Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jira issue type migration quickfix #11831

Merged
merged 3 commits into from
Feb 25, 2025
Merged

jira issue type migration quickfix #11831

merged 3 commits into from
Feb 25, 2025

Conversation

valentijnscholten
Copy link
Member

@valentijnscholten valentijnscholten commented Feb 16, 2025
edited
Loading

Fixes #11821 (for now the easy way).

A proper fix may take some time, this fix will allow users to add extra JIRA Issue Types again via DD_JIRA_EXTRA_ISSUE_TYPES

Usually you shouldn't edit existing migration files. But in this case these "choices" have no effect on the actual database model. Django ORM doesn't propagate these choices to the database. It performs the validation in Python code.

@github-actions github-actions bot added the New Migration Adding a new migration file. Take care when merging. label Feb 16, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review February 16, 2025 19:12
@dryrunsecurity DryRunSecurity
Copy link

DryRun Security Summary

The pull request updates database migration files and Docker test configurations but introduces several security concerns including exposed credentials, debug settings, and validation gaps in the Jira issue type configuration system.

Expand for full summary

This PR modifies database migration files for Jira issue type settings and updates Docker Compose configurations for unit testing.

Security Findings:

  1. Potential configuration dependency risks in migration files, with issue types now dynamically configured through settings
  2. Database credentials exposed in docker-compose.override.unit_tests.yml with hardcoded username/password (defectdojo/defectdojo)
  3. Debug mode set to 'True' in unit tests configuration, potentially exposing sensitive system information
  4. Possible configuration manipulation risk due to external issue type configuration
  5. No explicit input validation for issue type choices in migration files

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

mtesauro
mtesauro approved these changes Feb 19, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit b41e14c into DefectDojo:bugfix Feb 25, 2025
73 checks passed
quirinziessler pushed a commit to quirinziessler/django-DefectDojo that referenced this pull request Feb 26, 2025
@valentijnscholten @quirinziessler
jira issue type migration quickfix (DefectDojo#11831)
69742ac 
* jira issue type migration quickfix

* jira issue type migration quickfix: add env variable to unit test

* jira issue type migration quickfix: add env variable to unit test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@hblankenship hblankenship hblankenship approved these changes

@Maffooch Maffooch Maffooch approved these changes

Assignees
No one assigned
Labels
docker New Migration Adding a new migration file. Take care when merging.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@valentijnscholten @mtesauro @dogboat @hblankenship @Maffooch