Merge pull request #14678 from DefectDojo/master-into-dev/2.57.1-2.58.0-dev

Release: Merge back 2.57.1 into dev from: master-into-dev/2.57.1-2.58.0-dev

Author: rossops

docs/content/admin/sso/PRO__saml.md

@@ -45,6 +45,20 @@ If no group with a matching name exists, DefectDojo will automatically create on
 
 To activate group mapping, check the **Enable Group Mapping** checkbox at the bottom of the form.
 
+## Cloud vs On-Premise Differences
+
+DefectDojo Cloud does not have the same level of SAML customization as DefectDojo On-Prem.  The only variables that can be set are through the UI.  Here are some of the key differences:
+
+| Capability | Cloud | On-Premise |
+|---|---|---|
+| **Username matching** | NameID only | NameID only (the `SAML_USE_NAME_ID_AS_USERNAME` env var applies to Open Source only, not Pro) |
+| **SAML assertion encryption** | Not currently supported | Not currently supported |
+| **SAML login logs** | Not available in the UI. Contact Support to request logs. | Available via application container logs (`docker logs dojo`) |
+| **Configuration method** | Enterprise Settings UI only | Enterprise Settings UI, Django Admin, or Django Shell |
+| **Environment variables** | Cannot be set by customers directly. Contact Support for changes. | Can be set via `dojo-compose-cli environment add` |
+
+If you need to match users on an attribute other than NameID (such as `uid` or `email`), configure your Identity Provider to send the desired value as the NameID rather than adjusting DefectDojo settings.
+
 ## Additional Options
 
 * **Create Unknown User** — automatically create a new DefectDojo user if they are not found in the SAML response.

docs/content/asset_modelling/hierarchy/PRO__assets_organizations.md

@@ -8,7 +8,24 @@ aliases:
 ---
 DefectDojo Pro is extending the Product/Product Type object classes to provide greater flexibility with the data model.
 
-Currently, this feature is in Beta. Pro users who are interested in opting in can do so by emailing [support@defectdojo.com](mailto:support@defectdojo.com).
+Currently, this feature is in Beta.
+
+## Enabling the Hierarchy Feature
+
+Hierarchy features ship with new versions of DefectDojo Pro by default, but existing customers who wish to migrate these features can do so using the following methods
+
+### Cloud Customers
+
+The hierarchy feature and label changes must be enabled by DefectDojo Support. Email [support@defectdojo.com](mailto:support@defectdojo.com) with your instance URL and request:
+
+1. **Asset Hierarchy** — enables parent/child relationships between Assets. Once enabled, the hierarchy can be viewed and managed from the **Product** tab in the navigation.
+2. **Label Changes** (optional) — renames "Product Type" to "Organization" and "Product" to "Asset" throughout the UI. This is a separate step from enabling the hierarchy and can be requested at the same time or later.
+
+Note that label changes are cosmetic only: API endpoints and field names remain unchanged, so existing automation will continue to work.
+
+### On-Premise Customers
+
+ Contact Support for guidance on enabling these features via your instance configuration.
 
