Please consult the Upgrade notes in the documentation for specific instructions for this release, and general upgrade instructions. Below is an automatically generated list of all PRs merged since the previous release.
Changes since 3.0.0
- Bugfix: make jfrog xray impact paths deterministic @paulOsinski (#15094)
- fix: guard legacy endpoint access in Make Template / Merge Findings under V3_FEATURE_LOCATIONS @stevewallone (#15139)
- fix: relabel finding Asset-tag (AND) filter to v3 Asset vocabulary @stevewallone (#15136)
- chore: remove legacy Slack PR reminder bot workflow @Maffooch (#15109)
- Update sample data @github-actions (#15117)
- fix(mass_model_updater): read tracked fields via attribute access for skip_unchanged @valentijnscholten (#15114)
- docs: migrate OSS asset-modelling pages to v3 Asset/Organization terminology + refresh screenshots @stevewallone (#15113)
- docs: DefectDojo Pro Customizable Dashboards (dashboard_v2) @skywalke34 (#15111)
- chore: replace archived upload-release-asset with gh release upload @Maffooch (#15110)
- docs: add Pro changelog entries for 3.0.200 @Maffooch (#15105)
- docs: split Attaching Files into OS and Pro guides with screenshots @Maffooch (#15104)
- Include analysis.detail from Dependency Track FPF in finding description @webdevred (#14931)
- fix(tags): keep user-set tags when creating a finding under product tag inheritance @valentijnscholten (#15097)
- fix(govulncheck): reject SARIF reports with a clear error pointing to the SARIF scan type @valentijnscholten (#15087)
- June18 docs @paulOsinski (#15093)
- feat(jira): support multiple components in project settings (SC-13173) @Maffooch (#15039)
- fix(rbac): resolve product-scoped users for the engagement Testing Lead selector @valentijnscholten (#15063)
- authorized users improvements @valentijnscholten (#15065)
- Fix SARIF parser: unwrap BlackDuck nested fingerprint dict values @Jino-T (#15080)
- Fix typo in README about demo environment @mo7921 (#15060)
- docs: add Pro changelog entries for 3.0.1, 3.0.2, 3.0.100 @Maffooch (#15059)
- add organization and product type articles @dangoelz (#14961)
- Fix Xygeni parser deduplicating repeated SAST/Secrets findings in the same file @lmrb-1968 (#15003)
- Fixing gha for new versioning scheme @rossops (#15052)
- Stabilize flaky notification-webhook integration test @Maffooch (#15043)
- docs: add DefectDojo Pro Report Builder guides (UI, API, LLM) @skywalke34 (#15008)
- fix(trivy): prevent import crash on legacy reports with missing Class field @stevewallone (#15006)
- test(perf): always run both v2 and v3 importer perf cases @valentijnscholten (#15042)
- feat(cargo-audit): parse CVSS vectors and derive severity (SC-13140) @Maffooch (#15041)
- perf(importers): batch Vulnerability_Id inserts @valentijnscholten (#14966)
- fix(findings): resolve single-location filter against Location model @skywalke34 (#15023)
- [docs] june wk 1 maintenance @paulOsinski (#14963)
🚩 Changes to settings.dist.py / local_settings.py
- feat: allow import/reimport to wait for deduplication to complete @valentijnscholten (#15007)
- feat: allow disabling and dismissing the open source message banner @devGregA (#15089)
- perf(dedupe): skip unchanged rows, VALUES fast-write, prefetch vulnerability_ids @valentijnscholten (#15046)
- Fix Xygeni SAST/Secrets deduplication: key on uniqueHash, not issueId @lmrb-1968 (#15061)
- Add Garak (NVIDIA LLM vulnerability scanner) parser @Dashtid (#15013)
- feat(govulncheck): add Govulncheck Scanner V2 parser @valentijnscholten (#15045)
- feat(parsers): add PICUS Breach and Attack Simulation CSV parser @skywalke34 (#14984)
- perf(importers): batch BurpRawRequestResponse inserts + re-enable perf tests @valentijnscholten (#14969)
- Added global required fields notice for WCAG H90 compliance @sym9 (#14962)
🚩 Database migration
- feat: allow import/reimport to wait for deduplication to complete @valentijnscholten (#15007)
- feat: allow disabling and dismissing the open source message banner @devGregA (#15089)
