
fix(Risk_Acceptance): Remove redundancy in strings of Treatments #10361

Merged: 1 commit merged into DefectDojo:dev from risk_acc_treatments on Jun 21, 2024

Conversation

@kiblik (Contributor) commented Jun 7, 2024

Make strings translatable and remove redundancy


dryrunsecurity bot commented Jun 7, 2024

Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

DryRun Security Status          Findings
Configured Codepaths Analyzer   0 findings
IDOR Analyzer                   0 findings
Sensitive Files Analyzer        0 findings
SQL Injection Analyzer          0 findings
Authn/Authz Analyzer            0 findings
Secrets Analyzer                0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be focused on enhancing the risk acceptance functionality in the DefectDojo application. The key changes include updating the TREATMENT_CHOICES field to use a more descriptive dictionary, adding new fields to capture the security team's recommendation and the risk owner's decision, allowing the upload of proof documents, specifying the risk owner, and introducing expiration handling features for risk acceptances.

From an application security perspective, these changes are positive as they provide more structure and control around the risk acceptance process. The ability to capture the security team's recommendation, the risk owner's decision, and supporting documentation can help organizations better manage and track their risk acceptance decisions. Additionally, the expiration handling features, such as automatically reactivating findings and restarting SLAs when a risk acceptance expires, can help ensure that risks are properly reevaluated and addressed over time, improving the overall security posture of the organization.

Files Changed:

  • dojo/models.py: This file contains the Risk_Acceptance model, which has been updated with the following changes:
    • The TREATMENT_CHOICES field has been updated to use the TREATMENT_TRANSLATIONS dictionary to provide more descriptive choices.
    • New fields have been added, including recommendation, recommendation_details, decision, decision_details, path, owner, expiration_date, expiration_date_warned, expiration_date_handled, reactivate_expired, restart_sla_expired, and notes.
    • These changes enhance the risk acceptance functionality by allowing the capture of the security team's recommendation, the risk owner's decision, supporting documentation, risk ownership, and expiration handling features.

Powered by DryRun Security

@kiblik kiblik marked this pull request as ready for review June 10, 2024 11:46
@Maffooch (Contributor) commented:

Have you checked if the API needs to be updated? I cannot tell without doing some testing

https://github.com/DefectDojo/django-DefectDojo/blob/501d172aee0c165c8ed8efe1c9fe496a006f437b/dojo/api_v2/serializers.py#L1479C1-L1485C72

@kiblik kiblik force-pushed the risk_acc_treatments branch from 468d38c to d028dc7 Compare June 14, 2024 07:40
@kiblik kiblik closed this Jun 14, 2024
@kiblik kiblik reopened this Jun 14, 2024
@mtesauro (Contributor) left a review: Approved

@kiblik (Contributor, Author) commented Jun 15, 2024

> Have you checked if the API needs to be updated? I cannot tell without doing some testing
>
> https://github.com/DefectDojo/django-DefectDojo/blob/501d172aee0c165c8ed8efe1c9fe496a006f437b/dojo/api_v2/serializers.py#L1479C1-L1485C72

Yes, it works.

@kiblik (Contributor, Author) commented Jun 15, 2024

Btw, Django 5.0 supports a more flexible form (not just a list of tuples but also a dict).
After upgrading to 5.0 I would rewrite all models to dicts like here.
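
The pattern this PR applies to TREATMENT_CHOICES (one translations dict as the single source of the choice labels), the Django 5.0 dict form mentioned above, and the question of whether the API serializer stays in step, as an added Python example. This is illustrative code, not DefectDojo's dojo/models.py or serializers.py: the treatment codes and label texts are made up, Python's gettext stands in for Django's gettext_lazy, and validate_api_payload is a hypothetical serializer-style check that assumes the recommendation and decision fields named in the summary use the same treatment choices.

```python
"""Added example (not DefectDojo's code): derive Django-style ``choices``
from one translations dict so the model field, forms and the API
serializer all validate against the same closed set of treatment codes.
The codes and label texts below are assumptions, not the project's."""

from gettext import gettext as _  # stand-in for django.utils.translation.gettext_lazy

# Hypothetical treatment codes; DefectDojo defines its own constants.
TREATMENT_ACCEPT = "A"
TREATMENT_AVOID = "V"
TREATMENT_MITIGATE = "M"
TREATMENT_FIX = "F"
TREATMENT_TRANSFER = "T"

# Single source of truth: code -> translatable label. Every other structure
# is derived from this dict, so each label is written (and translated) once.
TREATMENT_TRANSLATIONS = {
    TREATMENT_ACCEPT: _("Accept (the risk is acknowledged and remains)"),
    TREATMENT_AVOID: _("Avoid (stop the activity that creates the risk)"),
    TREATMENT_MITIGATE: _("Mitigate (compensating controls reduce the risk)"),
    TREATMENT_FIX: _("Fix (the risk is removed)"),
    TREATMENT_TRANSFER: _("Transfer (a third party carries the risk)"),
}

# Django < 5.0 form: a list of (value, label) tuples, built from the dict
# instead of repeating the label strings by hand.
TREATMENT_CHOICES = list(TREATMENT_TRANSLATIONS.items())

# Django 5.0 form: the dict itself can be passed as ``choices``.
TREATMENT_CHOICES_DJANGO5 = TREATMENT_TRANSLATIONS


def normalize_choices(choices):
    """Return value -> label for either the dict form or the tuple form.

    Anything that validates user input (a serializer, a form clean method)
    should go through this so both forms behave identically.
    """
    if isinstance(choices, dict):
        return dict(choices)
    return {value: label for value, label in choices}


def validate_treatment(value, choices=TREATMENT_CHOICES):
    """Mimic Django's field-level choice validation: reject any value that
    is not a declared code. Returns the value unchanged when valid."""
    allowed = normalize_choices(choices)
    if value not in allowed:
        raise ValueError(f"'{value}' is not a valid treatment choice")
    return value


def treatment_label(value, choices=TREATMENT_CHOICES):
    """Display label for a stored code. Unknown codes echo back unchanged so
    a template does not crash on legacy rows, but no label is invented."""
    return str(normalize_choices(choices).get(value, value))


def validate_api_payload(payload, fields=("recommendation", "decision")):
    """Hypothetical serializer-style check for a risk-acceptance payload.

    Both fields are assumed to use the treatment choices; validating them
    through the same dict as the model is what keeps the API in step with
    the model when the choices change. Returns only the validated fields.
    """
    cleaned = {}
    for name in fields:
        if name in payload:
            cleaned[name] = validate_treatment(payload[name])
    return cleaned


if __name__ == "__main__":
    # Legacy and Django 5.0 forms resolve to the same mapping.
    assert normalize_choices(TREATMENT_CHOICES) == normalize_choices(TREATMENT_CHOICES_DJANGO5)
    print(validate_api_payload({"recommendation": "A", "decision": "M", "notes": "x"}))
    try:
        validate_api_payload({"decision": "Z"})
    except ValueError as exc:
        print("rejected:", exc)
```

The point of routing the serializer through the same dict as the model is that a choice added, renamed or removed in one place is immediately enforced at the API boundary too; an out-of-set value such as "Z" is rejected before it reaches the database rather than being stored and rendered as an empty label.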

@cneill cneill merged commit 9dcb7f9 into DefectDojo:dev Jun 21, 2024
238 of 239 checks passed
@kiblik kiblik deleted the risk_acc_treatments branch June 21, 2024 21:54

5 participants