DefectDojo
diff --git a/‎docker-compose.override.dev.yml‎
Lines changed: 12 additions & 0 deletions b/‎docker-compose.override.dev.yml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/content/en/changelog/changelog.md‎
Lines changed: 9 additions & 0 deletions b/‎docs/content/en/changelog/changelog.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎docs/content/en/open_source/upgrading/2.54.3.md‎
Lines changed: 9 additions & 0 deletions b/‎docs/content/en/open_source/upgrading/2.54.3.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎docs/content/en/open_source/upgrading/2.55.md‎
Lines changed: 8 additions & 2 deletions b/‎docs/content/en/open_source/upgrading/2.55.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎docs/package-lock.json‎
Lines changed: 8 additions & 8 deletions b/‎docs/package-lock.json‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎docs/package.json‎
Lines changed: 2 additions & 2 deletions b/‎docs/package.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎dojo/auditlog.py‎
Lines changed: 11 additions & 2 deletions b/‎dojo/auditlog.py‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎dojo/cred/queries.py‎
Lines changed: 68 additions & 22 deletions b/‎dojo/cred/queries.py‎
Lines changed: 68 additions & 22 deletions
diff --git a/‎dojo/cred/views.py‎
Lines changed: 2 additions & 2 deletions b/‎dojo/cred/views.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎dojo/db_migrations/0250_pghistory_backfill.py‎
Lines changed: 2 additions & 0 deletions b/‎dojo/db_migrations/0250_pghistory_backfill.py‎
Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,10 @@ services:
       DD_ADMIN_PASSWORD: "${DD_ADMIN_PASSWORD:-admin}"
       DD_EMAIL_URL: "smtp://mailhog:1025"
   celeryworker:
+    build:
+      context: .
+      dockerfile: Dockerfile.django-${DEFECT_DOJO_OS:-debian}
+      target: development
     entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432}', '-t', '30', '--', '/entrypoint-celery-worker-dev.sh']
     volumes:
       - '.:/app:z'
@@ -24,12 +28,20 @@ services:
       DD_DEBUG: 'True'
       DD_EMAIL_URL: "smtp://mailhog:1025"
   celerybeat:
+    build:
+      context: .
+      dockerfile: Dockerfile.django-${DEFECT_DOJO_OS:-debian}
+      target: development
     volumes:
       - '.:/app:z'
     environment:
       PYTHONWARNINGS: error  # We are strict about Warnings during development
       DD_DEBUG: 'True'
   initializer:
+    build:
+      context: .
+      dockerfile: Dockerfile.django-${DEFECT_DOJO_OS:-debian}
+      target: development
     volumes:
       - '.:/app:z'
     environment:
 
@@ -10,6 +10,15 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 
 ## Jan 2025: v2.54
 
+### Jan 20, 2025: v2.54.2
+
+* **(Pro UI)** corrected a bug where unordered lists would display as ordered lists in editor forms.
+* **(Smart Upload)** introduced severity filtering to the Smart Importer to skip findings below a specified severity level. Added detailed logging throughout the findings processing to improve traceability and debugging.
+
+### Jan 12, 2025: v2.54.1
+
+* **(AI Tools)** added Risk Scores to schema for MCP processing.
+
 ### Jan 5, 2025: v2.54.0
 
 No significant UX changes.
 
@@ -0,0 +1,9 @@
+---
+title: 'Upgrading to DefectDojo Version 2.54.3'
+toc_hide: true
+weight: -20250602
+description: Trivy parser deduplication
+---
+
+## Trivy parser deduplication
+Deduplication of Trivy misconfiguration findings is improved for newly imported findings, but existing findings may no longer match because they don’t contain the new vulnerability_id or file_path fields.
@@ -2,6 +2,12 @@
 title: 'Upgrading to DefectDojo Version 2.55.x'
 toc_hide: true
 weight: -20260105
-description: No special instructions.
+description: Authorization related optimizations
 ---
-There are no special instructions for upgrading to 2.55.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.55.0) for the contents of the release.
+
+## Authorization related optimizations
+
+The queries related to authorizations have been optmized. For example retrieving the list of authorized findings for the logged in user.
+Some of these are now also cached during that duration of a request. This should have no functional effects and only results in better performance.
+
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.55.0) for the contents of the release.
@@ -20,8 +20,8 @@
     "@docsearch/js": "4.5.3",
     "@tabler/icons": "3.36.1",
     "@thulite/doks-core": "1.8.3",
-    "@thulite/images": "3.3.3",
-    "@thulite/inline-svg": "1.2.1",
+    "@thulite/images": "3.3.4",
+    "@thulite/inline-svg": "1.2.2",
     "@thulite/seo": "2.4.2",
     "thulite": "2.6.4"
   },
 
@@ -805,7 +805,16 @@ def process_model_backfill(
     """
     if progress_callback is None:
         def progress_callback(msg, style=None):
-            logger.info(msg)
+            if style == "ERROR":
+                logger.error(msg)
+            elif style == "WARNING":
+                logger.warning(msg)
+            elif style == "SUCCESS":
+                logger.info(msg)
+            elif style == "DEBUG":
+                logger.debug(msg)
+            else:
+                logger.info(msg)
 
     try:
         table_name, event_table_name = get_table_names(model_name)
@@ -821,7 +830,7 @@ def progress_callback(msg, style=None):
             progress_callback(
                 f"  Event table {event_table_name} not found. "
                 f"Is {model_name} tracked by pghistory?",
-                "ERROR",
+                "DEBUG",
             )
             return 0, 0.0
 
