
New Jira Form: Make express the default #11041

Merged 4 commits (Oct 11, 2024)

Conversation

Maffooch (Contributor)

Users are intimidated and confused by all of the options present in the new jira instance form. I think we should move to making the express form the default one, and rebrand the original as "Advanced"

[sc-7860]


dryrunsecurity bot commented Oct 10, 2024

DryRun Security Summary

The pull request focuses on improving the JIRA integration functionality within the Dojo application, including renaming and modifying JIRA configuration views, updating JIRA webhook handling, refactoring JIRA integration forms, updating UI templates, and modifying unit tests, while ensuring proper security measures are in place to prevent potential vulnerabilities.


Summary:

The code changes in this pull request are primarily focused on the JIRA integration functionality within the Dojo application. The changes include:

  1. Renaming and modifying the JIRA configuration views, including the introduction of an "Advanced" JIRA configuration option.
  2. Updating the JIRA webhook handling to process different types of JIRA events, such as comment creation and issue updates.
  3. Refactoring the JIRA integration forms, including the addition of a new issue_template_dir field.
  4. Updating the UI templates for the JIRA configuration process, including the addition of a new "Advanced" JIRA configuration template.
  5. Modifying the unit tests to reflect the changes in the JIRA configuration URLs.

From an application security perspective, the changes do not appear to introduce any obvious security vulnerabilities. However, it's important to ensure that the JIRA integration is properly implemented and secured, with a focus on the following areas:

  1. Input validation and sanitization to prevent common web application vulnerabilities, such as SQL injection and cross-site scripting (XSS).
  2. Appropriate access controls and authorization mechanisms to prevent unauthorized access to sensitive JIRA-related functionality.
  3. Secure handling and storage of JIRA instance credentials and other sensitive information.
  4. Robust logging and monitoring to detect and respond to any security incidents related to the JIRA integration.

Overall, the changes seem to be focused on improving the JIRA integration functionality within the Dojo application, and they do not raise any immediate security concerns. However, a comprehensive security review of the entire JIRA integration implementation is still recommended to identify and address any potential vulnerabilities.

Files Changed:

  1. dojo/templates/dojo/jira.html: The "Add Jira Instance (Express)" option has been renamed to "Add Jira Instance", and the "Add Jira Instance" option has been renamed to "Add Jira Instance (Advanced)".
  2. dojo/jira_link/urls.py: A new URL pattern, ^jira/advanced, has been added, which maps to the AdvancedJiraView view. The re_path(r"^jira/express", views.ExpressJiraView.as_view(), name="express_jira") URL pattern has been removed.
  3. dojo/jira_link/views.py: The ExpressJiraView class has been renamed to NewJiraView, and the NewJiraView class has been renamed to AdvancedJiraView. The webhook function has been updated to handle different types of JIRA webhook events.
  4. dojo/forms.py: The JIRAForm class has been renamed to AdvancedJIRAForm, and a new JIRAForm class has been introduced. The issue_template_dir field has been added to both forms.
  5. dojo/templates/dojo/new_jira.html: The title attribute has been added to the "Submit" button, and a message informing the user about finding severity mappings and other options has been added.
  6. dojo/templates/dojo/new_jira_advanced.html: This is a new template file that is used to display a form for adding a new JIRA configuration in an advanced mode.
  7. unittests/test_jira_config_product.py: The URL used in the add_jira_instance function has been changed from "add_jira" to "add_jira_advanced".

Code Analysis

We ran 9 analyzers against 8 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                   Findings
Authn/Authz Analyzer       5 findings
Sensitive Files Analyzer   1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.


@mtesauro mtesauro left a comment


Approved


@cneill cneill left a comment


Might be good to rename things everywhere for consistency, so that we don't get confused in the future if we forget that we did this rename. A few I was able to find by grepping for "express":

  • dojo/templates/dojo/express_new_jira.html ➡️ new_jira.html
  • dojo/templates/dojo/new_jira.html ➡️ new_jira_advanced.html
  • dojo/forms.py - references to JIRAForm and ExpressJIRAForm
  • dojo/jira_link/urls.py reference to /jira/express
  • dojo/jira_link/views.py references to ExpressJiraView
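The consistency check the review comment above asks for (grep for leftover "express" names after the rename) can be scripted so it runs as a test rather than by hand. The following is an added example, not code from DefectDojo or from this PR: it takes a list of identifiers that should no longer appear after the rename (taken from the review comment; the list itself is an assumption about which names were retired), scans a set of files, and reports every remaining reference with its path and line number. The sample file contents are constructed for the example, and a stale route line is deliberately left in to show what a finding looks like.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Names retired by the rename, per the review comment (assumed list for this example).
STALE_NAMES: List[str] = [
    "express_new_jira.html",
    "ExpressJIRAForm",
    "ExpressJiraView",
    "express_jira",
    "jira/express",
]

# Constructed sample tree: path -> file text. The urls.py keeps one stale route on purpose.
SAMPLE_FILES: Dict[str, str] = {
    "dojo/jira_link/urls.py": (
        "from django.urls import re_path\n"
        "from . import views\n"
        "urlpatterns = [\n"
        '    re_path(r"^jira/advanced", views.AdvancedJiraView.as_view(), name="add_jira_advanced"),\n'
        '    re_path(r"^jira/express", views.ExpressJiraView.as_view(), name="express_jira"),\n'
        "]\n"
    ),
    "dojo/forms.py": "class JIRAForm(forms.ModelForm):\n    pass\n",
    "dojo/templates/dojo/jira.html": (
        "<a href=\"{% url 'add_jira_advanced' %}\">Add Jira Instance (Advanced)</a>\n"
    ),
}

Finding = Tuple[str, int, str]  # (path, 1-based line number, stale name)


def _boundary_pattern(name: str) -> "re.Pattern[str]":
    # Match the name only when it is not glued to other identifier characters,
    # so "express_jira" does not fire on e.g. "nonexpress_jira_x".
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])")


def find_stale_references(files: Dict[str, str], stale: Iterable[str]) -> List[Finding]:
    """Return every (path, line, name) where a retired name still appears."""
    patterns = [(name, _boundary_pattern(name)) for name in stale]
    findings: List[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in patterns:
                if pattern.search(line):
                    findings.append((path, lineno, name))
    return findings


def load_tree(root: str, suffixes: Tuple[str, ...] = (".py", ".html")) -> Dict[str, str]:
    """Read a real checkout into the path -> text form find_stale_references expects."""
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
        for p in base.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }


if __name__ == "__main__":
    for path, lineno, name in find_stale_references(SAMPLE_FILES, STALE_NAMES):
        print(f"{path}:{lineno}: stale reference to {name!r}")
```

Run against a checkout with `find_stale_references(load_tree("."), STALE_NAMES)`; an empty result means the rename is complete, and a non-empty one points at exactly the lines (such as a leftover URL route that still maps to an old view) that need attention.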

@Maffooch (Contributor Author)

Sure can do

@Maffooch Maffooch merged commit 316d61a into DefectDojo:bugfix Oct 11, 2024
73 checks passed
@Maffooch Maffooch deleted the new-jira branch October 11, 2024 15:03
pedrohdjs pushed a commit to pedrohdjs/django-DefectDojo-sorting that referenced this pull request Oct 21, 2024
* New Jira Form: Make express the default

* rename some stuff

* ruff

* correct tests
6 participants