Description
We have an automation to create Risk Acceptances via the API (i.e. using endpoint api/v2/risk_acceptance/). For that we are using the following payload:
{
    "name": "Test Risk Acceptance",
    "recommendation": "A",
    "recommendation_details": "This is just a test risk acceptance",
    "decision": "A",
    "decision_details": "This is just a test risk acceptance",
    "accepted_by": "example@example.com",
    "expiration_date": "2025-06-30T09:49:52.017Z",
    "reactivate_expired": true,
    "restart_sla_expired": false,
    "owner": 8,
    "accepted_findings": [
        234564
    ]
}
By DefectDojo design, Risk Acceptances are part of an Engagement. In the Engagement view, there's a section that lists all Risk Acceptances that are part of that Engagement. However, when a Risk Acceptance is created via the API, that Risk Acceptance will not be listed under the list of Risk Acceptances for that Engagement.
On the other hand, when a Risk Acceptance is created via the UI, by clicking the + button (see screenshot below), it works as expected and the Risk Acceptance is listed.
Can we please have the same behavior as the UI when creating Risk Acceptances via the API?
This issue probably arises because the API uses the default DRF behavior for creating Risk Acceptances, relying on the serializer without custom logic, while the UI method add_risk_acceptance includes additional logic for handling related objects.