
Ruff: add and fix FBT001 & FBT003 #10085

Merged
merged 1 commit into from
Aug 13, 2024

Conversation

@kiblik kiblik commented May 2, 2024

Implement fixes for 2 out of 3 FBT rules

https://docs.astral.sh/ruff/rules/#flake8-boolean-trap-fbt

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests integration_tests parser labels May 2, 2024

dryrunsecurity bot commented May 2, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 1 finding
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request cover a wide range of updates and improvements to the DefectDojo application, with a focus on enhancing the security and reliability of various components. The changes span multiple files and address various aspects of the application, including risk acceptance management, report generation, Jira integration, and parser functionality for different security scanning tools.

Key security-related improvements include:

  1. Improved handling of risk acceptance expirations, reinstatements, and deletions, ensuring the proper updating of findings and associated endpoints.
  2. Enhancements to the report generation functionality, including the ability to filter reports by host view and improved handling of findings, endpoints, and tracking parameters.
  3. Strengthened Jira integration, with better management of finding groups and the ability to push findings to Jira tickets.
  4. Refinements to various parsers, such as the Qualys Web Application Scan and StackHawk parsers, to ensure accurate handling of vulnerabilities, weaknesses, and false positives.
  5. Comprehensive unit testing to validate the security and reliability of the changes, including input validation, permissions handling, and data schema validation.

Overall, the changes in this pull request demonstrate a strong focus on improving the application's security posture, enhancing the accuracy and reliability of the data it manages, and providing a more secure and user-friendly experience for the application's users.

Files Changed:

  1. dojo/engagement/services.py: Updates the close_engagement function to include a push_to_jira parameter when calling the jira_helper.close_epic() function.
  2. dojo/importers/base_importer.py: Modifies the mitigate_finding method to include a finding_groups_enabled parameter, which ensures proper handling of finding groups when mitigating findings.
  3. dojo/finding/views.py: Updates the apply_cwe_mitigation function to include an update parameter, allowing the function to be called without updating the findings.
  4. dojo/importers/auto_create_context.py: Enhances the get_or_create_product and get_or_create_engagement functions to improve input validation, atomic transactions, and least-privilege access control.
  5. dojo/importers/default_importer.py and dojo/importers/default_reimporter.py: Updates the close_old_findings function to properly handle finding groups when closing old findings.
  6. dojo/importers/options.py: Modifies the validate method in the ImporterOptions class to use keyword-only arguments, improving the flexibility and maintainability of the input validation process.
  7. dojo/management/commands/push_to_jira_update.py: Updates the update_jira_issue() function call to pass a list containing a single boolean value, potentially improving the handling of Jira issue updates.
  8. dojo/metrics/utils.py: Enhances the metrics reporting functionality by allowing the inclusion or exclusion of closed findings and endpoints in the aggregated data.
  9. dojo/settings/.settings.dist.py.sha256sum and dojo/settings/settings.dist.py: Updates the configuration file template and its corresponding hash sum, indicating changes to the application's configuration settings.
  10. dojo/reports/views.py: Improves the report generation functionality by introducing a host_view parameter and enhancing the handling of various object types.
  11. dojo/risk_acceptance/helper.py: Enhances the risk acceptance management functionality, including expiring, reinstating, and deleting risk acceptances, as well as adding and removing findings from risk acceptances.
  12. dojo/tools/xanitizer/parser.py: Improves the formatting and presentation of security findings generated from Xanitizer scans.
  13. dojo/tools/blackduck_component_risk/parser.py: Enhances the handling of license-related risks and security vulnerabilities in the Blackduck Component Risk integration.
  14. dojo/tools/qualys_webapp/parser.py: Improves the handling of unique vulnerabilities, information gathering items, date formats, and severity mapping in the Qualys Web Application Scan integration.
  15. tests/announcement_banner_test.py: Adds test cases for the announcement banner feature, including the handling of dismissable and non-dismissable announcements, different styles, and HTML content.

Powered by DryRun Security
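As an added example (not code from this PR, from Ruff, or from DefectDojo), here is a deliberately simplified AST-based detector for what FBT001 and FBT003 flag, run over constructed before/after snippets whose function and parameter names echo the ones in the summary above (`mitigate_finding`, `push_to_jira`, `finding_groups_enabled`); Ruff's real rules carry further exemptions and cases. The second function shows why the keyword-only fix matters in a security tool: a transposed boolean that would otherwise silently change whether a finding is pushed to Jira becomes a TypeError at the call site.

```python
import ast


def find_boolean_traps(source: str) -> list[tuple[str, int, str]]:
    """Simplified FBT001/FBT003 detector: returns (rule, line, detail) tuples.

    FBT001: a positional (not keyword-only) parameter annotated ``bool``.
    FBT003: a bare ``True``/``False`` literal passed positionally in a call.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # kwonlyargs are exempt: callers must name them, so no trap.
            for arg in node.args.posonlyargs + node.args.args:
                ann = arg.annotation
                if isinstance(ann, ast.Name) and ann.id == "bool":
                    findings.append(("FBT001", arg.lineno, f"{node.name}({arg.arg})"))
        elif isinstance(node, ast.Call):
            # Only positional arguments count; keyword arguments are the fix.
            for a in node.args:
                if isinstance(a, ast.Constant) and isinstance(a.value, bool):
                    findings.append(("FBT003", a.lineno, ast.unparse(node.func)))
    return findings


# Constructed snippets modelled on the function names in the PR summary.
BEFORE = """
def mitigate_finding(finding, push_to_jira: bool, finding_groups_enabled: bool):
    ...

mitigate_finding(f, True, False)
"""

AFTER = """
def mitigate_finding(finding, *, push_to_jira: bool, finding_groups_enabled: bool):
    ...

mitigate_finding(f, push_to_jira=True, finding_groups_enabled=False)
"""


def keyword_only_rejects_positional() -> bool:
    """With positional params a transposed boolean runs silently; the ``*``
    form makes the same call raise TypeError instead."""
    def close_epic(engagement, *, push_to_jira: bool) -> bool:
        return push_to_jira
    try:
        close_epic("eng", True)  # the call shape FBT003 flags
    except TypeError:
        return True
    return False
```

Running `find_boolean_traps(BEFORE)` reports two FBT001 hits on the definition and two FBT003 hits on the call, while the keyword-only `AFTER` version reports nothing.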


github-actions bot commented May 6, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented May 6, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


github-actions bot commented Jun 3, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jul 4, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions bot added the apiv2 label Jul 4, 2024
@github-actions github-actions bot removed the apiv2 label Jul 4, 2024
@kiblik kiblik marked this pull request as ready for review July 4, 2024 22:34


dryrunsecurity bot commented Jul 12, 2024

DryRun Security Summary

The pull request covers a wide range of improvements to the DefectDojo application, including enhancements to risk acceptance management, security scan report parsing, and comprehensive testing of the application's core features, all focused on improving the security, reliability, and maintainability of the application.


Summary:

The code changes in this pull request cover a wide range of functionality within the DefectDojo application, including improvements to the handling of risk acceptances, the parsing of various security scan reports (Qualys, StackHawk, Blackduck), and the testing of the application's core features.

The changes demonstrate a strong focus on enhancing the application's security capabilities, such as:

  1. Improving the expiration, reinstatement, and deletion of risk acceptances, along with the associated updates to finding and endpoint statuses.
  2. Enhancing the parsing of security scan reports to extract more detailed and accurate information about vulnerabilities, including license and security risks.
  3. Expanding the test coverage to include edge cases, error handling, and security-related considerations (e.g., input validation, JIRA integration, handling of sensitive data).

Overall, the changes in this pull request appear to be focused on improving the security, reliability, and maintainability of the DefectDojo application, which is a critical tool for managing application security risks. The attention to detail and the comprehensive testing approach are commendable and should help ensure the ongoing security and integrity of the application.

Files Changed:

  1. dojo/importers/base_importer.py: Updates the mitigate_finding method to handle finding groups when mitigating findings.
  2. dojo/engagement/services.py: Ensures that the push_to_jira parameter is explicitly set when closing JIRA epics associated with engagements.
  3. dojo/finding/views.py: Enhances the apply_cwe_mitigation function to provide more flexibility in updating findings with CWE templates.
  4. dojo/importers/auto_create_context.py: Introduces a new auto_create_context parameter to automatically create products and engagements if they don't exist.
  5. dojo/importers/options.py: Improves the validation and handling of importer options.
  6. dojo/importers/default_importer.py: Ensures that the finding_groups_enabled flag is properly passed to the mitigate_finding function.
  7. dojo/importers/default_reimporter.py: Updates the close_old_findings method to correctly handle finding groups when mitigating findings.
  8. dojo/management/commands/push_to_jira_update.py: Modifies the update_jira_issue function call to include the appropriate parameters.
  9. dojo/reports/views.py: Introduces the host_view parameter to the generate_report function to control the report generation for endpoints or hosts.
  10. dojo/settings/.settings.dist.py.sha256sum: Updates the SHA-256 hash sum of the configuration file.
  11. dojo/metrics/utils.py: Optimizes the performance and functionality of the metrics-related features.
  12. dojo/settings/settings.dist.py: Enhances the configuration of the Celery message broker using environment variables.
  13. dojo/tools/qualys_webapp/parser.py: Improves the parsing and handling of Qualys WebApp Scan reports.
  14. dojo/risk_acceptance/helper.py: Enhances the management of risk acceptances, including expiration, reinstatement, and finding updates.
  15. dojo/tools/blackduck_component_risk/parser.py: Introduces a new parser for handling Blackduck Component Risk findings.
  16. dojo/tools/xanitizer/parser.py: Refactors the generate_description function in the Xanitizer parser to improve readability and maintainability.
  17. tests/announcement_banner_test.py: Adds test cases for the announcement banner feature, including input sanitization and UI behavior.
  18. tests/base_test_class.py: Updates the setup of the Chrome driver options for the test suite.
  19. ruff.toml: Adds new linting rules and exceptions to the Ruff configuration.
  20. unittests/test_apiv2_limit_reqresp.py: Enhances the test coverage for the API endpoint that handles request-response pairs.
  21. unittests/test_apply_finding_template.py: Adds test cases for the "apply_template_to_finding" functionality.
  22. `unittests/test

Code Analysis

We ran 9 analyzers against 27 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.


@kiblik kiblik closed this Jul 12, 2024
@kiblik kiblik reopened this Jul 12, 2024
@kiblik kiblik closed this Aug 8, 2024
@kiblik kiblik reopened this Aug 8, 2024
@mtesauro mtesauro left a comment


Approved


@mtesauro

@kiblik DOH! This one too. ☹️


@mtesauro mtesauro merged commit 6091ba4 into DefectDojo:dev Aug 13, 2024
73 checks passed
@kiblik kiblik deleted the ruff_fbt branch August 13, 2024 20:07