
Update JIRA for Finding Group When Risk Acceptance Expires #11401

Open: wants to merge 6 commits into base: bugfix
Conversation

hblankenship
Collaborator

[sc-9132]

When a risk exception expires and reopens all of the associated findings, those changes should be reflected in JIRA.


dryrunsecurity bot commented Dec 10, 2024

DryRun Security Summary

The pull request focuses on improving the JIRA integration, risk acceptance management, and finding-related functionality in the DefectDojo application by enhancing code reliability, traceability, and maintainability through targeted changes in three key files.


Summary:

The code changes in this pull request are focused on improving the functionality and reliability of the JIRA integration, the management of risk acceptances, and the organization of the finding-related functionality in the DefectDojo application.

The changes to the jira_link/helper.py file aim to enhance the handling of JIRA integration by ensuring that findings are only pushed to JIRA if they are not part of a group, and by pushing the entire group to JIRA after saving the individual findings. This helps to improve the overall reliability and traceability of the JIRA integration.

The changes to the risk_acceptance/helper.py file introduce several functions to manage the expiration, reinstatement, and deletion of risk acceptances, as well as the addition and removal of findings from risk acceptances. These changes help to maintain visibility and traceability of risk acceptance-related events through JIRA integration and updates to the application's understanding of the risk posture of associated endpoints.

The changes to the finding/views.py file are a significant refactor that introduces a more modular and organized structure for handling the various aspects of finding management, such as filtering, ordering, displaying, editing, and performing various actions on findings. This refactor aims to improve the maintainability and extensibility of the finding-related functionality in the application.

From an application security perspective, these changes do not directly impact the security of the application, but they do contribute to the overall reliability, traceability, and maintainability of the DefectDojo application, which can indirectly benefit the security of the application.

Files Changed:

  1. dojo/jira_link/helper.py:

    • Introduced the save_and_push_to_jira function to handle the JIRA integration, including determining if a finding is part of a group, checking for existing JIRA issues, and pushing findings to JIRA.
    • The changes aim to improve the handling of JIRA integration, ensuring that findings are only pushed to JIRA if they are not part of a group, and pushing the entire group to JIRA after saving the individual findings.
  2. dojo/risk_acceptance/helper.py:

    • Introduced functions to manage the expiration, reinstatement, and deletion of risk acceptances, as well as the addition and removal of findings from risk acceptances.
    • The changes help to maintain visibility and traceability of risk acceptance-related events through JIRA integration and updates to the application's understanding of the risk posture of associated endpoints.
  3. dojo/finding/views.py:

    • Introduced a refactor of the finding-related functionality, including the addition of a BaseListFindings class and several subclasses to handle different types of finding lists.
    • Added a ViewFinding class to handle the display of a single finding and its related information, and an EditFinding class to handle the editing of a finding.
    • Introduced numerous utility functions to handle various actions related to findings, such as closing, reopening, risk-accepting, and managing finding duplicates.
    • The changes aim to improve the organization and maintainability of the finding-related functionality in the DefectDojo application.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.


Contributor

@Maffooch Maffooch left a comment


Works well! Small nitpick about code org, but otherwise good

Comment on lines 374 to 392
import dojo.jira_link.helper as jira_helper


def update_risk_acceptance_jira(finding):
    # Manage the JIRA status changes
    push_to_jira = False
    # Determine if the finding is in a group. If so, do not push it to JIRA on its own
    finding_in_group = finding.has_finding_group
    # Check if there is a JIRA issue (on the finding or its group) that needs to be updated
    jira_issue_exists = finding.has_jira_issue or (finding.finding_group and finding.finding_group.has_jira_issue)
    if jira_issue_exists:
        # Determine if any automatic sync should occur
        push_to_jira = jira_helper.is_push_all_issues(finding) \
            or jira_helper.get_jira_instance(finding).finding_jira_sync
    # Save the finding; only push it individually if it is not in a group
    finding.save(push_to_jira=(push_to_jira and not finding_in_group))

    # We only push the group after saving the finding to make sure
    # the updated data of the finding is pushed as part of the group
    if push_to_jira and finding_in_group:
        jira_helper.push_to_jira(finding.finding_group)
Contributor


This would be better placed in dojo/jira_link/helper.py under a different name like save_and_push_to_jira

Collaborator Author


done
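The push decision quoted in the review thread above, as an added illustration that is not DefectDojo's own code: the Finding/FindingGroup classes and the sync flag are constructed stand-ins for the project's models and jira_helper, and the batch function goes one step beyond the per-finding function on the page by pushing each group once, after all of its reopened members have been saved.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FindingGroup:
    # Constructed stand-in for DefectDojo's Finding_Group model
    name: str
    has_jira_issue: bool = False


@dataclass
class Finding:
    # Constructed stand-in for DefectDojo's Finding model
    title: str
    has_jira_issue: bool = False
    finding_group: Optional[FindingGroup] = None

    @property
    def has_finding_group(self) -> bool:
        return self.finding_group is not None


def decide_push(finding: Finding, sync_enabled: bool) -> dict:
    """Mirror the quoted logic: a JIRA issue must exist on the finding or its
    group, and automatic sync must be on. Grouped findings are never pushed
    alone; the group is pushed instead. sync_enabled stands in for
    is_push_all_issues(...) or finding_jira_sync."""
    jira_issue_exists = finding.has_jira_issue or (
        finding.finding_group is not None and finding.finding_group.has_jira_issue
    )
    push = jira_issue_exists and sync_enabled
    return {
        "push_finding": push and not finding.has_finding_group,
        "push_group": push and finding.has_finding_group,
    }


def reopen_after_expiry(findings: List[Finding], sync_enabled: bool = True) -> List[str]:
    """Apply the decision to every finding reopened by an expiring risk acceptance.
    Returns an ordered event log: every finding save precedes any group push, so the
    group push carries the reopened state of all its members (assumed batching)."""
    log: List[str] = []
    groups_to_push: List[FindingGroup] = []
    for f in findings:
        d = decide_push(f, sync_enabled)
        log.append(f"save {f.title} push_to_jira={d['push_finding']}")
        if d["push_group"] and f.finding_group not in groups_to_push:
            groups_to_push.append(f.finding_group)
    for g in groups_to_push:
        log.append(f"push group {g.name}")
    return log
```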
