From 79259ffb959901208e6906726e1db26aac5d6d6b Mon Sep 17 00:00:00 2001
From: Greg Anderson <greg.anderson@owasp.org>
Date: Thu, 25 Jun 2026 20:21:22 -0600
Subject: [PATCH 1/5] feat(announcement): add DD_OS_MESSAGE_ENABLED and
 per-user dismiss for the OS promo banner

DD_OS_MESSAGE_ENABLED (bool, default True) is a global admin opt-out: when False, get_os_banner() returns None before any network call, so no request is made to the GCS bucket. Default behavior is unchanged.

Authenticated users can also dismiss the banner via a close (x) button. The dismissal is stored as a hash of the current message on UserContactInfo (mirroring the ui_use_tailwind preference), so the banner reappears only when the promo text changes. The button posts to a new dismiss_os_message endpoint (form-based CSRF) and hides the banner instantly via JS, degrading to a normal POST when JS is disabled.

Includes migration 0270, docs and template-env updates, and unit tests (36 passing in unittests/test_os_message.py).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 docs/content/en/open_source/upgrading/3.1.md  |   8 +-
 dojo/announcement/os_message.py               |  10 +-
 dojo/announcement/urls.py                     |   5 +
 dojo/announcement/views.py                    |  27 ++++-
 dojo/context_processors.py                    |  27 +++--
 ...ercontactinfo_os_message_dismissed_hash.py |  18 +++
 dojo/models.py                                |   1 +
 dojo/settings/settings.dist.py                |   2 +
 dojo/settings/template-env                    |   3 +
 dojo/static/dojo/js/classic/index.js          |  13 +++
 dojo/static/dojo/js/index.js                  |  22 ++++
 dojo/templates/base.html                      |   9 ++
 dojo/templates_classic/base.html              |   9 ++
 unittests/test_os_message.py                  | 104 ++++++++++++++++++
 14 files changed, 245 insertions(+), 13 deletions(-)
 create mode 100644 dojo/db_migrations/0270_usercontactinfo_os_message_dismissed_hash.py

diff --git a/docs/content/en/open_source/upgrading/3.1.md b/docs/content/en/open_source/upgrading/3.1.md
index bc1265d40c2..540140c7aba 100644
--- a/docs/content/en/open_source/upgrading/3.1.md
+++ b/docs/content/en/open_source/upgrading/3.1.md
@@ -2,6 +2,10 @@
 title: 'Upgrading to DefectDojo Version 3.1.x'
 toc_hide: true
 weight: -20260615
-description: No special instructions.
+description: New optional setting DD_OS_MESSAGE_ENABLED to control the open-source promo banner.
 ---
-There are no special instructions for upgrading to 3.1.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/3.1.0) for the contents of the release.
+There are no breaking changes when upgrading to 3.1.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/3.1.0) for the contents of the release.
+
+### New setting: `DD_OS_MESSAGE_ENABLED`
+
+This release adds the `DD_OS_MESSAGE_ENABLED` setting (default `True`), which controls the open-source promotional ("Upgrade to Pro") banner. The default preserves the existing behavior. Set `DD_OS_MESSAGE_ENABLED=False` to hide the banner; when disabled, DefectDojo skips the outbound request that fetches the message.
diff --git a/dojo/announcement/os_message.py b/dojo/announcement/os_message.py
index dfdb9288710..3ea5052f7f5 100644
--- a/dojo/announcement/os_message.py
+++ b/dojo/announcement/os_message.py
@@ -1,8 +1,10 @@
+import hashlib
 import logging
 
 import bleach
 import markdown
 import requests
+from django.conf import settings
 from django.core.cache import cache
 
 logger = logging.getLogger(__name__)
@@ -109,11 +111,17 @@ def parse_os_message(text):
 
 
 def get_os_banner():
+    if not settings.OS_MESSAGE_ENABLED:
+        return None
     try:
         text = fetch_os_message()
         if not text:
             return None
-        return parse_os_message(text)
+        banner = parse_os_message(text)
     except Exception:
         logger.debug("os_message: get_os_banner failed", exc_info=True)
         return None
+    else:
+        if banner:
+            banner["dismiss_token"] = hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]
+        return banner
diff --git a/dojo/announcement/urls.py b/dojo/announcement/urls.py
index 9dc91187653..07e79801045 100644
--- a/dojo/announcement/urls.py
+++ b/dojo/announcement/urls.py
@@ -13,4 +13,9 @@
         views.dismiss_announcement,
         name="dismiss_announcement",
     ),
+    re_path(
+        r"^dismiss_os_message$",
+        views.dismiss_os_message,
+        name="dismiss_os_message",
+    ),
 ]
diff --git a/dojo/announcement/views.py b/dojo/announcement/views.py
index 7afe915210b..2fd0eba02b0 100644
--- a/dojo/announcement/views.py
+++ b/dojo/announcement/views.py
@@ -1,14 +1,17 @@
 import logging
+import re
 
 from django.contrib import messages
-from django.http import HttpResponseRedirect
+from django.http import HttpResponse, HttpResponseForbidden, HttpResponseRedirect
 from django.shortcuts import render
 from django.urls import reverse
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
+from django.views.decorators.http import require_POST
 
 from dojo.forms import AnnouncementCreateForm, AnnouncementRemoveForm
-from dojo.models import Announcement, UserAnnouncement
+from dojo.models import Announcement, UserAnnouncement, UserContactInfo
 from dojo.utils import add_breadcrumb
 
