disallow already linked issue #11298

Merged
merged 3 commits into bugfix from hb-jira-mapping-api-fix
Dec 3, 2024

Conversation

hblankenship (Collaborator)

[sc-5525]

Fixes #9930

When using the jira_finding_mappings API endpoint, trying to update a finding's Jira mapping with a Jira issue that is already assigned to another finding will now raise a validation error.

@github-actions github-actions bot added the apiv2 label Nov 20, 2024

dryrunsecurity bot commented Nov 20, 2024

DryRun Security Summary

Summary:

The code changes in this pull request focus on improving the management and validation of JIRA issue links within the Defect Dojo application. The changes introduce a new function to check if a finding is already linked to a specific JIRA issue and add a validation check to the JIRAIssueSerializer to prevent the creation of duplicate JIRA issue links. These changes are important security measures that help maintain the integrity and consistency of the data within the application.

While the changes do not directly introduce any obvious security vulnerabilities, it's essential to ensure that any database queries and user input are properly sanitized and validated to prevent potential security issues, such as SQL injection attacks. Additionally, the other serializers in the dojo/api_v2/serializers.py file should be reviewed periodically to ensure that they continue to provide appropriate validation and security measures for the various data models used in the Defect Dojo application.

Files Changed:

  1. dojo/jira_link/helper.py:

    • A new function jira_already_linked() has been added to check if a finding is already linked to a specific JIRA issue.
    • The function queries the JIRA_Issue model and excludes any JIRA issues associated with an engagement, ensuring that only direct finding-to-JIRA issue links are considered.
    • This change helps maintain the integrity of the relationship between findings and JIRA issues.
  2. dojo/api_v2/serializers.py:

    • A validation check has been added to the JIRAIssueSerializer to ensure that if a finding is provided, the JIRA issue represented by the jira_key and jira_id fields is not already linked to another finding.
    • This change prevents the creation of duplicate JIRA issue links, improving the overall data integrity and security of the system.
    • The file contains numerous other serializers used throughout the Defect Dojo application, covering a wide range of functionality, which should be reviewed periodically to ensure appropriate validation and security measures.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

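An added illustration of the check described in the PR description and in the summary above (example code, not code from this pull request or from DefectDojo itself): an in-memory stand-in for the JIRA_Issue table, a jira_already_linked() helper that ignores engagement-level issues and returns the finding that already holds the Jira issue, and a serializer-style validate step that raises a validation error when that finding is a different one. The names finding, engagement, jira_id, jira_key, jira_already_linked and JIRAIssueSerializer come from the page; the matching rule (jira_id or jira_key), letting a finding be re-linked to its own issue, and the plain-Python ValidationError stand-in are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


class ValidationError(Exception):
    """Stand-in for rest_framework's ValidationError (assumption of this example)."""


@dataclass
class Finding:
    id: int
    title: str


@dataclass
class Engagement:
    id: int


@dataclass
class JIRAIssue:
    """Minimal stand-in for the JIRA_Issue model: an issue is attached either to a
    finding (direct link) or to an engagement (engagement-level issue)."""
    jira_id: str
    jira_key: str
    finding: Optional[Finding] = None
    engagement: Optional[Engagement] = None


# Constructed sample data standing in for rows in the JIRA_Issue table.
FINDING_A = Finding(1, "SQL injection in login form")
FINDING_B = Finding(2, "Reflected XSS in search")
FINDING_C = Finding(3, "Weak TLS configuration")
ENGAGEMENT = Engagement(10)

JIRA_ISSUES = [
    JIRAIssue("10001", "SEC-1", finding=FINDING_A),       # direct finding-to-issue link
    JIRAIssue("10002", "SEC-2", engagement=ENGAGEMENT),  # engagement-level issue, not a finding link
]


def jira_already_linked(finding, jira_id, jira_key, issues=JIRA_ISSUES):
    """Return the finding that already owns the Jira issue identified by
    jira_id / jira_key, or None if no *other* finding holds it.

    Engagement-level issues are skipped so that only direct finding links count,
    as the PR summary describes. Returning the whole finding (not just its id)
    follows the reviewer's suggestion in the thread. Matching on either
    identifier and ignoring the caller's own finding are assumptions here."""
    for issue in issues:
        if issue.engagement is not None:
            continue  # engagement-level issue: not a finding mapping
        if issue.finding is None or issue.finding.id == finding.id:
            continue  # unlinked, or already this very finding: re-linking is fine
        if issue.jira_id == jira_id or issue.jira_key == jira_key:
            return issue.finding
    return None


def validate_jira_mapping(data, issues=JIRA_ISSUES):
    """Serializer-style validate(): when a finding is supplied, reject a mapping
    whose Jira issue is already linked to a different finding."""
    finding = data.get("finding")
    if finding is not None:
        owner = jira_already_linked(finding, data["jira_id"], data["jira_key"], issues)
        if owner is not None:
            raise ValidationError(
                f"Jira issue {data['jira_key']} is already linked to finding "
                f"{owner.id} ({owner.title})"
            )
    return data


def mapping_is_rejected(data, issues=JIRA_ISSUES):
    """True if validate_jira_mapping() raises for this payload, else False."""
    try:
        validate_jira_mapping(data, issues)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Attempt to point finding B at the issue that finding A already owns.
    payload = {"finding": FINDING_B, "jira_id": "10001", "jira_key": "SEC-1"}
    print("rejected:", mapping_is_rejected(payload))
```

The engagement-level exclusion matters: an issue created for an engagement is not a finding mapping, so without that filter a legitimate first link of a finding to such an issue would be refused. The same-finding exception keeps an idempotent PUT of an existing mapping from failing.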

@Maffooch Maffooch (Contributor) left a comment

Updated the function to return the whole finding rather than just the ID. It could be useful in the future.

Review threads (outdated, resolved): dojo/jira_link/helper.py, dojo/api_v2/serializers.py
@mtesauro mtesauro (Contributor) left a comment

Approved

@Maffooch Maffooch merged commit cdc060e into bugfix Dec 3, 2024
75 checks passed
@Maffooch Maffooch deleted the hb-jira-mapping-api-fix branch December 3, 2024 16:04