Merge origin/dev into tailwind

Pulls in 15 upstream commits including:

* dojo/sso/ consolidation (DefectDojo#14765) — SSO settings/urls/views/templates/
  remote-user moved into a self-contained package.
* dojo/notifications/ consolidation (DefectDojo#14767) — notification helper +
  templates moved into the package, with a new context_processors split.
* dojo/github/ consolidation (DefectDojo#14766) — github_issue_link package
  renamed and reshaped under dojo/github/{models,services,ui,...}.
* test_tag_inheritance.py extension (DefectDojo#14771).
* Bulk-delete findings extension hook (DefectDojo#14740).
* Planned-remediation-version column alignment fix (DefectDojo#14773).
* Dependency bumps (datatables.net, gitpython, python-gitlab, pyopenssl,
  vulners, ruff, postcss).

Conflict resolutions worth flagging:

* dojo/forms.py — kept dev's reshuffled imports (GITHUB_* models now
  re-exported via dojo.github.ui.forms; Global_Role moved to
  dojo.models). Dropped the duplicate Global_Role import; the legacy
  authorization rewrite still imports from
  dojo.authorization.models for the rest.
* dojo/settings/settings.dist.py — kept tailwind's UIPreferenceLoader
  chain and APP_DIRS=False, but added a shared
  _DOJO_EXTRA_TEMPLATE_DIRS list referenced by both TEMPLATES[0]["DIRS"]
  and the FilesystemLoader so that dojo/sso/settings.py:apply_sso_settings
  can append the SSO template dir at startup and have it resolved at
  render time.
* dojo/templates/dojo/login.html — Tailwind tree, kept the inline
  Tailwind-styled SSO buttons rather than dev's
  {% include "dojo/sso_login_buttons.html" %} (which is Bootstrap-classic
  flavored and mounted by the SSO consolidation against the classic tree
  only).
* unittests/test_remote_user.py — adopted dev's import path
  (dojo.sso.remote_user, dojo.models.Dojo_Group_Member).
* dojo/api_v2/permissions.py — added a backward-compat shim
  re-exporting from dojo.authorization.api_permissions because the
  legacy authorization consolidation deleted the old module but
  dojo/notifications/api/views.py (new from dev) still imports from the
  old path.

Verified: ruff clean on touched files; manage.py check passes;
unittests.test_authorized_users_ui + unittests.authorization +
unittests.test_user_ui_timestamps + unittests.test_rest_framework +
unittests.test_remote_user all green (1144 tests, 542 skipped).

Author: devGregA

.dryrunsecurity.yaml

@@ -41,8 +41,8 @@ sensitiveCodepaths:
   - 'dojo/middleware.py'
   - 'dojo/models.py'
   - 'dojo/okta.py'
-  - 'dojo/pipeline.py'
-  - 'dojo/remote_user.py'
+  - 'dojo/sso/pipeline.py'
+  - 'dojo/sso/remote_user.py'
   - 'dojo/tasks.py'
   - 'dojo/urls.py'
   - 'dojo/utils.py'

Dockerfile.django-debian

@@ -5,7 +5,7 @@
 # Dockerfile.nginx to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.13.13-slim-trixie@sha256:9213d136547f0602c3337ff48291e937f9cc43060b3e123402cf2aaff1a08b75 AS base
+FROM python:3.13.13-slim-trixie@sha256:d2462a6bed37b4fc6cabecf5a2132ae70df772fe03c7393c4d98a0c2fb48aa2e AS base
 FROM base AS build
 WORKDIR /app
 RUN \

