DefectDojo · rossops · Jun 9, 2025 · Jun 2, 2025 · Jun 2, 2025 · Jun 3, 2025
@@ -12,29 +12,39 @@ DefectDojo Pro comes with many additional features.  Here is list of those featu
 ## Improved UX
 
 ### Pro UI
-DefectDojo's UI has been reworked in DefectDojo Pro to be faster, more functional and to be better at navigating through enterprise-level data volume.  It also includes a dark mode.  See our [Pro UI Guide](../ui_pro_vs_os) for more information.
+DefectDojo's UI has been reworked in DefectDojo Pro to be faster, more functional, and to be better at navigating through enterprise-level data volume.  It also includes a dark mode.  
+See our [Pro UI Guide](../ui_pro_vs_os) for more information.
 
 ![image](images/enabling_deduplication_within_an_engagement_2.png)
 
 ### Rules Engine
 DefectDojo Pro's Rules Engine allows you to set up a script of automated bulk actions - no programming experience required.
-Build custom workflows and bulk actions to handle Findings and other objects.  See our [Rules Engine Guide](/en/customize_dojo/rules_engine) for more info.
+Build custom workflows and bulk actions to handle Findings and other objects.  
+See our [Rules Engine Guide](/en/customize_dojo/rules_engine) for more info.
 
 ![image](images/rules_engine_4.png)
 
 ### Pro Dashboards and Reporting
 Generate [instant reports and metrics](../ui_pro_vs_os/#new-dashboards) to share the security posture of your apps and repos.  Evaluate your security tools and your team's performance in addressing security issues.
 
+### Deduplication Tuning
+Fine-tune how DefectDojo identifies and manages duplicate findings with advanced deduplication settings. Adjust same-tool, cross-tool, and reimport deduplication for precision matching between all your chosen security tools and vulnerability findings.
+See our [Deduplication Tuning Guide](/en/working_with_findings/finding_deduplication/tune_deduplication/) for more information.
+
+![image](images/deduplication_tuning.png)
+
 ## Streamlined import
 
 ### Background Imports
 For enterprise-level reports, DefectDojo Pro offers an optimized upload method which processes Findings in the background.
 
 ### CLI Tools
-Quickly build a command-line pipeline to import, reimport and export data to your DefectDojo Pro instance using our Universal Importer and DefectDojo CLI apps.  These tools are maintained by the DefectDojo Pro team and can be run in Windows, Macintosh or Linux environments.  See our [External Tools Guide](/en/connecting_your_tools/external_tools/) for more information.
+Quickly build a command-line pipeline to import, reimport, and export data to your DefectDojo Pro instance using our Universal Importer and DefectDojo CLI apps.  These tools are maintained by the DefectDojo Pro team and can be run in Windows, Macintosh, or Linux environments.  
+See our [External Tools Guide](/en/connecting_your_tools/external_tools/) for more information.
 
 ### Connectors
-DefectDojo can instantly connect to supported tools to import new Finding data - get an automated Import pipeline working out-of-the-box, without the need to set up any API calls or cron jobs.  See our [Connectors Guide](/en/connecting_your_tools/connectors/about_connectors/) for more information.
+DefectDojo can instantly connect to supported tools to import new Finding data - get an automated Import pipeline working out-of-the-box, without the need to set up any API calls or cron jobs.  
+See our [Connectors Guide](/en/connecting_your_tools/connectors/about_connectors/) for more information.
 
 ![image](images/add_edit_connectors_2.png)
 
@@ -54,6 +64,7 @@ Supported tools for Connectors include:
 ### Universal Parser
 Are you using an unsupported or customized scanning tool?  Or do you just wish DefectDojo handled a report slightly differently?
 
-Use DefectDojo Pro's Universal Parser to turn any .json or .csv report into an actionable set of Findings, and have DefectDojo parse the data however you like.  See our [Universal Parser Guide](/en/connecting_your_tools/parsers/universal_parser/)
+Use DefectDojo Pro's Universal Parser to turn any .json or .csv report into an actionable set of Findings, and have DefectDojo parse the data however you like.  
+See our [Universal Parser Guide](/en/connecting_your_tools/parsers/universal_parser/) for more information.
 
 ![image](images/universal_parser_3.png)
@@ -9,6 +9,19 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
 
+## June 2025: v2.47
+
+### June 2, 2025: v2.47.0
+
+- **(Pro UI)** Finding review can now be set through the Pro UI.  You can now Request Review or clear a Finding review from Finding tables, or from the Finding View.
+
+![image](images/pro_request_review.png)
+
+- **(Pro UI)** Artifact files can now be uploaded through the Pro UI to Findings.  These files can be viewed or deleted on the **Finding Overview > Files** tab of a Finding page.
+
+![image](images/pro_upload_file.png)
+
+
 ## May 2025: v2.46
 
 ### ⚠️ Tag Format Change 
@@ -32,6 +45,22 @@ This update improves consistency, enhances DefectDojo's search capabilities, and
 
 We recommend reviewing your current tags to ensure they align with the new format.  Following the deployment of these new behaviors, requests sent to the API or through the UI with any of the violations listed above will result in an error, with the details of the error raised in the response.
 
