Fix/sonarqube service key optional#14520
Closed
tejas0077 wants to merge 51 commits intoDefectDojo:bugfixfrom
Closed
Fix/sonarqube service key optional#14520tejas0077 wants to merge 51 commits intoDefectDojo:bugfixfrom
tejas0077 wants to merge 51 commits intoDefectDojo:bugfixfrom
Conversation
….56.0-2.57.0-dev Release: Merge back 2.56.0 into dev from: master-into-dev/2.56.0-2.57.0-dev
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.2 to 0.15.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.15.2...0.15.4) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….21.0 (docker-compose.override.dev.yml) (DefectDojo#14415) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…mpose.yml) (DefectDojo#14399) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…idator action from v2.0.0 to v2.1.0 (.github/workflows/renovate.yaml) (DefectDojo#14407) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v1.35.2 (.github/workflows/k8s-tests.yml) (DefectDojo#14417) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ithub/workflows/k8s-tests.yml) (DefectDojo#14418) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…43.51.2 (.github/workflows/renovate.yaml) (DefectDojo#14419) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…3.12 to v (dockerfile.integration-tests-debian) (DefectDojo#14420) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps vulners from 3.1.6 to 3.1.7. --- updated-dependencies: - dependency-name: vulners dependency-version: 3.1.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#14318) * feature: quick verify finding * keyboard shortcuts to verify/close finding * address feedback * sync to JIRA in verify_finding * lint --------- Co-authored-by: Filipe Pina <63779195+fopinappb@users.noreply.github.com>
* helpful error message rather than crash when trying to view non-URL in URL view * Update dojo/url/ui/views.py --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.47 to 2.0.48. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-version: 2.0.48 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#14423) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.1.1 to 2026.3.1. - [Commits](tfranzel/drf-spectacular-sidecar@2026.1.1...2026.3.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2026.3.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….github/workflows/validate_docs_build.yml) (DefectDojo#14437) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…thub/workflows/release-x-manual-tag-as-latest.yml) (DefectDojo#14438) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….56.1-2.57.0-dev Release: Merge back 2.56.1 into dev from: master-into-dev/2.56.1-2.57.0-dev
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 8.0.0 to 8.1.0. - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](python-gitlab/python-gitlab@v8.0.0...v8.1.0) --- updated-dependencies: - dependency-name: python-gitlab dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….56.1-2.57.0-dev Release: Merge back 2.56.1 into dev from: master-into-dev/2.56.1-2.57.0-dev
…43.60.4 (.github/workflows/renovate.yaml) (DefectDojo#14463) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… v4 (.github/workflows/release-x-manual-tag-as-latest.yml) (DefectDojo#14447) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…0 to v6.4.0 (.github/workflows/release-drafter.yml) (DefectDojo#14455) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [setuptools](https://github.com/pypa/setuptools) from 82.0.0 to 82.0.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v82.0.0...v82.0.1) --- updated-dependencies: - dependency-name: setuptools dependency-version: 82.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…Dojo#14434) * minor changes: django.conf.settings over dojo.settings * missed bit * auditlog not used anymore
Co-authored-by: valentijnscholten <4426050+valentijnscholten@users.noreply.github.com> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
…tDojo#14446) Co-authored-by: vishnuclawd-007 <vishnuclawd-007@users.noreply.github.com>
* test: add IriusRisk parser sample scan files Authored by T. Walker - DefectDojo * feat: add IriusRisk parser stub for auto-discovery Authored by T. Walker - DefectDojo * test: add IriusRisk parser unit tests (failing, TDD) Authored by T. Walker - DefectDojo * feat: implement IriusRisk CSV threat parser Authored by T. Walker - DefectDojo * docs: add IriusRisk parser documentation Authored by T. Walker - DefectDojo * fix: address gap analysis findings for IriusRisk parser - Update test CSVs from 12 to 14 columns (add MITRE reference, STRIDE-LM) - Parse MITRE reference: CWE-NNN extracts to cwe field, other values to references - Include STRIDE-LM in description when populated - Add Critical to severity mapping - Change static_finding to False per connector spec - Update documentation to reflect all changes - Add tests for CWE extraction, references, STRIDE-LM, and Critical severity