
Add a filter for Findings for Has Any JIRA (grouped or single) #11313

Merged
merged 4 commits into from
Dec 3, 2024

Conversation

hblankenship
Collaborator

[sc-4131]

Added a filter for Has Any JIRA which will filter the findings on having group jira or jira_issue. This will also allow a dashboard tile to exist that shows all findings with any type of JIRA issue.


dryrunsecurity bot commented Nov 22, 2024

DryRun Security Summary

The pull request introduces a new filter called FindingHasJIRAFilter in the dojo/filters.py file, which allows users to filter findings based on whether they have a JIRA issue associated with them, and the key points of interest are the potential performance impact, the importance of ensuring proper access control, and the need for a consistent user experience.


Summary:

The code changes in this pull request introduce a new filter called FindingHasJIRAFilter to the dojo/filters.py file. This filter allows users to filter findings based on whether they have a JIRA issue associated with them or not. From an application security perspective, this is a useful feature that can help security teams better manage and track their findings.

The key points of interest are the potential performance impact of the new filter, the importance of ensuring proper access control, and the need for a consistent user experience. The code appears to be using the get_authorized_findings function to handle access control, which is a good practice. However, it's important to ensure that the filter is optimized and that the database queries are efficient, especially for large datasets. Additionally, the integration of the new filter should provide a seamless and consistent experience for the users.

Files Changed:

  • dojo/filters.py: This file has been updated to include a new filter called FindingHasJIRAFilter. This filter allows users to filter findings based on whether they have a JIRA issue associated with them or not. The key points of interest from an application security perspective are the potential performance impact, the importance of ensuring proper access control, and the need for a consistent user experience.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.


dojo/filters.py (outdated), comment on lines 245 to 246:

    def all_items(self, qs, name):
        return qs.filter(Q(jira_issue=None) | Q(finding_group__jira_issue=None))
Contributor


This will only return Findings that are either missing jira_issue or missing finding_group__jira_issue. Shouldn't it simply return everything, unfiltered?

Contributor

@Maffooch Maffooch Nov 27, 2024


This function is only called when the input supplied does not match what is expected, and low key sorta fails. I believe the thought process is along the lines of "if something unexpected happens, removing all findings with jira links would be a good indicator". This is just me speculating though. Would need @hblankenship to confirm.

On the other side, returning all results (as if the filter was never applied) is a totally valid approach as well

Collaborator Author


I apologize for not getting to this earlier. Testing shows that the option returns the same thing that not applying the filter returns. The reason it returns them all, despite what it looks like, is that jira_issue is None for finding_group__jira_issue findings and finding_group__jira_issue is None for jira_issue items. I have modified it to just return without filtering to alleviate the confusion.
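As an added example (not code from this PR or from DefectDojo), a plain-Python model of the predicate logic argued over above. It assumes a yes/no/unspecified choice filter and the invariant the author states, that a finding carries a JIRA link either directly or through its group, never both; the `Finding` class and sample keys are constructed stand-ins for the ORM.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    """Constructed stand-in for the Finding model: only the two JIRA-bearing
    relations the filter inspects (jira_issue and finding_group__jira_issue)."""
    name: str
    jira_issue: Optional[str] = None                 # JIRA key linked directly to the finding
    finding_group_jira_issue: Optional[str] = None   # JIRA key on the finding's group


def has_any_jira(f: Finding) -> bool:
    """Has Any JIRA: a link on the finding itself or on its group."""
    return f.jira_issue is not None or f.finding_group_jira_issue is not None


def filter_has_any_jira(findings: List[Finding], value: Optional[str]) -> List[Finding]:
    """Yes keeps findings with any JIRA link, No keeps findings with none, and any
    other value returns the input unfiltered (the fallback the author settled on)."""
    if value == "yes":
        return [f for f in findings if has_any_jira(f)]
    if value == "no":
        return [f for f in findings if not has_any_jira(f)]
    return list(findings)


def legacy_fallback(findings: List[Finding]) -> List[Finding]:
    """The fallback as originally written:
    Q(jira_issue=None) | Q(finding_group__jira_issue=None).
    Under the stated invariant one side of the OR is always true, so this is the
    identity on real data. It only diverges from "unfiltered" for a finding that
    somehow carries both links, which it silently drops."""
    return [f for f in findings if f.jira_issue is None or f.finding_group_jira_issue is None]


# Constructed sample data: the three shapes the invariant allows, plus the
# edge case that separates legacy_fallback from a true no-op.
SAMPLE = [
    Finding("sqli", jira_issue="SEC-101"),
    Finding("xss", finding_group_jira_issue="SEC-200"),
    Finding("weak-cipher"),
    Finding("both-links", jira_issue="SEC-300", finding_group_jira_issue="SEC-301"),
]

if __name__ == "__main__":
    print([f.name for f in filter_has_any_jira(SAMPLE, "yes")])
    print([f.name for f in legacy_fallback(SAMPLE)])
```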

Contributor

@mtesauro mtesauro left a comment


Approved

Under the assumption that the pending comment from @cneill is resolved

@Maffooch Maffooch merged commit 6c1d1d6 into bugfix Dec 3, 2024
75 checks passed
@Maffooch Maffooch deleted the hb-jira-any-filter branch December 3, 2024 16:02