- perf(finding): add sla_expiration_date index for global finding list @rossops (#15103)
- perf(jira,product): fix finding-group push N+1 and add case-insensitive product-name index @Maffooch (#15122)
- Renumber #15058 migration and move release notes to 3.1.x @Maffooch (#15108)
- Modernize Tool Config credential encryption to AES-256-GCM @Maffooch (#15058)
- Ree/perf indexes @rossops (#15095)
- Add partial indexes for authorized finding-list queries @rossops (#15064)
- perf(migrations): bulk backfill in 0268 release_authorization_to_pro @Maffooch (#15044)
- fix(findings): normalize blank components to NULL (SC-13073) @Maffooch (#15038)
🚀 API features and enhancements
- feat: allow import/reimport to wait for deduplication to complete @valentijnscholten (#15007)
- perf(finding-api): drop blanket DISTINCT from FindingViewSet list @rossops (#15096)
- refactor(reorg): extract every type of class into modules [10/10] @valentijnscholten (#14987)
- Prefetcher updates @dogboat (#14964)
- Endpoint_Status updates @dogboat (#15012)
- Refactor and enhance API permissions @dogboat (#15034)
- fix: prevent 500 on org/product delete with deprecated endpoints, and point new-UI banner at 3.3.0 @Maffooch (#15024)
🐛 Bug Fixes
- fix(filters): don't auto-open the filter panel when only sorting a column @skywalke34 (#15082)
🖌 Updates in UI
- feat: allow import/reimport to wait for deduplication to complete @valentijnscholten (#15007)
- Fix: right-aligned dropdown menus overflow off the right edge of the page @stevewallone (#15137)
- feat(ui): animate collapse panels in the new UI @ksitton58 (#15116)
- feat(ui): smooth and tidy the filter category accordion in the new UI @ksitton58 (#15106)
- feat: allow disabling and dismissing the open source message banner @devGregA (#15089)
- PDF Report: Show vulnerability IDs @samiat4911 (#15115)
- fix(ui): stop client/server sort flash on asset & finding-group lists @skywalke34 (#15084)
- fix(filters): don't auto-open the filter panel when only sorting a column @skywalke34 (#15082)
- fix(metrics): prevent 500 on Critical Asset Metrics page when no critical products exist @valentijnscholten (#15057)
- refactor(ui): use design tokens instead of hardcoded colors on new lo… @ksitton58 (#14998)
- fix(ui): use brand color tokens instead of hardcoded hex in new UI @ksitton58 (#14999)
- fix(ui): add missing "solid" keyword to disclaimer border in new UI @ksitton58 (#15001)
- feat(ui): fold Finding Groups under Findings in the sidebar @ksitton58 (#15040)
- perf(importers): batch BurpRawRequestResponse inserts + re-enable perf tests @valentijnscholten (#14969)
- Added global required fields notice for WCAG H90 compliance @sym9 (#14962)
🧰 Maintenance
- Update dependency kubernetes/kubernetes from v1.35.4 to v1.35.6 (.github/workflows/k8s-tests.yml) @renovate (#14892)
- chore(deps): update stefanzweifel/git-auto-commit-action action from v7.1.0 to v7.2.0 (.github/workflows/release-3-master-into-dev.yml) @renovate (#15130)
- Update actions/checkout action from v6.0.3 to v7 (.github/workflows/validate_docs_build.yml) @renovate (#15132)
- chore(deps-dev): bump @tailwindcss/cli from 4.3.1 to 4.3.2 in /components @dependabot (#15131)
- chore(deps): update docker/build-push-action action from v7.2.0 to v7.3.0 (.github/workflows/release-x-manual-docker-containers.yml) @renovate (#15138)
- chore(deps-dev): bump tailwindcss from 4.3.1 to 4.3.2 in /components @dependabot (#15129)
- chore(deps): bump ruff from 0.15.19 to 0.15.20 @dependabot (#15128)
- chore(deps): bump humanize from 4.15.0 to 4.16.0 @dependabot (#15127)
- chore(deps): bump django-permissions-policy from 4.31.0 to 4.32.0 @dependabot (#15126)
- Update dependency kubernetes from 1.33.13 to v1.34.9 (.github/workflows/k8s-tests.yml) @renovate (#15121)
- Update gcr.io/cloudsql-docker/gce-proxy Docker tag from 1.38.0 to v1.38.1 (helm/defectdojo/values.yaml) @renovate (#15119)
- chore(deps): update actions/cache action from v6.0.0 to v6.1.0 (.github/workflows/validate_docs_build.yml) @renovate (#15120)
