
fix NoneType exception in case of simple risk acceptance #10309

Merged: 1 commit merged into DefectDojo:bugfix on Jun 3, 2024

Conversation

lme-nca
Contributor

@lme-nca lme-nca commented May 31, 2024

Description

This is a fix for the issue described here: #10237, which was introduced by myself in the original fix for the metrics here: #9013.


Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings:
  Configured Codepaths Analyzer: 1 finding
  Sensitive Files Analyzer: 0 findings
  AppSec Analyzer: 0 findings
  Authn/Authz Analyzer: 1 finding
  Secrets Analyzer: 0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on improving the deduplication functionality of the DefectDojo application. The key changes include:

  1. Making the do_dedupe_finding_task function asynchronous using the Celery task system, which improves the overall application performance.
  2. Introducing three different deduplication algorithms: "unique_id_from_tool", "hash_code", and "unique_id_from_tool_or_hash_code", providing more flexibility in identifying duplicate findings.
  3. Adding the are_endpoints_duplicates function to check if the endpoints associated with two findings are duplicates based on a configurable set of fields.
  4. Introducing the is_deduplication_on_engagement_mismatch function to handle cases where the "deduplication on engagement" configuration is different between the new finding and the existing finding being compared.
  5. Updating the set_duplicate function to handle various edge cases, such as preventing a finding from being marked as a duplicate of itself, ensuring that transitive duplication is flattened, and skipping the deduplication process if the existing finding has been mitigated.

From an application security perspective, these changes focus on improving the deduplication functionality, which is an important aspect of managing security findings. Proper deduplication helps to reduce the noise and clutter in the application, making it easier for security teams to focus on the unique and relevant findings. Additionally, the changes related to the "deduplication on engagement" configuration and the handling of endpoints can help to ensure that the deduplication process is more accurate and reliable, reducing the chances of false positives or missed duplicates.

Files Changed:

  • dojo/utils.py: This file contains the changes related to the deduplication functionality of the DefectDojo application. The key changes include making the do_dedupe_finding_task function asynchronous, introducing new deduplication algorithms, adding the are_endpoints_duplicates and is_deduplication_on_engagement_mismatch functions, and updating the set_duplicate function to handle various edge cases.

Powered by DryRun Security

Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch merged commit 23a826a into DefectDojo:bugfix Jun 3, 2024
121 of 122 checks passed