
Update JIRA for Finding Group When Risk Acceptance Expires #11401

Merged: 9 commits, Jan 2, 2025

Conversation

hblankenship
Collaborator

[sc-9132]

When a risk exception expires and reopens all of the associated findings, those changes should be reflected in Jira.


dryrunsecurity bot commented Dec 10, 2024

DryRun Security Summary

The pull request enhances the JIRA integration in DefectDojo by improving security, functionality, and reliability through secure credential handling, risk acceptance management, issue synchronization, and comprehensive testing.


Summary:

The code changes in this pull request focus on improving the security and functionality of the JIRA integration within the DefectDojo application. The changes cover various aspects, including handling sensitive credentials, managing risk acceptances, synchronizing findings and issues between the two systems, and enhancing the overall integration capabilities.

Key highlights from the code changes:

  1. Secure JIRA Configuration: The changes ensure that sensitive credentials, such as the JIRA username and API token, are no longer stored in plain text, improving the overall security of the integration.

  2. Risk Acceptance Handling: The code updates the "Reopen Finding" functionality to properly handle risk acceptances, including clearing the risk acceptance when a finding is reopened and updating the associated JIRA issues.

  3. JIRA Integration Enhancements: The changes introduce improvements to the JIRA integration, such as handling the creation, updating, and synchronization of JIRA issues, managing JIRA issue metadata, and handling attachments and comments.

  4. Engagement Epic Handling: The code includes functionality to manage the synchronization of DefectDojo engagements with JIRA epics, allowing for better organization and tracking of security findings at the engagement level.

  5. Comprehensive Testing: The changes include a significant number of unit tests to ensure the proper functioning of the JIRA integration, covering various scenarios like pushing findings to JIRA, handling duplicates, and updating JIRA issues.

Overall, the code changes in this pull request demonstrate a strong focus on improving the security, reliability, and functionality of the JIRA integration within the DefectDojo application, which is a crucial feature for organizations that rely on both tools to manage their application security processes.

Files Changed:

  1. dojo/fixtures/dojo_testdata.json: The changes in this file improve the security of the JIRA integration by replacing plain-text credentials with placeholders, and updating the JIRA project key.

  2. dojo/finding/views.py: The changes in this file enhance the "Reopen Finding" functionality, ensuring that the associated risk acceptance is cleared, the finding is properly saved and updated in JIRA, and any external issues are also reopened.

  3. dojo/risk_acceptance/helper.py: The changes in this file focus on improving the handling of expired risk acceptances, including reactivating the associated findings, posting JIRA comments, and creating notifications.

  4. dojo/jira_link/helper.py: The changes in this file provide a comprehensive implementation of the JIRA integration functionality within DefectDojo, covering various aspects such as JIRA configuration management, issue metadata handling, attachment handling, and comment handling.

  5. unittests/test_jira_import_and_pushing_api.py: The changes in this file introduce a significant number of unit tests to ensure the proper functioning of the JIRA integration, covering various scenarios like pushing findings to JIRA, handling duplicates, and updating JIRA issues.

Code Analysis

We ran 9 analyzers against 6 files and 0 analyzers had findings. 9 analyzers had no findings.

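The behaviour described in the PR description and in the DryRun summary (an expired risk acceptance reactivates its findings and the change must reach Jira, including for findings whose Jira issue belongs to a finding group rather than to the individual finding) is easier to reason about as a small simulation. The block below is an added example, not DefectDojo code: `Finding`, `FindingGroup`, `RiskAcceptance`, `FakeJira`, and the sample data in `build_scenario()` are hypothetical stand-ins for the real Django models and the Jira client, and the one-transition-per-issue de-duplication is this example's design choice, not a statement about how dojo/risk_acceptance/helper.py is implemented.

```python
"""Simplified model of risk-acceptance expiry driving Jira updates.

Added example, not DefectDojo code. All class and function names here are
hypothetical stand-ins for the real models and the Jira client.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class FindingGroup:
    name: str
    jira_key: Optional[str] = None  # one Jira issue represents the whole group


@dataclass
class Finding:
    title: str
    active: bool = True
    risk_accepted: bool = False
    jira_key: Optional[str] = None        # set when the finding has its own issue
    group: Optional[FindingGroup] = None  # set when the group carries the issue


@dataclass
class RiskAcceptance:
    name: str
    expiration_date: date
    findings: list = field(default_factory=list)
    expired: bool = False

    def is_expired(self, today: date) -> bool:
        # Only fire once: a processed acceptance must not re-trigger on later runs.
        return not self.expired and self.expiration_date <= today


class FakeJira:
    """Records the calls a real Jira client would make (constructed stand-in)."""

    def __init__(self) -> None:
        self.transitions: list = []  # (issue_key, transition name)
        self.comments: list = []     # (issue_key, comment text)

    def reopen(self, key: str, comment: str) -> None:
        self.transitions.append((key, "Reopen"))
        self.comments.append((key, comment))


def accept_risk(ra: RiskAcceptance, finding: Finding) -> None:
    """Attach a finding to an acceptance and take it out of the active set."""
    ra.findings.append(finding)
    finding.active = False
    finding.risk_accepted = True


def reopen_finding(finding: Finding) -> None:
    """Mirror of the 'Reopen Finding' path: clear the acceptance flag and reactivate."""
    finding.active = True
    finding.risk_accepted = False


def expire_risk_acceptance(ra: RiskAcceptance, today: date, jira: FakeJira) -> list:
    """Expire `ra` if it is due, reopen its findings and sync Jira.

    Returns the Jira issue keys that were updated (empty when nothing was due),
    which is what a caller would turn into notifications.
    """
    if not ra.is_expired(today):
        return []
    ra.expired = True
    updated: list = []
    comment = (f"Risk acceptance '{ra.name}' expired on "
               f"{ra.expiration_date.isoformat()}; finding reopened in DefectDojo.")
    for finding in ra.findings:
        reopen_finding(finding)
        # A grouped finding is tracked by the group's issue, not by one of its own.
        key = finding.group.jira_key if finding.group else finding.jira_key
        # Design choice of this example: transition each Jira issue once, even
        # when several findings in the same group were reopened.
        if key and key not in updated:
            jira.reopen(key, comment)
            updated.append(key)
    return updated


def build_scenario():
    """Constructed sample data: a grouped pair of findings plus one standalone finding."""
    group = FindingGroup("SQL injection in API", jira_key="SEC-10")
    grouped = [Finding("SQLi in /api/users", group=group),
               Finding("SQLi in /api/orders", group=group)]
    standalone = Finding("XSS in search page", jira_key="SEC-11")
    ra = RiskAcceptance("Q4 exception", expiration_date=date(2025, 1, 1))
    for finding in grouped + [standalone]:
        accept_risk(ra, finding)
    return ra, grouped + [standalone], FakeJira()


def run_demo() -> dict:
    """Run the expiry job on three dates: before expiry, at expiry, and again afterwards."""
    ra, findings, jira = build_scenario()
    before = expire_risk_acceptance(ra, date(2024, 12, 31), jira)
    still_closed = all(not f.active and f.risk_accepted for f in findings)
    updated = expire_risk_acceptance(ra, date(2025, 1, 2), jira)
    reopened = all(f.active and not f.risk_accepted for f in findings)
    again = expire_risk_acceptance(ra, date(2025, 1, 3), jira)
    return {"before_expiry": before, "still_closed": still_closed,
            "updated": updated, "reopened": reopened,
            "second_run": again, "jira_transitions": jira.transitions}


if __name__ == "__main__":
    print(run_demo())
```

The two points worth checking in a real implementation are visible in the result: the job is idempotent (a second run after expiry touches nothing), and the group issue SEC-10 receives a single reopen transition although two findings behind it were reactivated.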

Contributor

@Maffooch Maffooch left a comment


Works well! Small nitpick about code org, but otherwise good

(Review thread on dojo/risk_acceptance/helper.py, outdated and resolved.)
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 9e14120 into bugfix Jan 2, 2025
75 checks passed
5 participants