DefectDojo/django-DefectDojo 2.59.0

2.59.0 🌈

on GitHub

Please consult the Upgrade notes in the documentation for specific instructions for this release, and general upgrade instructions. Below is an automatically generated list of all PRs merged since the previous release.

Changes since 2.58.0

• Fix SARIF parser crash on empty extensions @kleomartiny (#14898)
• Rename title to 'Open-Source Permissions' @paulOsinski (#14908)
• docs: add 2.58.3 and 2.58.4 release notes to Pro changelog @Maffooch (#14926)
• 🐛 fix cyclonedx missing vector field #14874 @manuel-sommer (#14884)
• [docs] Improve Snyk parser documentation with export instructions and enterprise workflow @balaakasam (#14675)
• Add docs for Products and Assets @dangoelz (#14876)
• May docs maintenance @paulOsinski (#14880)
• rename CLAUDE.md to AGENTS.md @valentijnscholten (#14873)
• Expose created/updated date filters for Risk Acceptance API (created_before/after, updated_before/after) @PDFour4 (#14786)
• Scope report views to the requesting user's authorized products @Maffooch (#14870)
• Anchor location finding reference authorization to the finding's own product @Maffooch (#14871)
• Remove gitpython @dogboat (#14808)
• Update changelog for v2.58.2 release notes @Maffooch (#14854)
• Fix URLs and expand Lychee coverage @Maffooch (#14855)
• ⚡ speed up migrate_endpoints_to_locations (~14× fewer queries) @Maffooch (#14841)
• docs: Add Components page and glossary entry @Jino-T (#14840)
• [docs] locations (pro feature), maintenance @paulOsinski (#14834)
• feat(importers): apply import-time tags per batch before post-processing, do not tag old findings @valentijnscholten (#14839)
• perf(tags): centralize tag inheritance + replace signal disconnect with batch context manager (Phase B) @valentijnscholten (#14827)
• perf(tags): bulk-propagate inherited tags + gate child post_save on create @valentijnscholten (#14812)
• Add mitigation finding filters and complete mitigation filter tests @bendnema (#14790)
• cascade delete: prepare preview_only parameter @valentijnscholten (#14810)
• test: add background param to import all unit tests command @valentijnscholten (#14805)
• perf(dupe-delete): use bulk_delete_findings + correlated subquery in async_dupe_delete @valentijnscholten (#14797)
• test: pin query-count baselines for tag inheritance hot paths @valentijnscholten (#14811)
• Update changelog for May 2026 release (v2.58.0) @Maffooch (#14807)
• endpoint: optimize eq via product_id @valentijnscholten (#14806)
• Fix broken links @paulOsinski (#14802)

🚩 Changes to settings.dist.py / local_settings.py

• perf(watson): prefetch relations + force async indexing @valentijnscholten (#14881)
• perf(tag inheritance): batch_mode + per-batch bulk during import + reorganize @valentijnscholten (#14877)
• Dojo V3 - Tailwind UI rebuild, legacy authorization, OS surface removals @devGregA (#14865)
• feat(parsers): add Xygeni JSON parser (SAST, SCA, Secrets) @lmrb-1968 (#14769)
• 🎉 add ksa security advisory @manuel-sommer (#14809)

🚩 Database migration

• Dojo V3 - Tailwind UI rebuild, legacy authorization, OS surface removals @devGregA (#14865)
• remove: Credential Manager (2.57 deprecation, 2.59 EOL) @Maffooch (#14836)
• remove: Stub Findings (2.57 deprecation, 2.59 EOL) @Maffooch (#14837)

🚀 API features and enhancements

• refactor: rename dispatch kwarg sync= to force_sync= @valentijnscholten (#14882)
• Apply object-level permission check to finding duplicate API actions @Maffooch (#14866)
• Dojo V3 - Tailwind UI rebuild, legacy authorization, OS surface removals @devGregA (#14865)
• remove: Credential Manager (2.57 deprecation, 2.59 EOL) @Maffooch (#14836)
• Use a dedicated permission class for BurpRawRequestResponseViewSet @Maffooch (#14838)
• remove: Stub Findings (2.57 deprecation, 2.59 EOL) @Maffooch (#14837)
• remove: questionnaire API endpoints (2.56 deprecation, 2.59 EOL) @Maffooch (#14835)

🖌 Updates in UI

• Dojo V3 - Tailwind UI rebuild, legacy authorization, OS surface removals @devGregA (#14865)
• remove: Credential Manager (2.57 deprecation, 2.59 EOL) @Maffooch (#14836)
• remove: Stub Findings (2.57 deprecation, 2.59 EOL) @Maffooch (#14837)

