Ruff: Add and fix FBT002 (+ merge all FBT rules) #11261

Open
wants to merge 1 commit into base: dev
Conversation

kiblik
Contributor

@kiblik kiblik commented Nov 14, 2024


dryrunsecurity bot commented Nov 14, 2024

DryRun Security Summary

The pull request focuses on enhancing the security, reliability, and functionality of the Defect Dojo application through improvements in rate limiting, endpoint management, reporting, JIRA integration, and code maintainability across multiple files.


Summary:

The code changes in this pull request cover a wide range of functionality across the Defect Dojo application, with a focus on improving the security and reliability of various features. The changes include enhancements to the rate-limiting functionality, improvements to the endpoint management and reporting capabilities, updates to the JIRA integration, and various other bug fixes and code refactoring.

From an application security perspective, the key areas of focus are:

  1. Rate Limiting: The changes to the rate-limiting decorator, including the addition of the block parameter and the account lockout functionality, help strengthen the application's security by providing more control over the rate-limiting behavior and mitigating the impact of potential attacks.

  2. Endpoint Management: The updates to the endpoint management functionality, such as the handling of different filtering options and the improvements to the JIRA integration, help ensure that the application's security-related data is properly managed and integrated with external systems.

  3. Reporting and Data Processing: The changes to the report generation, data processing, and serialization functionality help improve the overall security and reliability of the application by ensuring that user input is properly validated and that sensitive information is handled securely.

  4. Code Readability and Maintainability: The use of keyword-only arguments and other code refactoring efforts help improve the readability and maintainability of the codebase, which can indirectly contribute to the application's security by making it easier to identify and address potential issues.

Overall, the changes in this pull request demonstrate a strong focus on improving the security and reliability of the Defect Dojo application, with a comprehensive approach that covers various aspects of the application's functionality.

Files Changed:

  1. dojo/decorators.py: Enhancements to the rate-limiting functionality, including the addition of the block parameter and the account lockout functionality.
  2. dojo/endpoint/views.py: Updates to the endpoint management functionality, including the handling of different filtering options and improvements to the JIRA integration.
  3. dojo/components/sql_group_concat.py: Implementation of a custom Django Aggregate function, with a focus on ensuring input validation and sanitization.
  4. dojo/api_v2/serializers.py: Improvements to the handling of the import and re-import processes, including the auto-creation of product types, products, and engagements.
  5. dojo/finding/helper.py: Updates to the finding group management functionality, including the ability to push findings or finding groups to JIRA.
  6. dojo/filters.py: Enhancements to the filtering and search capabilities, including the addition of new filter fields and improvements to the tagging functionality.
  7. dojo/engagement/views.py: Modifications to the risk acceptance management functionality, including the addition of the edit_mode parameter.
  8. dojo/finding/views.py: Updates to the finding management functionality, including the use of keyword-only arguments in the prefetch_for_findings and apply_cwe_mitigation functions.
  9. dojo/jira_link/helper.py: Improvements to the JIRA integration functionality, including the addition of new parameters to control the behavior of various JIRA-related functions.
  10. dojo/middleware.py: Updates to the system settings management functionality, including the addition of the no_cache parameter to the get() method of the System_Settings_Manager class.

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer findings:
  Authn/Authz Analyzer: 1 finding
  IDOR Analyzer: 1 finding

Overall Riskiness

🟡 Please give this pull request extra attention during review.

View PR in the DryRun Dashboard.
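The keyword-only refactor the summary points at is what Ruff's FBT002 rule enforces: a boolean default on a positional parameter lets callers pass a bare `True`/`False` whose meaning is invisible at the call site. The detector below is an added example and is not code from this PR, DefectDojo or Ruff; `push_to_jira` and its flags are constructed sample names, and the check mirrors the rule's idea rather than Ruff's implementation.

```python
"""Minimal detector for the pattern Ruff's FBT002 flags: a boolean default
on a positional parameter, e.g. ``def f(x, verbose=False)``.

Added example for this PR discussion, not DefectDojo or Ruff code."""
import ast


def boolean_positional_defaults(source: str) -> list[tuple[str, str, int]]:
    """Return (function, parameter, line) for each positional parameter whose
    default is a bool literal. Keyword-only parameters (after ``*``) are never
    reported, which is exactly the fix the rule asks for."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        args = node.args
        positional = args.posonlyargs + args.args
        # Defaults line up with the *last* len(defaults) positional parameters.
        defaults = args.defaults
        offset = len(positional) - len(defaults)
        for param, default in zip(positional[offset:], defaults):
            if isinstance(default, ast.Constant) and isinstance(default.value, bool):
                hits.append((node.name, param.arg, node.lineno))
    return hits


def keyword_only_rejects_positional(source: str) -> bool:
    """Exec the constructed sample and report whether passing the flag
    positionally is refused (TypeError). Only ever run on the inline samples."""
    namespace: dict = {}
    exec(source, namespace)
    try:
        namespace["push_to_jira"](object(), False)
    except TypeError:
        return True
    return False


# Constructed samples in the shape this PR converts: a boolean flag callers
# could pass positionally (BEFORE) and the keyword-only rewrite (AFTER).
BEFORE = '''
def push_to_jira(finding, sync=True, force=False):
    return finding
'''

AFTER = '''
def push_to_jira(finding, *, sync=True, force=False):
    return finding
'''

if __name__ == "__main__":
    print(boolean_positional_defaults(BEFORE), keyword_only_rejects_positional(BEFORE))
    print(boolean_positional_defaults(AFTER), keyword_only_rejects_positional(AFTER))
```

Running it shows the BEFORE form reports both flags (and silently accepts `push_to_jira(f, False)`), while the AFTER form reports nothing and rejects the positional call.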

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik force-pushed the ruff_FBT branch 4 times, most recently from d91b726 to c55dbe4 on December 10, 2024 15:48
@kiblik kiblik marked this pull request as ready for review December 10, 2024 15:50
@kiblik kiblik requested review from mtesauro and Maffooch and removed request for mtesauro December 10, 2024 15:51
@kiblik kiblik force-pushed the ruff_FBT branch 2 times, most recently from af4b1d6 to 44a9881 on December 11, 2024 10:18
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.
