Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Comments

♻️ Remove async import#12042

Merged
Maffooch merged 8 commits intoDefectDojo:devfrom
manuel-sommer:remove_async_import
Jun 2, 2025
Merged

♻️ Remove async import#12042
Maffooch merged 8 commits intoDefectDojo:devfrom
manuel-sommer:remove_async_import

Conversation

@manuel-sommer
Copy link
Contributor

@manuel-sommer manuel-sommer commented Mar 18, 2025
edited
Loading

No description provided.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs labels Mar 18, 2025
@dryrunsecurity
Copy link

dryrunsecurity bot commented Mar 18, 2025
edited
Loading

DryRun Security Summary

The pull request removes deprecated asynchronous finding import features across multiple files, reducing security risks and simplifying system configuration by eliminating experimental code paths and potential concurrency-related vulnerabilities.

Expand for full summary

PR Summary: Removal of deprecated asynchronous finding import feature across multiple files, including documentation updates, code cleanup in importers, and configuration settings modifications.

Security Findings:

  • Removal of experimental async processing methods reduces potential race conditions and concurrency-related security risks
  • Eliminates configuration settings for async finding imports, simplifying the system's configuration
  • Reduces attack surface by removing deprecated and experimental code paths
  • Removes potential entry points for unintended behavior in import processes
  • Cleans up unused imports that could potentially introduce security complexities

No direct security vulnerabilities were introduced by these changes.

Code Analysis

We ran 7 analyzers against 6 files and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 7 findings

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@manuel-sommer manuel-sommer reopened this Mar 18, 2025
@valentijnscholten
Copy link
Member

valentijnscholten commented Mar 19, 2025

Can I suggest to change the title to "Remove async import"?

@manuel-sommer manuel-sommer changed the title ♻️ Deprecate async import ♻️ Remove async import Mar 19, 2025
@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Mar 19, 2025

Done

@Maffooch
Copy link
Contributor

Maffooch commented Mar 24, 2025

@manuel-sommer thank you for doing this! It will definitely save us some time in the future. We are planning to remove this functionality in the June release to provide folks enough awareness and time. The earliest we could merge this would be shortly after the May release

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Mar 24, 2025

Sure, feel free to merge it later. :-)

@github-actions
Copy link
Contributor

github-actions bot commented Mar 27, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Mar 27, 2025

I will resolve the conflicts once this will be picked up again.

@Maffooch Maffooch added this to the 2.47.0 milestone Apr 7, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Apr 15, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@dryrunsecurity
Copy link

dryrunsecurity bot commented Apr 15, 2025
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request involves sensitive edits to multiple importer files in the dojo/importers directory, with potential implications for async import functionality, performance, and system configuration flexibility, including the removal of deprecated features and configurations.

⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
💭 Unconfirmed Findings (4)
Vulnerability Potential Feature Deprecation Impact
Description Removal of async import functionality in documentation file, which could cause compatibility issues for users who have not migrated away from async import, potentially leading to unexpected behavior or data import failures.
Vulnerability Potential Performance Regression
Description Synchronous replacement of async endpoint processing in endpoint_manager.py, which may impact performance for large endpoint volumes by removing distributed processing across Celery workers.
Vulnerability Reduced Flexibility in Endpoint Processing
Description Loss of dynamic configuration for endpoint processing due to removal of configurable async import settings, reducing system adaptability.
Vulnerability Deprecated Feature Configuration Removal
Description Elimination of deprecated configurations in settings.dist.py to prevent unintended behavior and potential misconfigurations with outdated experimental features.

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@github-actions
Copy link
Contributor

github-actions bot commented May 5, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Copy link
Contributor

github-actions bot commented May 6, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented May 6, 2025

Hi @mtesauro and @Maffooch ,
I rebased. Ready to be reviewed.

mtesauro
mtesauro approved these changes May 8, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

valentijnscholten
valentijnscholten reviewed May 8, 2025
View reviewed changes
dojo/settings/settings.dist.py
DD_SONARQUBE_API_PARSER_HOTSPOTS=(bool, True),
# when enabled, finding importing will occur asynchronously, default False
# This experimental feature has been deprecated as of DefectDojo 2.44.0 (March release). Please exercise caution if using this feature with an older version of DefectDojo, as results may be inconsistent.
DD_ASYNC_FINDING_IMPORT=(bool, False),
Copy link
Member

@valentijnscholten valentijnscholten May 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If True, would it make sense to create an announcement banner or other alert to notify the users / admins that they are using a feature that is no longer present?

Copy link
Contributor Author

@manuel-sommer manuel-sommer May 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have the time right now to implement this.

valentijnscholten
valentijnscholten reviewed May 8, 2025
View reviewed changes
Copy link
Member

@valentijnscholten valentijnscholten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice cleanup, left two comments which are not really blocking the merge, just some thoughts.

@Maffooch Maffooch requested a review from hblankenship May 8, 2025 15:17
@Maffooch Maffooch requested a review from dogboat May 22, 2025 04:27
@Maffooch Maffooch merged commit 9225090 into DefectDojo:dev Jun 2, 2025
77 of 78 checks passed
@manuel-sommer manuel-sommer deleted the remove_async_import branch June 2, 2025 09:26
xansec pushed a commit to xansec/django-DefectDojo that referenced this pull request Jun 18, 2025
@manuel-sommer @xansec
♻️ Remove async import (DefectDojo#12042)
8eec1b6 
* ♻️ Deprecate async import

* simplify

* update

* fix unittest

* add docs

* update
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

@hblankenship hblankenship Awaiting requested review from hblankenship

@dogboat dogboat Awaiting requested review from dogboat

Assignees

No one assigned

Labels

docs settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR

Projects

None yet

Milestone

2.47.0

Development

Successfully merging this pull request may close these issues.

5 participants

@manuel-sommer @valentijnscholten @Maffooch @mtesauro @blakeaowens