Ruff: Add and fix S113

[kiblik]

Add RUFF rule S113 https://docs.astral.sh/ruff/rules/request-without-timeout/

Regular parts have been easy to identify. Issues in sessions have not been marked yet but I fixed them.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the security and reliability of various API integrations within the DefectDojo application, including the addition of timeout parameters, improved error handling, and updates to configuration settings, which help mitigate potential security risks and ensure the long-term security and reliability of the application.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and reliability of various
API integrations within the DefectDojo application. The key changes include the addition of
timeout parameters for API requests, improved error handling, and updates to configuration
settings. These changes help mitigate potential security risks, such as denial-of-service
vulnerabilities and improper handling of API responses.

The changes cover a wide range of API integrations, including Bugcrowd, Cobalt, SonarQube,
Edgescan, Risk Recon, and the Microsoft Graph API. In each case, the addition of timeout
parameters is a positive security enhancement, as it prevents the application from getting
stuck waiting for unresponsive API calls.

Additionally, the changes include improvements to error handling, which help the application
gracefully handle API errors and provide more meaningful feedback to users. The updates to
configuration settings, such as the DD_REQUESTS_TIMEOUT and DD_REQUIRE_PASSWORD_ON_USER
settings, also contribute to the overall security and maintainability of the application.

While the changes do not introduce any obvious security vulnerabilities, it's important to
continue reviewing the application's security posture, especially when integrating with
third-party services and APIs. Ongoing monitoring, testing, and updating of security
configurations and practices are crucial to ensure the long-term security and reliability
of the DefectDojo application.

Files Changed:

• dojo/jira_link/helper.py: The changes add a timeout parameter to the requests.post()
  call when closing a JIRA epic, which is a positive security enhancement.
• dojo/management/commands/import_github_languages.py: The changes add a timeout parameter
  to the HTTP request to the GitHub colors JSON file and include robust exception handling,
  both of which are good security practices.
• dojo/notifications/helper.py: The changes add timeouts to various HTTP requests and
  handle the sending of notifications to Slack, Microsoft Teams, and configured webhook
  endpoints in a secure manner.
• dojo/settings/.settings.dist.py.sha256sum: The changes update the SHA-256 hash file,
  which is likely used to verify the integrity of the corresponding configuration file.
  This change is expected and does not introduce any apparent security risks.
• dojo/pipeline.py: The changes add a timeout parameter to the API call to the Microsoft
  Graph API, which is a positive security enhancement. However, the code still relies on
  external API calls, which introduces potential security risks that should be considered.
• dojo/tools/api_bugcrowd/api_client.py, dojo/tools/api_cobalt/api_client.py,
  dojo/tools/api_sonarqube/api_client.py, dojo/tools/api_edgescan/api_client.py,
  dojo/tools/api_risk_recon/api.py: These changes all involve adding timeout parameters
  to API requests, which is a security best practice to prevent the application from
  getting stuck waiting for unresponsive API calls.
• dojo/settings/settings.dist.py: The changes include adding a new setting
  DD_REQUESTS_TIMEOUT to set the timeout for HTTP requests, as well as updates to
  notification system settings and a new setting to require a password when creating
  or updating users.
• ruff.toml: The changes update the Ruff linter configuration, adding a rule to
  check for the use of time.sleep() and removing a rule related to assert statements.
  These changes are focused on improving code quality and performance, rather than
  addressing specific security vulnerabilities.

Code Analysis

We ran 9 analyzers against 12 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[mtesauro]

Approved

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.