 logger = logging.getLogger(__name__)
@@ -85,3 +88,23 @@ def dismiss_announcement(request):
         )
         return render(request, "dojo/dismiss_announcement.html")
     return render(request, "dojo/dismiss_announcement.html")
+
+
+@require_POST
+def dismiss_os_message(request):
+    if not request.user.is_authenticated:
+        return HttpResponseForbidden()
+    token = request.POST.get("token", "").strip()
+    if token and re.fullmatch(r"[0-9a-f]{1,64}", token):
+        contact = UserContactInfo.objects.get_or_create(user=request.user)[0]
+        if contact.os_message_dismissed_hash != token:
+            contact.os_message_dismissed_hash = token
+            contact.save(update_fields=["os_message_dismissed_hash"])
+    if request.headers.get("x-requested-with") == "XMLHttpRequest":
+        return HttpResponse(status=204)
+    referer = request.META.get("HTTP_REFERER")
+    if referer and url_has_allowed_host_and_scheme(
+        referer, allowed_hosts={request.get_host()}, require_https=request.is_secure(),
+    ):
+        return HttpResponseRedirect(referer)
+    return HttpResponseRedirect("/")
diff --git a/dojo/context_processors.py b/dojo/context_processors.py
index 561ae0d5791..75ce9e38021 100644
--- a/dojo/context_processors.py
+++ b/dojo/context_processors.py
@@ -28,14 +28,20 @@ def globalize_vars(request):
     additional_banners = []
 
     if (os_banner := get_os_banner()) is not None:
-        additional_banners.append({
-            "source": "os",
-            "message": os_banner["message"],
-            "style": "info",
-            "url": "",
-            "link_text": "",
-            "expanded_html": os_banner["expanded_html"],
-        })
+        token = os_banner.get("dismiss_token", "")
+        user = getattr(request, "user", None)
+        dismissible = bool(token and getattr(user, "is_authenticated", False))
+        if not (dismissible and _os_message_dismissed(user, token)):
+            additional_banners.append({
+                "source": "os",
+                "message": os_banner["message"],
+                "style": "info",
+                "url": "",
+                "link_text": "",
+                "expanded_html": os_banner["expanded_html"],
+                "dismissible": dismissible,
+                "dismiss_token": token,
+            })
 
     if hasattr(request, "session"):
         for banner in request.session.pop("_product_banners", []):
@@ -72,6 +78,11 @@ def _should_show_ui_toggle_banner(request):
     return not (contact is not None and getattr(contact, "ui_use_tailwind", False))
 
 
+def _os_message_dismissed(user, token):
+    contact = getattr(user, "usercontactinfo", None)
+    return contact is not None and contact.os_message_dismissed_hash == token
+
+
 def bind_system_settings(request):
     """Load system settings and display warning if there's a database error."""
     try:
diff --git a/dojo/db_migrations/0270_usercontactinfo_os_message_dismissed_hash.py b/dojo/db_migrations/0270_usercontactinfo_os_message_dismissed_hash.py
new file mode 100644
index 00000000000..239a559be1d
--- /dev/null
+++ b/dojo/db_migrations/0270_usercontactinfo_os_message_dismissed_hash.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.14 on 2026-06-25 00:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0269_normalize_blank_finding_components'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='usercontactinfo',
+            name='os_message_dismissed_hash',
+            field=models.CharField(blank=True, default='', editable=False, help_text='Hash of the most recently dismissed open-source promo banner; the banner reappears when the message changes.', max_length=64),
+        ),
+    ]
diff --git a/dojo/models.py b/dojo/models.py
index 7f798e23ae4..8de198110af 100644
--- a/dojo/models.py
+++ b/dojo/models.py
@@ -260,6 +260,7 @@ class UserContactInfo(models.Model):
     ui_use_tailwind = models.BooleanField(default=False, verbose_name=_("Use new UI (beta)"), help_text=_("Opt in to the new Tailwind-based UI. Leave off for the classic UI."))
     token_last_reset = models.DateTimeField(null=True, blank=True, help_text=_("Timestamp of the most recent API token reset for this user."))
     password_last_reset = models.DateTimeField(null=True, blank=True, help_text=_("Timestamp of the most recent password reset for this user."))
+    os_message_dismissed_hash = models.CharField(max_length=64, blank=True, default="", editable=False, help_text=_("Hash of the most recently dismissed open-source promo banner; the banner reappears when the message changes."))
 
 
 class System_Settings(models.Model):
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 2d92588ad70..d0afa0a88db 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -147,6 +147,7 @@
     DD_FORGOT_PASSWORD=(bool, True),  # do we show link "I forgot my password" on login screen
     DD_PASSWORD_RESET_TIMEOUT=(int, 259200),  # 3 days, in seconds (the deafult)
     DD_FORGOT_USERNAME=(bool, True),  # do we show link "I forgot my username" on login screen
+    DD_OS_MESSAGE_ENABLED=(bool, True),  # show the open-source "Upgrade to Pro" / OS message promo banner
     # Some security policies require allowing users to have only one active session
     DD_SINGLE_USER_SESSION=(bool, False),
     # if somebody is using own documentation how to use DefectDojo in his own company
@@ -474,6 +475,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 REQUIRE_PASSWORD_ON_USER = env("DD_REQUIRE_PASSWORD_ON_USER")
 FORGOT_USERNAME = env("DD_FORGOT_USERNAME")
 PASSWORD_RESET_TIMEOUT = env("DD_PASSWORD_RESET_TIMEOUT")
+OS_MESSAGE_ENABLED = env("DD_OS_MESSAGE_ENABLED")
 
 DOCUMENTATION_URL = env("DD_DOCUMENTATION_URL")
 
diff --git a/dojo/settings/template-env b/dojo/settings/template-env
index 0263dc941a7..2f633c769b4 100644
--- a/dojo/settings/template-env
+++ b/dojo/settings/template-env
@@ -47,6 +47,9 @@ DD_WHITENOISE=True
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 # DD_SECURE_CONTENT_TYPE_NOSNIFF=True
 
+# Show the open-source promo ("Upgrade to Pro") banner. Set to False to disable.
+# DD_OS_MESSAGE_ENABLED=True
+
 # Change the default language set
 # DD_LANG=en-us
 
diff --git a/dojo/static/dojo/js/classic/index.js b/dojo/static/dojo/js/classic/index.js
index 4de7c38f63b..694f62dec1b 100644
--- a/dojo/static/dojo/js/classic/index.js
+++ b/dojo/static/dojo/js/classic/index.js
@@ -1,5 +1,18 @@
 $(function () {
     $('body').append('<a id="toTop" title="Back to Top" class="btn btn-primary btn-circle"><i class="fa-solid fa-arrow-up fa-fw"></i></a>');
+
+    // ---- OS promo banner dismiss: persist per-user (form carries CSRF) + hide instantly ----
+    $(document).on('submit', '.os-message-dismiss-form', function (e) {
+        e.preventDefault();
+        var form = this;
+        $(form).closest('.announcement-banner').fadeOut(200, function () { $(this).remove(); });
+        fetch(form.action, {
+            method: 'POST',
+            body: new FormData(form),
+            headers: { 'X-Requested-With': 'XMLHttpRequest' },
+            credentials: 'same-origin',
+        });
+    });
     $(window).scroll(function () {
         if ($(this).scrollTop() > 300) {
             $('#toTop').fadeIn();
diff --git a/dojo/static/dojo/js/index.js b/dojo/static/dojo/js/index.js
index d9986d7b975..4f29c973685 100644
--- a/dojo/static/dojo/js/index.js
+++ b/dojo/static/dojo/js/index.js
@@ -65,6 +65,28 @@
     });
 })();
 
+/* ---- OS promo banner dismiss ----
+   Persist the dismissal per-user (the form carries csrfmiddlewaretoken) and
+   hide the banner instantly. Degrades to a normal form POST when JS is off.
+*/
+document.addEventListener('submit', function (e) {
+    var form = e.target.closest('.os-message-dismiss-form');
+    if (!form) return;
+    e.preventDefault();
+    var banner = form.closest('.announcement-banner');
+    if (banner) {
+        banner.style.transition = 'opacity 0.2s';
+        banner.style.opacity = '0';
+        setTimeout(function () { banner.remove(); }, 200);
+    }
+    fetch(form.action, {
+        method: 'POST',
+        body: new FormData(form),
+        headers: { 'X-Requested-With': 'XMLHttpRequest' },
+        credentials: 'same-origin',
+    });
+});
+
 /* ---- Collapse shim ----
    Handles [data-toggle="collapse"] by toggling .in on the target element.
    CSS in tailwind.css:  .collapse { display:none }  .collapse.in { display:block }
diff --git a/dojo/templates/base.html b/dojo/templates/base.html
index 1929f8370f8..b3ee380b913 100644
--- a/dojo/templates/base.html
+++ b/dojo/templates/base.html
@@ -503,6 +503,15 @@
                 {% for banner in additional_banners %}
                     <div role="alert" class="announcement-banner alert alert-{{ banner.style }} show"
                          data-source="{{ banner.source }}">
+                        {% if banner.dismissible %}
+                            <form method="post" action="{% url 'dismiss_os_message' %}" class="os-message-dismiss-form">
+                                {% csrf_token %}
+                                <input type="hidden" name="token" value="{{ banner.dismiss_token }}">
+                                <button type="submit" class="close" aria-label="Close">
+                                    <span aria-hidden="true">&times;</span>
+                                </button>
+                            </form>
+                        {% endif %}
                         {{ banner.message|safe }}{% if banner.url %} <a href="{{ banner.url }}">{{ banner.link_text }}</a>{% endif %}
                         {% if banner.expanded_html %}
                             <button type="button" class="banner-toggle collapsed"
diff --git a/dojo/templates_classic/base.html b/dojo/templates_classic/base.html
index 16d97fbcadb..abd595f2ff7 100644
--- a/dojo/templates_classic/base.html
+++ b/dojo/templates_classic/base.html
@@ -653,6 +653,15 @@
                 {% for banner in additional_banners %}
                     <div role="alert" class="announcement-banner alert alert-{{ banner.style }} show"
                          data-source="{{ banner.source }}">
+                        {% if banner.dismissible %}
+                            <form method="post" action="{% url 'dismiss_os_message' %}" class="os-message-dismiss-form">
+                                {% csrf_token %}
+                                <input type="hidden" name="token" value="{{ banner.dismiss_token }}">
+                                <button type="submit" class="close" aria-label="Close">
+                                    <span aria-hidden="true">&times;</span>
+                                </button>
+                            </form>
+                        {% endif %}
                         {{ banner.message|safe }}{% if banner.url %} <a href="{{ banner.url }}">{{ banner.link_text }}</a>{% endif %}
                         {% if banner.expanded_html %}
                             <button type="button" class="banner-toggle collapsed"
diff --git a/unittests/test_os_message.py b/unittests/test_os_message.py
index 3b43b1e3de5..1ae72078d14 100644
--- a/unittests/test_os_message.py
+++ b/unittests/test_os_message.py
@@ -1,12 +1,17 @@
+import hashlib
+from types import SimpleNamespace
 from unittest.mock import patch
 
 import requests
 from django.core.cache import cache
 from django.template import Context, Template
 from django.test import RequestFactory, SimpleTestCase, override_settings
+from django.urls import reverse
 
 from dojo import context_processors
 from dojo.announcement import os_message
+from dojo.models import User, UserContactInfo
+from unittests.dojo_test_case import DojoTestCase
 
 
 class _Resp:
@@ -163,6 +168,30 @@ def test_swallows_parse_exception(self):
              patch("dojo.announcement.os_message.parse_os_message", side_effect=RuntimeError("boom")):
             self.assertIsNone(os_message.get_os_banner())
 
