
Update audit log with actual requested reviewers #11289

Merged
merged 1 commit into from
Nov 22, 2024

Conversation

hblankenship
Collaborator

[sc-2885]

When a user requests a review of a Finding, there is a record of who requested a review but nothing about who was requested to review it.

This PR adds this record.

@github-actions github-actions bot added the ui label Nov 18, 2024

DryRun Security Summary

The code changes in this pull request focus on enhancing the display of finding history and registering various models for audit logging to improve the security and auditability of the DefectDojo application.


Summary:

The code changes in this pull request focus on two main areas: 1) Enhancing the display of finding history in the display_tags.py file, and 2) Registering various models for audit logging in the models.py file.

The changes to the display_tags.py file allow the action_log_entry filter to handle a wider range of history data formats, including both lists and dictionaries. This improves the robustness and informativeness of the finding history display. From a security perspective, the changes do not introduce any obvious concerns, as the filter is using safe deserialization and properly escaping the output.

The changes to the models.py file register several models for audit logging, ensuring that any modifications made to these entities are automatically logged in the database. This provides an important audit trail for security teams to monitor and investigate any changes or suspicious activities. The exclusion of sensitive fields, such as passwords, from the audit logging process is a security-conscious decision.

Overall, these code changes enhance the security and auditability of the DefectDojo application, which is a crucial aspect of an effective application security program.

Files Changed:

  1. dojo/templatetags/display_tags.py:

    • The action_log_entry filter now handles cases where the history value is a dictionary, in addition to lists.
    • The filter extracts the "operation" and "objects" keys from the dictionary and displays them in a formatted string.
    • This change improves the robustness and informativeness of the finding history display.
  2. dojo/models.py:

    • The auditlog.register() function is used to enable automatic logging of changes to various models in the database.
    • The models being registered for audit logging include Dojo_User, Endpoint, Engagement, Finding, Finding_Group, Product_Type, Product, Test, Risk_Acceptance, Finding_Template, Cred_User, and Notification_Webhooks.
    • Sensitive fields, such as passwords, are excluded from the audit logging process to maintain confidentiality.
    • This change enhances the security and auditability of the DefectDojo application.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

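To illustrate the two history shapes the summary above describes (a `[old, new]` pair for a scalar field, and an `operation`/`objects` dictionary for a many-to-many change such as the reviewers requested on a Finding), here is an added, stand-alone Python rendering function. It is not DefectDojo's own `action_log_entry` filter: the field names, the `add` operation value and the sample payload are constructed, and it escapes output with `html.escape` in place of Django's autoescaping.

```python
import json
import html

# Constructed sample of an audit-log "changes" payload in both shapes the
# filter must accept (assumed format, based on the PR summary): a [old, new]
# list for a scalar field, and an operation/objects dict for an m2m change.
SAMPLE_CHANGES = json.dumps({
    "status": ["Active", "Under Review"],
    "reviewers": {"operation": "add", "objects": ["alice", "bob <b>x</b>"]},
})


def action_log_entry(value: str) -> list[str]:
    """Render one audit-log row into escaped, human-readable lines.

    Hypothetical stand-in for the template filter; returns plain strings
    so it runs without Django. Malformed input is reported, not raised,
    so one bad row cannot break the whole history page.
    """
    try:
        history = json.loads(value)
    except (TypeError, ValueError):
        return ["(unreadable history entry)"]
    if not isinstance(history, dict):
        return ["(unreadable history entry)"]
    lines = []
    for field, change in history.items():
        field = html.escape(str(field))
        if isinstance(change, dict):
            # m2m-style entry: who/what was added or removed
            op = html.escape(str(change.get("operation", "?")))
            objs = ", ".join(html.escape(str(o)) for o in change.get("objects", []))
            lines.append(f"{field}: {op} {objs}")
        elif isinstance(change, (list, tuple)) and len(change) == 2:
            # scalar field: old value -> new value
            old, new = (html.escape(str(v)) for v in change)
            lines.append(f"{field} changed from {old} to {new}")
        else:
            lines.append(f"{field}: {html.escape(str(change))}")
    return lines
```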

Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch merged commit 7fbd92d into bugfix Nov 22, 2024
74 checks passed