
Notes on Findings for Simple Risk Acceptance #11482

Open

wants to merge 1 commit into base: dev

Conversation

hblankenship
Collaborator

When creating/removing a simple risk exception, we create a "paper trail" by adding a note to the finding indicating the action taken.

[sc-7578]

@github-actions github-actions bot added the apiv2 label Dec 31, 2024

DryRun Security Summary

The pull request enhances the Defect Dojo API version 2's risk acceptance functionality by adding a RiskAcceptanceSerializer class and a process_risk_acceptance() method to improve risk acceptance logic, validation, and centralization.


Summary:

The changes in this pull request are focused on improving the risk acceptance functionality in the Defect Dojo API version 2. The key changes include the addition of a RiskAcceptanceSerializer class, which handles the creation, update, and retrieval of risk acceptance information, and the addition of a process_risk_acceptance() method in the FindingSerializer class to centralize the risk acceptance logic.

From an application security perspective, the changes in the RiskAcceptanceSerializer class ensure that the findings being added to a risk acceptance are from the same engagement, which helps maintain the integrity of the risk acceptance process. The centralization of the risk acceptance logic in the FindingSerializer class also helps reduce the potential for inconsistencies or security vulnerabilities.

Files Changed:

  • dojo/api_v2/serializers.py: This file contains the serializers for the Defect Dojo API version 2. The changes include:
    • Addition of the dojo.risk_acceptance.helper import to allow the use of functions from the risk_acceptance.helper module.
    • Updates to the RiskAcceptanceSerializer class, including the addition of create() and update() methods that use helper functions from the risk_acceptance.helper module, and the addition of get_recommendation(), get_decision(), and get_path() methods to provide additional information about the risk acceptance.
    • Addition of the process_risk_acceptance() method in the FindingSerializer class to handle the risk acceptance logic, such as simple risk acceptance and risk unacceptance.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 1 finding

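The two behaviours described above, the "paper trail" note from the PR description and the same-engagement check from the DryRun summary, are easy to lose sight of behind serializer plumbing. The following is an added illustration, not code from DefectDojo or from this PR: it replaces the Django models and the `dojo.risk_acceptance.helper` functions with plain dataclasses and free functions (`Engagement`, `Finding`, `Note`, `RiskAcceptance`, `validate_same_engagement`, `create_risk_acceptance`, `process_risk_acceptance` are all assumed names), and the note wording and sample findings are constructed for the example. It shows why both controls matter: the check keeps one acceptance from silently covering findings in an unrelated engagement, and the note leaves an attributable record of who accepted or un-accepted a finding and when.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Hypothetical stand-ins for the Django models; not DefectDojo's own classes.
@dataclass
class Engagement:
    id: int
    name: str


@dataclass
class Note:
    author: str
    text: str
    created: datetime


@dataclass
class Finding:
    id: int
    title: str
    engagement: Engagement
    risk_accepted: bool = False
    notes: list = field(default_factory=list)


@dataclass
class RiskAcceptance:
    name: str
    engagement: Engagement
    findings: list = field(default_factory=list)


def validate_same_engagement(findings):
    """Reject a set of findings that spans more than one engagement.

    Mirrors the integrity check the summary attributes to the serializer:
    a risk acceptance is scoped to one engagement, so mixing findings from
    several engagements would let one decision cover unrelated work.
    """
    if not findings:
        raise ValueError("a risk acceptance needs at least one finding")
    engagement_ids = {f.engagement.id for f in findings}
    if len(engagement_ids) > 1:
        raise ValueError(
            f"findings belong to {len(engagement_ids)} engagements; "
            "all findings in a risk acceptance must share one engagement"
        )
    return findings


def add_note(finding, author, text):
    """Append an attributable, timestamped note to the finding (the paper trail)."""
    finding.notes.append(Note(author, text, datetime.now(timezone.utc)))


def create_risk_acceptance(name, findings):
    """Build a full risk acceptance after validating engagement scope."""
    validate_same_engagement(findings)
    return RiskAcceptance(name, findings[0].engagement, list(findings))


def process_risk_acceptance(finding, *, accept, author):
    """Centralised simple accept/un-accept logic that always leaves a note.

    Returns "accepted", "unaccepted" or "unchanged" so callers (and tests)
    can see whether state actually moved; repeated requests are idempotent
    and do not spam the note trail.
    """
    if accept and not finding.risk_accepted:
        finding.risk_accepted = True
        add_note(finding, author, f"Simple risk acceptance applied by {author}")
        return "accepted"
    if not accept and finding.risk_accepted:
        finding.risk_accepted = False
        add_note(finding, author, f"Simple risk acceptance removed by {author}")
        return "unaccepted"
    return "unchanged"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    web = Engagement(1, "Web app assessment")
    api = Engagement(2, "API assessment")
    xss = Finding(10, "Reflected XSS in search", web)
    tls = Finding(12, "Weak TLS configuration", api)
    process_risk_acceptance(xss, accept=True, author="alice")
    process_risk_acceptance(xss, accept=False, author="bob")
    for note in xss.notes:
        print(f"{note.created.isoformat()} {note.author}: {note.text}")
    try:
        create_risk_acceptance("mixed", [xss, tls])
    except ValueError as exc:
        print("rejected:", exc)
```

The return value of `process_risk_acceptance` is deliberate: a caller that wants to audit the API can distinguish a request that changed state from one that was a no-op, and the no-op path writes no note, so the trail records decisions rather than retries.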

@hblankenship hblankenship marked this pull request as draft December 31, 2024 16:37
@hblankenship hblankenship marked this pull request as ready for review December 31, 2024 16:37
Contributor

@mtesauro mtesauro left a comment


Approved
