devGregA Merge branch 'dev' into tailwind

Resolve conflicts from dev's removal of Credential Manager (DefectDojo#14836),
Stub Findings (DefectDojo#14837), deprecated questionnaire API (DefectDojo#14835), plus
Xygeni parser (DefectDojo#14769) and import-time tag batching (DefectDojo#14839).

Accepted dev's deletions: cred module, stub findings, deprecated
viewsets, and their UI sections in view_eng/view_finding/view_test.
Kept tailwind's refactored auth (api_permissions shim, action-string
roles, _user_authorized_for) over dev's legacy Permissions-enum code.
Trimmed cred/Stub_Finding refs from authorization/{api_permissions,
query_registrations,url_permissions}.py and the legacy auth tests.

Note: dojo/templates_classic/ still references removed URL names
(new_cred_*, promote_to_finding, delete_stub_finding) — follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Maffooch

.github/workflows/integration-tests.yml

@@ -22,7 +22,6 @@ jobs:
           "tests/check_various_pages.py",
           "tests/close_old_findings_dedupe_test.py",
           "tests/close_old_findings_test.py",
-          "tests/credential_test.py",
           "tests/dashboard_test.py",
           "tests/dedupe_test.py",
           "tests/endpoint_extended_test.py",
@@ -46,7 +45,6 @@ jobs:
           "tests/notification_webhook_test.py",
           "tests/notifications_test.py",
           "tests/object_test.py",
-          "tests/product_credential_test.py",
           "tests/product_group_test.py",
           "tests/product_member_test.py",
           "tests/product_metadata_test.py",

.gitignore

@@ -152,3 +152,4 @@ docs/.hugo_build.lock
 
 # claude etc
 MEMORY.md
+.claude/

docs/content/supported_tools/parsers/file/xygeni.md

@@ -0,0 +1,79 @@
+---
+title: "Xygeni"
+toc_hide: true
+---
+### About Xygeni
+[Xygeni](https://xygeni.io) is a Software Supply Chain Security platform whose
+scanners produce JSON reports for code vulnerabilities (SAST), open-source
+dependency vulnerabilities (SCA), hard-coded secrets, IaC flaws, web-application
+vulnerabilities (DAST), CI/CD and SCM misconfigurations, and malicious or
+suspect components.
+
+This parser handles three Xygeni scan kinds in phase 1: **SAST**, **SCA**, and
+**Secrets**. All three share a common `metadata` envelope; the parser
+dispatches on `metadata.scanType`.
+
+### Scan Types
+| Scan type                | `metadata.scanType` | Xygeni CLI command (typical) |
+| ------------------------ | ------------------- | ---------------------------- |
+| `Xygeni SAST Scan`       | `sast`              | `xygeni scan --scan-type=sast --format=json` |
+| `Xygeni SCA Scan`        | `deps`              | `xygeni scan --scan-type=deps --format=json` |
+| `Xygeni Secrets Scan`    | `secrets`           | `xygeni scan --scan-type=secrets --format=json` |
+
+See the Xygeni documentation at <https://docs.xygeni.io> for installation and
+the full set of CLI options.
+
+### Acceptable JSON Format
+All three scan types share the same envelope:
+
+~~~
+{
+  "metadata": {
+    "uuid": "...",
+    "timestamp": "2026-04-26T07:08:29Z",
+    "projectName": "...",
+    "scanType": "sast" | "deps" | "secrets",
+    "format": "<scanType>-xygeni",
+    "reportProperties": {
+      "tool.name": "Xygeni",
+      "tool.version": "..."
+    }
+  },
+  ...
+}
+~~~
+
+The kind-specific payload then follows:
+
+- **SAST** — `vulnerabilities[]` — each entry carries `detector` (the rule id),
+  `severity`, `location.{filepath, beginLine, endLine, code}`, `cwe` /
+  `cwes[]`, `tags[]`, `explanation`, `uniqueHash`, `issueId`, and an optional
+  `codeFlows[]` block describing source / sink frames and the data path.
+- **SCA** — `dependencies[]` — each dependency has `name`, `version`,
+  `ecosystem`, and a nested `vulnerabilities[]` of CVE/GHSA advisories with
+  `cve`, `cwes`, `fixedVersion`, `aliases`, `overallCvssScore`, `references`,
+  `description`, `uniqueHash`, `issueId`.
+- **Secrets** — `secrets[]` — each entry has `type` (e.g.
+  `aws_access_key`), `detector`, `severity`, `location` (same shape as SAST),
+  `description`, `tags`, `uniqueHash`, `issueId`. The `secret` value and
+  `location.code` are already redacted by the Xygeni CLI before serialisation.
+
+### Sample Scan Data
+Sample Xygeni JSON reports can be found
+[here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/xygeni).
+
+### Deduplication
+
+Every finding carries `unique_id_from_tool` (set from Xygeni's vendor-stable
+`uniqueHash`) and `vuln_id_from_tool` (set from `issueId`). The deduplication
+algorithm is configured per scan type:
+
+| Scan type            | Algorithm                          | Hash-code fields (fallback)                                    |
+| -------------------- | ---------------------------------- | -------------------------------------------------------------- |
+| Xygeni SAST Scan     | `unique_id_from_tool`              | n/a                                                            |
+| Xygeni SCA Scan      | `unique_id_from_tool_or_hash_code` | `vulnerability_ids`, `component_name`, `component_version`     |
+| Xygeni Secrets Scan  | `unique_id_from_tool`              | n/a                                                            |
+
+For SCA the hash-code fallback enables cross-tool deduplication: the same
+CVE on the same package@version reported by Xygeni and another SCA scanner
+(Snyk, Trivy, etc.) collapse into a single Finding.

