♻️ Remove async import #12042
♻️ Remove async import #12042
Conversation
DryRun Security SummaryThe pull request removes deprecated asynchronous finding import features across multiple files, reducing security risks and simplifying system configuration by eliminating experimental code paths and potential concurrency-related vulnerabilities. Expand for full summaryPR Summary: Removal of deprecated asynchronous finding import feature across multiple files, including documentation updates, code cleanup in importers, and configuration settings modifications. Security Findings:
No direct security vulnerabilities were introduced by these changes. Code AnalysisWe ran
Overall Riskiness🔴 Risk threshold exceeded. We've notified @mtesauro, @grendel513. |
|
Can I suggest to change the title to "Remove async import"? |
|
Done |
|
@manuel-sommer thank you for doing this! It will definitely save us some time in the future. We are planning to remove this functionality in the June release to provide folks enough awareness and time. The earliest we could merge this would be shortly after the May release |
|
Sure, feel free to merge it later. :-) |
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
I will resolve the conflicts once this will be picked up again. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
🔴 Risk threshold exceeded.This pull request involves sensitive edits to multiple importer files in the dojo/importers directory, with potential risks including the removal of async processing methods, reduced performance scalability, and decreased flexibility in processing strategies for DefectDojo's import functionality.
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (4)
| Vulnerability | Potential Deprecated Feature Removal Risk |
|---|---|
| Description | Removal of async processing methods in base_importer.py could break existing custom importers that rely on the experimental async feature, potentially causing unexpected behavior during import processes. |
| Vulnerability | Potential Loss of Performance Scalability |
|---|---|
| Description | Removal of async processing and chunking logic in endpoint_manager.py may reduce the system's ability to distribute endpoint processing across workers, potentially impacting performance for large-scale imports. |
| Vulnerability | Reduced Flexibility in Processing Strategy |
|---|---|
| Description | Elimination of configurable async processing settings in endpoint_manager.py limits the application's adaptability to different performance requirements and processing strategies. |
| Vulnerability | Potential Inconsistent Behavior in Older Versions |
|---|---|
| Description | Removal of configuration for the experimental feature in settings.dist.py could lead to unexpected results and compatibility issues in older DefectDojo versions. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
| @@ -87,22 +87,3 @@ You can execute the following command to see the configuration: | |||
|
|
|||
| `docker compose exec celerybeat bash -c "celery -A dojo inspect stats"` | |||
| and see what is in effect. | |||
|
|
|||
| ### Asynchronous Import | |||
There was a problem hiding this comment.
Would it make sense to leave a short section behind that informs users the feature has been removed in 2.47.0? There might be users searching for async import in the docs.
| @@ -273,12 +273,6 @@ | |||
| DD_RATE_LIMITER_ACCOUNT_LOCKOUT=(bool, False), | |||
| # when enabled SonarQube API parser will download the security hotspots | |||
| DD_SONARQUBE_API_PARSER_HOTSPOTS=(bool, True), | |||
| # when enabled, finding importing will occur asynchronously, default False | |||
| # This experimental feature has been deprecated as of DefectDojo 2.44.0 (March release). Please exercise caution if using this feature with an older version of DefectDojo, as results may be inconsistent. | |||
| DD_ASYNC_FINDING_IMPORT=(bool, False), | |||
There was a problem hiding this comment.
If True, would it make sense to create an announcement banner or other alert to notify the users / admins that they are using a feature that is no longer present?
No description provided.