+### May 26, 2025: v2.46.4
+
+- **(Pro Metrics)** Rework of filter menu within insights dashboards to remove cross Product Type and Product filtering capabilities.
+- **(Pro UI)** Clickable links within insights dashboards.
+- **(Pro UI)** You can now differentiate between **AppSec** and **SOC** Test Types, to specify whether Findings in DefectDojo were created by an AppSec or SOC process.  You can assign the SOC label by editing a Test Type in the Pro UI:
+
+![image](images/pro_test_types.png)
+
+Whether a Finding is "AppSec" or "SOC" depends on the parent Test Type.  If a Test Type does not have SOC set, all of the Findings associated with this Test Type will be considered "AppSec".
+
+The Priority Insights dashboard can quickly render a list of all SOC or AppSec Findings, ordered by Priority.
+
+![image](images/pro_soc_filter.png)
+
+- **(Pro UI)** More detailed messages in Bulk Edit provide a better explanation of why some Findings may have been skipped.
+
 ### May 19, 2025: v2.46.3
 
 - **(Calendar)** New filters have been added to Calendar view: Unassigned Lead, and Engagement/Test Type.
@@ -64,24 +93,24 @@ Hotfix release - no significant feature changes.
 
 ## Apr 2025: v2.45
 
-### Apr 28, 2025: v2.45.3
+#### Apr 28, 2025: v2.45.3
 
 - **(Import)** Reimporting a scan can now handle special statuses assigned by a tool.  Now, if a Finding was initially imported as Active, but the status was changed to False Positive, Out Of Scope or Risk Accepted by a subsequent report, that status will now be respected and applied to the Finding by Reimport.
 - **(Tools)** Fortify parser can now assign False Positive status to Findings according to the audit.xml file.
 
-### Apr 22, 2025: v2.45.2
+#### Apr 22, 2025: v2.45.2
 
 ![image](images/risk_table.png)
 
 - **(Pro UI)** Added a link to Universal Importer to the sidebar, which provides access to the [Universal Importer and DefectDojo CLI](/en/connecting_your_tools/external_tools/) tools.
 - **(Pro UI)** Added smart Prioritization and Risk fields to DefectDojo Pro, which can be used to more easily triage Findings based on the impact of the Product they affect.  See [Priority](/en/working_with_findings/finding_priority/) documentation for more information.
 - **(Tools)** Updated Fortify Webinspect parser to handle Fortify's new XML report format.
 
-### Apr 14, 2025: v2.45.1
+#### Apr 14, 2025: v2.45.1
 
 - **(Connectors)** Added a Connector for Wiz: see [tools reference](/en/connecting_your_tools/connectors/connectors_tool_reference/) for configuration instructions.
 
-### Apr 7, 2025: v2.45.0
+#### Apr 7, 2025: v2.45.0
 
 - **(Pro UI)** Added Calendar view to Pro UI: Calendar view now displays Tests and Engagements, and can be filtered.  Clicking on a Calendar entry now displays a more detailed description of the object.
 ![image](images/pro_calendar_view.png)

@@ -1,5 +1,5 @@
 ---
-title: "Branching model"
+title: "Open-Source Branching & Releases"
 description: "How we create releases"
 draft: false
 weight: 3

@@ -1,11 +1,10 @@
 ---
-title: "Exporting"
+title: "Export Findings"
 description: "DefectDojo has the ability to export findings."
 draft: false
 weight: 12
 ---
 
-
 ## Export Findings
 
 Pages that show a list of findings or a list of engagements have a CSV and Excel Export functionality in the top right dropdown menu.

@@ -1,5 +1,5 @@
 ---
-title: "Architecture"
+title: "Architecture (Open-Source)"
 description: "The DefectDojo platform consists of several components that work together closely."
 draft: false
 weight: 1

@@ -1,5 +1,5 @@
 ---
-title: "Languages and lines of code"
+title: "Languages and lines of code (Open-Source)"
 description: "You can import an analysis of languages used in a project, including lines of code."
 draft: false
 weight: 10

@@ -1,5 +1,5 @@
 ---
-title: "Authentication via LDAP"
+title: "Authentication via LDAP (Open-Source)"
 description: "Authenticate users using LDAP"
 draft: false
 weight: 4

@@ -1,12 +1,11 @@
 ---
-title: "Rate Limiting"
+title: "Rate Limiting (Open-Source)"
 description: "Configurable rate limiting on the login page to mitigate brute force attacks"
 draft: false
 weight: 11
 ---
 
-
-DefectDojo has protection against brute force attacks through rate limiting
+DefectDojo has protection against brute force attacks through rate limiting.
 