+    @override_settings(OS_MESSAGE_ENABLED=False)
+    def test_disabled_returns_none_without_fetching(self):
+        with patch("dojo.announcement.os_message.fetch_os_message") as mock_fetch, \
+             patch("dojo.announcement.os_message.requests.get") as mock_get:
+            self.assertIsNone(os_message.get_os_banner())
+        mock_fetch.assert_not_called()
+        mock_get.assert_not_called()
+
+    @override_settings(OS_MESSAGE_ENABLED=True)
+    def test_enabled_returns_parsed_banner(self):
+        with patch("dojo.announcement.os_message.fetch_os_message", return_value="# Headline\n") as mock_fetch:
+            result = os_message.get_os_banner()
+        mock_fetch.assert_called_once()
+        self.assertEqual(result["message"], "Headline")
+        self.assertIsNone(result["expanded_html"])
+
+    @override_settings(OS_MESSAGE_ENABLED=True)
+    def test_enabled_includes_dismiss_token(self):
+        text = "# Headline\n"
+        with patch("dojo.announcement.os_message.fetch_os_message", return_value=text):
+            result = os_message.get_os_banner()
+        expected = hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]
+        self.assertEqual(result["dismiss_token"], expected)
+
 
 @override_settings(CACHES={"default": {"BACKEND": "django.core.cache.backends.locmem.LocMemCache"}})
 class TestGlobalizeVarsOsBanner(SimpleTestCase):
@@ -241,3 +270,78 @@ def test_os_and_session_banners_combined(self):
         self.assertEqual(len(result["additional_banners"]), 2)
         self.assertEqual(result["additional_banners"][0]["source"], "os")
         self.assertEqual(result["additional_banners"][1]["source"], "product_announcement")
+
+    def _authed_request(self, *, dismissed_hash="", ui_use_tailwind=True):
+        request = RequestFactory().get("/")
+        request.user = SimpleNamespace(
+            is_authenticated=True,
+            usercontactinfo=SimpleNamespace(
+                os_message_dismissed_hash=dismissed_hash,
+                ui_use_tailwind=ui_use_tailwind,
+            ),
+        )
+        return request
+
+    @staticmethod
+    def _os_entries(result):
+        return [b for b in result.get("additional_banners", []) if b["source"] == "os"]
+
+    def test_os_banner_dismissible_for_authenticated_user(self):
+        banner = {"message": "Hi", "expanded_html": None, "dismiss_token": "deadbeef"}
+        request = self._authed_request(dismissed_hash="")
+        with patch.object(context_processors, "get_os_banner", return_value=banner):
+            entries = self._os_entries(context_processors.globalize_vars(request))
+        self.assertEqual(len(entries), 1)
+        self.assertTrue(entries[0]["dismissible"])
+        self.assertEqual(entries[0]["dismiss_token"], "deadbeef")
+
+    def test_os_banner_hidden_when_dismissed_hash_matches(self):
+        banner = {"message": "Hi", "expanded_html": None, "dismiss_token": "deadbeef"}
+        request = self._authed_request(dismissed_hash="deadbeef")
+        with patch.object(context_processors, "get_os_banner", return_value=banner):
+            entries = self._os_entries(context_processors.globalize_vars(request))
+        self.assertEqual(entries, [])
+
+    def test_os_banner_shown_when_dismissed_hash_differs(self):
+        banner = {"message": "Hi", "expanded_html": None, "dismiss_token": "newhash"}
+        request = self._authed_request(dismissed_hash="oldhash")
+        with patch.object(context_processors, "get_os_banner", return_value=banner):
+            entries = self._os_entries(context_processors.globalize_vars(request))
+        self.assertEqual(len(entries), 1)
+        self.assertTrue(entries[0]["dismissible"])
+
+    def test_os_banner_not_dismissible_for_anonymous(self):
+        banner = {"message": "Hi", "expanded_html": None, "dismiss_token": "deadbeef"}
+        with patch.object(context_processors, "get_os_banner", return_value=banner):
+            entries = self._os_entries(context_processors.globalize_vars(self.request))
+        self.assertEqual(len(entries), 1)
+        self.assertFalse(entries[0]["dismissible"])
+
+
+class TestDismissOsMessageView(DojoTestCase):
+    fixtures = ["dojo_testdata.json"]
+
+    def setUp(self):
+        self.user = User.objects.get(username="admin")
+        self.client.force_login(self.user)
+        self.url = reverse("dismiss_os_message")
+
+    def test_post_persists_hash_on_usercontactinfo(self):
+        response = self.client.post(self.url, {"token": "abc123def456"}, HTTP_X_REQUESTED_WITH="XMLHttpRequest")
+        self.assertEqual(response.status_code, 204)
+        contact = UserContactInfo.objects.get(user=self.user)
+        self.assertEqual(contact.os_message_dismissed_hash, "abc123def456")
+
+    def test_get_not_allowed(self):
+        self.assertEqual(self.client.get(self.url).status_code, 405)
+
+    def test_invalid_token_is_ignored(self):
+        response = self.client.post(self.url, {"token": "NOT-HEX!"}, HTTP_X_REQUESTED_WITH="XMLHttpRequest")
+        self.assertEqual(response.status_code, 204)
+        contact = UserContactInfo.objects.filter(user=self.user).first()
+        self.assertIn(getattr(contact, "os_message_dismissed_hash", ""), ("", None))
+
+    def test_requires_authentication(self):
+        self.client.logout()
+        response = self.client.post(self.url, {"token": "abc123"})
+        self.assertIn(response.status_code, (302, 403))

From 932f5e0fe2a7de73575a7390c8a478ccfd7c9235 Mon Sep 17 00:00:00 2001
From: Greg Anderson <greg.anderson@owasp.org>
Date: Thu, 25 Jun 2026 21:36:04 -0600
Subject: [PATCH 2/5] style(announcement): left-align the OS banner dismiss as
 a bordered button

Moves the dismiss (x) to lead the banner, before the headline, so it is clearly separated from the expand caret and avoids misclicks. Replaces the reused Bootstrap '.close' class (which collided with auto-generated v3 UI styles) with a dedicated 'os-message-dismiss' class styled as a small bordered button.

