DefectDojo Feature Freeze, Prepping for DefectDojo 3.0 · DefectDojo/django-DefectDojo · Discussion #8002

The Background

DefectDojo has been helping AppSec, Product Security and DevSecOps professionals for over 10 years and that is not going to stop anytime soon. The DefectDojo community is what makes the platform special, and why DefectDojo is by far the most popular open source tool for DevSecOps. We wanted to take some time and share with you how we’re charting and planning for the future:

  • DefectDojo has done an amazing job of helping people make sense of the chaos that can happen while doing security work. We’re proud that the project that started as an idea on a whiteboard 10 years ago is still providing value and has continued to transform to accommodate the future of security automation.
  • How modern software is developed continues to change rapidly, particularly with regard to how products, security teams and developers organize themselves.
  • While DefectDojo's data model has stood the test of time, to make DefectDojo great for another 10 years, we need to make some changes to the core data models, with a focus on increased flexibility.

The Details

To keep 3.0 from becoming a moving target, we've changed how PRs are handled for now:

  1. We've increased the number of approvals required to merge a PR from 2 to 4. This ensures broad consensus among the DefectDojo moderators on whether the PR makes sense and is ultimately compatible with 3.0.
  2. One exception to the 4-approval rule is routine library or software updates, such as those from Dependabot, Renovate or similar tools. These still need only 2 approvals.
  3. We're still taking PRs, just not as broadly as we have in the past. Full details are in the contributing guideline, but here's a very quick summary of what is welcome:
  • New or updated parsers
  • Bug fixes or other functional fixes
  • Security fixes
  • New or improved tests
  4. If what you're considering contributing isn't in the list above, it may still be accepted; we just ask that you check with us before you start coding. We don't want to waste your time, and we really, really don't like saying 'no' to contributions after they are written. Again, full details are in the contributing guideline.

The Benefits

DefectDojo leads and the industry follows. You can see the inspiration from our modeling in many tools. The core changes coming to DefectDojo are radical redesigns that we expect will benefit both our community and security as a whole for the next generation of DevSecOps and security automation. We're not yet ready to reveal all the changes in store, as some of the architectural details are still being finalized, but here are a few key changes we can share now, and why they make the PR slowdown necessary:

  • We're re-working products to allow nested dependencies in an arbitrary parent/child relationship, to better model how vulnerabilities affect modern, container-driven software.
  • In the new model, a product consisting of 10 microservices, a web front-end and a mobile app can all live under this nested architecture. This also lets us surface transitive vulnerabilities (findings inherited from a child component) and should make SBOM management easier.
  • Making new integrations easier to develop and maintain by adding an abstraction layer between DefectDojo and issue trackers. Currently, JIRA is a first-class citizen with hooks deep into the DefectDojo code. While this is great for JIRA users, it's not so great for people who use other issue trackers. This improvement should make integrating other issue trackers much easier.
  • A new reactive and modern user interface. We think this item speaks for itself.

All of these changes will be open sourced and will ship in the open-source version of DefectDojo. We greatly appreciate the community members who have moved to the commercial version; without that support, these improvements would not be possible.

Beyond the major update to the data model, we're planning for another decade of DefectDojo making your security work easier. Please be patient with us while we design and build DefectDojo 3.0, and enjoy the features in DefectDojo 2.x in the meantime.

We will continue to maintain and provide updates for DefectDojo 2.x after 3.0’s release. We’ll publish those timelines as they become available.