2025 End of Year Update & Next Steps on 3.0

[mtesauro]

Welcome to the end of the year and boy what a year it's been!

I did a ton of changelog reading and talked to the maintainers and below is the summary of that work.

If you don't want to read the below (or use an AI to summarize it), there's also a video of the latest Office Hours that's a review of both Pro and Community DefectDojo at https://www.youtube.com/watch?v=WVw4BwUMi1U.

2025 in Review

Beyond the normal care and feeding we give DefectDojo, we had some notable updates which I want to make note of below.

Before I go there, two themes came out of my look backwards on this year:

1. Optimizing the core of DefectDojo
2. Streamlining workflows in DefectDojo

Both of the efforts move us closer to the mythical 3.0 (more on that later).

Noteworthy optimizations and improvements to DefectDojo's core:

• Batch Dedupe of Findings instead of 1 by 1
  • Deduplicate findings in batches #13491
• Optimized import of endpoints to increase performance and reduce queries
  • endpoint import optimize #13521
• Process tags in bulk with roughly a 50% faster import time for example
  • performance optimization: add tags in bulk #13285
• Optimize product grading during imports for significant performance gains
  • Reduce and optimize number of product grading calls using a Chord #12914
• Async search index updates to increase speed and remove some cases where it blocked execution
  • watson: perform async index updates #13152
• Do not post process if not needed to remove unneeded / non-productive code runs
  • perf2: skip post processing if not needed #12862
• Use correlated subquery to improve count performance - less queries, more performance
  • Optimize queryset annotations & prefetches to cut DB time for test / finding / product views (issue #12575) #12603
• Various extra unit tests for deduplication logic
  • add unit tests to test importer deduplication #13372
• Swap Redis for Valkey
  • docker compose: switch to Valkey as message broker #13331
• Switch Django-Auditlog for Django-PgHistory
  • Auditlog: Add django-pghistory as audit log (optional for now) #13169

Streamlining workflows and other improvements:

• Teams support for Adaptive Cards
  • msteams: Support Power Automate Workflows via Adaptive Card format #13082
• CVSSv4 support
  • Add CVSS4 support #12751
• Finding groups now respect minimum severity when pushed to JIRA
  • Finding Groups: Respect minimum severity and active/verified rules when pushing to JIRA #12475
• Mondernized the Helm chart (various PRs)
• Consolidated and standardized the tag format across UI and API - commas, quotes (single & double) and spaces are no longer valid
  • Tag: Update allowed characters for a unified format #12194
• So many parser updates & new parsers
  • https://github.com/DefectDojo/django-DefectDojo/pulls?q=is%3Apr+is%3Aclosed+label%3Aparser
• Reimporting a scan can now handle special statuses assigned by a tool. Now, if a Finding was initially imported as Active, but the status was changed to False Positive, Out Of Scope or Risk Accepted by a subsequent report, that status will now be respected and applied to the Finding by Reimport.
• Mitigated timestamp in reports are no longer ignored/overwritten on Reimport.
• EPSS and KEV now available for Findings
  • 🎉 introducing EPSS score #9516
  • https://github.com/DefectDojo/django-DefectDojo/pulls?q=is%3Apr+is%3Aclosed+EPSS
  • https://github.com/DefectDojo/django-DefectDojo/pulls?q=is%3Apr+is%3Aclosed+KEV
• Rest API enhancements such as:
  • /test_reimport results can now be ordered via id, created, modified, version, branch_tag, build_id, and commit_hash.
  • Prefetching multiple parameters now returns all prefetched objects in an array.
  • Fixed issue where Findings created by API with methods other than /import / /reimport were not being identified as duplicates.
  • API can now filter Findings by tag using AND, in addition to OR. This can be done with the tags__and API filter.
  • Basic Auth Login has been removed from the swagger form. Only cookieAuth and tokenAuth are accepted.
• Jira Integration improvements including
  • When a Risk Acceptance expires, linked Jira Group issues will now be updated to reflect the status change.
  • Next-Gen Epic creation from an Engagement no longer requires an Epic Name to be set, and will instead use an Epic ID value if Epic Name fails.
  • Removed HTML encoding from strings that are sent to Jira, to prevent escape characters from being added to issue descriptions unnecessarily.
• SSO can now be set up with any kind of OIDC Configuration
  • https://github.com/DefectDojo/django-DefectDojo/pulls?q=is%3Apr+is%3Aclosed+OIDC
• Many more are not listed but probably should be...

In flight items

• Fully complete the transition to pghistory
  • We have a few lingering items here before we call it done
• Organization & Asset labels replacing Product Type & Product
  • Early in 2026, we're going to default to the Org/Asset labels
  • There's an settings.py config to switch this now or in the future
  • Eventually, we'll deprecate Product Type & Product but no timeline or decisions made on when
• locations - new but not new feature
  • This is a significant update to endpoints - so much we're changing the name
  • Loads of internal design and performance improvements on how endpoints work today
  • Work is happening on this right now so it should land very early in 2026 like ~January
• Modernizing the current Community UI
  • This is an effort that will likely span a good portion of 2026 given how much UI there is to DefectDojo
  • First step will be replacing Bootstrap with OpenProps as the main CSS library
• Container hardening
• Simplified Compose installs for those just wanting to run DefectDojo
  • Something along the lines of a one-liner to do "just run it" installs
• Expanding the Community program started in 2025

DefectDojo 3.0

So, the project with great excitement and anticipation spoke of DefectDojo 3.0 a while ago. This wasn't some bait and switch tactic. Rather, it was the project letting the community know our aspirations for DefectDojo.

We started the 3.0 discussion knowing that there was a long list of unknown unknowns that were between us and 3.0. We've spent the bulk of this year finding and making known (by addressing them) all those unknown unknowns. Most of the work above in the "Noteworthy optimizations..." section above was really 3.0 work just not explicitly labeled that way.

So, what's the timeline for 3.0?

The project has taken inspiration from the Debian community and is following their lead: DefectDojo 3.0 will happen when its ready but not before. We don't see any value in putting an artificial timeline that we can't really know we can meet.

We'll spend 2026 addressing anything that blocks our progress towards 3.0 while doing what we've done for years:

 Keep making DefectDojo even more awesome that it is today.

To the wonderful DefectDojo Community: Have a great rest of 2025 and a fantastic 2026!

That's what we're planning for DefectDojo 🚀