Lays out the OS banner as a centered flex row scoped to [data-source="os"], so the styling applies only to this banner; other banners and the messages notifications are unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 dojo/static/dojo/css/dojo.css    | 45 ++++++++++++++++++++++++++++++++
 dojo/templates/base.html         |  4 +--
 dojo/templates_classic/base.html |  4 +--
 3 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/dojo/static/dojo/css/dojo.css b/dojo/static/dojo/css/dojo.css
index 8871ec262be..a7f0eb4b3cf 100644
--- a/dojo/static/dojo/css/dojo.css
+++ b/dojo/static/dojo/css/dojo.css
@@ -1025,6 +1025,51 @@ span.endpoint_product {
     margin-top: 8px;
 }
 
+/* OS message banner dismiss (×): inline, grouped with the headline/caret
+   (not floated into the empty right side). Scoped so it only affects the
+   OS promo banner, which is the only banner carrying these classes. */
+/* Lay out the OS promo banner as a single centered row so the dismiss button,
+   headline, and expand caret line up vertically. Scoped to data-source="os"
+   so the other banners are untouched. */
+.announcement-banner[data-source="os"] {
+    display: flex;
+    align-items: center;
+    flex-wrap: wrap;
+}
+
+.announcement-banner[data-source="os"] .banner-expanded {
+    flex-basis: 100%;  /* expanded text drops to its own row */
+}
+
+.announcement-banner .os-message-dismiss-form {
+    display: inline-flex;
+    margin-right: 10px;
+}
+
+.announcement-banner .os-message-dismiss {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    width: 18px;
+    height: 18px;
+    padding: 0;
+    background: transparent;
+    border: 1px solid rgba(0, 0, 0, 0.3);
+    border-radius: 3px;
+    color: inherit;
+    cursor: pointer;
+    font-size: 13px;
+    line-height: 1;
+    opacity: 0.7;
+}
+
+.announcement-banner .os-message-dismiss:hover,
+.announcement-banner .os-message-dismiss:focus {
+    opacity: 1;
+    background: rgba(0, 0, 0, 0.06);
+    outline: none;
+}
+
 /* Removed: custom-search-form media queries — old topbar search sizing */
 
 /* Removed: Old sidebar/layout media queries for #page-wrapper, #footer-wrapper,
diff --git a/dojo/templates/base.html b/dojo/templates/base.html
index b3ee380b913..05620ae6e77 100644
--- a/dojo/templates/base.html
+++ b/dojo/templates/base.html
@@ -507,9 +507,7 @@
                             <form method="post" action="{% url 'dismiss_os_message' %}" class="os-message-dismiss-form">
                                 {% csrf_token %}
                                 <input type="hidden" name="token" value="{{ banner.dismiss_token }}">
-                                <button type="submit" class="close" aria-label="Close">
-                                    <span aria-hidden="true">&times;</span>
-                                </button>
+                                <button type="submit" class="os-message-dismiss" aria-label="Dismiss" title="Dismiss this message">&times;</button>
                             </form>
                         {% endif %}
                         {{ banner.message|safe }}{% if banner.url %} <a href="{{ banner.url }}">{{ banner.link_text }}</a>{% endif %}
diff --git a/dojo/templates_classic/base.html b/dojo/templates_classic/base.html
index abd595f2ff7..a8574ef6c01 100644
--- a/dojo/templates_classic/base.html
+++ b/dojo/templates_classic/base.html
@@ -657,9 +657,7 @@
                             <form method="post" action="{% url 'dismiss_os_message' %}" class="os-message-dismiss-form">
                                 {% csrf_token %}
                                 <input type="hidden" name="token" value="{{ banner.dismiss_token }}">
-                                <button type="submit" class="close" aria-label="Close">
-                                    <span aria-hidden="true">&times;</span>
-                                </button>
+                                <button type="submit" class="os-message-dismiss" aria-label="Dismiss" title="Dismiss this message">&times;</button>
                             </form>
                         {% endif %}
                         {{ banner.message|safe }}{% if banner.url %} <a href="{{ banner.url }}">{{ banner.link_text }}</a>{% endif %}

From b4d948e56b9599bc23bd3d145a993cb955632388 Mon Sep 17 00:00:00 2001
From: Greg Anderson <greg.anderson@owasp.org>
Date: Thu, 25 Jun 2026 22:14:48 -0600
Subject: [PATCH 3/5] test(announcement): version the dismiss view test fixture
 for V3_FEATURE_LOCATIONS

TestDismissOsMessageView loaded dojo_testdata.json directly, which raises NotImplementedError under V3_FEATURE_LOCATIONS=True (the fixture contains deprecated Endpoint records). Adding the @versioned_fixtures decorator swaps it to dojo_testdata_locations.json under V3, matching the convention used by the rest of the suite. Test-only change; verified passing locally under both V3=True and V3=False.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 unittests/test_os_message.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unittests/test_os_message.py b/unittests/test_os_message.py
index 1ae72078d14..f0da702a6a8 100644
--- a/unittests/test_os_message.py
+++ b/unittests/test_os_message.py
@@ -11,7 +11,7 @@
 from dojo import context_processors
 from dojo.announcement import os_message
 from dojo.models import User, UserContactInfo
-from unittests.dojo_test_case import DojoTestCase
+from unittests.dojo_test_case import DojoTestCase, versioned_fixtures
 
 
 class _Resp:
@@ -318,6 +318,7 @@ def test_os_banner_not_dismissible_for_anonymous(self):
         self.assertFalse(entries[0]["dismissible"])
 
 
+@versioned_fixtures
 class TestDismissOsMessageView(DojoTestCase):
     fixtures = ["dojo_testdata.json"]
 

From 468ab6bbf69b29b801d3028046a9776b64233b23 Mon Sep 17 00:00:00 2001
From: Greg Anderson <greg.anderson@owasp.org>
Date: Fri, 26 Jun 2026 01:51:35 -0600
Subject: [PATCH 4/5] feat(i18n): runtime translation plumbing + per-user
 language selection

Enables Django i18n in the OSS UI and lights up the existing (audited) pt_BR/ru catalogs. settings: add LocaleMiddleware, LANGUAGES (en, pt-br, ru), LOCALE_PATHS. Per-user language: UserContactInfo.language (migration 0271) + a profile selector. The DB is the cross-device source of truth; the django_language cookie caches it so LocaleMiddleware resolves per request with no DB access. The cookie is seeded from the DB only when absent (~once per browser session) and refreshed on change; /api/ requests are skipped (they localize via Accept-Language).

