Notifications regarding problems with Jira should ignore WARNING level events #11575

Open
d-mankowski-synerise opened this issue Jan 16, 2025 · 2 comments
@d-mankowski-synerise
d-mankowski-synerise commented Jan 16, 2025

DefectDojo version: 2.41.3

We did set Jira minimum severity to High in System settings, enabled MS Teams notifications and in System Notification Settings enabled notifications regarding JIRA problems:

[image]

And the problem is, we receive tons of messages about Finding below the minimum JIRA severity threshold:

[image]

But this is not an error, nor a problem with integration with Jira (that would be, e.g. lack of permissions or expired token). In celery-worker this is a WARNING level.

[13/Jan/2025 12:33:00] WARNING [dojo.jira_link.helper:779] <class 'dojo.models.Finding'>: CVE-2024-50602 Libexpat1 2.4.7-1ubuntu0.4 cannot be pushed to JIRA: Finding below the minimum JIRA severity threshold (High)..

IMO only ERROR level events should be sent (just as it says in the description in the UI).

@valentijnscholten
Member

valentijnscholten commented Jan 31, 2025

The reason for these messages to be displayed in Slack and other notifications is that most of the JIRA integration code runs in the background. So if in the UI a user explicitly requests a push to JIRA for a finding, there has to be some feedback on why it wasn't successful. I looked into adding an alert_only flag to the call to the notification manager to only create an alert but not the other types of notifications such as Slack, Email, etc. But I'm not sure if this is the right thing today as some people might rely on error messages being sent there, for example for any imports or other scripts running overnight via the API.

We could do this specifically for the below_minimum_threshold, only posting an Alert for that so it is still shown in the UI, but not triggering any other notification types. This has always been somewhat of a strange error checked in a strange place.

There are also other error messages generated by the JIRA logic. There is currently no way to distinguish different levels of severity.
It could be an option to start adding a severity to these messages. But the current notification system has no way of distinguishing between these levels nor any configuration options in the UI or API for this. If we want to go this route, it might be better to switch to a notification framework that supports all this.

Would be good to get some feedback from the Defect Dojo maintainers on this one @Maffooch . Shall we add this alert_only flag specifically for the below_minimum_threshold case? We could also look into preventing this case by "shifting left" the check on severity, but that would require some more work and testing.

EDIT: Looking some more at the code I think we could do the same for these error codes:

  • not_active_or_verified
  • error_empty
  • error_inactive
  • error_unsupported
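The routing the comment above proposes (an alert_only flag on the notification-manager call, applied only to the listed error codes) can be sketched as follows. This is an added example, not DefectDojo's code: the NotificationManager class, the channel names, the JiraProblem shape and the error_authentication code are assumptions; only below_minimum_threshold and the four bulleted codes come from the thread.

```python
"""Hypothetical sketch of 'alert_only' routing for JIRA problem notifications.

Added example, not DefectDojo's own code. The manager, channel names and the
event shape are assumptions; the error codes in ALERT_ONLY_CODES are the ones
named in the discussion, error_authentication is a made-up contrast case.
"""
from dataclasses import dataclass, field

# Codes the thread proposes to downgrade to an in-app alert only: they are
# expected policy outcomes, not failures of the JIRA integration itself.
ALERT_ONLY_CODES = frozenset({
    "below_minimum_threshold",
    "not_active_or_verified",
    "error_empty",
    "error_inactive",
    "error_unsupported",
})

# Channels a user can enable in System Notification Settings (assumed names).
ALL_CHANNELS = ("alert", "slack", "msteams", "mail")


@dataclass
class JiraProblem:
    """One JIRA-problem event produced by the background JIRA code."""
    code: str      # machine-readable reason, e.g. "below_minimum_threshold"
    message: str   # human-readable text shown in the alert
    finding: str   # finding label (constructed for the example)


@dataclass
class NotificationManager:
    """Fan-out stub: records what each channel would have received."""
    enabled_channels: tuple = ALL_CHANNELS
    sent: dict = field(default_factory=lambda: {c: [] for c in ALL_CHANNELS})

    def notify(self, problem: JiraProblem, alert_only: bool = False) -> list:
        """Deliver to enabled channels; with alert_only=True only the UI alert
        is created, which is the flag proposed in the thread."""
        targets = ["alert"] if alert_only else list(self.enabled_channels)
        for channel in targets:
            self.sent[channel].append(f"{problem.finding}: {problem.message}")
        return targets


def report_jira_problem(manager: NotificationManager, problem: JiraProblem) -> list:
    """Per error code: real integration failure -> fan out everywhere;
    expected policy outcome -> in-app alert only. Returns channels used."""
    return manager.notify(problem, alert_only=problem.code in ALERT_ONLY_CODES)


def demo() -> dict:
    """Run two constructed events through the router; return per-channel counts."""
    mgr = NotificationManager()
    # Constructed event mirroring the WARNING quoted in the issue report.
    report_jira_problem(mgr, JiraProblem(
        code="below_minimum_threshold",
        message="Finding below the minimum JIRA severity threshold (High)",
        finding="CVE-2024-50602 Libexpat1 2.4.7-1ubuntu0.4",
    ))
    # Constructed event for a genuine integration failure (assumed code name).
    report_jira_problem(mgr, JiraProblem(
        code="error_authentication",
        message="JIRA rejected the push: expired token",
        finding="EXAMPLE-FINDING-1",
    ))
    return {channel: len(msgs) for channel, msgs in mgr.sent.items()}


if __name__ == "__main__":
    print(demo())  # {'alert': 2, 'slack': 1, 'msteams': 1, 'mail': 1}
```

The decision is keyed on the error code rather than on the log level, so the UI feedback the comment wants for an explicit push is preserved (the alert is still created) while Slack, Teams and mail only see codes outside the allow-list; widening ALERT_ONLY_CODES is the one-line change if more codes turn out to be policy outcomes rather than failures.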

@Maffooch
Contributor

There are definitely some improvements that could be made on the notifications as they stand today, but that will likely be a much larger conversation. Your proposal here seems like a great small win for now for each of the cases outlined in the bulleted list

We could do this specifically for the below_minimum_threshold, only posting an Alert for that so it is still shown in the UI. But not trigger any other notification types.
