Upgrading to DefectDojo Version 2.54.x

Breaking Change: Removal of django-auditlog

Starting with DefectDojo 2.53, django-auditlog support has been removed in favour of django-pghistory. This is designed to be a backwards compatible change, unless:

  • You’re querying the database directly for auditlog events, or,
  • You’ve set the DD_AUDITLOG_TYPE environment variable (or AUDITLOG_TYPE settings field)

Required Actions

If you’re using DD_AUDITLOG_TYPE, remove it from your configuration/environment.

Existing Records Preserved

Historical audit log entries stored in the auditlog_logentry table will continue to be displayed in the action history view for backward compatibility. No data migration is required.

Benefits of django-pghistory

The switch to django-pghistory provides several advantages:

  • Better performance: Database-level triggers reduce overhead compared to Django signal-based auditing
  • More features: Enhanced context tracking and better support for complex queries
  • Better data integrity: PostgreSQL-native implementation ensures consistency

Migration Notes

  • A one-time data migration will take place to “backfill” the django-pghistory tables with the initial snapshot of the tracked models.
  • The migration is designed to be fail-safe: if it fails for some reason, it will continue where it left off.
  • If it fails completely, or if you want to trigger it manually for any other reason, you can do so with one of:
    • docker compose exec uwsgi bash -c "python manage.py pghistory_backfill_fast", or
    • docker compose exec uwsgi bash -c "python manage.py pghistory_backfill_simple", or
    • docker compose exec uwsgi bash -c "python manage.py pghistory_backfill"

The backfill migration does not have to succeed. If it fails for some reason, the only side effect is that the first audit log diff for an object will contain all of its fields instead of just the changed fields.

Dropped support for DD_PARSER_EXCLUDE

To simplify the management of the DefectDojo application, parser exclusions are no longer controlled via the environment variable DD_PARSER_EXCLUDE or application settings. This variable is now unsupported. From now on, you should use the active flag in the Test_Type model to enable or disable parsers. Only parsers associated with active Test_Type entries will be available for use.
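To move an existing DD_PARSER_EXCLUDE list over to Test_Type.active flags, the following helper is an added example (not DefectDojo's own code). It assumes DD_PARSER_EXCLUDE held a comma-separated list of scan type names matching Test_Type.name, and that dojo.models.Test_Type is importable inside the uwsgi container; the pure planning logic is kept separate so it can be checked without a database.

```python
"""Migrate a legacy DD_PARSER_EXCLUDE list to Test_Type.active flags (example helper).

Assumptions (not stated in the upgrade notes): DD_PARSER_EXCLUDE was a
comma-separated list of scan type names, and those names equal Test_Type.name.
Intended to be run from `python manage.py shell` inside the uwsgi container.
"""
import os


def parse_exclusions(raw: str) -> list[str]:
    """Split the legacy comma-separated value, dropping blanks and duplicates."""
    seen: set[str] = set()
    names: list[str] = []
    for name in raw.split(","):
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def plan_deactivation(excluded: list[str], known_types: dict[str, bool]) -> dict:
    """Decide what to change before touching the database.

    known_types maps Test_Type.name -> current active flag. The plan separates
    rows to flip to active=False from rows that are already inactive and from
    names with no matching Test_Type (typos in the old list, or parsers that
    no longer exist), so nothing is silently ignored.
    """
    return {
        "deactivate": [n for n in excluded if known_types.get(n) is True],
        "already_inactive": [n for n in excluded if known_types.get(n) is False],
        "unknown": [n for n in excluded if n not in known_types],
    }


def apply_plan(excluded: list[str]) -> dict:
    """Apply the plan through the Django ORM; requires a DefectDojo environment."""
    from dojo.models import Test_Type  # assumed import path inside the container

    known = dict(Test_Type.objects.values_list("name", "active"))
    plan = plan_deactivation(excluded, known)
    Test_Type.objects.filter(name__in=plan["deactivate"]).update(active=False)
    return plan


def main() -> dict:
    """Read the legacy variable from the environment and apply it; returns the plan."""
    return apply_plan(parse_exclusions(os.environ.get("DD_PARSER_EXCLUDE", "")))
```

Inside the shell, call main() and review the returned "unknown" list: those names were never matched by the old variable either, so they need no action. Re-enabling a parser later is just setting the Test_Type row's active flag back to True.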

Import/reimport performance improvements

DefectDojo 2.54.x includes performance improvements for reimporting scan results, especially for large scans:

  • Faster reimports due to fewer database queries and more bulk operations.
  • Reduced database load during reimport matching and post-processing (helps avoid slowdowns/timeouts under heavy scan volume).
  • More efficient endpoint status updates during reimport of dynamic findings.
  • Less churn when updating vulnerability IDs, avoiding unnecessary deletes/writes when nothing changed.

No action is required after upgrading. (Optional tuning knobs exist via DD_IMPORT_REIMPORT_MATCH_BATCH_SIZE and DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE.)

Finding Template enhancements and removal of CWE matching

As communicated in the 2025Q1 community update, the automated matching of Finding Templates based on CWE and/or title has now been removed.

There are other instructions for upgrading to 2.54.x. Check the Release Notes for the contents of the release: https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.54.0