🗣 Updates in localization

• Add pt-BR locale translation @GraoMelo (#14909)
• add russian locale @polishchukd (#14799)

🧰 Maintenance

• Update dependency kubernetes from 1.33.11 to v1.33.12 (.github/workflows/k8s-tests.yml) @renovate (#14891)
• Update manusa/actions-setup-minikube action from v2.16.1 to v2.18.0 (.github/workflows/k8s-tests.yml) @renovate (#14893)
• Update postgres Docker tag from 18.3 to v18.4 (docker-compose.yml) @renovate (#14894)
• Update python:3.14.5-slim-trixie Docker digest from 3.14.5 to 3.14.5-slim-trixie (Dockerfile.integration-tests-debian) @renovate (#14895)
• chore(deps): bump pyjwt from 2.12.1 to 2.13.0 @dependabot (#14919)
• chore(deps): bump django-prometheus from 2.4.1 to 2.5.0 @dependabot (#14921)
• chore(deps): bump django-permissions-policy from 4.29.0 to 4.30.0 @dependabot (#14905)
• chore(deps): bump django-htmx from 1.21.0 to 1.27.0 @dependabot (#14907)
• chore(deps-dev): bump @tailwindcss/cli from 4.2.4 to 4.3.0 in /components @dependabot (#14904)
• chore(deps): bump lxml from 6.1.0 to 6.1.1 @dependabot (#14903)
• chore(deps): bump vulners from 3.1.9 to 3.1.10 @dependabot (#14901)
• chore(deps): bump alpinejs from 3.15.11 to 3.15.12 in /components @dependabot (#14902)
• chore(deps): bump requests from 2.34.0 to 2.34.2 @dependabot (#14900)
• chore(deps): bump ruff from 0.15.12 to 0.15.13 @dependabot (#14899)
• Update python Docker tag from 3.13.13 to v3.14.5 (Dockerfile.nginx-alpine) @renovate (#14863)
• Update valkey Docker tag from 0.20.1 to v0.20.2 (helm/defectdojo/Chart.yaml) @renovate (#14857)
• chore(deps): update peaceiris/actions-hugo action from v3.0.0 to v3.2.1 (.github/workflows/validate_docs_build.yml) @renovate (#14859)
• chore(deps): update python:3.13.13-slim-trixie docker digest from 3.13.13 to v (dockerfile.integration-tests-debian) @renovate (#14856)
• chore(deps): update release-drafter/release-drafter action from v7.2.1 to v7.3.0 (.github/workflows/release-drafter.yml) @renovate (#14864)
• chore(deps): bump requests from 2.33.1 to 2.34.0 @dependabot (#14861)
• chore(deps): bump pdfmake from 0.3.7 to 0.3.8 in /components @dependabot (#14862)
• Update peaceiris/actions-gh-pages action from v4.0.0 to v4.1.0 (.github/workflows/gh-pages.yml) @renovate (#14858)
• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 @dependabot (#14853)
• chore(deps): bump gitpython from 3.1.49 to 3.1.50 @dependabot (#14845)
• chore(deps): bump django from 5.2.13 to 5.2.14 @dependabot (#14846)
• chore(deps): bump @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4 in /docs @dependabot (#14844)
• chore(deps): bump django from 5.2.13 to 5.2.14 @dependabot (#14843)
• Update valkey/valkey Docker tag from 9.0.3 to v9.0.4 (docker-compose.yml) @renovate (#14831)
• chore(deps): bump social-auth-app-django from 5.8.0 to 5.9.0 @dependabot (#14826)
• chore(deps): bump drf-spectacular-sidecar from 2026.4.14 to 2026.5.1 @dependabot (#14825)
• chore(deps): bump gitpython from 3.1.49 to 3.1.50 @dependabot (#14823)
• chore(deps): bump psycopg from 3.3.3 to 3.3.4 @dependabot (#14822)
• chore(deps): bump django-polymorphic from 4.11.2 to 4.11.3 @dependabot (#14821)
• chore(deps): bump pyopenssl from 26.1.0 to 26.2.0 @dependabot (#14818)
• chore(deps): bump easymde from 2.20.0 to 2.21.0 in /components @dependabot (#14817)
• Update losisin/helm-values-schema-json-action action from v2.5.0 to v3 (.github/workflows/test-helm-chart.yml) @renovate (#14816)
• Update actions/labeler action from v6.0.1 to v6.1.0 (.github/workflows/pr-labeler.yml) @renovate (#14815)
• Update losisin/helm-docs-github-action action from v1.8.0 to v2 (.github/workflows/test-helm-chart.yml) @renovate (#14814)
• Update valkey Docker tag from 0.20.0 to v0.20.1 (helm/defectdojo/Chart.yaml) @renovate (#14813)