Build: compile .mo into the image via msgfmt (the .mo are gitignored), debian + alpine. Also fixes 3 malformed entries in the pre-existing pt_BR catalog so it compiles.

Only en/pt-br/ru are offered (audited); es/ja/de/fr are added once translated. Stored DB values and serialized API responses stay English regardless of language.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 Dockerfile.django-alpine                      |  8 +++
 Dockerfile.django-debian                      | 11 ++++
 .../0271_usercontactinfo_language.py          | 18 ++++++
 dojo/forms.py                                 |  6 ++
 dojo/locale/pt_BR/LC_MESSAGES/django.po       | 12 +++-
 dojo/middleware.py                            | 59 +++++++++++++++++++
 dojo/models.py                                |  1 +
 dojo/settings/settings.dist.py                | 15 +++++
 dojo/user/views.py                            |  7 ++-
 9 files changed, 133 insertions(+), 4 deletions(-)
 create mode 100644 dojo/db_migrations/0271_usercontactinfo_language.py

diff --git a/Dockerfile.django-alpine b/Dockerfile.django-alpine
index c16c09d7a17..5a0d7af15e7 100644
--- a/Dockerfile.django-alpine
+++ b/Dockerfile.django-alpine
@@ -91,6 +91,14 @@ RUN \
   mkdir -p dojo/migrations && \
   chmod g=u dojo/migrations && \
   true
+
+# Compile translation catalogs (.mo) into the image (the .mo files are gitignored
+# and generated at build). msgfmt is run directly so no Django settings/env are
+# needed; gettext is only required at build time, so install and remove it here.
+RUN \
+  apk add --no-cache --virtual .build-i18n gettext && \
+  find dojo/locale -name 'django.po' -execdir msgfmt django.po -o django.mo \; && \
+  apk del .build-i18n
 USER root
 RUN \
     addgroup --gid ${gid} ${appuser} && \
diff --git a/Dockerfile.django-debian b/Dockerfile.django-debian
index ac234b48b44..3b521c541ab 100644
--- a/Dockerfile.django-debian
+++ b/Dockerfile.django-debian
@@ -95,6 +95,17 @@ RUN \
   mkdir -p dojo/migrations && \
   chmod g=u dojo/migrations && \
   true
+
+# Compile translation catalogs (.mo) into the image (the .mo files are gitignored
+# and generated at build). msgfmt is run directly so no Django settings/env are
+# needed; gettext is only required at build time, so install and purge it here.
+RUN \
+  apt-get -y update && \
+  apt-get -y install --no-install-recommends gettext && \
+  find dojo/locale -name 'django.po' -execdir msgfmt django.po -o django.mo \; && \
+  apt-get -y purge --auto-remove gettext && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists
 USER root
 RUN \
     addgroup --gid ${gid} ${appuser} && \
diff --git a/dojo/db_migrations/0271_usercontactinfo_language.py b/dojo/db_migrations/0271_usercontactinfo_language.py
new file mode 100644
index 00000000000..ea0eacc27fe
--- /dev/null
+++ b/dojo/db_migrations/0271_usercontactinfo_language.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.14 on 2026-06-26 00:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0270_usercontactinfo_os_message_dismissed_hash'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='usercontactinfo',
+            name='language',
+            field=models.CharField(blank=True, default='', help_text='Preferred language for the DefectDojo UI. Leave blank to use the instance default.', max_length=12, verbose_name='Language'),
+        ),
+    ]
diff --git a/dojo/forms.py b/dojo/forms.py
index cb90d0f57de..b958273d74e 100644
--- a/dojo/forms.py
+++ b/dojo/forms.py
@@ -2378,6 +2378,12 @@ class Meta:
 
 
 class UserContactInfoForm(forms.ModelForm):
+    language = forms.ChoiceField(
+        required=False,
+        choices=[("", _("Use instance default")), *settings.LANGUAGES],
+        label=_("Language"),
+        help_text=_("Preferred language for the DefectDojo UI."),
+    )
     reset_api_token = forms.BooleanField(
         required=False,
         label=_("Reset API token"),
diff --git a/dojo/locale/pt_BR/LC_MESSAGES/django.po b/dojo/locale/pt_BR/LC_MESSAGES/django.po
index 0fa06c190c8..fb477b2c0b7 100644
--- a/dojo/locale/pt_BR/LC_MESSAGES/django.po
+++ b/dojo/locale/pt_BR/LC_MESSAGES/django.po
@@ -3537,14 +3537,18 @@ msgstr "Vulnerabilidades de alta gravidade"
 msgid ""
 "\n"
 "                                        %(name)s is affected by critical vulnerabilities."
-msgstr "%(name)s é afetado por vulnerabilidades críticas."
+msgstr ""
+"\n"
+"%(name)s é afetado por vulnerabilidades críticas."
 
 #: dojo/templates/dojo/metrics.html
 #, python-format
 msgid ""
 "\n"
 "                                        %(name)s is affected by high severity vulnerabilities."
-msgstr "%(name)s é afetado por vulnerabilidades de alta gravidade."
+msgstr ""
+"\n"
+"%(name)s é afetado por vulnerabilidades de alta gravidade."
 
