Upgrading to DefectDojo Version 2.7.x

breaking change

This release is a breaking change regarding the Choctaw Hog parser. As the maintainers of this project unified multiple parsers under the RustyHog parser, we now support the parsing of Choctaw Hog JSON output files through the Rusty Hog parser. Furthermore, we also support Gottingen Hog and Essex Hog JSON output files with the RustyHog parser.

There is another breaking change regarding the import of SSLyze scans. The parser has been renamed from SSLyze 3 Scan (JSON) to SSLyze Scan (JSON). The data in the database is fixed by the initializer, but it may break scripted API calls.

Release 2.7.0 contains a beta functionality to make permissions for the configuration of DefectDojo more flexible. When the settings parameter FEATURE_CONFIGURATION_AUTHORIZATION is set to True, many configuration dialogues and API endpoints can be enabled for users or groups of users, regardless of their Superuser or Staff status, see Configuration Permissions.

The functionality using the flag AUTHORIZATION_STAFF_OVERRIDE has been removed. The same result can be achieved with giving the staff users a global Owner role.

To support the transition for these 2 changes, you can run a migration script with ./manage.py migrate_staff_users. This script:

  • creates a group for all staff users,
  • sets all configuration permissions that staff users had and
  • sets the global Owner role, if AUTHORIZATION_STAFF_OVERRIDE is set to True.