django-DefectDojo v1.10 releases: application vulnerability correlation & security orchestration application

DefectDojo is an open-source application vulnerability correlation and security orchestration application. It allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities, and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.

While traceability and metrics are the ultimate end goal, it is a bug tracker at its core. Taking advantage of DefectDojo’s Product:Engagement model enables traceability among multiple projects and test cycles and allows for fine-grained reporting.

How does DefectDojo work?

It is based on a model that allows the ultimate flexibility in your test tracking needs.

• Working in DefectDojo starts with a Product Type.
• Each Product Type can have one or more Products.
• Each Product can have one or more Engagements.
• Each Engagement can have one more Tests.
• Each Test can have one or more Findings.

Changelog v1.10

💣 Breaking changes

• Move charts to bitnami’s repo @madchap (#2859)
• JIRA: Allow config per engagement, incl big JIRA refactor @valentijnscholten (#3200)

🚩 Requires settings change

• Acunetix parser: Import all affected items + technical details @steeve85 (#2289)
• performance: optimize a bit view_finding, max similar findings=25 @valentijnscholten (#3293)
• Various bug fixes in various places @Maffooch (#3308)
• sla notify: disable by default, add explanation to settings @valentijnscholten (#3289)
• Celery: only send model ids and not full instances @valentijnscholten (#3092)

🚀 Features and enhancements

• tags: add testcases @valentijnscholten (#3324)
• reimport: set component_name&version on existing findings @valentijnscholten (#3288)
• API_V2 : Add metadata operation on findings endpoints @RomainJufer (#3254)
• performance: optimize a bit view_finding, max similar findings=25 @valentijnscholten (#3293)
• Various bug fixes in various places @Maffooch (#3308)
• sla notify: disable by default, add explanation to settings @valentijnscholten (#3289)
• Reintroduce HTML report builder @Maffooch (#3250)
• JIRA: Allow config per engagement, incl big JIRA refactor @valentijnscholten (#3200)
• Celery: only send model ids and not full instances @valentijnscholten (#3092)
• jira: set jira_project when creating JIRA_Issue @valentijnscholten (#3294)
• Set flag for auto refresh of alert/counts @Maffooch (#3275)

🐛 Bug Fixes

• apiv2: set mitigated date if applicable @keenan-v1 (#3285)
• Acunetix parser: Import all affected items + technical details @steeve85 (#2289)
• Correct filter for findings for non-staff users @StefanFl (#3339)
• jira: fix add/edit engagement if no jira config used @valentijnscholten (#3335)
• fix importing aws securityhub timestamp @Enigmatyk (#3329)
• Fix Product Metrics link to false positives. @tohch4 (#3334)
• jira_webhook: improve error handling @valentijnscholten (#3321)
• Nikto quick fix to hostname/url parsing (fixes #3268) @madchap (#3318)
• reimport: don’t try to set component_name for absent findings @valentijnscholten (#3331)
• debug_toolbar: add known issue + fix for static files @valentijnscholten (#3309)
• Added steps to reproduce in Jira Description Template @FallenAtticus (#2990)
• aws security hub: fix handling of missing lastObservedAt @valentijnscholten (#3277)
• jira: fix mailto link in description @valentijnscholten (#3281)
• jira: split url handling for issues and projects @valentijnscholten (#3284)
• Various bug fixes in various places @Maffooch (#3308)
• Allow re-import scan to function without JIRA @Maffooch (#3295)
• Fix Accepted Risk reporter/owner in engineer metrics @Maffooch (#3297)
• Fix JIRA owner instead of reporter @madchap (#3282)
• settings.dist.py: reduce default log level from DEBUG to INFO @valentijnscholten (#3280)
• jira: use correct url for dojo_alert notification @valentijnscholten (#3273)
• Update open finding definition on product level @Maffooch (#3267)
• uwsgi: increase default buffer-size @valentijnscholten (#3269)
• Change encoding from utf-8 to utf-8-sig @jhamba (#2583)
• Commented out print statement ‘ready(): initializing watson’ as it breaks ‘manage.py dumpdata’ @mtesauro (#3274)
• Fix NoneType error on Metrics page @danielnaab (#3323)
• unittests: delete erroneously committed empty ZoneIdentifier metatdata files @valentijnscholten (#3304)

🧰 Maintenance

• build(deps): bump django-celery-results from 1.2.1 to 2.0.0 @dependabot-preview (#3311)
• Move charts to bitnami’s repo @madchap (#2859)
• chore(deps): update mysql:5.7.32 docker digest to ec6742a (docker-compose.yml) @renovate (#3300)
• chore(deps): update rabbitmq:3.8.9 docker digest to b05476a (docker-compose.yml) @renovate (#3301)
• build(deps): bump google-api-python-client from 1.12.6 to 1.12.8 @dependabot-preview (#3305)
• build(deps): bump django-crispy-forms from 1.9.2 to 1.10.0 @dependabot-preview (#3307)
• Release drafter – add breaking changes section @madchap (#3291)
• build(deps): bump google-api-python-client from 1.12.5 to 1.12.6 @dependabot-preview (#3287)
• build(deps): bump asteval from 0.9.20 to 0.9.21 @dependabot-preview (#3266)
• Update CONTRIBUTING.md @madchap (#3314)
• Update SPONSORING.md @madchap (#3316)
• Update MAINTAINERS.md @madchap (#3315)
• Update CONTRIBUTING.md @madchap (#3317)
• Updated contributing doc to have Python 3.6 instead of 3.5 @mtesauro (#3306)
• Release: Merge release into master from: release/1.10.0 @github-actions (#3344)
• Release: Merge back master into dev from: master-into-dev/1.10.0-dev @github-actions (#3268

Install

$ git clone https://github.com/DefectDojo/django-DefectDojo
$ cd django-DefectDojo
$ ./setup.bash
$ ./run_dojo.bash

navigate to 127.0.0.1:8000

Tutorial

Copyright (c) 2015, DefectDojo Maintainers, All rights reserved.