 #: dojo/templates/dojo/metrics.html
 msgid "Full Metrics"
@@ -3789,7 +3793,9 @@ msgid ""
 "\n"
 "    Showing entries %(start_index)s to %(end_index)s of %(count)s\n"
 "    "
-msgstr "Mostrando entradas %(start_index)s a %(end_index)s de %(count)s"
+msgstr ""
+"\n"
+"Mostrando entradas %(start_index)s a %(end_index)s de %(count)s"
 
 #: dojo/templates/dojo/paging_snippet.html
 msgid "Page Size"
diff --git a/dojo/middleware.py b/dojo/middleware.py
index a576244312a..061d74582f1 100644
--- a/dojo/middleware.py
+++ b/dojo/middleware.py
@@ -10,6 +10,7 @@
 from django.db import models
 from django.http import HttpResponseRedirect
 from django.urls import reverse
+from django.utils import translation
 from watson.middleware import SearchContextMiddleware
 from watson.search import search_context_manager
 
@@ -194,6 +195,64 @@ def __call__(self, request):
         return self.get_response(request)
 
 
+def set_language_cookie(response, language):
+    """Persist (or clear) the UI-language cookie that Django's LocaleMiddleware reads."""
+    if language:
+        response.set_cookie(
+            settings.LANGUAGE_COOKIE_NAME,
+            language,
+            max_age=settings.LANGUAGE_COOKIE_AGE,
+            path=settings.LANGUAGE_COOKIE_PATH,
+            domain=settings.LANGUAGE_COOKIE_DOMAIN,
+            secure=settings.LANGUAGE_COOKIE_SECURE,
+            httponly=settings.LANGUAGE_COOKIE_HTTPONLY,
+            samesite=settings.LANGUAGE_COOKIE_SAMESITE,
+        )
+    else:
+        response.delete_cookie(
+            settings.LANGUAGE_COOKIE_NAME,
+            path=settings.LANGUAGE_COOKIE_PATH,
+            domain=settings.LANGUAGE_COOKIE_DOMAIN,
+        )
+    return response
+
+
+class LanguagePreferenceMiddleware:
+
+    """
+    Seed the language cookie from the user's stored preference when it is missing.
+
+    UserContactInfo.language is the durable, cross-device source of truth. The DB
+    is read only when the django_language cookie is absent (roughly once per
+    browser session); thereafter Django's LocaleMiddleware serves the cookie with
+    no per-request DB access. API requests are skipped: they localize via
+    Accept-Language and their clients typically do not keep cookies, so seeding
+    from the DB there would add a query to every API call.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        seed = ""
+        user = getattr(request, "user", None)
+        if (
+            user is not None
+            and getattr(user, "is_authenticated", False)
+            and settings.LANGUAGE_COOKIE_NAME not in request.COOKIES
+            and not request.path.startswith("/api/")
+        ):
+            contact = getattr(user, "usercontactinfo", None)
+            seed = getattr(contact, "language", "") if contact is not None else ""
+            if seed:
+                translation.activate(seed)
+                request.LANGUAGE_CODE = seed
+        response = self.get_response(request)
+        if seed:
+            set_language_cookie(response, seed)
+        return response
+
+
 class PgHistoryMiddleware(pghistory.middleware.HistoryMiddleware):
 
     """
diff --git a/dojo/models.py b/dojo/models.py
index 8de198110af..89f31385f19 100644
--- a/dojo/models.py
+++ b/dojo/models.py
@@ -261,6 +261,7 @@ class UserContactInfo(models.Model):
     token_last_reset = models.DateTimeField(null=True, blank=True, help_text=_("Timestamp of the most recent API token reset for this user."))
     password_last_reset = models.DateTimeField(null=True, blank=True, help_text=_("Timestamp of the most recent password reset for this user."))
     os_message_dismissed_hash = models.CharField(max_length=64, blank=True, default="", editable=False, help_text=_("Hash of the most recently dismissed open-source promo banner; the banner reappears when the message changes."))
+    language = models.CharField(max_length=12, blank=True, default="", verbose_name=_("Language"), help_text=_("Preferred language for the DefectDojo UI. Leave blank to use the instance default."))
 
 
 class System_Settings(models.Model):
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index d0afa0a88db..0cbb5443426 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -331,6 +331,16 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # to load the internationalization machinery.
 USE_I18N = env("DD_USE_I18N")
 
+# Languages offered in the UI. Only languages with an audited catalog are listed;
+# es/ja/de/fr are added once their translations land (their .po files are generated
+# for translators). Stored DB values and serialized API values always remain English
+# regardless of the selected language; only displayed text changes.
+LANGUAGES = [
+    ("en", "English"),
+    ("pt-br", "Português (Brasil)"),
+    ("ru", "Русский"),
+]
+
 # If you set this to False, Django will not use timezone-aware datetimes.
 USE_TZ = env("DD_USE_TZ")
 
@@ -381,6 +391,9 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 DOJO_ROOT = env("DD_ROOT")
 
+# Where Django looks for translation catalogs: dojo/locale/<lang>/LC_MESSAGES/.
+LOCALE_PATHS = [Path(DOJO_ROOT) / "locale"]
+
 # Absolute filesystem path to the directory that will hold user-uploaded files.
 # Example: "/var/www/example.com/media/"
 MEDIA_ROOT = env("DD_MEDIA_ROOT")
@@ -795,10 +808,12 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     "dojo.middleware.APITrailingSlashMiddleware",
     "dojo.middleware.DojoSytemSettingsMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
+    "django.middleware.locale.LocaleMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django_permissions_policy.PermissionsPolicyMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "dojo.middleware.LanguagePreferenceMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django_htmx.middleware.HtmxMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
diff --git a/dojo/user/views.py b/dojo/user/views.py
index ce3d8449a39..7374bd0ed10 100644
--- a/dojo/user/views.py
+++ b/dojo/user/views.py
@@ -43,6 +43,7 @@
     UserContactInfoForm,
 )
 from dojo.labels import get_labels
+from dojo.middleware import set_language_cookie
 from dojo.models import Alerts, Dojo_User, Product, Product_Type, UserContactInfo
 from dojo.user.authentication import reset_token_for_user
 from dojo.utils import add_breadcrumb, get_page_items, get_setting, get_system_setting
@@ -228,7 +229,11 @@ def view_profile(request):
             # just-saved usercontactinfo (e.g. ui_use_tailwind) instead of any
             # state cached on the POST request. Also prevents form
             # resubmission on refresh.
-            return HttpResponseRedirect(reverse("view_profile"))
+            response = HttpResponseRedirect(reverse("view_profile"))
+            # Reflect a language change immediately on this device by refreshing
+            # the cookie LocaleMiddleware reads; other devices pick the preference
+            # up from UserContactInfo on their next browser session.
+            return set_language_cookie(response, contact.language)
     add_breadcrumb(title=_("User Profile - %(user_full_name)s") % {"user_full_name": user.get_full_name()}, top_level=True, request=request)
     return render(request, "dojo/profile.html", {
         "user": user,

