Merge branch 'DefectDojo:dev' into dev

.github/workflows/test-helm-chart.yml

@@ -33,7 +33,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           yamale_version: 4.0.4
           yamllint_version: 1.35.1

docs/content/en/about_defectdojo/ui_pro_vs_os.md

@@ -0,0 +1,53 @@
+---
+title: "🎨 Beta UI Features"
+description: "Working with different UIs in DefectDojo"
+draft: "false"
+weight: 4
+pro-feature: true
+---
+
+<span style="background-color:rgba(242, 86, 29, 0.3)">Note: The Beta UI and associated features are only available in DefectDojo Pro.</span>
+
+In late 2023, DefectDojo Inc. released a new UI for DefectDojo Pro, which has since been in Beta for Pro customers to test and experiment with.
+
+The Beta UI brings the following enhancements to DefectDojo:
+
+- Modern and sleek design, built using Vue.js
+- Optimized data delivery and load times, especially for large datasets
+- Access to new Pro features, including [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), [Universal Importer](/en/connecting_your_tools/external_tools/), and Pro Metrics views
+- Improved UI workflows: better filtering, dashboards, and navigation
+
+## Switching To The Beta UI
+
+To access the Beta UI, open your User Options menu from the top-right hand corner.  You can also switch back to the Classic UI from the same menu.
+
+![image](images/beta-classic-uis.png)
+
+## Navigational Changes
+
+![image](images/beta-ui-overview.png)
+
+1. The **Sidebar** has been reorganized: Pro Metrics and the Homepage can be found in the first section.
+
+2. Import methods can be found in the **Import** section: set up [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), use the Import Scan form to [Add Findings](/en/connecting_your_tools/import_scan_files/import_scan_ui/), or use [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/) to handle infrastructure scanning tools.
+
+3. The **Manage** section allows you to view different objects in the [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/), with views for Product Types, Products, Engagements, Tests, Findings, Risk Acceptances, Endpoints and Components.
+
+4. The **Settings** section allows you to configure your DefectDojo instance, including your License, Cloud Settings, Users, Feature Configuration and admin-level Enterprise Settings.
+
+The Enterprise settings section contains the System Settings, Jira Instances, Deduplication Settings, SAML, OAuth, Login and MFA forms.
+
+5. The beta UI also has a **new table format** to help with navigation.  This table is used with all [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/). Each column can be clicked on to apply a relevant filter, and columns can be reordered to present data however you like.
+
+6. The table also has a **"Toggle Columns"** menu which can add or remove columns from the table.
+
+## New Dashboards
+
+New metrics visualizations are included in the Beta UI.  All of these reports can be filtered and exported as PDF to share them with a wider audience.
+
+![image](images/program_insights.png)
+
+- The **Executive Insights** dashboard displays the current state of your Products and Product Types.
+- **Program Insights** dashboard displays the effectiveness of your security team and the cost savings associated with separating duplicates and false positives from actionable Findings.
+- **Remediation Insights** displays your effectiveness at remediating Findings.
+- **Tool Insights** displays the effectiveness of your tool suite (and Connectors pipelines) at detecting and reporting vulnerabilities.

docs/content/en/api/api-v2-docs.md

@@ -5,9 +5,6 @@ draft: false
 weight: 2
 ---
 
-
-
-
 DefectDojo\'s API is created using [Django Rest
 Framework](http://www.django-rest-framework.org/). The documentation of
 each endpoint is available within each DefectDojo installation at

docs/content/en/changelog/changelog.md

@@ -7,12 +7,26 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](../../open_source/upgrading/upgrading_guide).
 
