From 4accb7349cdbc9293487ad272737cd81093cce39 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 9 Mar 2026 14:12:03 +0000
Subject: [PATCH 1/3] Update versions in application files

---
 components/package.json | 2 +-
 helm/defectdojo/Chart.yaml | 8 ++++----
 helm/defectdojo/README.md | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/components/package.json b/components/package.json
index ac19e754818..4d68c53285c 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.56.1",
+ "version": "2.57.0-dev",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index f060213af76..822e987e936 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.56.1"
+appVersion: "2.57.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.9.16
+version: 1.9.17-dev
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
 - name: madchap
@@ -33,5 +33,5 @@ dependencies:
 # - kind: security
 # description: Critical bug
 annotations:
- artifacthub.io/prerelease: "false"
- artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.56.1\n"
+ artifacthub.io/prerelease: "true"
+ artifacthub.io/changes: ""
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
index c1c60e09900..f1fb7722e69 100644
--- a/helm/defectdojo/README.md
+++ b/helm/defectdojo/README.md
@@ -511,7 +511,7 @@ The HELM schema will be generated for you.
 # General information about chart values
-![Version: 1.9.16](https://img.shields.io/badge/Version-1.9.16-informational?style=flat-square) ![AppVersion: 2.56.1](https://img.shields.io/badge/AppVersion-2.56.1-informational?style=flat-square)
+![Version: 1.9.17-dev](https://img.shields.io/badge/Version-1.9.17--dev-informational?style=flat-square) ![AppVersion: 2.57.0-dev](https://img.shields.io/badge/AppVersion-2.57.0--dev-informational?style=flat-square)
 A Helm chart for Kubernetes to install DefectDojo

From aff8d4a4af00b79f872e8a0ee054bc368659c9d8 Mon Sep 17 00:00:00 2001
From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
Date: Mon, 9 Mar 2026 12:13:20 -0400
Subject: [PATCH 2/3] use tags.add() instead of tags.set() on reimport (#14459)

* change logic to add tags instead of set
* update unit tests
* ruff
---------
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
---
 .gitignore | 3 ++
 dojo/importers/default_importer.py | 4 +--
 dojo/importers/default_reimporter.py | 4 +--
 unittests/test_tags.py | 49 ++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 166e3a75fe8..ad5fba05633 100644
--- a/.gitignore
+++ b/.gitignore
@@ -149,3 +149,6 @@ docs/.devcontainer/Dockerfile
 docs/LICENSE
 docs/.hugo_build.lock
 .cursor-rules
+
+# claude etc
+MEMORY.md
diff --git a/dojo/importers/default_importer.py b/dojo/importers/default_importer.py
index c2899f132d8..8dd2aa4a4f9 100644
--- a/dojo/importers/default_importer.py
+++ b/dojo/importers/default_importer.py
@@ -243,9 +243,9 @@ def process_findings(
 # Parsers must use unsaved_tags to store tags, so we can clean them
 cleaned_tags = clean_tags(finding.unsaved_tags)
 if isinstance(cleaned_tags, list):
- finding.tags.set(cleaned_tags)
+ finding.tags.add(*cleaned_tags)
 elif isinstance(cleaned_tags, str):
- finding.tags.set([cleaned_tags])
+ finding.tags.add(cleaned_tags)
 # Process any files
 self.process_files(finding)
 # Process vulnerability IDs
diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py
index 03c80e00119..5075eb6409b 100644
--- a/dojo/importers/default_reimporter.py
+++ b/dojo/importers/default_reimporter.py
@@ -945,9 +945,9 @@ def finding_post_processing(
 if finding_from_report.unsaved_tags:
 cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
 if isinstance(cleaned_tags, list):
- finding.tags.set(cleaned_tags)
+ finding.tags.add(*cleaned_tags)
 elif isinstance(cleaned_tags, str):
- finding.tags.set([cleaned_tags])
+ finding.tags.add(cleaned_tags)
 # Process any files
 if finding_from_report.unsaved_files:
 finding.unsaved_files = finding_from_report.unsaved_files
diff --git a/unittests/test_tags.py b/unittests/test_tags.py
index d4ba7ef211f..54ef2a21df7 100644
--- a/unittests/test_tags.py
+++ b/unittests/test_tags.py
@@ -279,6 +279,7 @@ def setUp(self):
 self.zap_sample5_filename = get_unit_tests_scans_path("zap") / "5_zap_sample_one.xml"
 self.generic_sample_with_tags_filename = get_unit_tests_scans_path("generic") / "generic_report1.json"
 self.generic_sample_with_more_tags_filename = get_unit_tests_scans_path("generic") / "generic_report1_more_tags.json"
+ self.trivy_filename = get_unit_tests_scans_path("trivy") / "scheme_2_many_vulns.json"
 
 def test_import_and_reimport_with_tags(self):
 """Test that tags passed as import parameter are applied to the test."""
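Review bot: Switching `finding.tags.set(...)` to `finding.tags.add(...)` makes parser-provided tags additive, but nothing at the `cleaned_tags = clean_tags(...)` line records that a tag the scanner stops emitting is now never removed from the finding, so a later reader will assume the block still syncs tags with the report. Add above the `isinstance` check: `# Tags are merged (add), not replaced (set): manually added tags survive re-import, but tags the parser no longer emits are not removed either.` The identical change, with the same missing comment, is in the default_reimporter.py hunk below (finding_post_processing); both process_findings and finding_post_processing start outside their hunks. One behavioural difference worth confirming: `set([])` used to clear a finding's tags when clean_tags returned an empty list, whereas `add(*[])` is a no-argument call that presumably leaves existing tags untouched — if callers relied on the clearing, that is a silent change.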
@@ -304,6 +305,54 @@ def test_import_and_reimport_with_tags(self):
 for tag in tags:
 self.assertIn(tag, response["tags"])
 
+ def test_manually_set_tags_preserved_on_reimport(self):
+ """
+ Manually set tags on findings must survive a reimport.
+
+ Regression test for finding_post_processing() using tags.set() instead of
+ tags.add(), which caused manually-set tags to be silently wiped when reimporting
+ with parsers that populate unsaved_tags (Trivy, SARIF, SonarQube, etc.).
+ """
+ # 1. Import a Trivy scan
+ import0 = self.import_scan_with_params(
+ self.trivy_filename,
+ scan_type="Trivy Scan",
+ minimum_severity="Info",
+ )
+ test_id = import0["test"]
+
+ # 2. Fetch findings and manually tag each one with "bla_bla"
+ findings_before = self.get_test_findings_api(test_id)["results"]
+ self.assertGreater(len(findings_before), 0, "Expected findings from Trivy scan")
+ for finding in findings_before:
+ self.patch_finding_api(finding["id"], {"tags": ["bla_bla"]})
+
+ # 3. Confirm the tag was applied before reimport
+ findings_before = self.get_test_findings_api(test_id)["results"]
+ for finding in findings_before:
+ self.assertIn(
+ "bla_bla",
+ finding["tags"],
+ f"Tag 'bla_bla' was not set on finding {finding['id']} before reimport",
+ )
+
+ # 4. Reimport the same scan
+ self.reimport_scan_with_params(
+ test_id,
+ self.trivy_filename,
+ scan_type="Trivy Scan",
+ minimum_severity="Info",
+ )
+
+ # 5. Confirm manually set tags survived — reimport must not overwrite them
+ findings_after = self.get_test_findings_api(test_id)["results"]
+ for finding in findings_after:
+ self.assertIn(
+ "bla_bla",
+ finding["tags"],
+ f"Manually set tag 'bla_bla' was overwritten on finding {finding['id']} during reimport",
+ )
+
 def test_import_report_with_tags(self):
 """Test that parser-generated tags on findings are preserved during import/reimport."""
 def assert_tags_in_findings(findings: list[dict], expected_finding_count: int, desired_tags: list[str]) -> None:
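Review bot: The new test only asserts that `bla_bla` survives the reimport; it never checks that the parser-provided tags are merged back onto the finding, so a regression that preserved manual tags but dropped report tags would still pass, which is the other half of what the switch to `tags.add()` is supposed to guarantee. The first `get_test_findings_api` result is also overwritten by the step-3 fetch, so the pre-patch tags are lost before they can be compared. Capture them before the patch loop, `report_tags = {f["id"]: set(f["tags"]) for f in findings_before}`, and in step 5 add `self.assertTrue(report_tags.get(finding["id"], set()) <= set(finding["tags"]))` next to the existing assertIn. Whether the PATCH with `{"tags": ["bla_bla"]}` replaces or appends to a finding's tags is not visible here; if it replaces, that subset assertion is exactly what proves `add()` restores the report tags on reimport. The enclosing test class starts outside the hunk.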
From ca52b1d77c9fed898df4542e9e48b1743e97e062 Mon Sep 17 00:00:00 2001
From: DefectDojo release bot
Date: Mon, 9 Mar 2026 17:41:12 +0000
Subject: [PATCH 3/3] Update versions in application files

---
 components/package.json | 2 +-
 helm/defectdojo/Chart.yaml | 8 ++++----
 helm/defectdojo/README.md | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/components/package.json b/components/package.json
index 4d68c53285c..ac19e754818 100644
--- a/components/package.json
+++ b/components/package.json
@@ -1,6 +1,6 @@
 {
 "name": "defectdojo",
- "version": "2.57.0-dev",
+ "version": "2.56.1",
 "license" : "BSD-3-Clause",
 "private": true,
 "dependencies": {
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index 822e987e936..d9c1dd58f83 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.57.0-dev"
+appVersion: "2.56.1"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.9.17-dev
+version: 1.9.17
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
 - name: madchap
@@ -33,5 +33,5 @@ dependencies:
 # - kind: security
 # description: Critical bug
 annotations:
- artifacthub.io/prerelease: "true"
- artifacthub.io/changes: ""
+ artifacthub.io/prerelease: "false"
+ artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.56.1\n"
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
index f1fb7722e69..9e3fb35d2ca 100644
--- a/helm/defectdojo/README.md
+++ b/helm/defectdojo/README.md
@@ -511,7 +511,7 @@ The HELM schema will be generated for you.
 # General information about chart values
-![Version: 1.9.17-dev](https://img.shields.io/badge/Version-1.9.17--dev-informational?style=flat-square) ![AppVersion: 2.57.0-dev](https://img.shields.io/badge/AppVersion-2.57.0--dev-informational?style=flat-square)
+![Version: 1.9.17](https://img.shields.io/badge/Version-1.9.17-informational?style=flat-square) ![AppVersion: 2.56.1](https://img.shields.io/badge/AppVersion-2.56.1-informational?style=flat-square)
 A Helm chart for Kubernetes to install DefectDojo