Authored by T. Walker - DefectDojo * fix: remove computed unique_id_from_tool from IriusRisk parser Per PR review feedback, parsers must not compute unique_id_from_tool. Removed SHA-256 hash generation and related tests. Deduplication now relies on DefectDojo's default hashcode algorithm. Updated docs to reflect the change. Authored by T. Walker - DefectDojo * docs: remove parser line numbers from IriusRisk documentation Per PR review feedback, removed line number references from field mapping tables and prose sections to reduce maintenance burden when parser code changes. Authored by T. Walker - DefectDojo * fix: increase title truncation threshold from 150 to 500 characters Per PR review feedback, expanded title field to use more of the available 511 characters. Added test data with 627-char threat to verify truncation behavior. Updated docs accordingly. Authored by T. Walker - DefectDojo * feat: add hashcode deduplication config for IriusRisk parser Register IriusRisk Threats Scan in HASHCODE_FIELDS_PER_SCANNER and DEDUPLICATION_ALGORITHM_PER_PARSER so deduplication uses title and component_name rather than the legacy algorithm. These stable fields ensure reimports match existing findings even when risk levels or countermeasure progress change between scans. Update docs to match. Authored by T. Walker - DefectDojo * chore: retrigger CI checks Authored by T. Walker - DefectDojo --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
…7 (.github/workflows/release-x-manual-docker-containers.yml) (DefectDojo#14451) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ojo#14482) Bumps [pdfmake](https://github.com/bpampuch/pdfmake) from 0.3.5 to 0.3.6. - [Release notes](https://github.com/bpampuch/pdfmake/releases) - [Changelog](https://github.com/bpampuch/pdfmake/blob/master/CHANGELOG.md) - [Commits](bpampuch/pdfmake@0.3.5...0.3.6) --- updated-dependencies: - dependency-name: pdfmake dependency-version: 0.3.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…r-compose.yml) (DefectDojo#13582) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* perf: batch duplicate marking in batch deduplication Instead of saving each duplicate finding individually, collect all modified findings during a batch deduplication run and flush them in a single bulk_update call. Original (existing) findings are still saved individually to preserve auto_now timestamp updates and post_save signal behavior, but are deduplicated by id so each is saved at most once per batch. Reduces DB writes from O(2N) individual saves to 1 bulk_update + O(unique originals) saves for a batch of N duplicates. Performance test shows -23 queries on a second import with duplicates. * perf: restrict SELECT columns for batch deduplication via only() Add Finding.DEDUPLICATION_FIELDS — the union of all Finding fields needed across every deduplication algorithm — and apply it as an only() clause in get_finding_models_for_deduplication. This avoids loading large text columns (description, mitigation, impact, references, steps_to_reproduce, severity_justification, etc.) when loading findings for the batch deduplication task, reducing data transferred from the database without affecting query count. build_candidate_scope_queryset is intentionally excluded: it is also used for reimport matching (which accesses severity, numerical_severity and other fields outside this set) and applying only() there would cause deferred-field extra queries. * perf(dedup): defer large text fields on candidate queryset - Add Finding.DEDUPLICATION_DEFERRED_FIELDS constant listing large text columns (description, mitigation, impact, references, etc.) that are never read during deduplication or candidate matching. - Apply .defer(*Finding.DEDUPLICATION_DEFERRED_FIELDS) in build_candidate_scope_queryset to avoid loading those columns for the potentially large candidate pool fetched per dedup batch. Reduces deduplication second-import query count from 213 to 183 (-30). --------- Co-authored-by: Matt Tesauro <mtesauro@gmail.com>
…#14449) * perf(fp-history): batch false positive history processing Replaces the N+1 query pattern in false positive history with a single product-scoped DB query per batch, and switches per-finding save() calls to QuerySet.update() to eliminate redundant signal overhead. Changes: - Extract _fp_candidates_qs() as the single algorithm-dispatch helper shared by both single-finding and batch lookup paths - Add do_false_positive_history_batch() which fetches all FP candidates in one query and marks findings with a single UPDATE - do_false_positive_history() now delegates to the batch function - post_process_findings_batch (import/reimport) calls the batch function instead of a per-finding loop - _bulk_update_finding_status_and_severity (bulk edit) groups findings by (product, dedup_alg) and calls the batch function once per group; retroactive reactivation also batched the same way - Fix dead-code bug in process_false_positive_history: the condition finding.false_p and not finding.false_p was always False because form.save(commit=False) mutates the finding in place; fixed by capturing old_false_p before the form save - Replace all per-finding save()/save_no_options() in FP history paths with QuerySet.update() (bypasses signals identically to the old calls) - Move all FP history helpers from dojo/utils.py to dojo/finding/deduplication.py alongside the matching dedupe helpers All update() calls carry a comment explaining the signal-bypass equivalence with the previous save(skip_validation=True) calls. Adds 4 unit tests covering: batch single-query behaviour, retroactive batch FP marking, retroactive reactivation (previously dead code), and the no-reactivation guard. * perf(fp-history): add .only() to candidate fetch, fix update() comments Limit _fetch_fp_candidates_for_batch to only the fields actually read from candidate objects (id, false_p, active, hash_code, unique_id_from_tool, title, severity), avoiding loading unused columns. Correct update() comments to clarify that .only() does not constrain QuerySet.update() — Django generates UPDATE SQL independently — so the sync requirement is only for fields *read* from candidate objects. * test(fp-history): assert exact query count in batch tests assertNumQueries(7) on both batch tests covers: System_Settings, 4 lazy-load chain (test/engagement/product/test_type from findings[0]), candidates SELECT with .only(), and the bulk UPDATE — fixed regardless of batch size or number of retroactively marked findings. * test(fp-history): assert query count stays flat with N affected findings New test creates 5 pre-existing findings and asserts the batch still uses exactly 7 queries regardless — proving the old O(N) per-finding save loop is gone and a single bulk UPDATE covers all affected rows.
…8.0.1 (.github/workflows/rest-framework-tests.yml) (DefectDojo#14490) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…to v0.13.1 (.github/workflows/cancel-outdated-workflow-runs.yml) (DefectDojo#14491) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
github-actions
bot
added
docker
settings_changes
🔴 Risk threshold exceeded.This pull request modifies multiple sensitive codepaths (API serializers and views, finding helpers/URLs/views, and finding-related templates) with detections flagged as sensitive edits; review these changes carefully and consider configuring allowed authors or paths in .dryrunsecurity.yaml if they are expected.
🔴 Configured Codepaths Edit in
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/views.py (drs_f739cfa1)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/helper.py (drs_1570c1f5)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/urls.py (drs_75104e1e)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/views.py (drs_29629b3e)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/verify_finding.html (drs_dc9a8a39)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html (drs_ea785b16)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_89ec9cdd)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/views.py (drs_32059875)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/helper.py (drs_45db8a27)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/urls.py (drs_8dface8e)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/views.py (drs_8e935998)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/verify_finding.html (drs_5b5d7c69)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html (drs_a59853f8)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
Contributor
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
tejas0077
force-pushed
the
fix/sonarqube-service-key-optional
branch
from
e6b3582 to
d0c1e74
Compare
Contributor
Author
|
Closing this in favour of a clean PR with only the relevant change. |
Member
|
Can you rebase |
Contributor
Author
|
Closing in favour of clean PR #14530. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When a SonarQube API Scan Configuration is added without a Service Key 1,
the find_project method was called with None as the project name, causing
a confusing 400 error from SonarQube saying the component parameter is missing.
This fix adds a clear ValidationError with a helpful message when project_name
is None, so the user knows exactly what to fix instead of getting a cryptic error.
Also added the missing ValidationError import to api_client.py.
Fixes #13959
Test results
Manually traced the code path. The fix raises a clear ValidationError before
the API call is made when project_name is None.
Documentation
No documentation changes needed.
Checklist
Make sure to rebase your PR against the very latest dev.
Bugfixes should be submitted against the bugfix branch.
Give a meaningful name to your PR.
Add the proper label to categorize your PR.