Risk Acceptance: Make API set/unset risk acceptance status

[Maffooch]

When creating/updating/deleting a risk acceptance, the status of the finding is not set/unset even though the finding is added to the risk acceptance object.

[sc-6143]

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings
Authn/Authz Analyzer	❕	3 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on improving the handling of risk acceptance functionality in the application. The key changes include:

1. Ensuring that when a risk acceptance is deleted, any findings associated with it are also properly removed. This helps maintain the integrity of the application's data and prevents potential security issues that could arise from orphaned findings.

2. Overriding the create and update methods in the RiskAcceptanceSerializer class to handle the addition and removal of findings associated with a risk acceptance instance. This ensures that the risk acceptance process is applied consistently and that findings from different engagements are not mixed, which could potentially lead to security issues.

3. Introducing a new validation check in the validate method of the RiskAcceptanceSerializer class. This check ensures that the findings associated with a risk acceptance instance belong to the same engagement, preventing the mixing of findings from different engagements.

Overall, these changes appear to be a reasonable improvement to the application's security and risk management capabilities, as they help maintain the integrity and consistency of the application's data related to risk acceptance.

Files Changed:

• dojo/api_v2/views.py: The changes in this file are related to the RiskAcceptanceViewSet class. The main change is the addition of a destroy method that handles the deletion of a risk acceptance. When a risk acceptance is deleted, the code first removes any findings that are associated with that risk acceptance, and then proceeds to delete the risk acceptance object itself. This ensures that the integrity of the application's data is maintained.

• dojo/api_v2/serializers.py: The changes in this file are related to the RiskAcceptanceSerializer class. The key changes include overriding the create and update methods to handle the addition and removal of findings associated with a risk acceptance instance, as well as introducing a new validation check to ensure that the findings associated with a risk acceptance instance belong to the same engagement.

Powered by DryRun Security

[cneill]

Just a minor comment/question on this exception message, otherwise looks good

[mtesauro]

Approved

[Maffooch]

Tests have gotten stuck. Closing and reopening to trigger again

[Maffooch]

The settings.dist.py SHA was messed up