
jira push error reasons should not be propagated to all channels #11738

Open
wants to merge 3 commits into base: bugfix

Conversation

valentijnscholten
Member

Description

Historically the current notification system always propagates all messages to all channels configured for the notification type / source.
Some messages however are not relevant for all channels, for example reasons why findings cannot be pushed to JIRA.
But we do need to display these alerts in the UI because that's the only place where users can see feedback of these errors/warnings.
This PR introduces an alert_only flag to indicate that notifications should only be an alert.
It does reuse all the existing NotificationManager logic around System vs Personal notifications, templating and recipients.

This PR also fixes a bug where the "See All Alerts / Clear All Alerts" buttons were not shown due to a JavaScript error.

Fixes #11575

Test results
Creating a unit test for this is currently not possible, unless I create a whole bunch of code to Mock more things.
I'm not sure if that's worth it for this small corner case situation.
I did test the different scenarios, and can still create JIRA issues: https://defectdojo.atlassian.net/browse/DOJOTEST-24
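
The routing the description above talks about, shown as an added example that is not DefectDojo's own code: one dispatcher resolves channels from system and personal settings and templates the message for every channel, and an `alert_only` flag filters the resulting deliveries down to the in-app alert channel instead of bypassing that shared logic. The settings layout, the `Delivery` record, the channel names and the `jira_push_error` helper are all hypothetical.

```python
"""Added example (not DefectDojo's own code): a minimal notification dispatcher
that shares recipient resolution and templating across channels but lets a
caller flag a message as alert_only, so it is created as an in-app alert and
never forwarded to outbound channels. Names and the settings layout are
hypothetical."""
from dataclasses import dataclass, field

ALERT = "alert"  # in-app alert; the only channel the user can see in the UI
OUTBOUND = ("mail", "slack", "msteams")  # hypothetical external channels


@dataclass
class NotificationSettings:
    """Channels enabled per event type, for one user (personal) or globally (system)."""
    channels: dict[str, set[str]] = field(default_factory=dict)

    def for_event(self, event: str) -> set[str]:
        return set(self.channels.get(event, set()))


@dataclass(frozen=True, order=True)
class Delivery:
    channel: str
    recipient: str  # "*" marks a shared outbound channel such as a team Slack room
    text: str


def render(template: str, **ctx: str) -> str:
    """Templating step shared by every channel."""
    return template.format(**ctx)


def create_notification(event: str, title: str, description: str, *,
                        recipients: list[str],
                        system_settings: NotificationSettings,
                        personal_settings: dict[str, NotificationSettings],
                        alert_only: bool = False) -> list[Delivery]:
    """Resolve channels from system and personal settings, then build deliveries.

    alert_only leaves the resolution logic untouched and only filters the
    result down to the in-app alert channel.
    """
    text = render("{title}: {description}", title=title, description=description)
    deliveries: set[Delivery] = set()

    # System notifications: alerts are always per user, outbound channels are shared.
    for channel in system_settings.for_event(event):
        if channel == ALERT:
            deliveries.update(Delivery(ALERT, user, text) for user in recipients)
        else:
            deliveries.add(Delivery(channel, "*", text))

    # Personal notifications: each recipient's own preferences.
    for user in recipients:
        for channel in personal_settings.get(user, NotificationSettings()).for_event(event):
            deliveries.add(Delivery(channel, user, text))

    if alert_only:
        deliveries = {d for d in deliveries if d.channel == ALERT}
    return sorted(deliveries)


def jira_push_error(finding_id: int, reason: str, **kwargs) -> list[Delivery]:
    """A JIRA push failure only matters in the UI, so it is sent alert_only."""
    return create_notification(
        "jira_update",
        f"Finding {finding_id} was not pushed to JIRA",
        reason,
        alert_only=True,
        **kwargs,
    )


if __name__ == "__main__":
    # Constructed sample settings: system sends alerts and Slack, alice also wants mail.
    system = NotificationSettings({"jira_update": {ALERT, "slack"}})
    personal = {"alice": NotificationSettings({"jira_update": {ALERT, "mail"}})}
    for d in jira_push_error(42, "finding is inactive", recipients=["alice", "bob"],
                             system_settings=system, personal_settings=personal):
        print(d)
```

With the constructed settings, a normal `create_notification` call for `jira_update` produces Slack, mail and alert deliveries; the same call through `jira_push_error` yields only one alert per recipient, and the duplicate alert alice would otherwise get from both the system and her personal settings collapses into one.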

@github-actions github-actions bot added the ui label Feb 5, 2025

dryrunsecurity bot commented Feb 5, 2025

DryRun Security Summary

The code changes in DefectDojo encompass improvements to the notification system, user interface, and Jira integration, focusing on enhanced security features, better usability, and more reliable integration capabilities through selective notification handling, improved UI functionality, and enhanced Jira synchronization.


Summary:

The provided code changes cover several improvements and enhancements to the DefectDojo application, with a focus on the notification system, user interface, and Jira integration. From an application security perspective, these changes introduce several positive improvements:

  1. Selective Notification Handling: The addition of the alert_only parameter in the notification system allows critical security-related notifications to be sent as alerts, ensuring they are not missed even if other notification channels are temporarily unavailable or misconfigured.
  2. Improved UI and Functionality: The changes to the user interface and navigation menus provide users with better access to key features, such as managing findings, engagements, and product settings. The improved HTML escaping function also helps prevent potential cross-site scripting (XSS) vulnerabilities.
  3. Enhanced Jira Integration: The changes to the Jira integration, including improved error handling, status synchronization, and attachment handling, help ensure that the integration between DefectDojo and Jira is more reliable and provides better visibility into any issues that may arise.

Overall, these code changes appear to be focused on improving the security, usability, and reliability of the DefectDojo application, which is an important tool for managing application security processes.

Files Changed:

  1. dojo/notifications/helper.py: This file was updated to introduce a new alert_only parameter in the create_notification function, allowing certain notifications to be sent as alerts only. This helps ensure that critical security-related notifications are not missed.
  2. dojo/templates/base.html: The changes in this file focus on improving the user interface and navigation, providing users with better access to key features such as managing findings, engagements, and product settings. The updated htmlEscape function also helps prevent potential XSS vulnerabilities.
  3. dojo/finding/views.py: The changes in this file improve the logging and error reporting for issues related to pushing findings to Jira, providing more specific information about why a finding or finding group could not be pushed.
  4. dojo/jira_link/helper.py: This file was updated to improve the Jira integration, including conditional Jira pushes, Jira issue metadata retrieval, status synchronization, attachment handling, and error handling and notification. These changes help ensure the reliability and visibility of the Jira integration.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.


Contributor

@mtesauro mtesauro left a comment


Approved


3 participants