SLA Config: Add new config that does not enforce SLA

[Maffooch]

It would be nice ship dojo with an SLA config that easily omits SLA configs on a per product basis

[sc-7952]

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on updating the Service Level Agreement (SLA) configuration and the initialization process for the DefectDojo application, with a focus on enhancing the overall security posture of the application.

Expand for full summary

Summary:

The code changes in this pull request are primarily focused on the application's Service Level Agreement (SLA) configuration and the initialization process for the DefectDojo application. The changes do not introduce any obvious security concerns, but there are a few security-related aspects that should be considered.

The changes to the dojo/fixtures/sla_configurations.json file introduce two new SLA configurations: a "Default SLA Configuration" and a "No SLA Enforced" configuration. While these changes do not directly impact the security of the application, it's important to ensure that the ability to create, modify, or delete SLA configurations is properly restricted to authorized users or roles. Additionally, the SLA configurations should be carefully reviewed to prevent the risk of denial of service due to unrealistic or overly restrictive response times.

The changes to the docker/entrypoint-initializer.sh file focus on the secure initialization and configuration of the DefectDojo application. The script ensures that the admin user is created securely, generates a random password, and configures the JIRA webhook secret and auditlog settings. These security-focused changes help to enhance the overall security posture of the application.

Files Changed:

1. dojo/fixtures/sla_configurations.json:

   • This file contains the configuration settings for Service Level Agreement (SLA) within the application.
   • The changes introduce two new SLA configurations: a "Default SLA Configuration" and a "No SLA Enforced" configuration.
   • The "Default SLA Configuration" sets the SLA response times and enforces the SLA, while the "No SLA Enforced" configuration sets the SLA response times but does not enforce them.
   • From a security perspective, it's important to ensure that the ability to create, modify, or delete SLA configurations is properly restricted, and that the configurations do not introduce a risk of denial of service.

2. docker/entrypoint-initializer.sh:

   • This script is responsible for initializing and configuring the DefectDojo application.
   • The changes add a new fixture, sla_configurations, to the list of fixtures that are imported during the initialization process.
   • The script also updates the dojo_system_settings table to set the jira_webhook_secret value, which is a security-sensitive operation.
   • The script ensures that the admin user is created securely, generates a random password, and configures the JIRA webhook secret and auditlog settings, all of which are important security-related aspects.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[mtesauro]

Approved