Per-Project SLA Config #6413

Merged
merged 35 commits into from
Aug 2, 2022

Conversation

@37b 37b commented Jun 15, 2022

This PR includes functionality to set the SLA per Product (if wanted). I am looking for others to test this out and provide feedback.

During migration the current SLA settings are copied moved into a new Default SLA Configuration that is used for all Products that otherwise do not specify a custom SLA.

Additional SLA Configurations can be created and applied to Products individually.

@github-actions github-actions bot added apiv2 docker integration_tests New Migration Adding a new migration file. Take care when merging. ui unittests labels Jun 15, 2022
@accesslint accesslint bot left a comment

There are accessibility issues in these changes.

@Maffooch

@37b The integration tests are failing for adding a product. I imagine selenium is barfing on the extra element because it likely uses xpath to identify elements.

37b commented Jun 16, 2022

> @37b The integration tests are failing for adding a product. I imagine selenium is barfing on the extra element because it likely uses xpath to identify elements.

Saw that. Looking at a fix when I get back from holiday.

@github-actions

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@devGregA

@37b targeting next release for getting this merged. Thank you for your PR!

@github-actions

Conflicts have been resolved. A maintainer will review the pull request shortly.

dsever commented Jul 28, 2022

For me it makes more sense to assign an adapted SLA per product type than per single product.

37b commented Jul 28, 2022

@dsever I thought about that at first but it's less flexible. We have different SLAs for different risk profiles which don't closely align with product type (in our org).

With this approach the SLA could be named to match the product type so at least to casual users they are aligned for your use case while under the hood they are separate.

@JoshBrodieTM

> For me it makes more sense to assign an adapted SLA per product type than per single product.

I'm highly anticipating SLA per product. We've taken the suggestion in documentation of having Product Types be Business Units. In each business unit, any given product will have a criticality rating. I'm looking to iterate over our products and set the SLA per product based on the criticality rating. Changing the rating per Product Type would require regrouping products into Product Types by criticality. Definitely agree with the above that SLA per Product allows the same SLA to be set across a Product Type without preventing this use case.

dsever commented Jul 28, 2022

> > For me it makes more sense to assign an adapted SLA per product type than per single product.
>
> I'm highly anticipating SLA per product. We've taken the suggestion in documentation of having Product Types be Business Units. In each business unit, any given product will have a criticality rating. I'm looking to iterate over our products and set the SLA per product based on the criticality rating. Changing the rating per Product Type would require regrouping products into Product Types by criticality. Definitely agree with the above that SLA per Product allows the same SLA to be set across a Product Type without preventing this use case.

From my point of view none of this is adaptable enough to solve the SLA problem in general. I was thinking of something like this: https://owasp.slack.com/archives/C014H3ZV9U6/p1655809862156139. We have already created a backlog item for this in the company and would like to have it as a PoC, to have a kind of advanced SLA logic.

37b commented Jul 28, 2022

> > > For me it makes more sense to assign an adapted SLA per product type than per single product.
> >
> > I'm highly anticipating SLA per product. We've taken the suggestion in documentation of having Product Types be Business Units. In each business unit, any given product will have a criticality rating. I'm looking to iterate over our products and set the SLA per product based on the criticality rating. Changing the rating per Product Type would require regrouping products into Product Types by criticality. Definitely agree with the above that SLA per Product allows the same SLA to be set across a Product Type without preventing this use case.
>
> From my point of view none of this is adaptable enough to solve the SLA problem in general. I was thinking of something like this: https://owasp.slack.com/archives/C014H3ZV9U6/p1655809862156139. We have already created a backlog item for this in the company and would like to have it as a PoC, to have a kind of advanced SLA logic.

@dsever Are you saying you want the SLA to change on the fly based on other criteria set on the product? That kind of approach can be done via scripts/API using the basic per-product SLA implementation. It could possibly also be added as a feature flag for those who want more complex logic built into the tool. The idea was to keep it simple and see what works/doesn't work so it can be iterated upon.

dsever commented Jul 28, 2022

> > > > For me it makes more sense to assign an adapted SLA per product type than per single product.
> > >
> > > I'm highly anticipating SLA per product. We've taken the suggestion in documentation of having Product Types be Business Units. In each business unit, any given product will have a criticality rating. I'm looking to iterate over our products and set the SLA per product based on the criticality rating. Changing the rating per Product Type would require regrouping products into Product Types by criticality. Definitely agree with the above that SLA per Product allows the same SLA to be set across a Product Type without preventing this use case.
> >
> > From my point of view none of this is adaptable enough to solve the SLA problem in general. I was thinking of something like this: https://owasp.slack.com/archives/C014H3ZV9U6/p1655809862156139. We have already created a backlog item for this in the company and would like to have it as a PoC, to have a kind of advanced SLA logic.
>
> @dsever Are you saying you want the SLA to change on the fly based on other criteria set on the product? That kind of approach can be done via scripts/API using the basic per-product SLA implementation.

Then the brain/logic is outside of the platform; a script needs to pick up product/product type metadata and make a decision about what to apply, which is not so convenient. I'm just describing our use case, and why we want to enable more programmable, advanced SLA definitions.

@github-actions github-actions bot removed the docker label Jul 29, 2022

@Maffooch Maffooch left a comment

I think this is good from a first iteration pov. The logic of changing SLA conf based on criticality and other vars within the product will likely mean something slightly different to everybody. Maybe it would be good to keep it a manual change for now, and then based on community use and standards, we could set some sane defaults.

@StefanFl

IMO this PR makes DefectDojo better. I would like to see the SLA configuration per Product Type, but this should be easy to add in another PR. Having it even more configurable like @dsever proposed would be the next step.

StefanFl commented Aug 1, 2022

@Maffooch @dsever Any objections about merging this PR?

Maffooch commented Aug 2, 2022

No objections from me! Will merge this after release.

@Maffooch Maffooch merged commit 6463cfa into DefectDojo:dev Aug 2, 2022