
Add scm type to import-scan api method with auto_create_context #11055

Closed
wants to merge 6 commits into from

Conversation

dmarushkin
Contributor

Hi guys!

I use a private GitLab for my codebase. When I try to load any report into DefectDojo via the API import-scan with the auto_create_context option, it does not set scm-type for the new project, and the file links for findings in the UI do not render well.

So according to the docs I should capture the response for the loaded scan, parse the created project_id and send another request to api/v2/metadata/ with payload {"project": <captured_project_id>, "name": "scm-type", "value":"gitlab"}. That's not convenient at all )

Please consider this change with an additional field product_scm_type in the api/v2/import-scan API method. If you set auto_create_context, project and product_scm_type, it will create the meta field "scm-type" for the project together with the project itself, and the UI file links will be rendered fine according to the SCM used.
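The two-request workaround the post describes, as an added stdlib-only Python example (not DefectDojo's or the author's code): import with auto_create_context, read the created product's id from the response, then post the scm-type metadata. The response field `product_id`, the metadata field `product` (the post writes `project`), the `Token` auth scheme and the default product type name are assumptions to check against your instance's API docs.

```python
import json
import urllib.request
import uuid

def encode_multipart(fields, file_name, file_bytes):
    """Minimal multipart/form-data encoder so the script needs only the stdlib."""
    boundary = uuid.uuid4().hex
    body = b""
    for key, val in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{key}"\r\n\r\n{val}\r\n'.encode()
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
             f'filename="{file_name}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
    body += file_bytes + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body

def metadata_payload(import_response, scm_type):
    """Body for POST /api/v2/metadata/ built from the import-scan response.
    Assumption: the response carries the created product's id as `product_id`."""
    product_id = import_response.get("product_id")
    if not isinstance(product_id, int) or product_id <= 0:
        raise ValueError("import-scan response has no usable product_id")
    if not isinstance(scm_type, str) or not scm_type.strip():
        raise ValueError("scm_type must be a non-empty string")
    return {"product": product_id, "name": "scm-type", "value": scm_type.strip()}

def _post(url, token, data, content_type):
    """Authenticated POST; assumes DefectDojo API v2's 'Authorization: Token <key>' scheme."""
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Authorization": f"Token {token}", "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def import_with_scm_type(base_url, token, report_path, scan_type, product_name,
                         engagement_name, scm_type, product_type_name="Research and Development"):
    """Step 1: import-scan with auto_create_context. Step 2: attach scm-type to the product."""
    fields = {"scan_type": scan_type, "product_type_name": product_type_name,
              "product_name": product_name, "engagement_name": engagement_name,
              "auto_create_context": "true"}
    with open(report_path, "rb") as fh:
        ctype, body = encode_multipart(fields, report_path.rsplit("/", 1)[-1], fh.read())
    imported = _post(f"{base_url}/api/v2/import-scan/", token, body, ctype)
    meta = _post(f"{base_url}/api/v2/metadata/", token,
                 json.dumps(metadata_payload(imported, scm_type)).encode(), "application/json")
    return imported, meta

if __name__ == "__main__":
    # Placeholders: point at your instance, load the token from the environment, pick a real scan type.
    import_with_scm_type("https://defectdojo.example", "<API_TOKEN>", "report.json",
                         "<SCAN_TYPE>", "my-service", "nightly", "gitlab")
```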

@github-actions github-actions bot added the apiv2 label Oct 12, 2024
@dmarushkin dmarushkin changed the title Add scm type Add scm type to import-scan api method with auto_create_context Oct 12, 2024
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.


dryrunsecurity bot commented Oct 12, 2024

DryRun Security Summary

The pull request enhances the Defect Dojo application by adding support for handling the product's source code management (SCM) type, improving validation, enabling engagement deduplication, and adding an optional product_scm_type field to the API's ImportScanView class.


Summary:

The code changes in this pull request focus on enhancing the functionality of the Defect Dojo application, particularly in the areas of import and reimport processes. The key changes include:

  1. New Functionality: The AutoCreateContextManager class now supports handling the product_scm_type field, which allows the system to store the source code management (SCM) type for a product.
  2. Validation Improvements: The code includes validation steps to ensure that the product_scm_type field is a valid string.
  3. Engagement Deduplication: The get_or_create_engagement method now accepts a deduplication_on_engagement parameter, which can be used to enable deduplication of engagements based on the product and engagement name.
  4. API Changes: The ImportScanView class in the API now includes an optional product_scm_type field, allowing users to specify the SCM type of the product when importing a scan report.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. However, it's important to ensure that the input validation and sanitization processes throughout the application, especially in areas handling user-provided data, are robust and secure to mitigate risks such as SQL injection or cross-site scripting (XSS) attacks.

Files Changed:

  1. dojo/importers/auto_create_context.py: This file contains changes related to the AutoCreateContextManager class, which is responsible for managing the safe fetching and creation of various resources used in the import and reimport processes. The changes include adding support for the product_scm_type field, improving validation, and enabling engagement deduplication.
  2. dojo/api_v2/views.py: The changes in this file add an optional product_scm_type field to the ImportScanView class, allowing users to specify the SCM type of the product when importing a scan report.
  3. dojo/api_v2/serializers.py: This file includes the addition of a new product_scm_type field to the ImportScanSerializer class, which is responsible for handling the data submitted during the import of a scan report.

Code Analysis

We ran 9 analyzers against 3 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 10 findings
Authn/Authz Analyzer 1 finding

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch
Contributor

Hi @dmarushkin thank you for your contribution! Though I like the approach you took, keeping the auto create context relevant to the necessities that the test and findings need is crucial in making this feature maintainable and easy to understand for newcomers.

@dmarushkin
Contributor Author

dmarushkin commented Oct 17, 2024

@Maffooch Actually I looked for a way to set a default scm-type for all new projects in system settings, and the way to set it for each particular project in meta-vars looks counter-intuitive... Adding it in the autocreate context was the smaller change.

What do you think about adding scm-type as another row in system settings, as a drop-down list of supported options with a default value? In finding render the first choice is the value from metavars, the second is the one from settings.

@Maffooch
Contributor

I think it may be better to stick with the workaround that you proposed earlier for this particular use case:

> So according to the docs I should capture the response for the loaded scan, parse the created project_id and send another request to api/v2/metadata/ with payload {"project": <captured_project_id>, "name": "scm-type", "value":"gitlab"}.

@dmarushkin
Contributor Author

Ok, not a problem, thanks for your time here )

@dmarushkin dmarushkin closed this Oct 27, 2024
@dmarushkin dmarushkin deleted the add_scm_type branch October 27, 2024 15:01