close old findings: don't overwrite mitigated timestamp #12204


Conversation

valentijnscholten
Member

@valentijnscholten valentijnscholten commented Apr 9, 2025

Sometimes (as in #12168) findings get mitigated during import because the finding is mitigated in the scan report. That scan report can also contain a mitigated timestamp. Currently DefectDojo always overwrites this timestamp during reimport. This PR changes that to not overwrite it.

This is just a quickfix, as the root cause is that the findings are already closed and don't need to be seen as old findings, as they are still in the report. We'll work on that in a later PR.
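The behaviour the PR describes, as an added illustration that is not DefectDojo's own code: a minimal stand-in for a finding, the pre-PR "always stamp now" close routine beside the post-PR "keep the report's timestamp" variant, and a small close-old-findings loop driven by constructed sample data. The `Finding` dataclass, the function names and the sample timestamps are assumptions made for this example; the real `BaseImporter.mitigate_finding` touches more fields than shown here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for a DefectDojo Finding (hypothetical; the real model is far larger).
@dataclass
class Finding:
    title: str
    active: bool = True
    is_mitigated: bool = False
    mitigated: Optional[datetime] = None  # timestamp carried in from the scan report, if any


def mitigate_finding_overwrite(finding: Finding, now: datetime) -> Finding:
    """Pre-PR behaviour (reconstructed for illustration): the reimport time always wins."""
    finding.active = False
    finding.is_mitigated = True
    finding.mitigated = now
    return finding


def mitigate_finding_preserve(finding: Finding, now: datetime) -> Finding:
    """Post-PR behaviour: only stamp 'now' when no mitigated timestamp exists yet.

    A timestamp that arrived with the scan report (or was set by an earlier
    close) is the authoritative record of when the issue was actually fixed,
    so a later reimport must not move it forward.
    """
    finding.active = False
    finding.is_mitigated = True
    if finding.mitigated is None:
        finding.mitigated = now
    return finding


def close_old_findings(
    existing: Iterable[Finding],
    titles_in_report: Iterable[str],
    mitigate: Callable[[Finding, datetime], Finding],
    now: datetime,
) -> List[Finding]:
    """Close every previously imported finding that is absent from the new report.

    Which close routine is used is injected so both behaviours can be compared.
    """
    present = set(titles_in_report)
    closed = []
    for finding in existing:
        if finding.title not in present:
            closed.append(mitigate(finding, now))
    return closed


# Constructed sample data: one finding already carries a mitigated timestamp
# from the scan report, the other does not.
REPORT_TS = datetime(2025, 4, 1, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2025, 4, 9, 9, 30, tzinfo=timezone.utc)


def demo() -> Dict[str, Optional[datetime]]:
    """Run both variants over fresh copies of the sample findings and report the timestamps."""
    results: Dict[str, Optional[datetime]] = {}
    for label, mitigate in (("overwrite", mitigate_finding_overwrite),
                            ("preserve", mitigate_finding_preserve)):
        existing = [
            Finding("SQL injection in /login", mitigated=REPORT_TS),
            Finding("Missing HSTS header"),  # no timestamp from the report
            Finding("Still present finding"),
        ]
        closed = close_old_findings(existing, ["Still present finding"], mitigate, NOW)
        for f in closed:
            results[f"{label}:{f.title}"] = f.mitigated
        results[f"{label}:closed_count"] = len(closed)  # type: ignore[assignment]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:45} {value}")
```

Running the block shows the difference the PR makes: under `overwrite` both closed findings end up stamped with the reimport time, whereas under `preserve` the finding that came with a report timestamp keeps `2025-04-01` and only the one without a timestamp gets `NOW`.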


dryrunsecurity bot commented Apr 9, 2025

DryRun Security Summary

A patch to the mitigate_finding method prevents overwriting existing mitigation timestamps, improving data integrity and reducing the risk of timestamp manipulation during import processes.


Summary: A patch to the mitigate_finding method in the BaseImporter class adds a condition to prevent overwriting existing mitigation timestamps, enhancing data integrity.

Security Findings:

• Potential Race Condition Mitigation
  • Prevents overwriting existing mitigation timestamps
  • Reduces risk of timestamp manipulation during multiple import/mitigation processes
  • Adds defensive programming approach to preserve original mitigation data

No additional security vulnerabilities were identified in the provided summary.


@Maffooch Maffooch added this to the 2.45.1 milestone Apr 10, 2025
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 3c8ef5e into DefectDojo:bugfix Apr 10, 2025
76 checks passed