
Feature: Integrate with Linear for issue tracking #11404

Status: Open. Wants to merge 1 commit into base: dev.

Conversation


@bsterne bsterne commented Dec 11, 2024

Description

This PR implements an integration with Linear

  • lets you configure one or more Linear instances to push findings to
  • adds a menu item on View Finding to Create Linear Issue (not limited to one)
  • Associates any Linear Issues created with the relevant Finding

Test results

Unit and integration tests are all passing. Haven't added new tests yet, but am happy to add them.

Documentation

Will add new docs to the documentation folder once I validate this is the right direction for the feature.

@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. ui labels Dec 11, 2024
@accesslint accesslint bot left a comment

There are accessibility issues in these changes.

```html
Linear Instances
<div class="dropdown pull-right">
{% if "dojo.add_linear_instance"|has_configuration_permission:request %}
<button class="btn btn-primary dropdown-toggle" type="button" id="dropdownMenu1"
```
Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.
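The rule the bot applies can be checked mechanically. The following Python script is an added illustration, not code from the PR or from the accesslint bot: it parses a template fragment with the standard-library HTML parser and reports every `<button>` that ends up with no accessible name under a simplified version of the accessible-name computation (visible text content, `aria-label`, `aria-labelledby` or `title`). The sample markup is constructed for the example; it is shaped like the flagged fragment, but the icon-only body of `dropdownMenu1` and the two comparison buttons are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample (not the PR's template): the first button mirrors the
# flagged dropdown toggle, assumed to contain only an icon; the second carries
# an aria-label; the third has visible text.
SAMPLE_TEMPLATE = """
<div class="dropdown pull-right">
{% if "dojo.add_linear_instance"|has_configuration_permission:request %}
<button class="btn btn-primary dropdown-toggle" type="button" id="dropdownMenu1"
        data-toggle="dropdown" aria-expanded="true">
  <span class="fa-solid fa-bars"></span>
</button>
{% endif %}
</div>
<button type="button" id="dropdownMenu2" aria-label="Linear instance actions">
  <span class="fa-solid fa-bars"></span>
</button>
<button type="button" id="addInstance">Add Linear instance</button>
"""

# Attributes that supply a name when the element has no visible text.
NAME_ATTRIBUTES = ("aria-label", "aria-labelledby", "title")


class ButtonNameChecker(HTMLParser):
    """Records each <button> and whether it has an accessible name.

    Django template tags ({% ... %}) are plain text to the HTML parser, so the
    check works on raw templates without rendering them.
    """

    def __init__(self):
        super().__init__()
        self._open = []      # stack of (attrs, text chunks) for nested buttons
        self.results = []    # list of (id or "<no id>", has_name)

    def handle_starttag(self, tag, attrs):
        if tag == "button":
            self._open.append((dict(attrs), []))

    def handle_data(self, data):
        # Text inside an open button contributes to its name from content.
        if self._open:
            self._open[-1][1].append(data)

    def handle_endtag(self, tag):
        if tag == "button" and self._open:
            attrs, chunks = self._open.pop()
            text = "".join(chunks).strip()
            has_name = bool(text) or any(
                (attrs.get(a) or "").strip() for a in NAME_ATTRIBUTES
            )
            self.results.append((attrs.get("id") or "<no id>", has_name))


def unnamed_buttons(markup: str) -> list:
    """Return the ids of buttons in `markup` that have no accessible name."""
    checker = ButtonNameChecker()
    checker.feed(markup)
    checker.close()
    return [ident for ident, ok in checker.results if not ok]


if __name__ == "__main__":
    for ident in unnamed_buttons(SAMPLE_TEMPLATE):
        print(f"button #{ident}: missing accessible name")
```

Running it on the sample reports only `dropdownMenu1`; giving that element an `aria-label` (or visible text alongside the icon) makes the check pass, which is the fix the bot is asking for.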

DryRun Security Summary

The pull request introduces a new integration between DefectDojo and Linear project management tool, focusing on secure implementation with proper access controls, input validation, and authorization checks to enable users to create Linear issues directly from the DefectDojo application.

Summary:

The code changes in this pull request introduce a new integration between the DefectDojo application and the Linear project management tool. The changes include the following key points:

  1. Linear Integration: The changes add new models (Linear_Issue and Linear_Instance) to store the configuration and mapping between findings in DefectDojo and issues in Linear. This allows users to create Linear issues directly from the DefectDojo application.

  2. Security Considerations: The changes include several security-focused implementations, such as:

    • Proper access control and authorization checks to ensure only authorized users can perform actions like creating, editing, or deleting Linear instances.
    • Input validation and sanitization to prevent potential injection vulnerabilities (e.g., SQL injection, command injection) when interacting with the Linear integration.
    • Secure storage and handling of sensitive data, such as the Linear API key, to prevent unauthorized access or exposure.
    • Logging and monitoring mechanisms to track security-relevant events related to the Linear integration.

  3. Ongoing Review: While the changes appear to be implemented with security in mind, it is crucial to conduct a thorough review of the entire codebase, including the new "Linear" functionality, to identify any potential security vulnerabilities or unintended consequences. This includes reviewing input validation, access control, error handling, and the overall integration with the Linear tool.

Files Changed:

  • dojo/finding/urls.py: Adds a new URL pattern for creating a Linear issue for a specific finding. Security considerations include access control and input validation.
  • dojo/db_migrations/0219_linear_integration.py: Introduces new models (Linear_Issue and Linear_Instance) to integrate with Linear. Security considerations include secure storage of the Linear API key and validation of the additional JSON input.
  • dojo/db_migrations/0220_alter_linear_instance_addl_json_input.py: Modifies the addl_json_input field in the Linear_Instance model. Security considerations include thorough input validation and sanitization of the JSON data.
  • dojo/finding/views.py: Includes functionality for managing findings, such as bulk update, deletion, and merging. Security considerations include access control, authorization, and secure integration with external tools like JIRA and GitHub.
  • dojo/linear/views.py: Implements views for managing Linear instances, including creating, editing, and deleting. Security considerations include user authorization and input validation.
  • dojo/forms.py: Adds a new LinearFindingForm to associate findings with Linear instances. Security considerations include input validation and sanitization.
  • Additional files related to templates, URLs, and other supporting functionality for the Linear integration.

Overall, the code changes appear to be focused on improving the integration between DefectDojo and Linear, with a strong emphasis on security considerations. However, it is crucial to conduct a thorough security review of the entire implementation to identify and address any potential vulnerabilities.

Code Analysis

We ran 9 analyzers against 18 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                        Findings
Configured Codepaths Analyzer   15 findings
Sensitive Files Analyzer        3 findings

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.
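The summary above lists the controls a reviewer would look for in this kind of integration: validating the admin-supplied `addl_json_input`, keeping finding text out of the outbound query, masking the API key in logs, gating creation behind a permission check, and recording the Finding-to-Linear-issue link. The Python below is an added, dependency-free sketch of those controls, not code from the PR or from DefectDojo. It assumes simplified `LinearInstance` and `Finding` shapes (attribute names are assumptions), an assumed allow-list of optional `IssueCreateInput` fields, an injected `transport(headers, payload)` callable in place of a real HTTP client, a dict in place of the `Linear_Issue` table, and a boolean in place of the project's permission system.

```python
import json
from dataclasses import dataclass


# Assumed, simplified shapes (names are assumptions, not the project's schema).
@dataclass
class LinearInstance:
    name: str
    api_key: str
    team_id: str
    addl_json_input: str = "{}"  # extra issueCreate fields stored as JSON text


@dataclass
class Finding:
    id: int
    title: str
    description: str


# Fields the integration sets itself; addl_json_input may not override them.
RESERVED_FIELDS = {"teamId", "title", "description"}
# Assumed allow-list of optional IssueCreateInput fields an admin may preset.
ALLOWED_FIELDS = {"projectId", "priority", "labelIds", "assigneeId", "stateId"}
MAX_ADDL_JSON_BYTES = 4096


class AddlJsonError(ValueError):
    """Raised when addl_json_input fails validation."""


def validate_addl_json_input(raw: str) -> dict:
    """Parse addl_json_input and enforce size, shape and key restrictions."""
    if len(raw.encode("utf-8")) > MAX_ADDL_JSON_BYTES:
        raise AddlJsonError("addl_json_input exceeds size limit")
    try:
        data = json.loads(raw) if raw.strip() else {}
    except json.JSONDecodeError as exc:
        raise AddlJsonError(f"addl_json_input is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise AddlJsonError("addl_json_input must be a JSON object")
    reserved = set(data) & RESERVED_FIELDS
    if reserved:
        raise AddlJsonError(f"addl_json_input may not set {sorted(reserved)}")
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise AddlJsonError(f"unknown addl_json_input fields: {sorted(unknown)}")
    return data


def build_issue_create_request(instance: LinearInstance, finding: Finding) -> dict:
    """Build a GraphQL issueCreate request. Finding text travels in `variables`
    and is never spliced into the query string, so it cannot alter the mutation."""
    extra = validate_addl_json_input(instance.addl_json_input)
    issue_input = {
        "teamId": instance.team_id,
        "title": f"[DefectDojo finding {finding.id}] {finding.title}",
        "description": finding.description,
        **extra,
    }
    return {
        "query": ("mutation CreateIssue($input: IssueCreateInput!) {"
                  " issueCreate(input: $input) { success issue { id identifier url } } }"),
        "variables": {"input": issue_input},
    }


def redact_headers(headers: dict) -> dict:
    """Copy of the request headers that is safe to log: the API key is masked."""
    return {k: ("***" if k.lower() == "authorization" else v) for k, v in headers.items()}


def create_linear_issue(user_can_create, instance, finding, transport, issue_map, log):
    """Authorize, send the mutation, then record the Finding -> Linear issue link.

    `transport(headers, payload)` is an injected HTTP call (assumed interface);
    `issue_map` stands in for the Linear_Issue table; `log` is a list sink.
    """
    if not user_can_create:
        raise PermissionError("user may not create Linear issues for this finding")
    payload = build_issue_create_request(instance, finding)
    headers = {"Authorization": instance.api_key, "Content-Type": "application/json"}
    log.append({"event": "linear.issue_create", "finding": finding.id,
                "instance": instance.name, "headers": redact_headers(headers)})
    response = transport(headers, payload)
    result = (response.get("data") or {}).get("issueCreate") or {}
    if not result.get("success"):
        raise RuntimeError(f"Linear rejected issueCreate: {response.get('errors')}")
    issue = result["issue"]
    # One finding may be linked to several Linear issues (e.g. one per instance).
    issue_map.setdefault(finding.id, []).append((instance.name, issue["identifier"]))
    return issue


if __name__ == "__main__":
    # Constructed demo: a fake transport that answers like a successful issueCreate.
    def fake_transport(headers, payload):
        return {"data": {"issueCreate": {"success": True, "issue": {
            "id": "constructed-id", "identifier": "SEC-7", "url": "https://linear.app/example"}}}}

    inst = LinearInstance("prod", "lin_api_constructed_key", "TEAM-1", '{"priority": 2}')
    fnd = Finding(42, "Reflected XSS in search", "Parameter q is echoed unescaped.")
    links, events = {}, []
    print(create_linear_issue(True, inst, fnd, fake_transport, links, events))
    print(links, events[0]["headers"])
```

The design point is that the three inputs with different trust levels are kept apart: the admin's `addl_json_input` is parsed and restricted to a known key set before it can touch the request, the finding's title and description go into GraphQL variables rather than the query text, and the API key only ever appears in the live request headers, never in the log record.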
