DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Exception on invalid environment #10207

Open kiblik opened 5 months ago

kiblik commented 5 months ago

DD raises an exception (HTTP 500, internal server error) if a user uses the name of a non-existing environment in (re)imports.

Bug description

ImportScanSerializer.set_context and ReImportScanSerializer.set_context uses

        context["environment"] = Development_Environment.objects.get(
            name=data.get("environment", "Development")
        )

which is able to handle an undefined environment but does not handle a non-existent one.

Steps to reproduce

    curl -X 'POST' \
      'http://xxx:8080/api/v2/reimport-scan/' \
    ...
      -F 'environment=non_existing_enviro' \
    ...

Expected behavior There are 2 options

Logs


uwsgi-1         | [14/May/2024 19:26:39] ERROR [dojo.api_v2.exception_handler:43] Development_Environment matching query does not exist.
uwsgi-1         | Traceback (most recent call last):
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
uwsgi-1         |     response = handler(request, *args, **kwargs)
uwsgi-1         |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/rest_framework/mixins.py", line 19, in create
uwsgi-1         |     self.perform_create(serializer)
uwsgi-1         |   File "/app/dojo/api_v2/views.py", line 2792, in perform_create
uwsgi-1         |     serializer.save(push_to_jira=push_to_jira)
uwsgi-1         |   File "/app/dojo/api_v2/serializers.py", line 2538, in save
uwsgi-1         |     context = self.set_context(data)
uwsgi-1         |               ^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/app/dojo/api_v2/serializers.py", line 2415, in set_context
uwsgi-1         |     context["environment"] = Development_Environment.objects.get(
uwsgi-1         |                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/db/models/manager.py", line 85, in manager_method
uwsgi-1         |     return getattr(self.get_queryset(), name)(*args, **kwargs)
uwsgi-1         |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1         |   File "/usr/local/lib/python3.11/site-packages/django/db/models/query.py", line 650, in get
uwsgi-1         |     raise self.model.DoesNotExist(
uwsgi-1         | dojo.models.Development_Environment.DoesNotExist: Development_Environment matching query does not exist.
uwsgi-1         | [14/May/2024 19:26:39] ERROR [django.request:241] Internal Server Error: /api/v2/reimport-scan/

nelsonleblanc-rl commented 4 months ago

I'm actually seeing this error on import with an undefined environment in 2.33.7

edit: looks like this dd instance did not get the default environments created, somehow

Jon-the-2nd commented 1 week ago

I had the same issue on 2.37.0 and 2.38.1 when no environment is provided in an import-scan call and no environment with the name 'Development' exists. Hence, renaming the default list of environments effectively breaks any API calls to import-scan without the environment parameter. As I found out the hard way, this includes the Dependency Track integration.

I'd expect the environment parameter to be mandatory, or else it should be possible to set a 'default' environment which would then be used if no environment is set in the API call. If a non-existing environment is provided, an HTTP 400 would be ok imho. I wouldn't go auto-creating environments as this is an admin responsibility.
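The lookup quoted in the issue body, together with the renamed-defaults case from the last comment, as an added example that is not DefectDojo's code: the original pattern beside a hardened variant that turns a missing environment into a 400. Django is not imported; a small in-memory stand-in mimics `Development_Environment.objects.get()` and the `DoesNotExist` / `ValidationError` exception types (all assumptions).

```python
# Added example, not DefectDojo's code. Django is not imported: a small
# in-memory stand-in mimics Development_Environment.objects.get() and the
# DoesNotExist / ValidationError exception types (all assumptions).

class DoesNotExist(Exception):
    """Stand-in for Development_Environment.DoesNotExist."""

class ValidationError(Exception):
    """Stand-in for rest_framework.serializers.ValidationError (-> HTTP 400)."""

class EnvironmentManager:
    """Stand-in for Development_Environment.objects backed by a set of names."""

    def __init__(self, names):
        self._names = set(names)

    def get(self, *, name):
        if name not in self._names:
            raise DoesNotExist("Development_Environment matching query does not exist.")
        return name

def set_context_original(objects, data):
    # The pattern quoted in the issue: a missing key falls back to "Development",
    # but a name absent from the table escapes as DoesNotExist (HTTP 500).
    return {"environment": objects.get(name=data.get("environment", "Development"))}

def set_context_hardened(objects, data):
    # Same lookup, but DoesNotExist becomes a field-level ValidationError so the
    # API answers 400 with a message instead of a traceback in the logs.
    name = data.get("environment", "Development")
    try:
        env = objects.get(name=name)
    except DoesNotExist:
        raise ValidationError({"environment": f"Environment '{name}' does not exist."})
    return {"environment": env}

def status_for(set_context, objects, data):
    """HTTP status the API would report for one (re)import request."""
    try:
        set_context(objects, data)
    except ValidationError:
        return 400
    except Exception:  # any other uncaught exception surfaces as a 500
        return 500
    return 200

if __name__ == "__main__":
    objs = EnvironmentManager(["Development", "Production"])
    print(status_for(set_context_original, objs, {"environment": "nope"}))  # 500
    print(status_for(set_context_hardened, objs, {"environment": "nope"}))  # 400
```

The second scenario in the test below (a table with no "Development" row) reproduces the renamed-defaults failure: the original code turns a request without an environment parameter into a 500, the hardened one into a 400.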