Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

defect dojo verified status is now setup from configuration #985

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

defect dojo verified status is now setup from configuration #985

wants to merge 1 commit into from

Conversation

worming004
Copy link

Description

Added a new configurable property to manage the "Verified" flag in DefectDojo integration. This allows users to control whether or not the "Verified" flag should be set when uploading findings to DefectDojo.

Port from DependencyTrack/dependency-track#4273

Addressed Issue

Close DependencyTrack/hyades#1601

Additional Details

Thanks for Malaydewangan09 for the original work. Due to the fork of https://github.com/DependencyTrack/dependency-track and https://github.com/DependencyTrack/hyades-apiserver, I was not able to preserve author name in commits

Checklist

  • [ x] I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

sahibamittal
sahibamittal reviewed Nov 28, 2024
View reviewed changes
src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java Outdated
@@ -66,7 +66,7 @@ public void uploadDependencyTrackFindings(final String token, final String engag
.addPart("file", inputStreamBody)
.addPart("engagement", new StringBody(engagementId, ContentType.MULTIPART_FORM_DATA))
.addPart("scan_type", new StringBody("Dependency Track Finding Packaging Format (FPF) Export", ContentType.MULTIPART_FORM_DATA))
.addPart("verified", new StringBody("true", ContentType.MULTIPART_FORM_DATA))
.addPart(Boolean.toString(verifyFindings), new StringBody("true", ContentType.MULTIPART_FORM_DATA))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The key must remain "verified" and the value should be updated to verifyFindings.
Currently it's set as true only.

sahibamittal
sahibamittal reviewed Nov 28, 2024
View reviewed changes
src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java Outdated
@@ -173,7 +173,7 @@ public void reimportDependencyTrackFindings(final String token, final String eng
.addPart("file", inputStreamBody)
.addPart("engagement", new StringBody(engagementId, ContentType.MULTIPART_FORM_DATA))
.addPart("scan_type", new StringBody("Dependency Track Finding Packaging Format (FPF) Export", ContentType.MULTIPART_FORM_DATA))
.addPart("verified", new StringBody("true", ContentType.MULTIPART_FORM_DATA))
.addPart(Boolean.toString(verifyFindings), new StringBody("true", ContentType.MULTIPART_FORM_DATA))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, the key must remain "verified" and the value should be updated to verifyFindings. Currently it's set as true only.

@nscuro
Copy link
Member

nscuro commented Nov 28, 2024

@worming004 Due to the fork of DependencyTrack/dependency-track and DependencyTrack/hyades-apiserver, I was not able to preserve author name in commits

You can retain the original author's credit by adding them via Co-Authored-By to your commit. Here's an example: 318cb58

@nscuro nscuro added v4-port PRs that were ported from the Dependency-Track v4.x code base enhancement New feature or request labels Nov 29, 2024
@nscuro nscuro added this to the 5.6.0 milestone Nov 29, 2024
@worming004 worming004 force-pushed the feature/port-defectdojo-verified-conf branch from f78de37 to 860b137 Compare December 1, 2024 15:11
@worming004
Copy link
Author

I've amended the commit and reworded it with a signature from @Malaydewangan09. The correction is also made in this amend, ensuring co-authorship will appears correctly in main branch

@worming004 worming004 force-pushed the feature/port-defectdojo-verified-conf branch 3 times, most recently from 80a5770 to 41d5607 Compare December 2, 2024 07:51
@worming004 worming004 force-pushed the feature/port-defectdojo-verified-conf branch from 41d5607 to d3c52cd Compare December 2, 2024 08:01
@worming004
Copy link
Author

I can't find a way to make it works with DCO step.

Is it possible that it is caused by co-author @Malaydewangan09 as he never signed-off this repo ?
He signed-off https://github.com/DependencyTrack/dependency-track, but not hyades-apiserver

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sahibamittal sahibamittal sahibamittal left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
enhancement New feature or request v4-port PRs that were ported from the Dependency-Track v4.x code base
Projects
None yet
Milestone
5.6.0
Development

Successfully merging this pull request may close these issues.

Port defectdojo.verified from Dependency-Track
3 participants
@worming004 @nscuro @sahibamittal