 ## Significant Changes
 

docs/content/automation/api/api-v2-docs.md

@@ -264,6 +264,34 @@ A classic way of reimporting a scan is by specifying the ID of the test instead:
 }
 ```
 
+## Asynchronous Deletion Behavior
+
+Deletions in DefectDojo (via both the API and UI) are processed **asynchronously** by Celery background workers. When you delete an Engagement, Test, or other object, the API or UI returns a success response immediately, but the actual deletion runs in the background.
+
+This means:
+- Objects may still appear in queries for a period of time after deletion is confirmed.
+- Cascade deletions (e.g., deleting an Engagement also deletes its Tests and Findings) are processed as a chain of background tasks. Child objects are removed in dependency order: Findings, then Tests, then Engagements.
+- For large Engagements with many Findings, this process can take several minutes to complete.
+
+There is no need to build custom scripts to delete objects in dependency order. A single `DELETE` request on an Engagement will cascade to all child objects automatically. Simply allow time for the background tasks to complete.
+
+## API Pagination Limits
+
+DefectDojo Pro enforces a maximum page size of **250** results per API request. Setting `limit` higher than 250 may result in HTTP 502 errors due to query timeouts.
+
+Open Source DefectDojo instances may also experience timeouts with very large page sizes depending on dataset size and server resources.
+
+For large result sets, use pagination with a page size of 50-250 and add short delays between paginated requests to avoid saturating the worker pool.
+
+## Large-Scale Import Best Practices
+
+When importing scan results at scale (e.g., SBOM pipelines with thousands of components), consider the following:
+
+- **Use `background_import=true`** for large payloads. Synchronous imports tie up a uwsgi worker for the duration of the import, which can degrade performance for all users.
+- **Target payload sizes under 1 MB per import** where possible. Split large SBOMs into smaller files per product or component group.
+- **Add delays between consecutive API calls** to avoid worker pool exhaustion, which causes HTTP 502 errors.
+- **Use Reimport** (`/api/v2/reimport-scan/`) for recurring scans to update existing findings rather than creating duplicates.
+
 ## Using the Scan Completion Date (API: `scan_date`) field
 
 DefectDojo offers a plethora of supported scanner reports, but not all of them contain the

docs/content/issue_tracking/intro/intro.md

@@ -10,8 +10,8 @@ The DefectDojo issue tracking integrations connect your vulnerability management
 
 | Edition      | Supported Issue Tracking Integrations |
 |--------------|---------------------------------------|
-| Community Edition  | * Jira                          |
-| Pro          | * Jira<br>* Azure DevOps<br>* GitHub<br>* GitLab Boards<br>* ServiceNow |
+| Community Edition  | * [Jira](/issue_tracking/jira/os__jira_guide/)                          |
+| Pro          | * [Jira](/issue_tracking/jira/pro__jira_guide/)<br>* [Azure DevOps](/issue_tracking/pro_integration/integrations_toolreference/#azure-devops-boards)<br>* [GitHub](/issue_tracking/pro_integration/integrations_toolreference/#github)<br>* [GitLab Boards](/issue_tracking/pro_integration/integrations_toolreference/#gitlab)<br>* [ServiceNow](/issue_tracking/pro_integration/integrations_toolreference/#servicenow) |
 
 
 When enabled, DefectDojo can create issues automatically, or selectively from Products or Engagement. As Findings are updated in DefectDojo—resolved, mitigated, or reactivated—the corresponding issues can be kept in sync, ensuring both systems reflect the current state of risk.

docs/content/issue_tracking/jira/troubleshooting_jira.md

@@ -55,6 +55,12 @@ For example:
 curl -H "Authorization: Bearer ATATT1234567890abcdefghijklmnopqrstuvwxyz" https://<COMPANY>.atlassian.net/rest/api/latest/issue/<JIRA_ISSUE_KEY>/transitions?expand=transitions.fields
 ```
 
+## Jira Service Accounts Are Not Supported
+
+Jira Cloud Service Accounts (created via Atlassian's admin console) use a different API host than standard user accounts and are **not currently supported** by DefectDojo's Jira integration. Attempting to use a Service Account API token or OAuth 2.0 credentials from a Service Account will result in HTTP 403 errors.
+
+To set up the Jira integration, create a standard Jira user account (with a valid email address) and generate an API token from that account. If you want to clearly identify issues created by DefectDojo, create a dedicated user named something like "DefectDojo" and use its API token for the integration.
+
 ## I can't find an Epic Name ID for my Space
 Certain Spaces in Jira, such as Team-Managed Spaces, do not use Epics and therefore will not have an Epic Name ID.  In this case, set Epic Name ID to 0 in DefectDojo.
 

docs/content/issue_tracking/pro_integration/integrations.md

@@ -5,6 +5,8 @@ audience: pro
 aliases:
   - /en/share_your_findings/integrations
 ---
+**Availability:** Integrations is currently in **Beta** and is only available for **Cloud-hosted** DefectDojo Pro instances. On-premise deployments do not yet have the required infrastructure to support Integrations. If you are an on-premise customer interested in this feature, please contact [support@defectdojo.com](mailto:support@defectdojo.com) for updates on availability.
+
 DefectDojo Pro's Integrations let you push your Findings and Finding Groups to ticket tracking systems to easily integrate security remediation with your teams existing development workflow.
 
 Supported Integrations:

docs/content/releases/pro/changelog.md

@@ -10,6 +10,20 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/releases/os_upgrading/upgrading_guide/).
 
+## Apr 2026: v2.57
+
+### Apr 7, 2026: v2.57.0
+
+* **(Custom Enrichment)** On-prem administrators can now configure custom URLs for EPSS and KEV enrichment data sources under **Settings → Finding Enrichment Settings**. Each source (EPSS scores and CISA Known Exploited Vulnerabilities) can be independently enabled and pointed to an internal mirror or proxy. A **Test Configuration** button validates connectivity before saving. Findings with CVE IDs are automatically enriched with EPSS score/percentile and KEV status during enrichment runs.
+* **(Performance)** Optimized API response times across all endpoints with selective field loading and conditional prefetches.
+* **(Performance)** Improved Dashboard load times by eliminating redundant authorization queries and caching license lookups.
+* **(Performance)** Improved deduplication performance by batching duplicate marking and deferring large text fields.
+* **(Performance)** Improved false-positive history processing performance during async imports by using batch operations.
+* **(Pro UI)** Asset hierarchy filter dropdowns now only show relevant options (e.g., Parent filter shows only assets that have children).
+* **(Security)** Hardened container configurations for improved runtime security.
+* **(Universal Parser)** Added a list view and field mappings modal to the Pro UI for managing Universal Parser configurations.
+* **(Universal Parser)** Added support for 7 new fields: `file_path`, `component_name`, `component_version`, `line`, `steps_to_reproduce`, `severity_justification`, and CVSSv4 vectors.
+
 ## Mar 2026: v2.56
 
 ### Mar 30, 2026: v2.56.4
@@ -107,31 +121,31 @@ No significant UX changes.
 
 ## Dec 2025: v2.53
 
-### Dec 29, 2025: v2.53.5
+#### Dec 29, 2025: v2.53.5
 
 * **(Pro UI)** Added Finding count columns to Engagement table.
 * **(Pro UI)** Enter/Return no longer automatically submits forms.
 
-### Dec 22, 2025: v2.53.4
+#### Dec 22, 2025: v2.53.4
 
 * **(Pro UI)** Asset Hierarchy now uses separate tabs for Asset selection and for the rendered Asset tree:
 ![image](images/asset-hierarchy-2.53.4.png)
 
-### Dec 15, 2025: v2.53.3
+#### Dec 15, 2025: v2.53.3
 
 *DefectDojo v2.53.2 does not have a corresponding Pro release.*
 
 * **(Connectors)** Support for private CA certificates has been added to Connectors to assist with connectivity.
 
-### Dec 8, 2025: v2.53.1
+#### Dec 8, 2025: v2.53.1
 
 * **(Assets/Organizations)** Introduced overhaul to Products/Product Types, added the ability to create and diagram relationships between Assets.  See [Assets/Organizations documentation](/asset_modelling/hierarchy/pro__assets_organizations/) for details, and information on opting in to the Beta.
 * **(Findings)** Added new KEV fields for ransomware, exploits, and date handling.
 * **(Pro UI)** Added Table Preferences menu, allowing you to store preset lists of columns for each table.
 
 ![image](images/pro_tablepreferences.png)
 
-### Dec 1, 2025: v2.53.0
+#### Dec 1, 2025: v2.53.0
 
 * **(Pro UI)** Added Asset Hierarchy.
 * **(Priority)** Priority and Risk can now be overridden manually, or through Rules Engine.

docs/content/supported_tools/parsers/api/sonarqube.md

@@ -31,6 +31,23 @@ In `Add API Scan Configuration`
 -   If using SonarCloud, the organization ID can be used from step 1, but it
     can be overridden by supplying a different organization ID in the `Service key 2` input field.
 
+## Disabling Hotspot Imports
+
+By default, the SonarQube API Import includes both security issues and security hotspots. To import only security issues and exclude hotspots, set the following environment variable on your DefectDojo instance:
+
+```
+DD_SONARQUBE_API_PARSER_HOTSPOTS=False
+```
+
+For on-premise installations using the dojo-compose-cli:
+
+```bash
+dojo-compose-cli environment add --key DD_SONARQUBE_API_PARSER_HOTSPOTS --value "False"
+dojo-compose-cli app stop && dojo-compose-cli app start
+```
+
+Note that this setting is instance-wide and affects all SonarQube API imports. There is currently no per-tool-configuration or per-import toggle for hotspots. If you need hotspots for some projects but not others, you will need to build a custom middleware to filter results before importing.
+
 ## Multiple SonarQube API Configurations
 
 In the import or re-import dialog, you can select which `API Scan

docs/package-lock.json

@@ -27,7 +27,7 @@
   },
   "devDependencies": {
     "prettier": "3.8.1",
-    "vite": "7.3.1"
+    "vite": "7.3.2"
   },
   "engines": {
     "node": ">=20.11.0"