Release: Merge back 2.56.3 into dev from: master-into-dev/2.56.3-2.57.0-dev (#14580)

* Update versions in application files

* Exclude async_user from celery task (#14506)

* [doc] various updates (#14484)

* implement lychee

* pass unit tests

* update contribution guidelines for docs

* [doc] close_old_findings diff between import types

* remove usage docs from open_source/archive

* move docs archive up a folder

* rules engine is pro only

* create a single notification_webhooks article

* mv remaining open_source articles

* chore: normalize line endings to LF per .gitattributes

* fix links

* remove redundant upgrade file

* Merge pull request #14551 from dogboat/drop-system-settings-credentials

Drop System_Settings "credentials" field

* Change dependabot and renovate to weekly on Wednesdays (#14552)

* Change dependabot and renovate schedules from daily to weekly on Wednesdays

Reduces noise from dependency update PRs by limiting both dependabot and
renovate to run once per week on Wednesdays instead of daily.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Pin Hugo version and prevent automated update PRs

Remove Renovate annotations from Hugo version lines in workflow files
and add gohugoio/hugo to ignoreDeps in renovate.json to prevent
Dependabot/Renovate from opening PRs to bump the Hugo version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix import-languages 500 errors and optimize DB performance (#14553)

* Fix import-languages endpoint 500 errors and optimize performance

The /api/v2/import-languages/ endpoint was producing 500 errors due to
database integrity issues on Language_Type and Languages models. This
commit addresses both reliability and performance.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix ruff lint errors in serializer and migration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Consolidate two migrations into single 0262_language_type_unique_language

Combines the data deduplication (RunPython) and schema change (AlterField)
into a single migration file.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix test fixtures conflicting with Language_Type unique constraint

Remove Language_Type entries from test fixtures that duplicate languages
already seeded by migration 0115_language_types. Update Languages FK
references to point to the correct seeded Language_Type PKs.

- dojo_testdata.json: Remove JSON (pk=1) and Python (pk=2) Language_Type
  entries, update Languages FK from pk=1 to pk=94 (seeded JSON pk)
- dojo_testdata_locations.json: Same changes
- defect_dojo_sample_data.json: Remove 3 conflicting Language_Type entries
  (DOS Batch, InstallShield, Ruby) with PKs that differ from seed data
- defect_dojo_sample_data_locations.json: Same changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Renumber migration from 0262 to 0263 to avoid conflict

Migration 0262_remove_system_settings_credentials was merged to the
bugfix branch. Renumber our migration to 0263 and update the dependency
chain and max_migration.txt accordingly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* Extended migration steps for PostgreSQL data (#14561)

Extended migration steps for PostgreSQL data after upgrading to 2.55.4.

* Fix deterministic ordering for async_dupe_delete when duplicate dates tie (#14562)

* fix: deterministic order when deleting excess duplicate findings

order_by("date") does not define order for rows with identical dates.
Add id as secondary sort so async_dupe_delete removes oldest duplicates
first (by date, then id), matching documented behavior.

* test: cover async_dupe_delete ordering when duplicate dates match

Add test_delete_duplicate_order_same_date_tiebreak_by_id; lower-id
duplicate is removed first when max_dupes is exceeded and date ties.

* Parse Twistlock packagePath so that we can record where the CVE is found (#14549)

* Update versions in application files

* Update versions in application files

---------

Co-authored-by: DefectDojo release bot <dojo-release-bot@users.noreply.github.com>
Co-authored-by: Ross E Esposito <ross@defectdojo.com>
Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com>
Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
Co-authored-by: dogboat <dogboat@users.noreply.github.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Stephan Pillhofer <43667664+DarkR0ast@users.noreply.github.com>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

Author: 9 people

.github/dependabot.yml

@@ -3,7 +3,8 @@ updates:
 - package-ecosystem: pip
   directory: "/"
   schedule:
-    interval: daily
+    interval: weekly
+    day: wednesday
     time: "08:00"
   open-pull-requests-limit: 10
   target-branch: dev
@@ -17,7 +18,8 @@ updates:
 - package-ecosystem: npm
   directory: "/components"
   schedule:
-    interval: daily
+    interval: weekly
+    day: wednesday
     time: "08:00"
   open-pull-requests-limit: 10
   target-branch: dev

.github/renovate.json

@@ -1,7 +1,9 @@
 {
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    "schedule:weekly"
   ],
+  "schedule": ["* * * * 3"],
   "dependencyDashboard": true,
   "dependencyDashboardApproval": false,
   "baseBranchPatterns": ["dev"],
@@ -16,7 +18,7 @@
     "dojo/components/yarn.lock",
     "dojo/components/package.json"
   ],
-  "ignoreDeps": [],
+  "ignoreDeps": ["gohugoio/hugo"],
   "packageRules": [{
     "matchPackageNames": ["*"],
     "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",

.github/workflows/gh-pages.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.153.4' # renovate: datasource=github-releases depName=gohugoio/hugo
+          hugo-version: '0.153.4'
           extended: true
 
       - name: Setup Node

.github/workflows/validate_docs_build.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.153.4' # renovate: datasource=github-releases depName=gohugoio/hugo
+          hugo-version: '0.153.4'
           extended: true
 
       - name: Setup Node

docs/content/admin/notifications/about_notifications.md

@@ -75,4 +75,4 @@ For more information about this behavior see the [related pull request #9699](ht
 
