Upgrading to DefectDojo Version 2.52.x
Fix UI overwriting service field from parsers
The web form in the UI sends an empty string for the service field by default, which ended up overwriting the service value set by parsers.
Only a few parsers set this field, so the impact of this fix is low:
- Trivy Scan
- Trivy Operator Scan
- Hydra Scan
- JFrog Xray API Summary Artifact Scan
- StackHawk HawkScan
See PR 13517 for more details.
Deduplication fix of UNIQUE_ID_OR_HASH_CODE
A bug was fixed in the UNIQUE_ID_OR_HASH_CODE deduplication algorithm, where it stopped processing candidate findings that had an equal unique_id_from_tool or hash_code value.
Strictly speaking this is not a breaking change, but we want to make you aware that you may see more (and better) deduplication for parsers using this algorithm.
Valkey in docker compose
Since the license change at Redis, the Valkey fork has become widely popular and is backed by industry giants such as AWS. AWS advises using Valkey over Redis and prices Valkey lower than Redis.
DefectDojo 2.52 now uses Valkey as the message broker. The existing Redis volume can be used by Valkey, so this is a drop-in replacement.
If you want to know more or have a setup where you cannot just re-use the existing volume, please visit https://valkey.io/topics/migration/.
When you shut down DefectDojo to perform the upgrade, the celery tasks that are in the queue are stored to disk. After the upgrade, the celery workers will process these tasks as normal.
If you want to be 110% sure no tasks will be lost, you can perform the upgrade in two steps:
- Stop nginx, uwsgi and celerybeat to prevent new tasks from being created:
    docker compose down nginx uwsgi celerybeat
- Observe the Redis queue and/or the logs of the celeryworker(s) and wait until all tasks are finished:
    docker compose exec redis redis-cli llen celery    (should output 0)
    docker compose logs celeryworker    (should stop outputting new task logs)
- Stop the remaining services:
    docker compose down
- Continue the upgrade as normal per the upgrade guide:
    docker compose pull
    docker compose up -d
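The two-step procedure above as one script. This is an added example, not DefectDojo's own tooling; it assumes the Compose service names used in the notes (nginx, uwsgi, celerybeat, celeryworker and redis, the broker service name before the upgrade) and a checkout where `docker compose` resolves the project. The drain step is the part worth automating: it polls the queue length and refuses to stop the broker until the count reaches 0, and it aborts on an unreadable count instead of treating it as empty.

```shell
#!/bin/sh
# Two-step DefectDojo upgrade helper (added example, not DefectDojo's own script).
# Assumes the Compose service names from the upgrade notes: nginx, uwsgi,
# celerybeat, celeryworker and redis (the broker service before the upgrade).
set -eu

# Print the number of tasks waiting in the default Celery queue on the broker.
queue_length() {
    docker compose exec -T redis redis-cli llen celery
}

# Poll a queue-length command until it reports 0.
#   $1: command or function that prints the queue length
#   $2: maximum number of polls
#   $3: seconds to wait between polls (default 5)
# Returns 0 when drained, 1 when the poll budget is exhausted, and 2 on a
# non-numeric reading (for example when the broker container is not running),
# so an unreadable queue is never mistaken for an empty one.
wait_for_drain() {
    probe=$1
    max=$2
    delay=${3:-5}
    i=0
    while [ "$i" -lt "$max" ]; do
        n=$("$probe" | tr -d '[:space:]')
        case "$n" in
            0) return 0 ;;
            ''|*[!0-9]*) echo "unexpected queue length reading: '$n'" >&2; return 2 ;;
        esac
        echo "$n task(s) still queued, waiting ${delay}s" >&2
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# The full procedure from the notes: stop producers, drain, stop, pull, start.
upgrade_two_step() {
    # 1. Nothing may enqueue new tasks while we drain.
    docker compose down nginx uwsgi celerybeat
    # 2. Give the workers up to 30 polls, 10 s apart, to empty the queue;
    #    set -e aborts the script here if they do not, so nothing is lost.
    wait_for_drain queue_length 30 10
    # 3. Stop the rest; any remaining broker state is persisted in the volume.
    docker compose down
    # 4. Fetch the 2.52 images and start the stack.
    docker compose pull
    docker compose up -d
}

# Run the real procedure only when explicitly requested, so the file can also
# be sourced to reuse wait_for_drain on its own.
if [ "${DOJO_UPGRADE:-0}" = "1" ]; then
    upgrade_two_step
fi
```

Run it with `DOJO_UPGRADE=1 sh upgrade-2.52.sh` from the directory holding the Compose file. If the queue does not drain within the poll budget the script exits before `docker compose down`, which is the safe direction: you keep the old version running and can investigate the stuck tasks in the celeryworker logs first.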
Helm Chart Changes
This release introduces more important changes to the Helm chart configuration:
Breaking changes
Tags
The tag and repositoryPrefix fields have been deprecated. Image tags used in containers are now derived by default from the appVersion defined in the Chart.
This behavior can be overridden by setting the tag value in images.django and images.nginx.
If fine-tuning is necessary, each container's image value can also be customized individually (celery.beat.image, celery.worker.image, django.nginx.image, django.uwsgi.image, initializer.image, and dbMigrationChecker.image).
Digest pinning is now supported as well.
Security context
This Helm chart extends security context capabilities to all deployed pods and containers.
You can define a default pod and container security context globally using securityContext.podSecurityContext and securityContext.containerSecurityContext keys.
Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones.
Fine-grained resources
Each container can now specify its own resource requests and limits.
Moved values
The following Helm chart values have been modified in this release:
- securityContext.djangoSecurityContext: deprecated in favor of container-specific security contexts (celery.beat.containerSecurityContext, celery.worker.containerSecurityContext, django.uwsgi.containerSecurityContext and dbMigrationChecker.containerSecurityContext)
- securityContext.nginxSecurityContext: deprecated in favor of container-specific security contexts (django.nginx.containerSecurityContext)
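A pre-upgrade check for the deprecated keys and a values override that uses the new global security-context keys, as an added example that is not part of the DefectDojo chart. The value keys are the ones named in this section (images.django.tag, images.nginx.tag, securityContext.podSecurityContext, securityContext.containerSecurityContext, celery.worker.containerSecurityContext, and the deprecated tag, repositoryPrefix, djangoSecurityContext and nginxSecurityContext); the chart path, release name and image tag are assumed placeholders, and the individual securityContext fields are standard Kubernetes settings chosen here as a restrictive baseline.

```shell
#!/bin/sh
# Pre-upgrade check and values override for the 2.52 Helm chart changes.
# Added example, not part of the DefectDojo chart. Chart path, release name
# and the image tag are placeholders; adjust them to your deployment.
set -eu

# Flag deprecated keys in an existing values file. Prints the matching lines
# with line numbers and returns 1 if any are found, 0 if the file is clean.
find_deprecated_keys() {
    grep -nE '^(tag|repositoryPrefix):|djangoSecurityContext|nginxSecurityContext' "$1" && return 1
    return 0
}

# Write a values override to $1 that pins both image tags to $2 and sets a
# restrictive default security context for every pod and container.
write_values_override() {
    out=$1
    tag=$2
    cat > "$out" <<EOF
images:
  django:
    tag: "$tag"
  nginx:
    tag: "$tag"
securityContext:
  # Applied to every pod unless a deployment overrides it.
  podSecurityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  # Applied to every container; deployment-level contexts merge with it.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
celery:
  worker:
    # Per-deployment override merged with the global one.
    # Enable only after confirming the worker needs no writable root filesystem.
    containerSecurityContext:
      readOnlyRootFilesystem: true
EOF
}

# Apply the override with the chart checked out locally (placeholder paths).
apply_override() {
    release=$1
    chart=$2
    values=$3
    helm upgrade --install "$release" "$chart" -f "$values"
}

# Only touch the cluster when explicitly requested; the functions above can
# be sourced and used on their own.
if [ "${DOJO_HELM_APPLY:-0}" = "1" ]; then
    if ! find_deprecated_keys "${OLD_VALUES:-values.yaml}"; then
        echo "migrate the deprecated keys listed above before upgrading" >&2
        exit 1
    fi
    write_values_override values-2.52.yaml "${DOJO_TAG:-2.52.0}"
    apply_override defectdojo ./helm/defectdojo values-2.52.yaml
fi
```

Running `find_deprecated_keys` against your current values file first is the point of the check: a deprecated `securityContext.djangoSecurityContext` block is silently ignored after the upgrade, so a deployment that used to run with a hardened context would otherwise fall back to the chart defaults without any error.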
Other changes
- Extra annotations: common annotations can now be added to all resources.
There are other instructions for upgrading to 2.52.x. Check the Release Notes for the contents of the release.
Merge of MobSF parsers
The "Mobsfscan Scan" parser has been merged into the "MobSF Scan" parser. The "Mobsfscan Scan" scan_type has been retained to keep deduplication working for existing Tests, but users are encouraged to move to the "MobSF Scan" scan_type.
Release notes
Check the Release Notes for the contents of the release.
