DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License
3.49k stars 1.48k forks

Enhancement: Add Under Review for Jira mappings #10462

Open testaccount90009 opened 6 days ago

testaccount90009 commented 6 days ago

:warning: Note on feature completeness :warning:

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

Add Under Review to the Jira configuration and 'open_status'. Some teams work within sprint cycles, so if they are integrated with Jira and their DefectDojo product, it would be nice to have 'Under Review' as an 'In-Progress' and 'Active' status / resolution, so that things currently being worked on can be tracked. This adds flexibility to the 'Open', 'Closed', 'False Positive' or 'Risk Accepted' mappings by adding the 'Under Review' mapping resolution for Jira, so that teams can manage vulnerabilities that are in-progress or 'under review'.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR. Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

dryrunsecurity[bot] commented 6 days ago

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

| DryRun Security | Status | Findings |
| --- | --- | --- |
| Server-Side Request Forgery Analyzer | :white_check_mark: | 0 findings |
| Configured Codepaths Analyzer | :x: | 3 findings |
| IDOR Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :white_check_mark: | 0 findings |
| SQL Injection Analyzer | :white_check_mark: | 0 findings |
| Authn/Authz Analyzer | :white_check_mark: | 0 findings |
| Secrets Analyzer | :white_check_mark: | 0 findings |

> [!NOTE]
> :red_circle: Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

**Summary:** The provided code changes are focused on updates to the JIRA integration functionality in the Defect Dojo application. The changes include adding a new field to the `jira_conf` model to map JIRA resolution names to an "Under Review" finding status, and updating the `OPEN_STATUS` list to include a new "Under Review" status. From an application security perspective, these changes do not introduce any obvious security concerns. The code updates follow secure practices, such as performing checks to ensure JIRA is enabled and configured, handling JIRA-related errors, sanitizing data before sending it to JIRA, and implementing role-based access control. The new field and status update are reasonable additions to the existing JIRA integration functionality and do not directly impact the security of the application.

**Files Changed:**

1. `dojo/db_migrations/0014_jira_conf_resolution_mappings.py`:
   - Added a new field called `under_review_mapping_resolution` to the `jira_conf` model, which is used to store a comma-separated list of JIRA resolution names that map to an "Under Review" finding in the application.
   - The new field is marked as `blank=True` and `null=True`, which is a common practice to allow for optional configuration values.
   - The database migration code follows the standard Django migration pattern, which is a secure and maintainable way to manage database schema changes.
2. `dojo/jira_link/helper.py`:
   - Updated the `OPEN_STATUS` list to include a new "Under Review" status.
   - The code handles JIRA integration in a secure manner, such as performing checks to ensure JIRA is enabled and configured, handling JIRA-related errors, sanitizing data before sending it to JIRA, and implementing role-based access control.

Overall, these code changes appear to be routine updates to the JIRA integration functionality in the Defect Dojo application and do not raise any immediate security concerns. However, it is always recommended to thoroughly review the code changes and test the application's security posture after any significant updates.

Powered by DryRun Security
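The PR description above and the bot's file summary both describe the same mechanism: a comma-separated list of Jira resolution names stored on the `jira_conf` model (`under_review_mapping_resolution`), and "Under Review" joining `OPEN_STATUS` so that a finding in that state stays open instead of being closed. The following is an added, stand-alone illustration of how such a mapping is parsed and applied; it is not DefectDojo's code and not part of this PR. The `JiraConf`, `Finding`, `parse_resolution_mapping`, `apply_jira_resolution` and `is_open_status` names, the `RESOLVED_STATUS` list and the two sibling field names `accepted_mapping_resolution` / `false_positive_mapping_resolution` are assumptions made for this example; only `under_review_mapping_resolution` and `OPEN_STATUS` come from the page.

```python
"""Added example (not DefectDojo's code): parsing a comma-separated Jira
resolution mapping such as `under_review_mapping_resolution` and applying
the reported resolution to a finding's status flags."""
from dataclasses import dataclass
from typing import Optional, Set

# 'Under Review' is added to the open set, as the PR describes: a finding in
# that state is still being worked on and must remain active.
OPEN_STATUS = ["Open", "Reopened", "Under Review"]
RESOLVED_STATUS = ["Inactive", "Mitigated", "False Positive", "Out of Scope", "Duplicate"]  # assumed


def parse_resolution_mapping(raw: Optional[str]) -> Set[str]:
    """Turn a comma-separated list of Jira resolution names into a set.

    The field is optional (blank/NULL), admins paste names with stray spaces,
    and Jira resolution names are compared case-insensitively here."""
    if not raw:
        return set()
    return {name.strip().casefold() for name in raw.split(",") if name.strip()}


@dataclass
class JiraConf:
    """Hypothetical mirror of the jira_conf mapping fields."""
    accepted_mapping_resolution: Optional[str] = None        # assumed name
    false_positive_mapping_resolution: Optional[str] = None  # assumed name
    under_review_mapping_resolution: Optional[str] = None    # named on the page

    @property
    def accepted_resolutions(self) -> Set[str]:
        return parse_resolution_mapping(self.accepted_mapping_resolution)

    @property
    def false_positive_resolutions(self) -> Set[str]:
        return parse_resolution_mapping(self.false_positive_mapping_resolution)

    @property
    def under_review_resolutions(self) -> Set[str]:
        return parse_resolution_mapping(self.under_review_mapping_resolution)


@dataclass
class Finding:
    """Minimal constructed finding with the status flags the mapping touches."""
    title: str
    active: bool = True
    under_review: bool = False
    false_p: bool = False
    risk_accepted: bool = False
    mitigated: bool = False


def apply_jira_resolution(finding: Finding, conf: JiraConf, resolution_name: Optional[str]) -> str:
    """Update the finding from the resolution Jira reports and return the
    DefectDojo-side status label chosen.

    Lists are checked in a fixed order (risk accepted, false positive, under
    review); a name configured in more than one list wins by that order, so
    the three lists should be kept disjoint."""
    # Reset every mapping-driven flag so a status change in Jira never leaves
    # a stale flag (for example false_p) set from an earlier sync.
    finding.false_p = finding.risk_accepted = finding.mitigated = finding.under_review = False

    if resolution_name is None:
        finding.active = True           # unresolved in Jira: finding stays open
        return "Open"

    name = resolution_name.strip().casefold()
    if name in conf.accepted_resolutions:
        finding.active, finding.risk_accepted = False, True
        return "Risk Accepted"
    if name in conf.false_positive_resolutions:
        finding.active, finding.false_p = False, True
        return "False Positive"
    if name in conf.under_review_resolutions:
        finding.active, finding.under_review = True, True   # open status: still active
        return "Under Review"
    finding.active, finding.mitigated = False, True         # any other resolution: mitigated
    return "Mitigated"


def is_open_status(status: str) -> bool:
    """True when the status keeps the finding active on the DefectDojo side."""
    return status in OPEN_STATUS


if __name__ == "__main__":
    conf = JiraConf(accepted_mapping_resolution="Won't Fix, Accepted Risk",
                    false_positive_mapping_resolution="False Positive",
                    under_review_mapping_resolution=" In Review ,Under Review")
    f = Finding("constructed finding")
    print(apply_jira_resolution(f, conf, "under review"), f.active, f.under_review)
```

The point a reviewer of such a mapping cares about is the last branch and the order of checks: a resolution name that is not configured anywhere silently deactivates the finding, and a name placed in two lists resolves by check order, so the configured lists should be disjoint and "Under Review" must be in the open set or sprint work in progress would be reported as closed.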