As always, to see my previous updates, look here

Special Thanks
I want to thank the new addition to the DefectDojo Hall of Fame, @alles-klar, who provided significant contributions across many areas of DefectDojo.
Also, I'd like to call out the community (positively) for all the great discussion on migrating from MySQL to PostgreSQL after MySQL was deprecated. See for yourself in this lengthy discussion.
Accomplishments since the last quarterly update
Let's cover the cool things that have been completed since our last update in no particular order:
So, congrats all around to everyone who has contributed to DefectDojo, whether listed above or not. It's the awesome community that has kept this project thriving for so long. Pat yourself on the back for me.
Future Efforts and Thoughts on Next Steps
Improved docs on deploys
Both the Docker compose and Helm docs could use some attention. This will be a focus from now until the end of the year:
- Make a distinction between running compose as a 'normal' deploy vs. building for dev and other tinkering purposes.
- Ideally, create a simpler way to 'just start running' DefectDojo with compose, pulling the images from Docker Hub.
- Make sure the community understands that the Helm chart in this repo is a starting point to adapt to how they run k8s. Given the many ways to deploy k8s and the multiple cloud providers, there's no real way to make a turn-key Helm chart that works for every situation.
Hardened containers & compose clean-up
Also related to the above, we are looking at doing a thorough review of our container images and hardening them more than we do today. We're going to test things like distroless and Wolfi so we can provide images that are both smaller and hardened. After hardening the images, and potentially using feedback from the improved documentation above, we'll be making updates to the Docker compose as needed. We'll phase in the transition from the existing containers to the hardened containers, with the ideal outcome being a single image instead of separate Debian (glibc) and Alpine (musl) variants.
Feature Freeze
Some may remember that we added a feature freeze a while back while we were investigating what changes were needed for the next big push. We're going to relax that, so look for upcoming changes to the PR templates, documentation, contributing docs, etc. We still strongly recommend that you open an issue first if you want to add a new feature, to make sure it fits with the overall "DefectDojo vision", but we've completed most of the research and internal updates/improvements as you saw listed above. We may still say no to a change, but realize that for a PR, a "No" is for now and a "Yes" is forever. The project owns the code additions going forward, so they need to be testable, pass the GHA tests and make sense for the broad DefectDojo community.
Other efforts we're considering
UI refresh
We're looking at ways to update the UI of DefectDojo - no definitive plans yet. We'll keep using Django templates but we'd like to get a new look sooner rather than later.
Accessibility is missing from DD
We've been running AccessLint for years to manage accessibility, but with the potential of a new UI framework, we also want to make sure we have this covered.
Deprecations / Potential Deprecations
Future Deprecation: Iron installs via godojo
While we started out supporting iron installs 12+ years ago via a bunch of Bash scripting, there are truly better options today. As the primary author of godojo, I'd love to see it deprecated and replaced with Docker compose installs. Those are significantly better in so many ways:
- flexibility of deploy
- isolated from the OS-provided Python version
- upgrades are smooth and a very solved problem
So, today if you choose an iron install, you have some pretty 'interesting' things you're responsible for that you can completely avoid if you choose Docker compose. Containers are used for both compose and Helm/k8s so that's the direction we're spending our time on going forward.
Potential Deprecations:
- Has the potential to push incomplete issues to Jira due to endpoints not being saved
- Because of that instability, we don't believe it will ever come out of experimental
External vendor API integrations
These continue to be painful from a DefectDojo maintainer perspective. I think I'm speaking for all the maintainers when I say it's painful to see an issue come in that we're completely unable to reproduce or help with, since we don't have access to or a license for that commercial tool. Here's an example that makes me sad: BlackDuck API report import issue (#11029).
We're not looking to remove any existing ones now, but given that we can't write GHA tests for them and can't reproduce the issues reported, we don't want to set community members up for issues we can't address. If it's in DefectDojo, one of the maintainers should be able to reproduce and fix the issue; otherwise, maybe that feature doesn't need to be in DefectDojo.
Note
I have to admit that I was a bit overzealous when I did the Q1-2024 quarterly update: I only got half of the quarters covered, if you count this one for Q4-2024. I'm setting things up so that doing these going forward is much more streamlined, and I'm setting a goal of 4 for 4 in 2025. Sorry for my 50% performance in 2024.
Phew, that's all I have for now.
Cheers!