
fix(api): Enable to set recommendation and decision in risk_acceptance #12303


Conversation

kiblik

@kiblik kiblik commented Apr 23, 2025

Issue

Until now, the API endpoint POST /api/v2/risk_acceptance/ (which also applies to PUT and PATCH) has not accepted recommendation and decision. As a result, DD used the default value (fix for recommendation and accept for decision). There was no error message.
For GET requests, DD translated the chosen value (one of A, V, M, F, T) to human-readable form.
It sounds nice, but not if it means that fields are not writable.
[Screenshot 2025-04-23 16:43:24]
[Screenshot 2025-04-23 16:45:00]

Solution

This PR dropped SerializerMethodFields with get_... methods, which locked these fields to read-only mode. Now, during the creation of RiskAcc, the user is able to define recommendation and decision.
[Screenshot 2025-04-23 16:59:22]

But

The only "disadvantage" is that it is no longer possible to see the human-readable form.
[Screenshot 2025-04-23 16:58:59]

No buts

APIs are not for humans but for machines, so simple values should not be the issue.
Translation is still possible based on the description in the OpenAPI spec:

$ curl 'http://localhost:8080/api/v2/oa3/schema/?format=json' 2>/dev/null | jq '.paths."/api/v2/risk_acceptance/".get.parameters[] | select(.name=="recommendation").description' -r
Recommendation from the security team.

* `A` - Accept (The risk is acknowledged, yet remains)
* `V` - Avoid (Do not engage with whatever creates the risk)
* `M` - Mitigate (The risk still exists, yet compensating controls make it less of a threat)
* `F` - Fix (The risk is eradicated)
* `T` - Transfer (The risk is transferred to a 3rd party)

or

$ curl -X 'OPTIONS' 'http://localhost:8080/api/v2/risk_acceptance/' -H 'accept: application/json' -H 'Authorization: Token xxx' 2>/dev/null | jq .actions.POST.recommendation.choices
[
  {
    "value": "A",
    "display_name": "Accept (The risk is acknowledged, yet remains)"
  },
  {
    "value": "V",
    "display_name": "Avoid (Do not engage with whatever creates the risk)"
  },
  {
    "value": "M",
    "display_name": "Mitigate (The risk still exists, yet compensating controls make it less of a threat)"
  },
  {
    "value": "F",
    "display_name": "Fix (The risk is eradicated)"
  },
  {
    "value": "T",
    "display_name": "Transfer (The risk is transferred to a 3rd party)"
  }
]
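The translation the description recommends (look the code up in the `choices` metadata that `OPTIONS /api/v2/risk_acceptance/` returns) is easy to script, and the same metadata lets a client validate codes before sending them and confirm afterwards that the server stored what was sent rather than a default. The following is an added example, not code from this PR or from DefectDojo. It assumes that the `decision` field exposes the same five choices as `recommendation`, that `name` is the risk acceptance's name field, and it embeds a constructed copy of the OPTIONS metadata instead of calling the API.

```python
"""Client-side handling of DefectDojo risk-acceptance choice codes (added example)."""

# Copied from the `jq .actions.POST.recommendation.choices` output quoted above.
TREATMENT_CHOICES = [
    {"value": "A", "display_name": "Accept (The risk is acknowledged, yet remains)"},
    {"value": "V", "display_name": "Avoid (Do not engage with whatever creates the risk)"},
    {"value": "M", "display_name": "Mitigate (The risk still exists, yet compensating controls make it less of a threat)"},
    {"value": "F", "display_name": "Fix (The risk is eradicated)"},
    {"value": "T", "display_name": "Transfer (The risk is transferred to a 3rd party)"},
]

# Constructed stand-in for the parsed OPTIONS response (no network call is made).
# Assumption: `decision` advertises the same list of choices as `recommendation`.
OPTIONS_RESPONSE = {
    "actions": {
        "POST": {
            "recommendation": {"choices": TREATMENT_CHOICES},
            "decision": {"choices": TREATMENT_CHOICES},
        }
    }
}


def choice_map(options_response, field, method="POST"):
    """Return {code: display_name} for one choice field of the OPTIONS metadata."""
    try:
        choices = options_response["actions"][method][field]["choices"]
    except KeyError as exc:
        raise KeyError(f"no choices for {method} field {field!r} in OPTIONS metadata") from exc
    return {choice["value"]: choice["display_name"] for choice in choices}


def is_valid_code(options_response, field, code):
    """True if `code` is one of the values the server advertises for `field`."""
    return code in choice_map(options_response, field)


def describe(options_response, field, code):
    """Translate a code such as 'M' to its display name; reject unknown codes."""
    mapping = choice_map(options_response, field)
    if code not in mapping:
        raise ValueError(f"{field}={code!r} is not one of {sorted(mapping)}")
    return mapping[code]


def to_code(options_response, field, value):
    """Normalise a value that may be the code or the display name to the code.

    Covers both the pre-fix GET representation (human-readable text) and the
    post-fix one (the bare code).
    """
    mapping = choice_map(options_response, field)
    if value in mapping:
        return value
    reverse = {display: code for code, display in mapping.items()}
    if value in reverse:
        return reverse[value]
    raise ValueError(f"{field}={value!r} is neither a known code nor a known display name")


def build_payload(options_response, name, recommendation, decision, **extra):
    """Validate both codes locally before POSTing so a typo cannot be dropped silently.

    `name` is assumed to be the risk acceptance's name field; any other fields
    (for example accepted_findings) are passed through via **extra.
    """
    describe(options_response, "recommendation", recommendation)
    describe(options_response, "decision", decision)
    return {"name": name, "recommendation": recommendation, "decision": decision, **extra}


def check_persisted(options_response, submitted, returned):
    """Compare the submitted codes with what a later GET returned.

    Returns {field: (sent, stored)} for every field the server did not keep,
    which is what happened before this fix (defaults 'F' and 'A' were used).
    """
    mismatches = {}
    for field in ("recommendation", "decision"):
        stored = to_code(options_response, field, returned[field])
        if stored != submitted[field]:
            mismatches[field] = (submitted[field], stored)
    return mismatches


if __name__ == "__main__":
    payload = build_payload(OPTIONS_RESPONSE, "Third-party library, patch pending", "M", "A")
    # Constructed GET bodies: what the old API reported versus the fixed one.
    before_fix = {"recommendation": "Fix (The risk is eradicated)",
                  "decision": "Accept (The risk is acknowledged, yet remains)"}
    after_fix = {"recommendation": "M", "decision": "A"}
    print("before fix:", check_persisted(OPTIONS_RESPONSE, payload, before_fix))
    print("after fix: ", check_persisted(OPTIONS_RESPONSE, payload, after_fix))
```

Running the script shows `{'recommendation': ('M', 'F')}` for the pre-fix body and an empty dict for the fixed one, i.e. the round-trip check is how a client can tell silent defaulting from a stored value regardless of whether GET returns codes or display names.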

@github-actions github-actions bot added the apiv2 label Apr 23, 2025
@kiblik kiblik force-pushed the api_risk_acc_enable_write_recommendation_and_decision branch from 3823e9b to b52dea9 Compare April 23, 2025 19:29
@kiblik kiblik marked this pull request as ready for review April 23, 2025 19:30

DryRun Security

No security concerns detected in this pull request.


All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch requested a review from blakeaowens April 25, 2025 04:16

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch requested a review from dogboat April 28, 2025 21:20
@Maffooch Maffooch added this to the 2.46.0 milestone Apr 28, 2025
@Maffooch Maffooch merged commit c15e604 into DefectDojo:bugfix Apr 29, 2025
77 checks passed
@kiblik kiblik deleted the api_risk_acc_enable_write_recommendation_and_decision branch April 29, 2025 20:11