dojo/api_v2/mixins.py

@@ -8,7 +8,6 @@
 from rest_framework.decorators import action
 
 from dojo.api_v2 import serializers
-from dojo.models import Answer, Question
 
 
 class DeletePreviewModelMixin:
@@ -46,13 +45,3 @@ def flatten(elem):
 
         serializer = serializers.DeletePreviewSerializer(page, many=True)
         return self.get_paginated_response(serializer.data)
-
-
-class QuestionSubClassFieldsMixin:
-    def get_queryset(self):
-        return Question.objects.select_subclasses()
-
-
-class AnswerSubClassFieldsMixin:
-    def get_queryset(self):
-        return Answer.objects.select_subclasses()

dojo/api_v2/serializers.py

@@ -46,15 +46,9 @@
     SEVERITY_CHOICES,
     STATS_FIELDS,
     Announcement,
-    Answer,
-    Answered_Survey,
     App_Analysis,
     BurpRawRequestResponse,
     Check_List,
-    ChoiceAnswer,
-    ChoiceQuestion,
-    Cred_Mapping,
-    Cred_User,
     Development_Environment,
     Dojo_User,
     DojoMeta,
@@ -63,12 +57,12 @@
     Endpoint_Status,
     Engagement,
     Engagement_Presets,
-    Engagement_Survey,
     FileUpload,
     Finding,
     Finding_Group,
     Finding_Template,
     General_Survey,
+    Global_Role,
     Language_Type,
     Languages,
     Network_Locations,
@@ -78,20 +72,19 @@
     Product,
     Product_API_Scan_Configuration,
     Product_Type,
+    Product_Type_Group,
+    Product_Type_Member,
     Question,
     Regulation,
     Risk_Acceptance,
     SLA_Configuration,
     Sonarqube_Issue,
     Sonarqube_Issue_Transition,
-    Stub_Finding,
     System_Settings,
     Test,
     Test_Import,
     Test_Import_Finding_Action,
     Test_Type,
-    TextAnswer,
-    TextQuestion,
     Tool_Configuration,
     Tool_Product_Settings,
     Tool_Type,
@@ -1788,47 +1781,6 @@ def update(self, instance, validated_data):
         return super().update(instance, validated_data)
 