Dockerfile.integration-tests-debian

@@ -1,9 +1,9 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.21.0@sha256:ce308310f3c1f8761e65338b8ab87b651bf4862c6acb80de510f381fffc4510b AS openapitools
+FROM openapitools/openapi-generator-cli:v7.22.0@sha256:1f459499a7c794aa0ea769c3c9b0eb54806c5ad2f68510a0ebb9338d0a626ced AS openapitools
 # currently only supports x64, no arm yet due to chrome and selenium dependencies
-FROM python:3.13.13-slim-trixie@sha256:9213d136547f0602c3337ff48291e937f9cc43060b3e123402cf2aaff1a08b75 AS build
+FROM python:3.13.13-slim-trixie@sha256:d2462a6bed37b4fc6cabecf5a2132ae70df772fe03c7393c4d98a0c2fb48aa2e AS build
 WORKDIR /app
 RUN \
   apt-get -y update && \

components/package.json

@@ -16,9 +16,7 @@
     "chosen-bootstrap": "https://github.com/dbtek/chosen-bootstrap",
     "chosen-js": "^1.8.7",
     "clipboard": "^2.0.11",
-    "datatables.net": "^2.3.7",
-    "datatables.net-bs": "^2.3.7",
-    "datatables.net-buttons": "^3.2.0",
+    "datatables.net": "^2.3.8",
     "datatables.net-buttons-bs": "^3.2.6",
     "datatables.net-colreorder": "^2.1.2",
     "drmonty-datatables-plugins": "^1.0.0",

components/yarn.lock

@@ -485,7 +485,14 @@ datatables.net-colreorder@^2.1.2:
     datatables.net "^2"
     jquery ">=1.7"
 
-datatables.net@2.3.8, datatables.net@^2, datatables.net@^2.3.7:
+datatables.net@2.3.2:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/datatables.net/-/datatables.net-2.3.2.tgz#6821f6288e6ad3cb6879c33e0e7e11d4091d330b"
+  integrity sha512-31TzwIQM0+pr2ZOEOEH6dsHd/WSAl5GDDGPezOHPI3mM2NK4lcDyOoG8xXeWmSbVfbi852LNK5C84fpp4Q+qxg==
+  dependencies:
+    jquery ">=1.7"
+
+datatables.net@^2, datatables.net@^2.3.8:
   version "2.3.8"
   resolved "https://registry.yarnpkg.com/datatables.net/-/datatables.net-2.3.8.tgz#55a8dbe3bd2196951c498ab79bf44602a2bf3229"
   integrity sha512-uhViowhlDlheAuo5a8TrkQqADsjrtGeOyvrigvr4t0+K3MyAWqClORXWAYIcN9VLX6iIX0C8O9gwJNd01hITRg==

docs/package-lock.json

@@ -0,0 +1,9 @@
+"""
+Backward-compat re-export for callers that still import permission classes
+from ``dojo.api_v2.permissions``. The canonical home is
+``dojo.authorization.api_permissions`` after the legacy authorization
+consolidation; this shim lets sub-package modules consolidated from
+upstream (``dojo/notifications/api/views.py``, etc.) keep their old import
+path.
+"""
+from dojo.authorization.api_permissions import *  # noqa: F401,F403

dojo/api_v2/permissions.py

@@ -21,7 +21,7 @@
 from rest_framework import serializers
 from rest_framework.exceptions import NotFound
 from rest_framework.exceptions import ValidationError as RestFrameworkValidationError
-from rest_framework.fields import DictField, MultipleChoiceField
+from rest_framework.fields import DictField
 
 import dojo.finding.helper as finding_helper
 import dojo.risk_acceptance.helper as ra_helper
@@ -51,9 +51,7 @@
 from dojo.jira import services as jira_services
 from dojo.location.models import Location, LocationFindingReference
 from dojo.models import (
-    DEFAULT_NOTIFICATION,
     IMPORT_ACTIONS,
-    NOTIFICATION_CHOICES,
     SEVERITIES,
     SEVERITY_CHOICES,
     STATS_FIELDS,
@@ -88,8 +86,6 @@
     Note_Type,
     NoteHistory,
     Notes,
-    Notification_Webhooks,
-    Notifications,
     Product,
     Product_API_Scan_Configuration,
     Product_Type,
@@ -3056,110 +3052,7 @@ class FindingNoteSerializer(serializers.Serializer):
     note_id = serializers.IntegerField()
 
