Support custom fields in DefectDojo findings to fill specific custom fields in Jira #10149
merge upstream master into local master
Merge Upstream dev into local dev
# Conflicts:
# dojo/api_v2/serializers.py
# dojo/engagement/views.py
# dojo/importers/importer/importer.py
# dojo/importers/reimporter/reimporter.py
# dojo/tools/generic/parser.py
# unittests/test_importers_closeold.py
# unittests/test_importers_importer.py
# unittests/tools/test_generic_parser.py
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🔴 Risk threshold exceeded. Adding a reviewer if one is configured in notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.

Summary: The changes in this pull request focus on enhancing the functionality and security of the DefectDojo application, particularly in the areas of Jira integration, custom field handling, and report parsing. The key changes include:

From a security perspective, the changes appear to be focused on improving the overall robustness and security of the application. The handling of custom fields, the validation of user input, and the improvements to the Jira integration are all positive steps in ensuring the secure operation of the DefectDojo application. However, it's important to ensure that all user-supplied data is properly validated and sanitized throughout the application to prevent potential security vulnerabilities, such as injection attacks or unintended data exposure. Additionally, the use of hardcoded values and the potential for sensitive information exposure should be carefully reviewed and addressed.

Files Changed:
Hi @FallenAtticus thank you for producing this feature! I will discuss it with other moderators of the project to determine how we will proceed with it.

This pull request has conflicts, please resolve those before we can evaluate the pull request.
Description
In this PR I want to enhance the generic report importer of DefectDojo to extract some custom fields/columns from report files in order to send these custom fields to Jira and fill the mapped custom fields with the values from the report.
Let's assume you have a report with all of the required columns, but also some more columns you want to have in your findings.
If you supply the following custom field mapping during the import / reimport:
{"customfield_12345": "CustomColumnA", "customfield_12346": "CustomColumnB"}
The importer would map the columns into a new JSON map with the custom field IDs as keys and the value of each report row as the value. For example:
{"customfield_12345": "USD123.00", "customfield_12346": "96%"}
This JSON is stored in a new field in the finding table called "custom_fields".
Jira will merge the finding custom fields with existing product custom fields and send them to Jira.
Test results
I have added a bunch of unit tests for this change.
Documentation
I am not sure if the documentation needs to be updated. Please let me know.
Checklist
This checklist is for your information.
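The column-to-custom-field mapping described in the PR, as an added stand-alone example (not DefectDojo's own importer code): it parses and validates the user-supplied mapping JSON, builds the per-finding `custom_fields` map from each report row, and merges it with product-level custom fields. The `customfield_<digits>` identifier check, the rule that finding-level values override product-level ones, and the sample CSV report are assumptions of this example, not taken from the PR.

```python
"""Added example (not DefectDojo's code): mapping generic-report columns to Jira custom fields."""
import csv
import io
import json
import re

# Assumption: Jira custom field identifiers have the form "customfield_<digits>".
# Restricting keys to that shape keeps a user-supplied mapping from naming
# arbitrary Jira fields (e.g. "summary" or "assignee").
CUSTOM_FIELD_ID = re.compile(r"^customfield_\d+$")


def parse_custom_field_mapping(raw: str) -> dict:
    """Parse and validate the mapping supplied at import/reimport time.

    Only a flat JSON object of {jira_custom_field_id: report_column_name}
    with non-empty string values is accepted.
    """
    try:
        mapping = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"custom field mapping is not valid JSON: {exc}") from exc
    if not isinstance(mapping, dict):
        raise ValueError("custom field mapping must be a JSON object")
    for field_id, column in mapping.items():
        if not CUSTOM_FIELD_ID.match(field_id):
            raise ValueError(f"not a Jira custom field id: {field_id!r}")
        if not isinstance(column, str) or not column.strip():
            raise ValueError(f"column name for {field_id} must be a non-empty string")
    return mapping


def extract_custom_fields(row: dict, mapping: dict) -> dict:
    """Build one finding's custom_fields JSON from a single report row.

    Only mapped columns are exported; columns absent or empty in the row are
    skipped so that blank values are not pushed to Jira.
    """
    custom_fields = {}
    for field_id, column in mapping.items():
        value = row.get(column)
        if value not in (None, ""):
            custom_fields[field_id] = value
    return custom_fields


def merge_custom_fields(product_fields: dict, finding_fields: dict) -> dict:
    """Merge product-level and finding-level custom fields.

    Assumption of this example: a finding-level value overrides the product-level
    value for the same custom field id.
    """
    merged = dict(product_fields)
    merged.update(finding_fields)
    return merged


# Constructed sample report in the generic CSV format, with two extra columns.
SAMPLE_CSV = """title,severity,description,CustomColumnA,CustomColumnB
Weak TLS config,Medium,Server accepts TLS 1.0,USD123.00,96%
Missing CSP header,Low,No Content-Security-Policy header,,80%
"""

# The mapping from the PR description.
SAMPLE_MAPPING = '{"customfield_12345": "CustomColumnA", "customfield_12346": "CustomColumnB"}'


def import_report(report_csv: str = SAMPLE_CSV, mapping_json: str = SAMPLE_MAPPING) -> list:
    """Parse the report and attach a custom_fields map to every finding."""
    mapping = parse_custom_field_mapping(mapping_json)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        findings.append({
            "title": row["title"],
            "custom_fields": extract_custom_fields(row, mapping),
        })
    return findings


if __name__ == "__main__":
    for finding in import_report():
        print(finding["title"], json.dumps(finding["custom_fields"]))
```

The validation step matters because the mapping arrives with the import request: without it, a malformed or non-object JSON document would either crash the importer or let callers address Jira fields other than custom fields.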