- Update python:3.14.6-slim-trixie Docker digest from 3.14.6 to 3.14.6-slim-trixie (Dockerfile.integration-tests-debian) @renovate (#15118)
- chore(deps): update dependency renovatebot/renovate from 43.240.0 to v43.248.0 (.github/workflows/renovate.yaml) @renovate (#15099)
- chore(deps): bump python-gitlab from 8.3.0 to 8.4.0 @dependabot (#14956)
- chore(deps): update release-drafter/release-drafter action from v7.3.1 to v7.5.1 (.github/workflows/release-drafter.yml) @renovate (#15083)
- chore(deps): update actions/cache action from v5.0.5 to v6 (.github/workflows/validate_docs_build.yml) @renovate (#15085)
- chore(deps): update openapitools/openapi-generator-cli docker tag from v7.22.0 to v7.23.0 (dockerfile.integration-tests-debian) @renovate (#15079)
- chore(deps): update mccutchen/go-httpbin docker tag from 2.18.3 to v2.23.1 (docker-compose.override.integration_tests.yml) @renovate (#15078)
- chore(deps): update dependency node from 24.16.0 to v24.18.0 (.github/workflows/validate_docs_build.yml) @renovate (#15077)
- chore(deps): update actions/setup-python action from v6.2.0 to v6.3.0 (.github/workflows/test-helm-chart.yml) @renovate (#15076)
- chore(deps): bump pdfmake from 0.3.10 to 0.3.11 in /components @dependabot (#15075)
- chore(deps): bump redis from 8.0.0 to 8.0.1 @dependabot (#15074)
- chore(deps): bump django-environ from 0.13.0 to 0.14.0 @dependabot (#15073)
- chore(deps): bump ruff from 0.15.16 to 0.15.19 @dependabot (#15072)
- chore(deps-dev): bump django-debug-toolbar from 6.3.0 to 7.0.0 @dependabot (#15071)
- chore(deps): update softprops/action-gh-release action from v3.0.0 to v3.0.1 (.github/workflows/release-x-manual-helm-chart.yml) @renovate (#15070)
- chore(deps): update python docker tag from 3.14.5 to v3.14.6 (dockerfile.integration-tests-debian) @renovate (#15069)
- chore(deps): update dependency kubernetes from 1.33.12 to v1.33.13 (.github/workflows/k8s-tests.yml) @renovate (#15068)
- chore(deps): update azure/setup-helm action from v5.0.0 to v5.0.1 (.github/workflows/test-helm-chart.yml) @renovate (#15067)
- chore(deps): update valkey docker tag from 0.20.2 to v0.22.1 (helm/defectdojo/chart.yaml) @renovate (#14917)
- chore(deps): update valkey/valkey docker tag from 9.0.4 to v9.1.0 (docker-compose.yml) @renovate (#14896)
- chore(deps): update dependency renovatebot/renovate from 43.141.6 to v43.240.0 (.github/workflows/renovate.yaml) @renovate (#15048)
- chore(deps): bump django-permissions-policy from 4.30.0 to 4.31.0 @dependabot (#15027)
- chore(deps): bump json-log-formatter from 1.1.1 to 1.2.1 @dependabot (#14994)
- chore(deps): update docker/setup-buildx-action action from v4.0.0 to v4.1.0 (.github/workflows/release-x-manual-tag-as-latest.yml) @renovate (#14991)
- chore(deps-dev): bump vcrpy from 8.1.1 to 8.2.1 @dependabot (#15047)
- chore(deps): bump vulners from 3.1.10 to 3.1.11 @dependabot (#15030)
- chore(deps-dev): bump @tailwindcss/cli from 4.3.0 to 4.3.1 in /components @dependabot (#15031)
- chore(deps): update losisin/helm-values-schema-json-action digest from v3.0.1 to v3 (.github/workflows/test-helm-chart.yml) @renovate (#15021)
- chore(deps): bump sqlalchemy from 2.0.50 to 2.0.51 @dependabot (#15025)
- chore(deps-dev): bump vcrpy from 8.1.1 to 8.2.1 @dependabot (#15028)
- chore(deps): bump pdfmake from 0.3.8 to 0.3.10 in /components @dependabot (#14996)
- chore(deps): bump ruff from 0.15.15 to 0.15.16 @dependabot (#14995)
- chore(deps): update mccutchen/go-httpbin docker tag from 2.22.1 to v2.23.1 (docker-compose.override.dev.yml) @renovate (#14997)
- chore(deps): update eps1lon/actions-label-merge-conflict action from v3.0.3 to v3.1.0 (.github/workflows/detect-merge-conflicts.yaml) @renovate (#14992)
- chore(deps): update docker/login-action action from v4.1.0 to v4.2.0 (.github/workflows/release-x-manual-tag-as-latest.yml) @renovate (#14990)
- Update postgres:18.4-alpine Docker digest from 18.4 to 18.4-alpine (docker-compose.yml) @renovate (#15022)
- chore(deps): bump esbuild and vite in /docs @dependabot (#15004)