 
-class NotificationsSerializer(serializers.ModelSerializer):
-    product = serializers.PrimaryKeyRelatedField(
-        queryset=Product.objects.all(),
-        required=False,
-        default=None,
-        allow_null=True,
-    )
-    user = serializers.PrimaryKeyRelatedField(
-        queryset=Dojo_User.objects.all(),
-        required=False,
-        default=None,
-        allow_null=True,
-    )
-    product_type_added = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    product_added = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    engagement_added = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    test_added = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    scan_added = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    jira_update = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    upcoming_engagement = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    stale_engagement = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    auto_close_engagement = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    close_engagement = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    user_mentioned = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    code_review = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    review_requested = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    other = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    sla_breach = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    sla_breach_combined = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    risk_acceptance_expiration = MultipleChoiceField(
-        choices=NOTIFICATION_CHOICES, default=DEFAULT_NOTIFICATION,
-    )
-    template = serializers.BooleanField(default=False)
-
-    class Meta:
-        model = Notifications
-        fields = "__all__"
-
-    def validate(self, data):
-        user = None
-        product = None
-        template = False
-
-        if self.instance is not None:
-            user = self.instance.user
-            product = self.instance.product
-
-        if "user" in data:
-            user = data.get("user")
-        if "product" in data:
-            product = data.get("product")
-        if "template" in data:
-            template = data.get("template")
-
-        if (
-            template
-            and Notifications.objects.filter(template=True).count() > 0
-        ):
-            msg = "Notification template already exists"
-            raise ValidationError(msg)
-        if (
-            self.instance is None
-            or user != self.instance.user
-            or product != self.instance.product
-        ):
-            notifications = Notifications.objects.filter(
-                user=user, product=product, template=template,
-            ).count()
-            if notifications > 0:
-                msg = "Notification for user and product already exists"
-                raise ValidationError(msg)
-        return data
+from dojo.notifications.api.serializer import NotificationsSerializer  # noqa: E402, F401  -- backward compat
 
 
 class EngagementPresetsSerializer(serializers.ModelSerializer):
@@ -3336,7 +3229,4 @@ def create(self, validated_data):
             raise
 
 
-class NotificationWebhooksSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Notification_Webhooks
-        fields = "__all__"
+from dojo.notifications.api.serializer import NotificationWebhooksSerializer  # noqa: E402, F401  -- backward compat

dojo/api_v2/serializers.py

@@ -125,8 +125,6 @@
     Note_Type,
     NoteHistory,
     Notes,
-    Notification_Webhooks,
-    Notifications,
     Product,
     Product_API_Scan_Configuration,
     Product_Type,
@@ -3407,21 +3405,6 @@ def queue_task_purge(self, request):
         return Response({"purged": purged})
 
 
-# Authorization: superuser
-@extend_schema_view(**schema_with_prefetch())
-class NotificationsViewSet(
-    PrefetchDojoModelViewSet,
-):
-    serializer_class = serializers.NotificationsSerializer
-    queryset = Notifications.objects.none()
-    filter_backends = (DjangoFilterBackend,)
-    filterset_fields = ["id", "user", "product", "template"]
-    permission_classes = (permissions.IsSuperUser, DjangoModelPermissions)
-
-    def get_queryset(self):
-        return Notifications.objects.all().order_by("id")
-
-
 @extend_schema_view(**schema_with_prefetch())
 class EngagementPresetsViewset(
     PrefetchDojoModelViewSet,
@@ -3684,13 +3667,3 @@ class AnnouncementViewSet(
 
     def get_queryset(self):
         return Announcement.objects.all().order_by("id")
-
-
-class NotificationWebhooksViewSet(
-    PrefetchDojoModelViewSet,
-):
-    serializer_class = serializers.NotificationWebhooksSerializer
-    queryset = Notification_Webhooks.objects.all()
-    filter_backends = (DjangoFilterBackend,)
-    filterset_fields = "__all__"
-    permission_classes = (permissions.IsSuperUser, DjangoModelPermissions)  # TODO: add permission also for other users

dojo/api_v2/views.py

@@ -84,6 +84,8 @@ def ready(self):
         import dojo.file_uploads.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.finding_group.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.notes.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
+        import dojo.notifications.admin  # noqa: PLC0415, F401 raised: AppRegistryNotReady
+        import dojo.notifications.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.product.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.product_type.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.risk_acceptance.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady