
Display reviewers on finding pages. #11165

Open
wants to merge 1 commit into
base: dev

Conversation

pedrohdjs

Description

This PR adds a list of reviewers (assigned with the "request peer review" feature) to the UI in the finding pages.
I believe this would make for better finding visualization, and this is something that some users might miss, as noted in issue #10434's discussion.

Test results

I have tested (manually) all of the finding listing pages. Except when the findings are filtered by closed, all of the assigned reviewers should be displayed in the rightmost column.

Disclaimer

Please note that this is my first open source contribution PR ever, so explaining stuff assuming I know very little about open source might be a good call.

eli5

I'm open to any feedback and to implementing any changes that might be necessary. Although I read the contribution guidelines, it's likely that I might have done some things wrong here, and I realize that this feature ideally should've gone through a pre-approval. But since implementing it was fairly straightforward after I got (kind of 😅) used to the codebase, and I wouldn't lose a lot of work if the PR is denied, I thought I'd give it a shot.

@github-actions github-actions bot added the docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, ui, parser and helm labels Oct 30, 2024
@pedrohdjs pedrohdjs changed the base branch from master to dev October 30, 2024 18:07

DryRun Security Summary

This pull request covers a wide range of updates and improvements to the DefectDojo application, focusing on security, performance, and maintainability, including updating base images, improving documentation, enhancing the import and processing of security findings, refactoring core components, and updating configuration files.


Summary:

The code changes in this pull request cover a wide range of updates and improvements to the DefectDojo application, focusing on various aspects such as security, performance, and maintainability. The changes include updating base images, improving documentation, enhancing the import and processing of security findings, refactoring core components, and updating configuration files.

From an application security perspective, the changes demonstrate a strong emphasis on security best practices, including:

  1. Keeping base images and dependencies up-to-date to address known vulnerabilities.
  2. Improving input validation and data sanitization to prevent common web application vulnerabilities.
  3. Enhancing the handling of sensitive information, such as credentials and API keys.
  4. Implementing robust error handling and logging mechanisms.
  5. Improving the security and reliability of the import and processing of security findings.
  6. Updating configuration files and documentation to ensure secure deployment and usage of the application.

Overall, the changes in this pull request appear to be a positive step towards improving the security and overall quality of the DefectDojo application.

Files Changed:

  1. Dockerfile.nginx-alpine and Dockerfile.nginx-debian: These files have been updated to use a newer version of the NGINX base image, which is a security-conscious decision to ensure the application is running on the latest version with the latest security patches.
  2. docs/content/en/getting_started/upgrading/2.40.md: This documentation update provides important information about the upgrade to DefectDojo version 2.40.0, including the deprecation of Postgres 12 and the need for users to plan their Postgres upgrade accordingly.
  3. Dockerfile.integration-tests-debian: This Dockerfile has been updated to use the latest versions of dependencies, such as the OpenAPI Generator CLI and Chrome/ChromeDriver, which is important for maintaining the security and reliability of the integration tests.
  4. docs/content/en/integrations/parsers/file/ptart.md: This documentation update provides information about the integration of the PTART (Pentest and Security Auditing Reporting Tool) with the DefectDojo application, which can help organizations streamline their security testing and reporting processes.
  5. .github/workflows/k8s-tests.yml: The changes in this file focus on improving the deployment and testing of the DefectDojo application in a Kubernetes environment, with a strong emphasis on security considerations, such as using the latest versions of tools, testing across different Kubernetes versions, and implementing comprehensive deployment and testing checks.
  6. components/package.json and components/yarn.lock: These files have been updated to use the latest version of the pdfmake dependency, which is a routine update to address potential security vulnerabilities or improvements.
  7. The remaining files (dojo/apps.py, dojo/api_v2/serializers.py, dojo/finding_group/views.py, dojo/forms.py, dojo/home/views.py, dojo/importers/auto_create_context.py, dojo/importers/base_importer.py, dojo/importers/default_importer.py, dojo/importers/default_reimporter.py, dojo/metrics/utils.py, dojo/importers/options.py, dojo/remote_user.py, dojo/risk_acceptance/api.py, dojo/reports/views.py, dojo/system_settings/views.py, dojo/models.py, dojo/settings/settings.dist.py, and dojo/settings/.settings.dist.py.sha256sum) cover a wide range of updates and improvements to the core functionality of the DefectDojo application, with a focus on security-related aspects, such as input validation, data handling, and secure configuration management.

Code Analysis

We ran 9 analyzers against 2 files and 3 analyzers had findings. 6 analyzers had no findings.

Analyzer                         Findings
Configured Codepaths Analyzer    21 findings
Sensitive Files Analyzer         1 finding
Authn/Authz Analyzer             6 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


@pedrohdjs
Author

I mistakenly first created this PR targeting the master branch. That might've triggered this failed check. I suggest re-running if possible (@mtesauro, could you kindly do so, please?).

@devGregA
Contributor

Hi @pedrohdjs! Just wanted to pop in to say thank you for the contribution and congrats on your first PR! I'm sure it will go smoothly. I have to leave the reviewing to the rest of the team because my python-foo isn't what it used to be, but I just wanted to say hello and thank you.

@mtesauro
Contributor

mtesauro commented Nov 2, 2024

@pedrohdjs Your PR is OK even if this test is failing:

[image]

That test is used to notify the core contributors that a PR is being done in an 'interesting' area of DefectDojo code from a non-core contributor. It's basically a flag to have us look a bit more closely at the PRs where that fails.

You're good to go with the tests as they are right now.
