
Fix for issue #10207 non-existent env import #11053

Merged: 6 commits, Oct 19, 2024

Conversation

@hblankenship hblankenship (Collaborator) commented Oct 11, 2024

When a user passes a currently non-existent Development_Environment into import or re-import, and auto_create_context is true, it will now be created if it does not already exist instead of failing with a 500 server error.

Comments also added to indicate the expectation that the call to get_or_create succeeds.

[sc-7806]
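The behaviour the description above calls for, as an added illustration that is not DefectDojo's own code: the pre-fix lookup lets an unknown environment name escape as an unhandled exception (which an API layer turns into a 500), while the fixed lookup creates it when `auto_create_context` is set and otherwise rejects it as a client error. `EnvironmentStore`, `ValidationError` and `resolve_environment` are constructed names standing in for the model and serializer logic.

```python
from dataclasses import dataclass, field


class ValidationError(Exception):
    """Client-side error: the caller should see a 400, not a 500."""


@dataclass
class EnvironmentStore:
    # Constructed in-memory stand-in for the Development_Environment table.
    names: set = field(default_factory=set)

    def get_or_create(self, name: str) -> tuple:
        """Mirror the ORM get_or_create contract: (object, created)."""
        created = name not in self.names
        self.names.add(name)
        return name, created


def resolve_environment_before_fix(store: EnvironmentStore, name: str):
    """Pre-fix shape: an unknown name raises KeyError, which nothing catches.

    In a request handler an uncaught exception surfaces as a 500 server error.
    """
    if name not in store.names:
        raise KeyError(name)
    return name


def resolve_environment(store: EnvironmentStore, name, auto_create_context: bool):
    """Fixed shape: returns (environment, created) or raises ValidationError.

    Known name                          -> returned unchanged, created=False
    Unknown name + auto_create_context  -> created via get_or_create
    Unknown name + no auto-create       -> ValidationError (a 400), never a 500
    """
    # Validate the user-supplied value before touching the store.
    if not isinstance(name, str) or not name.strip():
        raise ValidationError("environment name must be a non-empty string")
    if name in store.names:
        return name, False
    if auto_create_context:
        # Expected to succeed: the name was validated and is not yet present.
        return store.get_or_create(name)
    raise ValidationError(
        f"environment {name!r} does not exist and auto_create_context is false"
    )
```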

@github-actions github-actions bot added the apiv2 label Oct 11, 2024

dryrunsecurity bot commented Oct 11, 2024

DryRun Security Summary

The pull request focuses on improving the documentation and functionality of the import and re-import features in the DefectDojo application, with security-relevant improvements such as better validation of user-supplied inputs and centralization of the auto-creation of product types, products, and engagements.


Summary:

The changes in this pull request are focused on improving the documentation and functionality of the import and re-import features in the DefectDojo application. The key changes include updates to the documentation to clarify the behavior of the auto_create_context parameter, as well as significant refactoring of the ImportScanSerializer and ReImportScanSerializer classes in the API.

From an application security perspective, the changes do not directly address any specific security vulnerabilities, but they do introduce several security-relevant improvements. These include better validation of user-supplied inputs, such as the scan_date and file fields, as well as the centralization of the auto-creation of product types, products, and engagements through the AutoCreateContextManager. Additionally, the handling of the push_to_jira flag helps to ensure that users have control over whether findings are pushed to JIRA, which can be an important security consideration.

Overall, the changes in this pull request appear to be focused on improving the usability and robustness of the import and re-import functionality in DefectDojo, which can indirectly benefit the application's security by helping users understand and properly utilize these features.

Files Changed:

  1. docs/content/en/integrations/importing.md: The documentation has been updated to clarify the behavior of the auto_create_context parameter and provide more information about the import and re-import functionality, including the availability of the do_not_reactivate option and the handling of the scan_date field.

  2. dojo/api_v2/serializers.py: This file has undergone significant refactoring, with the ImportScanSerializer and ReImportScanSerializer classes being consolidated into a common CommonImportScanSerializer class. The changes include improved validation of user-supplied inputs, the centralization of the auto-creation of product types, products, and engagements, and the handling of the push_to_jira flag.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@github-actions github-actions bot added the docs label Oct 11, 2024
@mtesauro mtesauro (Contributor) left a comment

Approved

@Maffooch Maffooch changed the title Fix for issue #10207 non-existent env import [sc-7806] Fix for issue #10207 non-existent env import Oct 15, 2024
@mtesauro mtesauro (Contributor) left a comment

Approved

@Maffooch Maffooch (Contributor) left a comment

I pulled this down and tested locally. Great job!

@mtesauro mtesauro merged commit c310a1f into bugfix Oct 19, 2024
75 checks passed

7 participants