Add toggle to dictate enforcement of verified status (#11131)

* enforce verified initial changes

* fix views, migrations

* ruff life

* poor design, None used as value

* adding an if created another query?

* cleaner and removes most copy+paste

* add new test case

* Fix jira tests

* Fix ruff

* Add product grade test

---------

Co-authored-by: Cody Maffucci <[email protected]>

dojo/db_migrations/0218_system_settings_enforce_verified_status_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.0.9 on 2024-10-22 19:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0217_jira_project_enabled'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='system_settings',
+            name='enforce_verified_status',
+            field=models.BooleanField(default=True, help_text='When enabled, features such as product grading, jira integration, metrics, and reports will only interact with verified findings.', verbose_name='Enforce Verified Status'),
+        ),
+        migrations.AlterField(
+            model_name='jira_project',
+            name='push_all_issues',
+            field=models.BooleanField(blank=True, default=False, help_text='Automatically create JIRA tickets for verified findings, assuming enforce_verified_status is True, or for all findings otherwise. Once linked, the JIRA ticket will continue to sync, regardless of status in DefectDojo.'),
+        ),
+    ]

dojo/forms.py

@@ -3076,7 +3076,7 @@ def clean(self):
         elif self.cleaned_data.get("push_to_jira", None):
             active = self.finding_form["active"].value()
             verified = self.finding_form["verified"].value()
-            if not active or not verified:
+            if not active or (not verified and get_system_setting("enforce_verified_status", True)):
                 logger.debug("Findings must be active and verified to be pushed to JIRA")
                 error_message = "Findings must be active and verified to be pushed to JIRA"
                 self.add_error("push_to_jira", ValidationError(error_message, code="not_active_or_verified"))

dojo/github.py

@@ -123,7 +123,7 @@ def add_external_issue_github(find, prod, eng):
     github_conf = github_pkey.git_conf
 
     # We push only active and verified issues
-    if "Active" in find.status() and "Verified" in find.status():
+    if "Active" in find.status() and ("Verified" in find.status() and get_system_setting("enforce_verified_status", True)):
         eng = Engagement.objects.get(test=find.test)
         prod = Product.objects.get(engagement=eng)
         github_product_key = GITHUB_PKey.objects.get(product=prod)

dojo/jira_link/helper.py

@@ -145,9 +145,11 @@ def can_be_pushed_to_jira(obj, form=None):
 
         logger.debug("can_be_pushed_to_jira: %s, %s, %s", active, verified, severity)
 
-        if not active or not verified:
-            logger.debug("Findings must be active and verified to be pushed to JIRA")
-            return False, "Findings must be active and verified to be pushed to JIRA", "not_active_or_verified"
+        isenforced = get_system_setting("enforce_verified_status", True)
+
+        if not active or (not verified and isenforced):
+            logger.debug("Findings must be active and verified, if enforced by system settings, to be pushed to JIRA")
+            return False, "Findings must be active and verified, if enforced by system settings, to be pushed to JIRA", "not_active_or_verified"
 
         jira_minimum_threshold = None
         if System_Settings.objects.get().jira_minimum_severity:

dojo/management/commands/jira_async_updates.py

@@ -1,11 +1,11 @@
 import logging
 
 from django.core.management.base import BaseCommand
-from django.utils import timezone
 from jira.exceptions import JIRAError
 
 import dojo.jira_link.helper as jira_helper
 from dojo.models import Dojo_User, Finding, Notes, User
+from dojo.utils import get_system_setting, timezone
 
 """
 Author: Aaron Weaver
@@ -22,7 +22,11 @@ class Command(BaseCommand):
     def handle(self, *args, **options):
 
         findings = Finding.objects.exclude(jira_issue__isnull=True)
-        findings = findings.filter(verified=True, active=True)
+        if get_system_setting("enforce_verified_status", True):
+            findings = findings.filter(verified=True, active=True)
+        else:
+            findings = findings.filter(active=True)
+
         findings = findings.prefetch_related("jira_issue")
         # finding = Finding.objects.get(id=1)
         for finding in findings:

dojo/management/commands/push_to_jira_update.py

@@ -23,7 +23,10 @@ class Command(BaseCommand):
     def handle(self, *args, **options):
 
         findings = Finding.objects.exclude(jira_issue__isnull=True)
-        findings = findings.filter(verified=True, active=True)
+        if get_system_setting("enforce_verified_status", True):
+            findings = findings.filter(verified=True, active=True)
+        else:
+            findings = findings.filter(active=True)
 
         for finding in findings:
             logger.info("Checking issue:" + str(finding.id))

dojo/metrics/utils.py

@@ -109,8 +109,10 @@ def finding_queries(
     weekly_counts = query_counts_for_period(MetricsPeriod.WEEK, weeks_between)
 
     top_ten = get_authorized_products(Permissions.Product_View)
-    top_ten = top_ten.filter(engagement__test__finding__verified=True,
-                             engagement__test__finding__false_p=False,
+    if get_system_setting("enforce_verified_status", True):
+        top_ten = top_ten.filter(engagement__test__finding__verified=True)
+
+    top_ten = top_ten.filter(engagement__test__finding__false_p=False,
                              engagement__test__finding__duplicate=False,
                              engagement__test__finding__out_of_scope=False,
                              engagement__test__finding__mitigated__isnull=True,