Skip to content

risk acceptance expiration: keep link with findings #12737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: dev
Choose a base branch
from
Open

risk acceptance expiration: keep link with findings #12737

wants to merge 5 commits into from

Conversation

valentijnscholten
Copy link
Member

@valentijnscholten valentijnscholten commented Jul 2, 2025
edited
Loading

Partially reverts #11401 to not remove findings from a Risk Acceptance when it expires.

The change to process_resolution_from_jira is just a code readability improvement.

The change to view_eng.html makes the number of findings cell in the Risk Acceptance table clickable.

The main reason for #11401 in january was to make sure expired risk acceptances were getting reflected in JIRA, so this PR adds some calls for that.

The PR also triggers a JIRA sync after a simple risk accept.

The PR also makes some changes to move the save() call out of the jira helper class.

[sc-11552]

@github-actions github-actions bot added the ui label Jul 2, 2025
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jul 2, 2025
edited
Loading

DryRun Security

This pull request contains a potential authorization bypass vulnerability in the Jira resolution processing logic, where an attacker could potentially manipulate risk acceptance without proper authorization review, located in the dojo/jira_link/helper.py file.

Authorization Bypass in dojo/jira_link/helper.py
Vulnerability Authorization Bypass
Description In the Jira resolution processing logic, the code allows marking a finding as risk accepted based on Jira resolution name and configuration flags. This could allow an attacker to manipulate risk acceptance without proper authorization review.

django-DefectDojo/dojo/jira_link/helper.py

Lines 1769 to 1782 in ffe989c

jira_instance = get_jira_instance(finding)
if resolved:
if (
jira_instance
and resolution_name in jira_instance.accepted_resolutions
and (
finding.test.engagement.product.enable_simple_risk_acceptance
or finding.test.engagement.enable_full_risk_acceptance
)
):
if not finding.risk_accepted:
logger.debug(f"Marking related finding of {jira_issue.jira_key} as accepted.")
finding.risk_accepted = True

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten marked this pull request as draft July 2, 2025 21:14
@valentijnscholten valentijnscholten force-pushed the risk-acceptance-dont-break-link branch from 11281ad to 8dd0306 Compare July 3, 2025 16:10
@github-actions github-actions bot added docker New Migration Adding a new migration file. Take care when merging. settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests parser helm lint labels Jul 3, 2025
@valentijnscholten valentijnscholten changed the base branch from bugfix to dev July 3, 2025 16:15
@github-actions github-actions bot removed docker New Migration Adding a new migration file. Take care when merging. settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests parser helm lint labels Jul 3, 2025
@valentijnscholten valentijnscholten force-pushed the risk-acceptance-dont-break-link branch from 8dd0306 to 5a371f0 Compare July 3, 2025 17:38
@valentijnscholten valentijnscholten added this to the 2.49.0 milestone Jul 3, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review July 3, 2025 18:03
hblankenship
hblankenship approved these changes Jul 11, 2025
View reviewed changes
@Maffooch Maffooch requested a review from dogboat July 11, 2025 23:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hblankenship hblankenship hblankenship approved these changes

@Maffooch Maffooch Maffooch approved these changes

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

@blakeaowens blakeaowens Awaiting requested review from blakeaowens

@dogboat dogboat Awaiting requested review from dogboat

At least 4 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
ui unittests
Projects
None yet
Milestone
2.49.0
Development

Successfully merging this pull request may close these issues.
3 participants
@valentijnscholten @hblankenship @Maffooch