
Ruff: Fix issues via "target-version" #10846

Merged
merged 1 commit into from
Oct 9, 2024

Conversation

kiblik

@kiblik kiblik commented Sep 2, 2024

Set "target-version" and auto-fix related parts


dryrunsecurity bot commented Sep 2, 2024

DryRun Security Summary

The pull request focuses on improving the functionality and security of various components within the DefectDojo application, including finding management, risk acceptance, report generation, remote user authentication, and the handling of security scan results from various tools.


Summary:

The code changes in this pull request focus on improving the functionality and security of various components within the DefectDojo application. The changes cover a wide range of areas, including finding management, risk acceptance, report generation, remote user authentication, and the handling of security scan results from various tools.

From an application security perspective, the key improvements include:

  1. Enhancing the handling of findings, such as better tracking of accepted risks, improved JIRA integration, and more robust deduplication and processing of scan results.
  2. Strengthening the security of the risk acceptance functionality, including better validation and authorization controls.
  3. Improving the security and reliability of the report generation process, with better input validation and character limit handling.
  4. Implementing a secure remote user authentication mechanism that only allows access from trusted proxy servers.
  5. Ensuring that the parsing and processing of security scan results, such as from Checkmarx One, Nmap, and SARIF, is done in a secure and robust manner.

Overall, the changes in this pull request demonstrate a strong focus on improving the application's security posture, maintainability, and reliability. The application security engineer should continue to review the entire codebase and monitor for any potential security vulnerabilities or areas for further improvement.

Files Changed:

  1. dojo/api_v2/serializers.py: The changes introduce a new function to ensure that findings being added to a risk acceptance have the same engagement, which helps maintain the integrity of the risk acceptance process.
  2. dojo/apps.py: The changes update the condition for selecting default fields to be indexed by the Watson search engine, which does not introduce any direct security concerns.
  3. dojo/engagement/views.py: The changes enhance the engagement management functionality, including the handling of risk acceptance, threat models, and JIRA integration, with a focus on security-related aspects such as permissions and authorization.
  4. dojo/home/views.py: The changes in this file are minor and do not introduce any significant security concerns.
  5. dojo/finding/views.py: The changes improve the finding management functionality, including the handling of accepted risks, JIRA and GitHub integration, and bulk updates, with a strong emphasis on security-related aspects.
  6. dojo/importers/auto_create_context.py: The changes enhance the handling of resources during the import and reimport processes, with a focus on input validation, transaction management, and access control.
  7. dojo/importers/default_importer.py: The changes improve the processing of findings during the import process, including the handling of deduplication, closing of old findings, and asynchronous processing.
  8. dojo/importers/endpoint_manager.py: The changes enhance the management of endpoints associated with findings, including the use of asynchronous processing and endpoint status updates.
  9. dojo/importers/default_reimporter.py: The changes improve the reimport process, including the handling of deduplication, finding status updates, and asynchronous processing.
  10. dojo/metrics/utils.py: The changes improve the functionality and maintainability of the metrics-related code, without introducing any obvious security concerns.
  11. dojo/importers/options.py: The changes enhance the handling of data types and compression/decompression of model objects within the ImporterOptions class, which can have indirect security benefits.
  12. dojo/models.py: The changes improve the performance and efficiency of the components property in the Finding model, without introducing any security concerns.
  13. dojo/remote_user.py: The changes implement a secure remote user authentication mechanism, with appropriate checks and configurations to ensure that the authentication process is only performed for trusted sources.
  14. dojo/risk_acceptance/api.py: The changes enhance the risk acceptance functionality, including better tracking of accepted risks and the handling of inactive and risk-accepted findings.
  15. dojo/reports/views.py: The changes improve the report generation process, including better URL handling and character limit management, which can help mitigate potential security issues.
  16. dojo/system_settings/views.py: The changes enhance the validation logic for the system settings form, helping to prevent potential security issues or unexpected behavior.
  17. dojo/tools/appcheck_web_application_scanner/engines/appcheck.py: The changes improve the handling of request and response data in the AppCheck scanning engine parser.
  18. dojo/test/views.py: The changes are mostly related to refactoring and improving the type annotations, without

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer: Authn/Authz Analyzer
Findings: 7

Riskiness

🟢 Risk threshold not exceeded.



This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik force-pushed the ruff_target-version branch from 0098323 to 125fce2 Compare September 16, 2024 20:23

Conflicts have been resolved. A maintainer will review the pull request shortly.


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.


@mtesauro mtesauro left a comment


Approved


This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik force-pushed the ruff_target-version branch from d6cb3c5 to c86ef2a Compare September 27, 2024 18:39

Conflicts have been resolved. A maintainer will review the pull request shortly.


mtesauro commented Oct 3, 2024

@kiblik We got the 4 approvals for this one - just the merge conflicts and we're good to go 👍

@kiblik kiblik force-pushed the ruff_target-version branch from d045e72 to d806751 Compare October 8, 2024 12:51

github-actions bot commented Oct 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro merged commit bd507d3 into DefectDojo:dev Oct 9, 2024
73 checks passed
@kiblik kiblik deleted the ruff_target-version branch October 9, 2024 22:24