DefectDojo Feature Freeze, Prepping for DefectDojo 3.0

[mtesauro]

The Background

DefectDojo has been helping AppSec, Product Security and DevSecOps professionals for over 10 years and that is not going to stop anytime soon. The DefectDojo community is what makes the platform special, and why DefectDojo is by far the most popular open source tool for DevSecOps. We wanted to take some time and share with you how we’re charting and planning for the future:

• DefectDojo has done an amazing job of helping people make sense of the chaos that can happen while doing security work. We’re proud that the project that started as an idea on a whiteboard 10 years ago is still providing value and has continued to transform to accommodate the future of security automation.
• How modern software is developed continues to change rapidly, particularly in regards to how products, security teams and developers organize themselves.
• While DefectDojo's data model has stood the test of time, to make DefectDojo great for another 10 years, we need to make some changes to the core data models, with a focus on increased flexibility.

The Details

In order to ensure 3.0 is not a moving target, we've made some changes to how PRs are handled for now:

1. We've increased the number of approvals to merge a PR from 2 to 4. This allows broad consensus from the DefectDojo moderators on if the PR makes sense and is ultimately compatible with 3.0
2. One exception to the 4 approval rule is for regular library or software updates such as those from Dependabot, Renovate or similar. 2 approvals are needed for these routine updates.
3. We're still taking PRs, just not as broadly as we've done in the past. Full details are in the contributing guideline but here's a very quick summary:

• New or updated parsers are perfectly fine
• Bug Fixes or other functional fixes
• Security fixes
• Adding or improving tests

4. If what you're considering contributing and your potential contribution isn't in the above list, it may still be accepted. We just request that you ask before you start coding. We don't want to waste your time and really, really don't like saying 'no' to contributions after they are written. Again, full details are in the contributing guideline.

The Benefits

DefectDojo leads and the industry follows. You can see the inspiration from our modeling in many tools. The core changes coming to DefectDojo are radical redesigns that we expect will benefit both our community and security as a whole for the next generation of DevSecOps and security automation. We’re not yet ready to reveal all the changes in store, as some of the architectural details are still being finalized, but here are a couple of key changes we can reveal on why the PR slow down necessary:

• We’re re-working products to allow nested dependencies in an arbitrary parent/child relationship, to better model how vulnerabilities impact hyper-modern software and container-driven development.
• In the new model, a product consisting of 10 microservices, a web front-end and a mobile app can all live under this nested architecture. This architecture also allows us to highlight transient vulnerabilities and potentially easier SBOM management.
• Making new integrations easier to maintain and develop by adding an abstraction layer between DefectDojo and issue trackers. Currently, JIRA is a first-class citizen and has hooks deep into the DefectDojo code. While this is awesome for JIRA users, it's not so great for people who use other issue trackers. This improvement should allow for easier integration of other issue trackers.
• A new reactive and modern user interface. We think this item speaks for itself.

All of this will be open sourced and coming to the open-source version of DefectDojo. We greatly appreciate community members who have moved to the commercial version, as without that support, these improvements would not be possible.

Beyond the major update to the data model, we're planning to provide another decade of DefectDojo making things better in your security life. Please be patient with us while we design and create DefectDojo 3.0 and enjoy the features in DefectDojo 2.x in the meantime.

We will continue to maintain and provide updates for DefectDojo 2.x after 3.0’s release. We’ll publish those timelines as they become available.

[sahil3112]

Hi @mtesauro ,

We are planning to set up DefectDojo in our Organization, and we are currently evaluating DefectDojo 2.x, since the DefectDojo community is decided to launch DefectDojo 3.0 with major changes and we are planning to set up 3.0 in production, so are there any tentative timeline DefectDojo community is planned to release DefectDojo 3.0 like Q3 - 2023 or Q4 - 2023

[mtesauro]

Currently, I'd say that Q3 or Q4 of 2023 is the most likely initial launch of DefectDojo v3. However, there's some important points about that timeline:

• This is an open source project and hard deadlines and open source generally don't go together
• We're making some pretty big internal changes in v3 so there's many unknowns about how that transition will go which makes timelines harder to predict
• We already plan to have a migration path for v2 DefectDojo users to upgrade to v3. We did the same thing for v1 to v2 as seen here and will do the same for v3

Since there's a chance that v3 won't hit the timeline above, I'd recommend starting now with v2 since it has the benefits of

• allowing you to get value out of DefectDojo v2 today instead of waiting a couple of quarters for v3
• I believe the 'cost' of upgrading from v2 to v3 will be far less than the benefit of using DefectDojo v2 today
• The v1 to v2 transition happened with few problems and detailed instructions on the update. The plan is to make v3 the same.

HTH

[shipko]

Can somebody join to develop a new version?

Probably you can show tasks backlog to any DD members that can help with it

[mtesauro]

Sorry, this got lost on me.

We're always open to contributions but right now we don't have a list of tasks as we've come to the conclusion that some clean-up of the current code base would make v3 much easier to achieve. I'm about to post a new discussion to update the community on where we're at with the v3 effort.

[ptcrash]

Maybe this is a silly question but where can we find the v3 codebase? I'd like to test it in our lab ahead of the release date?

[mtesauro]

Not a silly question. The v3 codebase will be here. What we've been doing is experimenting with what it will take to change the DefectDojo data model to do the parent/child thing mentioned above.

I just added an update to the message above with more details at #8974