diff --git a/docs/content/admin/sso/_index.md b/docs/content/admin/sso/_index.md index 65c46706ad7..858967cc969 100644 --- a/docs/content/admin/sso/_index.md +++ b/docs/content/admin/sso/_index.md @@ -29,9 +29,9 @@ aliases: - /admin/sso/os__remote_user/ --- -Single Sign-On is a **DefectDojo Pro** feature. As of DefectDojo 2.59, the SSO surface — SAML, OIDC, and the bundled OAuth providers — is available only in DefectDojo Pro. Open-source DefectDojo uses local username/password login and the password-reset flow. +Single Sign-On is a **DefectDojo Pro** feature. As of DefectDojo 3.0, the SSO surface — SAML, OIDC, and the bundled OAuth providers — is available only in DefectDojo Pro. Open-source DefectDojo uses local username/password login and the password-reset flow. -If you're running open-source DefectDojo and want SSO, you'll need to switch to [DefectDojo Pro](https://defectdojo.com); the migration is covered in the [2.59 upgrade notes](/releases/os_upgrading/2.59/#sso-providers-are-available-in-defectdojo-pro-only). Existing user accounts and group memberships are preserved on upgrade. For access control on open-source DefectDojo, see the [Authorized Users](/admin/user_management/os__authorized_users/) page. +If you're running open-source DefectDojo and want SSO, you'll need to switch to [DefectDojo Pro](https://defectdojo.com); the migration is covered in the [3.0 upgrade notes](/releases/os_upgrading/3.0/#sso-providers-are-available-in-defectdojo-pro-only). Existing user accounts and group memberships are preserved on upgrade. For access control on open-source DefectDojo, see the [Authorized Users](/admin/user_management/os__authorized_users/) page. ## Supported SSO providers (DefectDojo Pro) diff --git a/docs/content/admin/user_management/OS__authorized_users.md b/docs/content/admin/user_management/OS__authorized_users.md index 1baf228c015..c758382f4ee 100644 --- a/docs/content/admin/user_management/OS__authorized_users.md 
+++ b/docs/content/admin/user_management/OS__authorized_users.md @@ -51,10 +51,10 @@ A few rules of thumb: ## Coming from a previous version of DefectDojo -DefectDojo open-source moved back to the Authorized Users model in version 2.59. If you're upgrading from a release that had the Members / Groups / Global Roles system, your existing access is carried forward into Authorized Users automatically by the upgrade — no manual mapping is needed. +DefectDojo open-source moved back to the Authorized Users model in version 3.0. If you're upgrading from a release that had the Members / Groups / Global Roles system, your existing access is carried forward into Authorized Users automatically by the upgrade — no manual mapping is needed. -The upgrade ships with a read-only management command, `preview_legacy_authorization_migration`, that summarizes what an upgrade would change against a copy of your database. The recommended workflow is to install 2.59 in a staging environment with a snapshot of production, run the command, review the summary, and then upgrade production. +The upgrade ships with a read-only management command, `preview_legacy_authorization_migration`, that summarizes what an upgrade would change against a copy of your database. The recommended workflow is to install 3.0 in a staging environment with a snapshot of production, run the command, review the summary, and then upgrade production. If you're moving the other direction — from open-source to DefectDojo Pro — Pro ships a `reconcile_authorized_users_to_rbac` command that brings Authorized Users access forward into Pro's RBAC. It supports `--dry-run` and is idempotent. -For more detail on both paths, see the [2.59 upgrade notes](/releases/os_upgrading/2.59/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization). +For more detail on both paths, see the [3.0 upgrade notes](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization). 
diff --git a/docs/content/admin/user_management/_index.md b/docs/content/admin/user_management/_index.md index 33a52cc5583..ae5322fdda9 100644 --- a/docs/content/admin/user_management/_index.md +++ b/docs/content/admin/user_management/_index.md @@ -38,4 +38,4 @@ DefectDojo Pro uses a role-based system with Members, Groups, and Global Roles. ## Migrating between editions -If you're moving from open-source's Authorized Users to Pro's RBAC, or upgrading from a pre-2.59 open-source release that used RBAC into the current Authorized Users model, see the [2.59 upgrade notes](/releases/os_upgrading/2.59/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization). Existing access is preserved automatically. +If you're moving from open-source's Authorized Users to Pro's RBAC, or upgrading from a pre-3.0 open-source release that used RBAC into the current Authorized Users model, see the [3.0 upgrade notes](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization). Existing access is preserved automatically. diff --git a/docs/content/admin/user_management/about_perms_and_roles.md b/docs/content/admin/user_management/about_perms_and_roles.md index 9a662bfd231..85ff79b50f9 100644 --- a/docs/content/admin/user_management/about_perms_and_roles.md +++ b/docs/content/admin/user_management/about_perms_and_roles.md 
@@ -7,7 +7,7 @@ aliases: - /en/customize_dojo/user_management/about_perms_and_roles --- -> **DefectDojo Pro feature.** The Members / Groups / Global Roles RBAC system described on this page is part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [2.59 upgrade notes](/releases/os_upgrading/2.59/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. +> **DefectDojo Pro feature.** The Members / Groups / Global Roles RBAC system described on this page is part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [3.0 upgrade notes](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. If you have a team of users working in DefectDojo, it's important to set up Role\-Based Access Control (RBAC) appropriately so that users can only access specific data. Security data is highly sensitive, and DefectDojo's options for access control allow you to be specific about each team member’s access to information. diff --git a/docs/content/admin/user_management/create_user_group.md b/docs/content/admin/user_management/create_user_group.md index d432470212a..8107cd9dae4 100644 --- a/docs/content/admin/user_management/create_user_group.md +++ b/docs/content/admin/user_management/create_user_group.md 
@@ -7,7 +7,7 @@ aliases: - /en/customize_dojo/user_management/create_user_group --- -> **DefectDojo Pro feature.** User Groups and the underlying RBAC system are part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [2.59 upgrade notes](/releases/os_upgrading/2.59/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. +> **DefectDojo Pro feature.** User Groups and the underlying RBAC system are part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [3.0 upgrade notes](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. If you have a significant number of DefectDojo users, you may want to create one or more **Groups**, in order to set the same Role\-Based Access Control (RBAC) rules for many users simultaneously. Only Superusers can create User Groups. diff --git a/docs/content/admin/user_management/set_user_permissions.md b/docs/content/admin/user_management/set_user_permissions.md index ed2018423fc..9134f2f61e8 100644 --- a/docs/content/admin/user_management/set_user_permissions.md +++ b/docs/content/admin/user_management/set_user_permissions.md 
@@ -7,7 +7,7 @@ aliases: - /en/customize_dojo/user_management/set_user_permissions --- -> **DefectDojo Pro feature.** The Members / Groups / Global Roles RBAC system described on this page is part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [2.59 upgrade notes](/releases/os_upgrading/2.59/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. +> **DefectDojo Pro feature.** The Members / Groups / Global Roles RBAC system described on this page is part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [3.0 upgrade notes](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. ## Introduction to Permission Types diff --git a/docs/content/admin/user_management/user_permission_chart.md b/docs/content/admin/user_management/user_permission_chart.md index e29c65b0189..b119d48d0a3 100644 --- a/docs/content/admin/user_management/user_permission_chart.md +++ b/docs/content/admin/user_management/user_permission_chart.md 
@@ -7,7 +7,7 @@ aliases: - /en/customize_dojo/user_management/user_permission_chart --- -> **DefectDojo Pro feature.** The Members / Groups / Global Roles RBAC system described on this page is part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [2.59 upgrade notes](/releases/os_upgrading/2.59/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. +> **DefectDojo Pro feature.** The Members / Groups / Global Roles RBAC system described on this page is part of DefectDojo Pro. Open-source DefectDojo uses the [Authorized Users](../os__authorized_users/) model — see that page for open-source access control, and the [3.0 upgrade notes](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization) if you're moving between editions. ## Role Permission Chart diff --git a/docs/content/releases/os_upgrading/2.59.md b/docs/content/releases/os_upgrading/3.0.md similarity index 52% rename from docs/content/releases/os_upgrading/2.59.md rename to docs/content/releases/os_upgrading/3.0.md index a36e9e88b65..95e0ce984ea 100644 --- a/docs/content/releases/os_upgrading/2.59.md +++ b/docs/content/releases/os_upgrading/3.0.md 
@@ -1,10 +1,64 @@ --- -title: 'Upgrading to DefectDojo Version 2.59.x' +title: 'Upgrading to DefectDojo Version 3.0.x' toc_hide: true -weight: -20260602 -description: Authorized Users panel replaces Members/Groups under legacy authorization; SSO providers move to DefectDojo Pro; removal of Questionnaire API Endpoints, Credential Manager, and Stub Findings +weight: -20260615 +description: Locations and Asset/Organization labels are now enabled by default; Authorized Users panel replaces Members/Groups under legacy authorization; SSO providers move to DefectDojo Pro; removal of Questionnaire API Endpoints, Credential Manager, and Stub Findings --- +## Locations enabled by default + +`DD_V3_FEATURE_LOCATIONS` now defaults to `True`. Locations is a polymorphic location/asset model that replaces the legacy `Endpoint` model. **URL Locations** are the direct equivalent of Endpoints (same `protocol`, `host`, `port`, `path`, `query`, and `fragment` fields), and the model additionally supports **Dependency Locations** for SBOM/library data that Endpoints could never represent. + +### How to migrate + +After the feature is enabled on an existing instance, run the **`migrate_endpoints_to_locations`** management command to carry your Endpoint data forward into Locations. Enabling the flag alone does **not** move data — the command performs the one-time conversion. For every Endpoint, it: + +1. Creates (or re-uses) a **URL Location** from the Endpoint's `protocol`, `userinfo`, `host`, `port`, `path`, `query`, and `fragment`. +2. Carries over all **tags** and re-points all **metadata** (`DojoMeta`) onto the new Location. +3. Creates a **`LocationProductReference`** so the URL appears under the correct Asset (Product). +4. 
Creates a **`LocationFindingReference`** for every `Endpoint_Status`, collapsing the old multi-flag combinations into a single canonical status (first match wins): + + | Endpoint_Status flag | Resulting Location status | + | --- | --- | + | `risk_accepted=True` | **Risk Accepted** | + | `false_positive=True` | **False Positive** | + | `out_of_scope=True` | **Out of Scope** | + | `mitigated=True` | **Mitigated** | + | (none of the above) | **Active** | + +#### Running the migration + +``` +python manage.py migrate_endpoints_to_locations +``` + +- **Idempotent — safe to re-run.** Each phase uses `bulk_create(..., ignore_conflicts=True)`, so re-running the command will not create duplicates and will pick up any Endpoints not yet converted. After converting, it runs a tag-inheritance pass so migrated Locations pick up inherited product tags. +- **Resilient to per-row failures.** A single bad Endpoint is logged (with its ID) and skipped rather than aborting the whole run; re-run after addressing the cause to convert the remainder. The command prints live progress with an ETA and a final migrated/total summary. +- **Tuning flags (optional):** `--batch-size` (DB iterator chunk size, default `1000`) and `--progress-every` (progress-line cadence, default `50`). `--benchmark` and `--query-count` exist for profiling only and add overhead. + +For full details (including the read-compatibility behavior of the legacy API), see [Migrating from Endpoints](/asset_modelling/locations/pro__migrating_from_endpoints/). + +### What happens to existing endpoint data + +- **Nothing is deleted.** The original `Endpoint` and `Endpoint_Status` rows remain in the database to back the read-only legacy API. They are simply no longer used by the new UI or by imports. +- **Reads keep working; writes return 403.** `GET /api/v2/endpoints/` and `GET /api/v2/endpoint_status/` return rows projected from Locations, preserving the original Endpoint IDs and familiar fields. 
`POST`/`PUT`/`PATCH`/`DELETE` on those routes return `HTTP 403` — write clients should move to `POST /api/v2/urls/`, `POST /api/v2/location_findings/`, and `POST /api/v2/location_products/`. + +### How to roll back + +Set `DD_V3_FEATURE_LOCATIONS=False` to return to the legacy Endpoint model, UI, and read/write API. Because the original Endpoint rows are never deleted, your pre-upgrade endpoint data is still there. + +> **Caveat — migration is one-way.** There is no automated path that re-creates Endpoints from Locations. Any endpoint changes you made through the new Location endpoints while the feature was enabled are **not** back-ported into the legacy `Endpoint` tables, so they will not be visible after rolling back. + +## Asset / Organization labels enabled by default + +`DD_ENABLE_V3_ORGANIZATION_ASSET_RELABEL` now defaults to `True`. This renames **"Product Type" → "Organization"** and **"Product" → "Asset"** throughout the UI, and routes `/product/type` → `/organization` and `/product` → `/asset` (with backward-compatibility redirects from the old paths). + +This change is **cosmetic only**: the database model names, field names, and API endpoints are unchanged, so existing automation and integrations continue to work without modification. + +### How to roll back + +Set `DD_ENABLE_V3_ORGANIZATION_ASSET_RELABEL=False` to restore the "Product" / "Product Type" labels and the original URLs. No data is changed by this feature, so the rollback is fully reversible. + ## Authorized Users panel replaces Members/Groups under legacy authorization Open Source DefectDojo uses the legacy authorization model: access to a Product is granted by `Product.authorized_users` (with cascade via `Product_Type.authorized_users`), and `is_staff` / `is_superuser` bypass everything. 
@@ -93,4 +147,4 @@ Any requests to this endpoint will now return a 404 Not Found error. The Stub Fi In [PR 14881](https://github.com/DefectDojo/django-DefectDojo/pull/14881)We optimized the way the Django Watson search index is updated during imports and reimports. There is not a single configuration setting to manage the threshold: `DD_WATSON_ASYNC_INDEX_UPDATE_BATCH_SIZE`. The default value should work fine for most instances. -For more information, check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.59.0). +For more information, check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/3.0.0). diff --git a/docs/content/releases/pro/changelog.md b/docs/content/releases/pro/changelog.md index 762cd12c74a..1216f187b62 100644 --- a/docs/content/releases/pro/changelog.md +++ b/docs/content/releases/pro/changelog.md 
@@ -10,6 +10,19 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/releases/os_upgrading/upgrading_guide/). +## June 2026: v3.0 + +### June 15, 2026: v3.0.0 + +* **(Locations)** Locations are now enabled by default, superseding the legacy Endpoint model. The legacy Endpoint API stays read-compatible and your data is preserved. See [Locations enabled by default](/releases/os_upgrading/3.0/#locations-enabled-by-default). +* **(Assets & Organizations)** "Product Type" → "Organization" and "Product" → "Asset" relabeling (UI labels + URL routing) is now on by default. The change is cosmetic — API endpoints and field names are unchanged. See [Asset / Organization labels enabled by default](/releases/os_upgrading/3.0/#asset--organization-labels-enabled-by-default). +* **(Authorization)** Open Source restores the **Authorized Users** panel on Product/Product Type detail under the legacy authorization model; Pro deployments retain full RBAC and are not impacted. See [Authorized Users panel replaces Members/Groups under legacy authorization](/releases/os_upgrading/3.0/#authorized-users-panel-replaces-membersgroups-under-legacy-authorization). +* **(SSO)** SSO providers (SAML, OIDC, Google, Okta, Azure AD, GitLab, Auth0, Keycloak, GitHub Enterprise, remote-user header auth) are now DefectDojo Pro-only. See [SSO providers are available in DefectDojo Pro only](/releases/os_upgrading/3.0/#sso-providers-are-available-in-defectdojo-pro-only). +* **(API)** Removed the Questionnaire API endpoints. See [Removal: Questionnaire API Endpoints](/releases/os_upgrading/3.0/#removal-questionnaire-api-endpoints). +* **(API)** Removed the Credential Manager feature and its API endpoints. 
See [Removal: Credential Manager](/releases/os_upgrading/3.0/#removal-credential-manager). +* **(API)** Removed the Stub Findings feature and its API endpoint. See [Removal: Stub Findings](/releases/os_upgrading/3.0/#removal-stub-findings). +* **(Search)** Watson search index updates during import/reimport are now batched, tunable via `DD_WATSON_ASYNC_INDEX_UPDATE_BATCH_SIZE`. See [Configuration change in Watson Search Indexing](/releases/os_upgrading/3.0/#configuration-change-in-watson-search-indexing). + ## June 2026: v2.59 ### June 1, 2026: v2.59.0
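Review bot: In the `docs/content/releases/os_upgrading/3.0.md` hunk (`@@ -1,10 +1,64 @@`), the "How to migrate" section leaves the practical consequence of `DD_V3_FEATURE_LOCATIONS` now defaulting to `True` implicit: since the flag flips on upgrade, every existing instance moving to 3.0 will have Locations enabled with no Endpoint data converted until `migrate_endpoints_to_locations` is run, so the new UI and imports will show no URL Locations and the legacy `POST`/`PUT`/`PATCH`/`DELETE` endpoint routes will already be returning `HTTP 403`. Suggest stating the command as a required post-upgrade step at the top of the section (and in the `description:` front matter), and, given the "migration is one-way" caveat further down, recommending a database backup before the upgrade rather than only before running the command. Two smaller points in the same hunk: the link target `/asset_modelling/locations/pro__migrating_from_endpoints/` carries a `pro__` prefix while this page is the open-source upgrade guide, so please confirm that page applies to open-source installs; and the "Idempotent — safe to re-run" bullet could say explicitly that `bulk_create(..., ignore_conflicts=True)` suppresses unique-constraint collisions silently, so such rows will not appear in the per-Endpoint failure log and operators should compare the final migrated/total summary against their Endpoint count.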
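Review bot: In the second `3.0.md` hunk (`@@ -93,4 +147,4 @@`), the unchanged context lines carry two defects worth fixing while the file is being renamed: "In [PR 14881](...)We optimized" is missing a space before "We", and "There is not a single configuration setting to manage the threshold: `DD_WATSON_ASYNC_INDEX_UPDATE_BATCH_SIZE`" contradicts itself (it names exactly one setting), so "not" is presumably "now". Suggest "There is now a single configuration setting to manage the threshold: `DD_WATSON_ASYNC_INDEX_UPDATE_BATCH_SIZE`." The changed line itself (release-tag link bumped to `3.0.0`) looks correct.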
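Review bot: In the `docs/content/releases/pro/changelog.md` hunk (`@@ -10,6 +10,19 @@`), the **(Locations)** bullet describes the legacy Endpoint API as "read-compatible" and says data is preserved, but does not mention that write methods on `/api/v2/endpoints/` and `/api/v2/endpoint_status/` now return `HTTP 403` or that `migrate_endpoints_to_locations` must be run; both are stated in the upgrade notes this bullet links to, and the 403 is a breaking change for any integration that creates endpoints via the API. Suggest adding one sentence to the bullet, for example: "Write methods on the legacy endpoint routes now return 403; move write clients to `/api/v2/urls/`, `/api/v2/location_findings/` and `/api/v2/location_products/`, and run `migrate_endpoints_to_locations` after upgrading." The remaining bullets mirror the upgrade-notes headings and their anchors match.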