
Conversation

@valentijnscholten valentijnscholten (Member) commented Jun 11, 2025

I noticed that Findings that were "Risk Accepted" in JIRA did not set the finding.risk_accepted field. Also, a full Risk_Acceptance was created even if that feature was disabled for the product. This PR corrects this.

This code is executed when a webhook comes in from JIRA or when the management command jira_status_reconciliation is run.
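The decision the description above lays out (simple acceptance only flips the finding flags, a Risk_Acceptance record is created only when the product enables full risk acceptance, nothing happens when both are disabled), as an added example that is not DefectDojo's own code: the dataclasses are constructed stand-ins for the Django models and `apply_jira_resolution` is a hypothetical function, not the project's helper.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the DefectDojo models involved (not the project's classes).
@dataclass
class Product:
    enable_simple_risk_acceptance: bool = False
    enable_full_risk_acceptance: bool = False

@dataclass
class Engagement:
    product: Product
    risk_acceptances: list = field(default_factory=list)  # stands in for Risk_Acceptance rows

@dataclass
class Finding:
    engagement: Engagement
    risk_accepted: bool = False
    active: bool = True
    false_p: bool = False

@dataclass
class JiraInstance:
    accepted_resolutions: tuple = ("Accepted", "Risk Accepted")

def apply_jira_resolution(finding, jira_instance, resolution_name, jira_key):
    """Apply a resolved JIRA status to a finding; return True if the finding changed.

    Mirrors the rule the PR enforces: the JIRA resolution is honoured only when
    the product allows risk acceptance at all, and a full Risk_Acceptance record
    is created only when full risk acceptance is enabled for the product.
    """
    product = finding.engagement.product
    accepted = resolution_name in jira_instance.accepted_resolutions
    ra_enabled = product.enable_simple_risk_acceptance or product.enable_full_risk_acceptance
    if not (accepted and ra_enabled):
        return False          # resolution not accepted, or feature disabled: leave finding untouched
    if finding.risk_accepted:
        return False          # already accepted: idempotent on repeated webhooks / reconciliation runs
    finding.risk_accepted = True
    finding.active = False
    finding.false_p = False
    if product.enable_full_risk_acceptance:
        # Only the "full" mode materialises a Risk_Acceptance attached to the engagement.
        finding.engagement.risk_acceptances.append(
            f"Risk Acceptance automatically created from JIRA issue {jira_key} "
            f"with resolution {resolution_name}"
        )
    return True
```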

@valentijnscholten valentijnscholten added this to the 2.47.2 milestone Jun 11, 2025
@valentijnscholten valentijnscholten changed the title JIRA helper: respect simple/full risk acceptance JIRA helper: respect simple/full risk acceptance on webhook processing Jun 11, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review June 11, 2025 20:33
@dryrunsecurity (DryRun Security)

This pull request introduces a potential information disclosure vulnerability through debug logging in the Jira link helper, where sensitive identifiers like jira_issue.jira_key could be exposed if debug logging is accidentally enabled in a production environment.

Information disclosure via debug logging in dojo/jira_link/helper.py

Vulnerability: Information disclosure via debug logging

Description: The patch introduces new logger.debug statements that include jira_issue.jira_key. While debug logs are generally not a high risk, if debug logging is inadvertently enabled in production, sensitive internal identifiers or system details can be exposed. This falls under information disclosure.

```python
jira_instance = get_jira_instance(finding)
if resolved:
    if jira_instance and resolution_name in jira_instance.accepted_resolutions and (finding.test.engagement.product.enable_simple_risk_acceptance or finding.test.engagement.enable_full_risk_acceptance):
        if not finding.risk_accepted:
            logger.debug(f"Marking related finding of {jira_issue.jira_key} as accepted.")
            finding.risk_accepted = True
            finding.active = False
            finding.mitigated = None
            finding.is_mitigated = False
            finding.false_p = False
            if finding.test.engagement.product.enable_full_risk_acceptance:
                logger.debug(f"Creating risk acceptance for finding linked to {jira_issue.jira_key}.")
                ra = Risk_Acceptance.objects.create(
                    accepted_by=assignee_name,
                    owner=finding.reporter,
                    decision_details=f"Risk Acceptance automatically created from JIRA issue {jira_issue.jira_key} with resolution {resolution_name}",
                )
                finding.test.engagement.risk_acceptance.add(ra)
                ra_helper.add_findings_to_risk_acceptance(User.objects.get_or_create(username="JIRA")[0], ra, [finding])
            status_changed = True
    elif jira_instance and resolution_name in jira_instance.false_positive_resolutions:
        if not finding.false_p:
```


All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch requested review from dogboat and hblankenship June 12, 2025 00:09
@mtesauro mtesauro (Contributor) left a comment

Approved

@mtesauro mtesauro merged commit 826dca6 into DefectDojo:bugfix Jun 12, 2025
77 checks passed
xansec pushed a commit to xansec/django-DefectDojo that referenced this pull request Jun 18, 2025
5 participants