Merge branch 'bugfix' into issue_13593

Author: manuel-sommer

docs/assets/images/priority_chooseengine.png

@@ -58,8 +58,9 @@ High. Criticality is a subjective field, so when assigning this field, consider
 Product compares to other Products in your organization.
 * **User Records** is a numerical estimation of user records in a database (or a system
 that can access that database).
-* **Revenue** is a numerical estimation of annual revenue for the Product. It is not
-possible to set a currency type in DefectDojo, so make sure that all of your Revenue
+* **Revenue** is a numerical estimation of annual revenue for the Product. To calculate Priority, DefectDojo will calculate a percentage by comparing this Product's revenue to the sum of all Products within the Product Type.
+
+It is not possible to set a currency type in DefectDojo, so make sure that all of your Revenue
 estimations have the same currency denomination. (“50000” could mean $50,000
 US Dollars or ¥50,000 Japanese Yen - the denomination does not matter as long as
 all of your Products have revenue calculated in the same currency).
@@ -85,9 +86,6 @@ Findings within a Product can have additional metadata which can further adjust
 * Whether the Finding is in the KEV (Known Exploited Vulnerabilities) database, which is checked by DefectDojo on a regular basis
 * The tool-reported Severity of a Finding (Info, Low, Medium, High, Critical)
 
-Currently, Priority calculation and the underlying formula cannot be adjusted. These
-numbers are meant as a reference only - your team’s actual priority for remediation
-may vary from the DefectDojo calculation.
 
 ## Finding Risk Calculation
 

docs/assets/images/priority_default.png

@@ -0,0 +1,62 @@
+---
+title: "Adjusting Priority and Risk (Pro)"
+description: "Change weighting of Priority and Risk calculations"
+weight: 2
+---
+
+DefectDojo Pro's Priority and Risk calculations can be adjusted, allowing you to tailor DefectDojo Pro to match your internal standards for Finding Priority and Risk.
+
+## Prioritization Engines
+
+Similar to SLA configurations, Prioritization Engines allow you to set the rules governing how Priority and Risk are calculated.
+
+![image](images/priority_default.png)
+
+DefectDojo comes with a built-in Prioritization Engine, which is applied to all Products.  However, you can edit this Prioritization Engine to change the weighting of **Finding** and **Product** multipliers, which will adjust how Finding Priority and Risk are assigned.
+
+### Finding Multipliers
+
+Eight contextual factors impact the Priority score of a Finding.  Three of these are Finding-specific, and the other five are assigned based on the Product that holds the Finding.
+
+You can tune your Prioritization Engine by adjusting how these factors are applied to the final calculation.
+
+![image](images/priority_sliders.png)
+
+Select a factor by clicking the button, and adjust this slider allows you to control the percentage a particular factor is applied.  As you adjust the slider, you'll see the Risk thresholds change as a result.
+
+#### Finding-Level Multipliers
+
+* **Severity** - a Finding's Severity level
+* **Exploitability** - a Finding's KEV and/or EPSS score
+* **Endpoints** - the amount of Endpoints associated with a Finding
+
+#### Product-Level Multipliers
+
+* **Business Criticality** - the related Product's Business Criticality (None, Very Low, Low, Medium, High, or Very
+High)
+* **User Records** - the related Product's User Records count
+* **Revenue** - the related Product's revenue, relative to the total revenue of the Product Type
+* **External Audience** - whether or not the related Product has an external audience
+* **Internet Accessible** - whether or not the related Product is internet accessible
+
+### Risk Thresholds
+
+Based on the tuning of the Priority Engine, DefectDojo will automatically recommend Risk Thresholds.  However, these thresholds can be adjusted as well and set to whatever values you deem appropriate.
+
+![image](images/risk_threshold.png)
+
+## Creating New Prioritization Engines
+
+You can use multiple Prioritization Engines, which can each be assigned to different Products.
+
+![image](images/priority_engine_new.png)
+
+Creating a new Prioritization Engine will open the Prioritization Engine form.  Once this form is submitted, a new Prioritization Engine will be added to the table.
+
+## Assigning Prioritization Engines to Products
+
+Each Product can have a Prioritization Engine currently in use via the **Edit Product** form for a given Product.
+
+![image](images/priority_chooseengine.png)
+
+Note that when a Product's Prioritization Engine is changed, or a Prioritization Engine is updated, the Product's Prioritization Engine or the Prioritization Engine itself will be "Locked" until the prioritization calculation has completed.

docs/assets/images/priority_engine_new.png

@@ -94,6 +94,11 @@ def process_exception(self, request, exception):
         if isinstance(exception, AuthForbidden):
             messages.error(request, "You are not authorized to log in via this method. Please contact support or use the standard login.")
             return redirect("/login?force_login_form")
+        if isinstance(exception, TypeError) and "'NoneType' object is not iterable" in str(exception):
+            logger.warning("OIDC login error: NoneType is not iterable")
+            messages.error(request, "An unexpected error occurred during social login. Please use the standard login.")
+            return redirect("/login?force_login_form")
+        logger.error(f"Unhandled exception during social login: {exception}")
         return super().process_exception(request, exception)
 
 

docs/assets/images/priority_sliders.png

@@ -183,5 +183,6 @@ def sanitize_username(username):
 def create_user(strategy, details, backend, user=None, *args, **kwargs):
     if not settings.SOCIAL_AUTH_CREATE_USER:
         return None
-    details["username"] = sanitize_username(details.get("username"))
+    username = details.get(settings.SOCIAL_AUTH_CREATE_USER_MAPPING)
+    details["username"] = sanitize_username(username)
     return social_core.pipeline.user.create_user(strategy, details, backend, user, args, kwargs)

docs/assets/images/risk_threshold.png

@@ -113,6 +113,7 @@
     DD_FORGOT_USERNAME=(bool, True),  # do we show link "I forgot my username" on login screen
     DD_SOCIAL_AUTH_SHOW_LOGIN_FORM=(bool, True),  # do we show user/pass input
     DD_SOCIAL_AUTH_CREATE_USER=(bool, True),  # if True creates user at first login
+    DD_SOCIAL_AUTH_CREATE_USER_MAPPING=(str, "username"),  # could also be email or fullname
     DD_SOCIAL_LOGIN_AUTO_REDIRECT=(bool, False),  # auto-redirect if there is only one social login method
     DD_SOCIAL_AUTH_TRAILING_SLASH=(bool, True),
     DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED=(bool, False),
@@ -574,6 +575,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 SHOW_LOGIN_FORM = env("DD_SOCIAL_AUTH_SHOW_LOGIN_FORM")
 SOCIAL_LOGIN_AUTO_REDIRECT = env("DD_SOCIAL_LOGIN_AUTO_REDIRECT")
 SOCIAL_AUTH_CREATE_USER = env("DD_SOCIAL_AUTH_CREATE_USER")
+SOCIAL_AUTH_CREATE_USER_MAPPING = env("DD_SOCIAL_AUTH_CREATE_USER_MAPPING")
 
 SOCIAL_AUTH_STRATEGY = "social_django.strategy.DjangoStrategy"
 SOCIAL_AUTH_STORAGE = "social_django.models.DjangoStorage"
@@ -1881,6 +1883,7 @@ def saml2_attrib_map_format(din):
     "KB": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=",  # e.g. https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0108401
     "KHV": "https://avd.aquasec.com/misconfig/kubernetes/",  # e.g. https://avd.aquasec.com/misconfig/kubernetes/khv045
     "LEN-": "https://support.lenovo.com/cl/de/product_security/",  # e.g. https://support.lenovo.com/cl/de/product_security/LEN-94953
+    "MAL-": "https://cvepremium.circl.lu/vuln/",  # e.g. https://cvepremium.circl.lu/vuln/mal-2025-49305
     "MGAA-": "https://advisories.mageia.org/&&.html",  # e.g. https://advisories.mageia.org/MGAA-2013-0054.html
     "MGASA-": "https://advisories.mageia.org/&&.html",  # e.g. https://advisories.mageia.org/MGASA-2025-0023.html
     "MSRC_": "https://cvepremium.circl.lu/vuln/",  # e.g. https://cvepremium.circl.lu/vuln/msrc_cve-2025-59200