 
@@ -1,17 +1,21 @@
 from crum import get_current_user
-from django.db.models import Exists, OuterRef, Q
+from django.db.models import Q, Subquery
 
 from dojo.authorization.authorization import get_roles_for_permission, user_has_global_permission
 from dojo.models import Cred_Mapping, Product_Group, Product_Member, Product_Type_Group, Product_Type_Member
+from dojo.request_cache import cache_for_request
 
 
-def get_authorized_cred_mappings(permission, queryset=None):
+# Cached: all parameters are hashable, no dynamic queryset filtering
+@cache_for_request
+def get_authorized_cred_mappings(permission):
+    """Cached - returns all cred mappings the user is authorized to see."""
     user = get_current_user()
 
     if user is None:
         return Cred_Mapping.objects.none()
 
-    cred_mappings = Cred_Mapping.objects.all().order_by("id") if queryset is None else queryset
+    cred_mappings = Cred_Mapping.objects.all().order_by("id")
 
     if user.is_superuser:
         return cred_mappings
@@ -20,27 +24,69 @@ def get_authorized_cred_mappings(permission, queryset=None):
         return cred_mappings
 
     roles = get_roles_for_permission(permission)
+
+    # Get authorized product/product_type IDs via subqueries
     authorized_product_type_roles = Product_Type_Member.objects.filter(
-        product_type=OuterRef("product__prod_type_id"),
-        user=user,
-        role__in=roles)
+        user=user, role__in=roles,
+    ).values("product_type_id")
+
     authorized_product_roles = Product_Member.objects.filter(
-        product=OuterRef("product_id"),
-        user=user,
-        role__in=roles)
+        user=user, role__in=roles,
+    ).values("product_id")
+
     authorized_product_type_groups = Product_Type_Group.objects.filter(
-        product_type=OuterRef("product__prod_type_id"),
-        group__users=user,
-        role__in=roles)
+        group__users=user, role__in=roles,
+    ).values("product_type_id")
+
     authorized_product_groups = Product_Group.objects.filter(
-        product=OuterRef("product_id"),
-        group__users=user,
-        role__in=roles)
-    cred_mappings = cred_mappings.annotate(
-        product__prod_type__member=Exists(authorized_product_type_roles),
-        product__member=Exists(authorized_product_roles),
-        product__prod_type__authorized_group=Exists(authorized_product_type_groups),
-        product__authorized_group=Exists(authorized_product_groups))
+        group__users=user, role__in=roles,
+    ).values("product_id")
+
+    # Filter using IN with Subquery - no annotations needed
     return cred_mappings.filter(
-        Q(product__prod_type__member=True) | Q(product__member=True)
-        | Q(product__prod_type__authorized_group=True) | Q(product__authorized_group=True))
+        Q(product__prod_type_id__in=Subquery(authorized_product_type_roles))
+        | Q(product_id__in=Subquery(authorized_product_roles))
+        | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups))
+        | Q(product_id__in=Subquery(authorized_product_groups)),
+    )
+
+
+def get_authorized_cred_mappings_for_queryset(permission, queryset):
+    """Filters a provided queryset for authorization. Not cached due to dynamic queryset parameter."""
+    user = get_current_user()
+
+    if user is None:
+        return Cred_Mapping.objects.none()
+
+    if user.is_superuser:
+        return queryset
+
+    if user_has_global_permission(user, permission):
+        return queryset
+
+    roles = get_roles_for_permission(permission)
+
+    # Get authorized product/product_type IDs via subqueries
+    authorized_product_type_roles = Product_Type_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_roles = Product_Member.objects.filter(
+        user=user, role__in=roles,
+    ).values("product_id")
+
+    authorized_product_type_groups = Product_Type_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_type_id")
+
+    authorized_product_groups = Product_Group.objects.filter(
+        group__users=user, role__in=roles,
+    ).values("product_id")
+
+    # Filter using IN with Subquery - no annotations needed
+    return queryset.filter(
+        Q(product__prod_type_id__in=Subquery(authorized_product_type_roles))
+        | Q(product_id__in=Subquery(authorized_product_roles))
+        | Q(product__prod_type_id__in=Subquery(authorized_product_type_groups))
+        | Q(product_id__in=Subquery(authorized_product_groups)),
+    )
@@ -8,7 +8,7 @@
 
 from dojo.authorization.authorization_decorators import user_is_authorized, user_is_configuration_authorized
 from dojo.authorization.roles_permissions import Permissions
-from dojo.cred.queries import get_authorized_cred_mappings
+from dojo.cred.queries import get_authorized_cred_mappings_for_queryset
 from dojo.forms import CredMappingForm, CredMappingFormProd, CredUserForm, NoteForm
 from dojo.models import Cred_Mapping, Cred_User, Engagement, Finding, Product, Test
 from dojo.utils import Product_Tab, add_breadcrumb, dojo_crypto_encrypt, prepare_for_view
@@ -85,7 +85,7 @@ def view_cred_details(request, ttid):
     notes = cred.notes.all()
     cred_products = Cred_Mapping.objects.select_related("product").filter(
         product_id__isnull=False, cred_id=ttid).order_by("product__name")
-    cred_products = get_authorized_cred_mappings(Permissions.Product_View, cred_products)
+    cred_products = get_authorized_cred_mappings_for_queryset(Permissions.Product_View, cred_products)
 
     if request.method == "POST":
         form = NoteForm(request.POST)
 
@@ -43,6 +43,8 @@ def progress_callback(msg, style=None):
             logger.warning(msg)
         elif style == "SUCCESS":
             logger.info(msg)
+        elif style == "DEBUG":
+            logger.debug(msg)
         else:
             logger.info(msg)