 ## Configuration
 

@@ -0,0 +1,85 @@
+---
+title: "Deduplication Tuning (Pro)"
+description: "Configure how DefectDojo identifies and manages duplicate findings"
+weight: 4
+---
+
+Deduplication Tuning is a DefectDojo Pro feature that gives you fine-grained control over how findings are deduplicated, allowing you to optimize duplicate detection for your specific security testing workflow.
+
+## Deduplication Settings
+
+In DefectDojo Pro, you can access Deduplication Tuning through:
+**Settings > Pro Settings > Deduplication Settings**
+
+![image](images/deduplication_tuning.png)
+
+The Deduplication Settings page offers three key configuration areas:
+- Same Tool Deduplication
+- Cross Tool Deduplication
+- Reimport Deduplication
+
+## Same Tool Deduplication
+
+Same Tool Deduplication is enabled by default for all security tool parsers. This ensures findings from consecutive scans using the same tool are properly deduplicated.
+
+To adjust Same Tool Deduplication:
+
+1. Select a specific **Security Tool** from the dropdown
+2. Choose a **Deduplication Algorithm** from the available options
+
+![image](images/same_tool_deduplication.png)
+
+### Available Deduplication Algorithms
+
+DefectDojo Pro offers three deduplication methods for same-tool deduplication:
+
+#### Hash Code
+Uses a combination of selected fields to generate a unique hash. When selected, a third dropdown will appear showing the fields being used to calculate the hash.
+
+#### Unique ID From Tool
+Leverages the security tool's own internal identifier for findings, ensuring perfect deduplication when the scanner provides reliable unique IDs.
+
+#### Unique ID From Tool or Hash Code
+Attempts to use the tool's unique ID first, then falls back to the hash code if no unique ID is available. This provides the most flexible deduplication option.
+
+## Cross Tool Deduplication
+
+Cross Tool Deduplication is disabled by default, as deduplication between different security tools requires careful configuration due to variations in how tools report the same vulnerabilities.
+
+![image](images/cross_tool_deduplication.png)
+
+To enable Cross Tool Deduplication:
+
+1. Select a **Security Tool** from the dropdown
+2. Change the **Deduplication Algorithm** from "Disabled" to "Hash Code"
+3. Select which fields should be used for generating the hash in the **Hash Code Fields** dropdown
+
+Unlike Same Tool Deduplication, Cross Tool Deduplication only supports the Hash Code algorithm, as different tools rarely share compatible unique identifiers.
+
+## Reimport Deduplication
+
+Reimport Deduplication Settings are specifically designed for reimporting data using Universal Parsers or the Generic Parser.
+
+![image](images/reimport_deduplication.png)
+
+When configuring Reimport Deduplication:
+
+1. Select the **Security Tool** (Universal or Generic Parser)
+2. Choose the appropriate **Deduplication Algorithm**
+
+The same three algorithm options are available for Reimport Deduplication as for Same Tool Deduplication:
+- Hash Code
+- Unique ID From Tool
+- Unique ID From Tool or Hash Code
+
+## Deduplication Best Practices
+
+For optimal results with Deduplication Tuning:
+
+- **Start with defaults**: The preconfigured deduplication settings work well for most scenarios
+- **Test changes carefully**: After adjusting deduplication settings, monitor a few imports to ensure proper behavior.
+- **Adjustments to deduplication will retroactively adjust the hash values for findings already imported for the given test type that was changed**.  The recalculation is applied in the background to all findings in the database associated with the given test type that was changed. Please note that since the process is occurring in the background, immediate changes may not be observed.
+- **Use Hash Code for cross-tool deduplication**: When enabling cross-tool deduplication, select fields that reliably identify the same finding across different tools (such as vulnerability name, location, and severity).  **IMPORTANT** Each tool enabled for cross-tool deduplication **MUST** have the same fields selected.
+- **Avoid overly broad deduplication**: Cross-tool deduplication with too few hash fields may result in false duplicates
+
+By tuning deduplication settings to your specific tools, you can significantly reduce duplicate noise.
@@ -98,6 +98,8 @@
         </style>
     </head>
     <body class="{% dojo_body_class %}">
+        {% block pre_wrapper %}
+        {% endblock pre_wrapper %}
         <div id="wrapper">
             {% block navigation %}
                 <!-- Navigation -->
@@ -1120,7 +1122,7 @@ <h4 class="modal-title" id="sessionModalLabel">Session Expiring Soon</h4>
 
                         setTimeout(() => {
                             $('#sessionTimeoutModal').modal('show');
-                        }, timeout * 1000);
+                        }, Math.min(timeout, 2147483) * 1000); // Do not allow a buffer overflow here
 
                     }  
                     session_notifcation();

@@ -97,7 +97,7 @@ <h3>{% trans "Login" %}</h3>
 
                 {% if SAML2_ENABLED is True %}
                     <div class="col-sm-offset-1 col-sm-2">
-                        <a id="oauth-login-saml" rel="nofollow" data-method="post" href="/saml2/login" style="color: rgb(255,255,255)" class="btn btn-success" type="button">{{ SAML2_LOGIN_BUTTON_TEXT }}</a>
+                        <a id="oauth-login-saml" rel="nofollow" data-method="post" href="/saml2/login?next={{ request.GET.next }}" style="color: rgb(255,255,255)" class="btn btn-success" type="button">{{ SAML2_LOGIN_BUTTON_TEXT }}</a>
                     </div>
                 {% endif %}
             </div>

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.48.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.191-dev
+version: 1.6.192-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap