_URL","from":"dojodb","to":"dojodb-ddorch"}
+INFO Running migrations current_schema_version=<N> next_version=<M> migrations_to_apply=<K>
+{"level":"INFO","msg":"starting server","port":9871}
+```
+
+What each line proves:
+
+- **`Appending database name to DATABASE_URL ... to: dojodb-ddorch`** — ddorch received your URL and derived the orch database name correctly.
+- **`Running migrations ... migrations_to_apply=0`** — ddorch connected to `dojodb-ddorch` and found the schema at the expected version. On a first-ever boot against a fresh database you may see `migrations_to_apply=<N>` with a non-zero value and no subsequent error — this means ddorch just created the tables from scratch. Both outcomes indicate success.
+- **`starting server ... port:9871`** — ddorch is up and listening.
+
+If instead you see an error such as `FATAL: password authentication failed`, `no pg_hba.conf entry for host`, or `database "dojodb-ddorch" does not exist`, the database is not reachable — revisit Part 1 before proceeding.
+
+Also confirm both orchestrator containers are running:
+
+```bash
+docker compose ps ddorch ddorch-workers
+```
+
+Both should report `Up`. With ddorch migrated and the workers container running, your installation is now using the new `dojodb-ddorch` database.

docs/content/triage_findings/finding_deduplication/PRO__deduplication_tuning.md

@@ -34,7 +34,7 @@ To adjust Same Tool Deduplication:
 
 ### Available Deduplication Algorithms
 
-DefectDojo Pro offers three deduplication methods for same-tool deduplication:
+DefectDojo Pro offers the following deduplication methods for same-tool deduplication:
 
 #### Hash Code
 Uses a combination of selected fields to generate a unique hash. When selected, a third dropdown will appear showing the fields being used to calculate the hash.
@@ -47,6 +47,9 @@ This algorithm can be useful when working with SAST scanners, or situations wher
 #### Unique ID From Tool or Hash Code
 Attempts to use the tool's unique ID first, then falls back to the hash code if no unique ID is available. This provides the most flexible deduplication option.
 
+#### Global Component
+Matches findings by component name and version across **all Products** in the instance, rather than within a single Product or Engagement. Intended for SCA tools where the same vulnerable dependency appears in many Products. This algorithm is off by default and must be enabled by DefectDojo Support. See [Global Component Deduplication](/triage_findings/finding_deduplication/pro__global_component_deduplication/) for details.
+
 ## Cross Tool Deduplication
 
 Cross Tool Deduplication is disabled by default, as deduplication between different security tools requires careful configuration due to variations in how tools report the same vulnerabilities.
@@ -59,7 +62,7 @@ To enable Cross Tool Deduplication:
 2. Change the **Deduplication Algorithm** from "Disabled" to "Hash Code"
 3. Select which fields should be used for generating the hash in the **Hash Code Fields** dropdown
 
-Unlike Same Tool Deduplication, Cross Tool Deduplication only supports the Hash Code algorithm, as different tools rarely share compatible unique identifiers.
+Cross Tool Deduplication supports the Hash Code algorithm, which is suitable for most workflows, as different tools rarely share compatible unique identifiers. For SCA tools reporting the same dependencies, [Global Component Deduplication](/triage_findings/finding_deduplication/pro__global_component_deduplication/) is also available as a cross-tool option (off by default).
 
 ## Reimport Deduplication
 
@@ -76,7 +79,7 @@ When configuring Reimport Deduplication:
 1. Select the **Security Tool** (Universal or Generic Parser)
 2. Choose the appropriate **Deduplication Algorithm**
 
-The same three algorithm options are available for Reimport Deduplication as for Same Tool Deduplication:
+The following algorithm options are available for Reimport Deduplication:
 - Hash Code
 - Unique ID From Tool
 - Unique ID From Tool or Hash Code