 
-class CredentialSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Cred_User
-        exclude = ("password",)
-
-
-class CredentialMappingSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Cred_Mapping
-        fields = "__all__"
-
-
-class StubFindingSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Stub_Finding
-        fields = "__all__"
-
-    def validate_severity(self, value: str) -> str:
-        if value not in SEVERITIES:
-            msg = f"Severity must be one of the following: {SEVERITIES}"
-            raise serializers.ValidationError(msg)
-        return value
-
-
-class StubFindingCreateSerializer(serializers.ModelSerializer):
-    test = serializers.PrimaryKeyRelatedField(queryset=Test.objects.all())
-
-    class Meta:
-        model = Stub_Finding
-        fields = "__all__"
-        extra_kwargs = {
-            "reporter": {"default": serializers.CurrentUserDefault()},
-        }
-
-    def validate_severity(self, value: str) -> str:
-        if value not in SEVERITIES:
-            msg = f"Severity must be one of the following: {SEVERITIES}"
-            raise serializers.ValidationError(msg)
-        return value
-
-
 class ProductSerializer(serializers.ModelSerializer):
     findings_count = serializers.SerializerMethodField()
     findings_list = serializers.SerializerMethodField()
@@ -2735,111 +2687,6 @@ class Meta:
         exclude = ("content_type",)
 
 
-class QuestionnaireQuestionSerializer(serializers.ModelSerializer):
-    def to_representation(self, instance):
-        if isinstance(instance, TextQuestion):
-            return TextQuestionSerializer(instance=instance).data
-        if isinstance(instance, ChoiceQuestion):
-            return ChoiceQuestionSerializer(instance=instance).data
-        return QuestionSerializer(instance=instance).data
-
-    class Meta:
-        model = Question
-        exclude = ("polymorphic_ctype",)
-
-
-class QuestionSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Question
-        exclude = ("polymorphic_ctype",)
-
-
-class TextQuestionSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = TextQuestion
-        exclude = ("polymorphic_ctype",)
-
-
-class ChoiceQuestionSerializer(serializers.ModelSerializer):
-    choices = serializers.StringRelatedField(many=True)
-
-    class Meta:
-        model = ChoiceQuestion
-        exclude = ("polymorphic_ctype",)
-
-
-class QuestionnaireAnsweredSurveySerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Answered_Survey
-        fields = "__all__"
-
-
-class QuestionnaireAnswerSerializer(serializers.ModelSerializer):
-    def to_representation(self, instance):
-        if isinstance(instance, TextAnswer):
-            return TextAnswerSerializer(instance=instance).data
-        if isinstance(instance, ChoiceAnswer):
-            return ChoiceAnswerSerializer(instance=instance).data
-        return AnswerSerializer(instance=instance).data
-
-    class Meta:
-        model = Answer
-        exclude = ("polymorphic_ctype",)
-
-
-class AnswerSerializer(serializers.ModelSerializer):
-    question = serializers.StringRelatedField()
-    answered_survey = QuestionnaireAnsweredSurveySerializer()
-
-    class Meta:
-        model = Answer
-        exclude = ("polymorphic_ctype",)
-
-
-class TextAnswerSerializer(serializers.ModelSerializer):
-    question = serializers.StringRelatedField()
-    answered_survey = QuestionnaireAnsweredSurveySerializer()
-
-    class Meta:
-        model = TextAnswer
-        exclude = ("polymorphic_ctype",)
-
-
-class ChoiceAnswerSerializer(serializers.ModelSerializer):
-    answer = serializers.StringRelatedField(many=True)
-    question = serializers.StringRelatedField()
-    answered_survey = QuestionnaireAnsweredSurveySerializer()
-
-    class Meta:
-        model = ChoiceAnswer
-        exclude = ("polymorphic_ctype",)
-
-
-class QuestionnaireEngagementSurveySerializer(serializers.ModelSerializer):
-    questions = serializers.SerializerMethodField()
-
-    @extend_schema_field(serializers.ListField(child=serializers.CharField()))
-    def get_questions(self, obj):
-        questions = obj.questions.all()
-        formated_questions = []
-        for question in questions:
-            formated_question = f"Order #{question.order} - {question.text}{' (Optional)' if question.optional else ''}"
-            formated_questions.append(formated_question)
-        return formated_questions
-
-    class Meta:
-        model = Engagement_Survey
-        fields = "__all__"
-
-
-class QuestionnaireGeneralSurveySerializer(serializers.ModelSerializer):
-    survey = QuestionnaireEngagementSurveySerializer()
-
-    class Meta:
-        model = General_Survey
-        fields = "__all__"
-
-
 class AnnouncementSerializer(serializers.ModelSerializer):
 
     class Meta: