Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion docs/content/releases/os_upgrading/3.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: 'Upgrading to DefectDojo Version 3.1.x'
toc_hide: true
weight: -20260617
description: Blank Finding components are now normalized to NULL so component-less findings group together; JIRA project configurations now support multiple comma-separated components.
description: Blank Finding components are now normalized to NULL so component-less findings group together; JIRA project configurations now support multiple comma-separated components; Tool Configuration credentials are re-encrypted to AES-256-GCM.
---

## Blank Finding components normalized to NULL
Expand All @@ -22,3 +22,19 @@ The `Component` field on a JIRA project configuration now supports assigning mor
### What you need to do

Nothing is required. Note that a component name that legitimately contains a comma will be split into separate components — component names rarely contain commas, so this is an accepted limitation.

## Tool Configuration credentials upgraded to AES-256-GCM

DefectDojo encrypts the credentials stored on Tool Configurations (the `password`, `ssh`, and `api_key` fields). Previously these values were encrypted with AES-256 in OFB mode (the `AES.1` stored format). This release introduces a modern `AES.2` format that uses AES-256-GCM, an authenticated encryption scheme that detects tampering with the stored ciphertext.

New and updated credentials are written in the `AES.2` format automatically. The encryption key is unchanged — both formats derive their key from the same `DD_CREDENTIAL_AES_256_KEY`, so no key rotation or settings change is required.

A data migration (`0272_reencrypt_tool_config_credentials_aes_gcm`) included in this release eagerly re-encrypts every existing `AES.1` credential to `AES.2` on upgrade. The legacy `AES.1` decryption path is retained for backward compatibility, so any value that has not yet been migrated continues to decrypt normally. The same migration also widens the `password`, `ssh`, and `api_key` columns by 50% so that credentials stored at the old maximum length still fit once the GCM nonce and authentication tag are added.

This release also bumps `cryptography` to 49.0.0 and `pyopenssl` to 26.3.0.

### What you need to do

Nothing — the change is applied automatically by the database migration included in this release. Ensure your `DD_CREDENTIAL_AES_256_KEY` is unchanged from your prior deployment so the existing credentials can be decrypted and re-encrypted; a value that fails to decrypt (for example, because it was encrypted under a different key) is left untouched rather than overwritten.

For more information, check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/3.1.0).
22 changes: 0 additions & 22 deletions docs/content/releases/os_upgrading/3.2.md

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ def noop_reverse(apps, schema_editor):

class Migration(migrations.Migration):
dependencies = [
("dojo", "0269_normalize_blank_finding_components"),
("dojo", "0271_finding_perf_indexes"),
]

operations = [
Expand Down
4 changes: 2 additions & 2 deletions dojo/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -978,7 +978,7 @@ def reopen_external_issue(finding_id, note, external_issue_provider, **kwargs):
# time they are saved.
#
# REMOVAL TRACKING (legacy OFB path):
# Migration 0270_reencrypt_tool_config_credentials_aes_gcm eagerly re-encrypts
# Migration 0272_reencrypt_tool_config_credentials_aes_gcm eagerly re-encrypts
# every stored Tool_Configuration credential to "AES.2", so after it has run in
# every environment there should be no "AES.1" values left in the database.
# Once that migration is squashed/baked into the release floor (i.e. no upgrade
Expand Down Expand Up @@ -1079,7 +1079,7 @@ def prepare_for_view(encrypted_value):
decrypted_value = AESGCM(key).decrypt(iv, binascii.a2b_hex(value), None).decode("utf-8")
else:
# Legacy "AES.1" (AES-256-OFB) read path. Removable once
# migration 0270 is guaranteed to have run everywhere and no
# migration 0272 is guaranteed to have run everywhere and no
# "AES.1" values remain -- see the REMOVAL TRACKING note on
# the encrypt()/decrypt() block above.
decrypted_value = decrypt(key, iv, value).decode("utf-8")
Expand Down
Loading