+## Jan 13, 2025: v2.42.1
+
+- **(API)** Pro users can now specify the fields they want to return in a given API payload.  For example, this request will only return the title, severity and description fields for each Finding.  <span style="background-color:rgba(242, 86, 29, 0.5)">(Pro)</span>
+```
+curl -X 'GET' \
+  'https://localhost/api/v2/findings/?response_fields=title,severity,description' \
+  -H 'accept: application/json'
+```
+
+## Jan 6, 2025: v2.42.0
+
+- **(API)** `/test_reimport` results can now be ordered via id, created, modified, version, branch_tag, build_id, and commit_hash.
+- **(Jira)** When a Risk Acceptance expires, linked Jira Group issues will now be updated to reflect the status change.
+
 ## Dec 31, 2024: v2.41.4
 
 - **(API)** 'Force To Active / Verified' flag is no longer required when calling `/import-scan`, `/reimport-scan` endponts: a value of True now forces to Active, False now forces to Inactive, while setting a value of none (or not using the flag) will use the tool's status.
-- **(Beta UI)** Added ability to regenerate / copy your API token
-- **(Beta UI)** Fixed bug preventing date / planned remediation dates from being added via Bulk Edit
-- **(Import)** Added fields for EPSS score and percentile to Generic Findings Import parser
+- **(Beta UI)** Added ability to regenerate / copy your API token.
+- **(Beta UI)** Fixed bug preventing date / planned remediation dates from being added via Bulk Edit.
+- **(Import)** Added fields for EPSS score and percentile to Generic Findings Import parser.
 
 ## Dec 24, 2024: v2.41.3
 

docs/content/en/customize_dojo/notifications/configure_system_notifs.md

@@ -20,4 +20,23 @@ Both an account’s Personal Notifications and the global System Notifications c
 
 ![image](images/Configure_System_&_Personal_Notifications_2.png)
 
-To set destinations for system wide email notifications (Email, Slack or MS Teams), see our [Guide](../email_slack_teams).
+To set destinations for system wide email notifications (Email, Slack or MS Teams), see our [Guide](../email_slack_teams).
+
+## Template Notifications
+
+Superusers also have access to a "Template" form.  The Template Form allows you to set the default Personal Notifications that are enabled for any new user.
+
+## Where System Notifications Are Sent
+
+System notifications will be sent to:
+- the single email address specified in System Settings (if enabled)
+- any DefectDojo users with accounts and appropriate RBAC permissions
+- the System-wide Slack or Teams account.
+
+As with any notification in DefectDojo, System Notifications will only be sent to users that have access to the relevant data.  So even if Product Notifications are set up System-Wide, users will only receive notifications for the Products that they have access to view.
+
+This restriction does not apply to System Notifications that are sent to a specific Email or Slack channel.
+
+See our guide on [Role-Based Access Control](../../user_management/about_perms_and_roles/) for more information on RBAC and setting permissions.
+
+However, the connected System Email, Slack and Teams accounts cannot apply RBAC as they are not associated with a specific DefectDojo user.  **All selected system-wide notifications will be sent to these locations, so you should ensure that these channels can only be accessed by specific people in your organization.**

docs/content/en/open_source/archived_docs/usage/models.md

@@ -3,9 +3,10 @@ title: "Core data classes"
 description: "DefectDojo is made to be flexible to conform to your program, rather than making your team conform to the tool."
 draft: false
 weight: 1
+exclude_search: true
 ---
 
-{{ readFile "/docs/assets/svgs/DD-Hierarchy.svg" | safeHTML }}
+![image](images/dd-hierarchy.png)
 
 ## Product Type
 

docs/content/en/open_source/installation/architecture.md

@@ -5,7 +5,7 @@ draft: false
 weight: 1
 ---
 
-{{ readFile "/docs/assets/svgs/DD-Architecture.svg" | safeHTML }}
+![image](images/dd-architecture.png)
 
 ## NGINX
 

docs/content/en/open_source/upgrading/2.42.md

@@ -1,7 +1,7 @@
 ---
 title: 'Upgrading to DefectDojo Version 2.42.x'
 toc_hide: true
-weight: -20241104
+weight: -20241202
 description: No special instructions.
 ---
 There are no special instructions for upgrading to 2.42.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.42.0) for the contents of the release.

docs/content/en/share_your_findings/jira_integration/_index.md

@@ -1,5 +1,5 @@
 ---
-title: "Connect To Jira"
+title: "Send Findings To Jira"
 description: "Send DefectDojo Findings to one or more Jira Projects"
 summary: ""
 date: 2023-09-07T16:06:50+02:00

docs/content/en/share_your_findings/jira_integration/add_jira_to_product.md

@@ -37,19 +37,19 @@ Jira settings are located near the bottom of the Product Settings page.
 
 ![image](images/Add_a_Connected_Jira_Project_to_a_Product_2.png)
 
-#### **Jira Instance**
+### Jira Instance
 
 If you have multiple instances of Jira set up, for separate products or teams within your organization, you can indicate which Jira Project you want DefectDojo to create Issues in. Select a Project from the drop\-down menu.
 
 If this menu doesn't list any Jira instances, confirm that those Projects are connected in your global Jira Configuration for DefectDojo \- yourcompany.defectdojo.com/jira.
 
-#### **Project key**
+### Project key
 
 This is the key of the Project that you want to use with DefectDojo.  The Project Key for a given project can be found in the URL.
 
 ![image](images/Add_a_Connected_Jira_Project_to_a_Product_3.png)
 
-#### **Issue template**
+### Issue template
 
 Here you can determine how much DefectDojo metadata you want to send to Jira. Select one of two options:
 
@@ -65,7 +65,7 @@ Here is an example of a **jira\_full** Issue:
 
 ![image](images/Add_a_Connected_Jira_Project_to_a_Product_5.png)
 
-#### **Component**
+### Component
 
 If you manage your Jira project using Components, you can assign the appropriate Component for DefectDojo here.
 
@@ -87,19 +87,23 @@ Select the relevant labels that you want the Issue to be created with in Jira, e
 
 ![image](images/Add_a_Connected_Jira_Project_to_a_Product_6.png)
 
-#### **Default assignee**
+### Default assignee
 
 The name of the default assignee in Jira. If left blank, DefectDojo will follow the default behaviour in your Jira Project when creating Issues.
 
-#### Checkbox options
+## Additional Jira Options
 
-![image](images/Add_a_Connected_Jira_Project_to_a_Product_7.png)
+### Enable Connection With Jira Project
 
-#### **Add vulnerability Id as a Jira label**
+Jira integrations can be removed from your instance only if no related Issues have been created.  If Issues have been created, there is no way to completely remove a Jira Instance from DefectDojo.
+
+However, you can disable your Jira integration by disabling it at the Product level. This will not delete or change any existing Jira tickets created by DefectDojo, but will disable any further updates.
+
+### Add Vulnerability Id as a Jira label
 
 This allows you to add the Vulnerability ID data as a Jira Label automatically. Vulnerability IDs are added to Findings from individual security tools \- these may be Common Vulnerabilities and Exposures (CVE) IDs or a different format, specific to the tool reporting the Finding. 
 
-#### **Enable engagement epic mapping**
+### Enable Engagement Epic Mapping
 
 In DefectDojo, Engagements represent a collection of work. Each Engagement contains one or more tests, which contain one or more Findings which need to be mitigated. Epics in Jira work in a similar way, and this checkbox allows you to push Engagements to Jira as Epics.
 
@@ -110,21 +114,21 @@ In DefectDojo, Engagements represent a collection of work. Each Engagement conta
 
 ![image](images/Add_a_Connected_Jira_Project_to_a_Product_9.png)
 
-#### **Push All Issues**
+### Push All Issues
 
 If checked, DefectDojo will automatically push any Active and Verified Findings to Jira as Issues. If left unchecked, all Findings will need to be pushed to Jira manually.
 
-#### **Push notes**
+### Push Notes
 
 If enabled, Jira comments will populate on the associated Finding in DefectDojo, under Notes on the issue(screenshot), and vice versa; Notes on Findings will be added to the associated Jira Issue as Comments. 
 
-#### **Send SLA notifications as comment?**
+### Send SLA Notifications As Comments
 
 If enabled, any Issue which breaches DefectDojo’s Service Level Agreement rules will have comments added to the Jira issue indicating this. These comments will be posted daily until the Issue is resolved.
 
 Service Level Agreements can be configured under **Configuration \> SLA Configuration** in DefectDojo and assigned to each Product.
 
-#### **Send Risk Acceptance expiration notifications as comment?**
+### Send Risk Acceptance Expiration Notifications As Comment?
 
 If enabled, any Issue where the associated DefectDojo Risk Acceptance expires will have a comment added to the Jira issue indicating this. These comments will be posted daily until the Issue is resolved.