 ### Webhooks (experimental)
 
-DefectDojo also supports webhooks that follow the same events as other notifications (you can be notified in the same situations). Details about setup are described in [related page](/open_source/notification_webhooks/how_to).
+DefectDojo also supports webhooks that follow the same events as other notifications (you can be notified in the same situations). Details about setup are described in [the related page](/automation/api/notification_webhooks/).

docs/content/admin/sso/OS__ldap.md

@@ -0,0 +1,135 @@
+---
+title: "LDAP Authentication"
+description: "Authenticate users via LDAP by building custom Docker images"
+weight: 20
+audience: opensource
+aliases:
+  - /en/open_source/ldap-authentication
+---
+
+**This feature is experimental, and is not implemented in DefectDojo Pro**.
+
+DefectDojo does not support LDAP authentication out of the box. However, since DefectDojo is built on Django, LDAP can be added by building your own Docker images and modifying a small number of configuration files.
+
+## Files to Modify
+
+- `Dockerfile.django-*`
+- `Dockerfile.nginx-*`
+- `requirements.txt`
+- `local_settings.py`
+- `docker-compose.yml` *(optional — for passing secrets via environment variables)*
+
+## Dockerfile Modifications
+
+In both `Dockerfile.django-alpine` and `Dockerfile.nginx-alpine`, add the following to the `apk add` layer:
+
+```bash
+openldap-dev \
+cyrus-sasl-dev \
+```
+
+In `Dockerfile.django-debian`, add the following to the `apt-get install` layer:
+
+```bash
+libldap2-dev \
+libsasl2-dev \
+ldap-utils \
+```
+
+## requirements.txt
+
+Check [pypi.org](https://pypi.org) for the latest versions at the time of implementation, then add:
+
+```
+python-ldap==3.4.5
+django-auth-ldap==5.2.0
+```
+
+- [python-ldap](https://pypi.org/project/python-ldap/)
+- [django-auth-ldap](https://pypi.org/project/django-auth-ldap/)
+
+## local_settings.py
+
+Find the settings file (see `/dojo/settings/settings.py` for instructions on using `local_settings.py`) and make the following additions.
+
+At the top of the file:
+
+```python
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+import environ
+```
+
+Add LDAP variables to the `env` dict:
+
+```python
+# LDAP
+env = environ.FileAwareEnv(
+    DD_LDAP_SERVER_URI=(str, 'ldap://ldap.example.com'),
+    DD_LDAP_BIND_DN=(str, ''),
+    DD_LDAP_BIND_PASSWORD=(str, ''),
+)
+```
+
+Then add the LDAP settings beneath the `env` dict:
+
+```python
+AUTH_LDAP_SERVER_URI = env('DD_LDAP_SERVER_URI')
+AUTH_LDAP_BIND_DN = env('DD_LDAP_BIND_DN')
+AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    "ou=Groups,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
+)
+
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+}
+```
+
+Customise all search variables to match your organisation's LDAP configuration.
+
+### Optional: Group Controls
+
+```python
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+    "dc=example,dc=com",
+    ldap.SCOPE_SUBTREE,
+    "(objectClass=groupOfNames)",
+)
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
+
+AUTH_LDAP_REQUIRE_GROUP = "cn=DD_USER_ACTIVE,ou=Groups,dc=example,dc=com"
+
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    "is_active": "cn=DD_USER_ACTIVE,ou=Groups,dc=example,dc=com",
+    "is_staff": "cn=DD_USER_STAFF,ou=Groups,dc=example,dc=com",
+    "is_superuser": "cn=DD_USER_ADMIN,ou=Groups,dc=example,dc=com",
+}
+```
+
+Finally, add `django_auth_ldap.backend.LDAPBackend` to `AUTHENTICATION_BACKENDS`:
+
+```python
+AUTHENTICATION_BACKENDS = (
+    'django_auth_ldap.backend.LDAPBackend',
+    'django.contrib.auth.backends.RemoteUserBackend',
+    'django.contrib.auth.backends.ModelBackend',
+)
+```
+
+Full documentation: [Django Authentication with LDAP](https://django-auth-ldap.readthedocs.io/en/latest/)
+
+## docker-compose.yml
+
+To pass LDAP credentials to the container via environment variables, add these to the `uwsgi` service environment section:
+
+```yaml
+DD_LDAP_SERVER_URI: "${DD_LDAP_SERVER_URI:-ldap://ldap.example.com}"
+DD_LDAP_BIND_DN: "${DD_LDAP_BIND_DN:-}"
+DD_LDAP_BIND_PASSWORD: "${DD_LDAP_BIND_PASSWORD:-}"
+```
+
+Alternatively, set these values directly in `local_settings.py`.

docs/content/admin/user_management/set_user_permissions.md

@@ -120,7 +120,7 @@ Configuration Permissions are not related to a specific Product or Product Type
 * **Finding Templates:** Access to the Findings \> Finding Templates page
 * **Groups**: Access the 👤Users \> Groups page
 * **Jira Instances:** Access the ⚙️Configuration \> JIRA page
-* **Language Types**:Access the [Language Types](/open_source/languages/) API endpoint
+* **Language Types**:Access the [Language Types](/automation/api/languages/) API endpoint
 * **Login Banner**: Edit the ⚙️Configuration \> Login Banner page
 * **Announcements**: Access ⚙️Configuration \> Announcements
 * **Note Types:** Access the ⚙️Configuration \> Note Types page