From 004cff31e3ccce0235571c82aee55d25125b7029 Mon Sep 17 00:00:00 2001
From: Greg Anderson <greg.anderson@owasp.org>
Date: Fri, 26 Jun 2026 01:58:45 -0600
Subject: [PATCH 5/5] test(i18n): cover language cookie helper, preference
 middleware, and config

Adds unittests/test_i18n.py: set_language_cookie sets/clears the cookie; LanguagePreferenceMiddleware seeds+activates from the DB only when the cookie is absent, and is a no-op for present cookies, /api/ paths, anonymous users, and users with no stored preference; and config checks (LocaleMiddleware enabled, preference middleware after auth, offered languages, LOCALE_PATHS). 11 tests, SimpleTestCase (no DB).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 unittests/test_i18n.py | 100 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 unittests/test_i18n.py

diff --git a/unittests/test_i18n.py b/unittests/test_i18n.py
new file mode 100644
index 00000000000..b7b49725e4c
--- /dev/null
+++ b/unittests/test_i18n.py
@@ -0,0 +1,100 @@
+from types import SimpleNamespace
+
+from django.conf import settings
+from django.http import HttpResponse
+from django.test import RequestFactory, SimpleTestCase
+from django.utils import translation
+
+from dojo.middleware import LanguagePreferenceMiddleware, set_language_cookie
+
+COOKIE = settings.LANGUAGE_COOKIE_NAME
+
+
+def _user(language="", *, authenticated=True):
+    return SimpleNamespace(
+        is_authenticated=authenticated,
+        usercontactinfo=SimpleNamespace(language=language),
+    )
+
+
+class TestSetLanguageCookie(SimpleTestCase):
+
+    def test_sets_cookie_when_language_given(self):
+        response = set_language_cookie(HttpResponse(), "pt-br")
+        self.assertEqual(response.cookies[COOKIE].value, "pt-br")
+
+    def test_clears_cookie_when_blank(self):
+        # delete_cookie clears the value so LocaleMiddleware falls back to default.
+        response = set_language_cookie(HttpResponse(), "")
+        self.assertEqual(response.cookies[COOKIE].value, "")
+
+
+class TestLanguagePreferenceMiddleware(SimpleTestCase):
+
+    def setUp(self):
+        self.factory = RequestFactory()
+        self.addCleanup(translation.deactivate)
+
+    def _run(self, request):
+        captured = {}
+
+        def get_response(req):
+            captured["active"] = translation.get_language()
+            return HttpResponse()
+
+        response = LanguagePreferenceMiddleware(get_response)(request)
+        return response, captured
+
+    def test_seeds_and_activates_when_cookie_absent(self):
+        request = self.factory.get("/dashboard")
+        request.user = _user("pt-br")
+        response, captured = self._run(request)
+        self.assertEqual(request.LANGUAGE_CODE, "pt-br")
+        self.assertEqual(captured["active"], "pt-br")
+        self.assertEqual(response.cookies[COOKIE].value, "pt-br")
+
+    def test_noop_when_cookie_present(self):
+        request = self.factory.get("/dashboard")
+        request.COOKIES[COOKIE] = "ru"
+        request.user = _user("pt-br")
+        response, _ = self._run(request)
+        self.assertNotIn(COOKIE, response.cookies)
+        self.assertFalse(hasattr(request, "LANGUAGE_CODE"))
+
+    def test_skips_api_requests(self):
+        request = self.factory.get("/api/v2/findings/")
+        request.user = _user("pt-br")
+        response, _ = self._run(request)
+        self.assertNotIn(COOKIE, response.cookies)
+
+    def test_skips_anonymous_users(self):
+        request = self.factory.get("/dashboard")
+        request.user = _user("pt-br", authenticated=False)
+        response, _ = self._run(request)
+        self.assertNotIn(COOKIE, response.cookies)
+
+    def test_noop_when_no_stored_preference(self):
+        request = self.factory.get("/dashboard")
+        request.user = _user("")
+        response, _ = self._run(request)
+        self.assertNotIn(COOKIE, response.cookies)
+
+
+class TestI18nConfiguration(SimpleTestCase):
+
+    def test_locale_middleware_enabled(self):
+        self.assertIn("django.middleware.locale.LocaleMiddleware", settings.MIDDLEWARE)
+
+    def test_language_preference_middleware_runs_after_auth(self):
+        mw = settings.MIDDLEWARE
+        self.assertIn("dojo.middleware.LanguagePreferenceMiddleware", mw)
+        self.assertGreater(
+            mw.index("dojo.middleware.LanguagePreferenceMiddleware"),
+            mw.index("django.contrib.auth.middleware.AuthenticationMiddleware"),
+        )
+
+    def test_only_audited_languages_are_offered(self):
+        self.assertEqual({code for code, _name in settings.LANGUAGES}, {"en", "pt-br", "ru"})
+
+    def test_locale_paths_point_at_dojo_locale(self):
+        self.assertTrue(any(str(path).endswith("dojo/locale") for path in settings.LOCALE_PATHS))