DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Don't retry JIRA calls on 401 unauthorized #3164

Closed valentijnscholten closed 2 years ago

valentijnscholten commented 3 years ago

Currently DD retries calls to JIRA 3 times. For 401 unauthorized errors this is not needed/desired. And maybe not even for other calls as well because it may result in 3 findings being created. It might be better to show the error to the user and let the user decide to retry / refresh / etc.

 dojo_async_task: running task in the foreground as block_execution is set to True for admin
trying to create a new jira issue for 49871:app-1.0.0-SNAPSHOT.war: Groovy-2.2.2.jar | CVE-2015-3253
Trying to create a new JIRA issue for finding 49871...
Starting new HTTPS connection (1): jira-uat.isaac.nl:443
https://jira:443 "GET /rest/api/2/serverInfo HTTP/1.1" 401 None
Got recoverable error from GET https://jira-uat.isaac.nl/rest/api/2/serverInfo, will retry [1/3] in 6.240514827858767s. Err: 401
https://jira:443 "GET /rest/api/2/serverInfo HTTP/1.1" 401 None
Got recoverable error from GET https://jira-uat.isaac.nl/rest/api/2/serverInfo, will retry [2/3] in 24.53720235545771s. Err: 401
https://jira:443 "GET /rest/api/2/serverInfo HTTP/1.1" 401 None
Got recoverable error from GET https://jira-uat.isaac.nl/rest/api/2/serverInfo, will retry [3/3] in 54.21921545508111s. Err: 401
https://jira:443 "GET /rest/api/2/serverInfo HTTP/1.1" 401 None
JiraError HTTP 401 url: https://jira-uat.isaac.nl/rest/api/2/serverInfo
        text:
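
The behaviour described in this report (three retries with backoff even though the server answered 401 each time) comes down to the retry policy not distinguishing authentication failures from transient failures. As an added example, and not DefectDojo's or jira-python's own code, the following standalone policy treats 401/403 as terminal on the first response, retries only transient codes (429, 5xx), and refuses to retry non-idempotent requests so that a create-issue call cannot be repeated and produce duplicate issues. All names (`call_with_retry`, `scripted_responses`, `simulate`, the two exception classes) are hypothetical, and the response sequences are constructed for the demonstration.

```python
"""Retry policy that stops immediately on authentication errors.

Added example, not DefectDojo or jira-python code; all names are hypothetical.
"""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Retrying cannot change the outcome for these: the credentials or the request
# itself are wrong, so the error should be surfaced to the user instead.
NON_RETRYABLE = {400, 401, 403, 404}
# Transient conditions where a short exponential backoff is reasonable.
RETRYABLE = {429, 500, 502, 503, 504}


@dataclass
class Response:
    status: int
    text: str = ""


class JiraClientError(Exception):
    """4xx such as 401/403: raised on the first response, never retried."""


class JiraTransientError(Exception):
    """5xx/429: raised when retries are exhausted or not permitted."""


def no_sleep(_seconds: float) -> None:
    """Sleep replacement used by simulate() so runs finish instantly."""


def call_with_retry(request: Callable[[], Response], *, max_retries: int = 3,
                    base_delay: float = 1.0, idempotent: bool = True,
                    sleep: Callable[[float], None] = time.sleep,
                    log: Optional[List[str]] = None) -> Response:
    """Call `request` until it succeeds, classifying each failure.

    2xx returns; NON_RETRYABLE (and any other unknown code) raises at once;
    RETRYABLE codes are retried with backoff, but only for idempotent requests,
    because a retried POST may already have created the issue server-side.
    """
    log = log if log is not None else []
    attempt = 0
    while True:
        resp = request()
        if 200 <= resp.status < 300:
            return resp
        if resp.status in NON_RETRYABLE or resp.status not in RETRYABLE:
            log.append(f"HTTP {resp.status}: not retryable, giving up after {attempt + 1} call(s)")
            raise JiraClientError(f"HTTP {resp.status}: {resp.text}")
        if not idempotent:
            log.append(f"HTTP {resp.status}: non-idempotent request, not retrying")
            raise JiraTransientError(f"HTTP {resp.status}: {resp.text}")
        if attempt >= max_retries:
            log.append(f"HTTP {resp.status}: retry budget of {max_retries} exhausted")
            raise JiraTransientError(f"HTTP {resp.status}: {resp.text}")
        delay = base_delay * (2 ** attempt)  # 1s, 2s, 4s, ...
        log.append(f"HTTP {resp.status}: will retry [{attempt + 1}/{max_retries}] in {delay:.1f}s")
        sleep(delay)
        attempt += 1


def scripted_responses(statuses: List[int]) -> Callable[[], Response]:
    """Constructed stand-in for a JIRA HTTP call: replays `statuses` in order
    and records every call in `request.calls` so the policy can be inspected."""
    queue = list(statuses)
    calls: List[int] = []

    def request() -> Response:
        status = queue.pop(0)
        calls.append(status)
        return Response(status, "" if status < 300 else f"simulated HTTP {status}")

    request.calls = calls  # type: ignore[attr-defined]
    return request


def simulate(statuses: List[int], **policy) -> Tuple[str, List[int], List[str]]:
    """Run the policy against a scripted sequence without sleeping.
    Returns (outcome, status codes actually seen, policy log lines)."""
    request = scripted_responses(statuses)
    log: List[str] = []
    try:
        resp = call_with_retry(request, sleep=no_sleep, log=log, **policy)
        outcome = f"ok:{resp.status}"
    except JiraClientError:
        outcome = "client_error"
    except JiraTransientError:
        outcome = "transient_error"
    return outcome, request.calls, log  # type: ignore[attr-defined]


if __name__ == "__main__":
    # The 401 sequence stops after a single call; the 503 sequence is retried.
    for statuses in ([401, 401, 401, 401], [503, 503, 200], [503, 200]):
        outcome, seen, log = simulate(statuses)
        print(statuses, "->", outcome, "calls made:", seen)
        for line in log:
            print("   ", line)
```

With this policy the sequence in the log above produces one `GET /rest/api/2/serverInfo` and an immediate `JiraClientError`, rather than three more calls spread over roughly 85 seconds. The `idempotent=False` path is the part that addresses the "3 findings being created" concern in the report: a create request that hits a transient error is surfaced to the user for a manual retry instead of being resent blindly. For a deployment like the one in the later comment, where a server occasionally answers 401 for credentials that otherwise work, this policy surfaces each such event rather than masking it, which is also what you want for detecting credential or proxy problems.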
jhewi commented 3 years ago

@valentijnscholten @Maffooch After reviewing this issue and reproducing the same errors in Dojo with a JIRA cloud instance it appears that a solution is out of reach. When it comes to the basic authentication errors like 401 and 403, the 3 default JIRA calls cannot be controlled from the Dojo side. Unfortunately, any code fixes or modifications to the relevant files in DefectDojo won’t change what JIRA has for its connection calls.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

darthwalsh commented 2 months ago

On our project, we're calling https://jira.example.com/rest/api/2/issue/ABC-123 in a loop in a cron job, and roughly 1 in a thousand calls fails with HTTP 401 (even though the previous call and the next cron job with same auth had successful responses).

According to HTTP you shouldn't retry on these, but I haven't seen any Jira REST API docs for whether a retry loop is a good approach or not...