Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(api): Enable to set recommendation and decision in risk_acceptance#12303

Merged
Maffooch merged 1 commit into
DefectDojo:bugfixfrom
kiblik:api_risk_acc_enable_write_recommendation_and_decision
Apr 29, 2025
Merged

fix(api): Enable to set recommendation and decision in risk_acceptance#12303
Maffooch merged 1 commit into
DefectDojo:bugfixfrom
kiblik:api_risk_acc_enable_write_recommendation_and_decision

Conversation

@kiblik
Copy link
Copy Markdown
Contributor

@kiblik kiblik commented Apr 23, 2025
edited
Loading

Issue

Until now, the API endpoint POST /api/v2/risk_acceptance/ (which also applies to PUT and PATCH) has not accepted recommendation and decision. As a result, DD used the default value (fix for recommendation and accept for decision). There was no error message.
For GET requests, DD translated the chosen value (one of A, V, M, F, T) to human-readable form.
It sounds nice, but not if it means that fields are not writable.
Screenshot 2025-04-23 at 16 43 24
Screenshot 2025-04-23 at 16 45 00

Solution

This PR dropped SerializerMethodFields with get_... methods, which locked these fields to read-only mode. Now, during the creation of RiskAcc, the user is able to define recommendation and decision.
Screenshot 2025-04-23 at 16 59 22

But

The only "disadvantage" is that it is now unable to see a human-readable form anymore.
Screenshot 2025-04-23 at 16 58 59

No buts

APIs are not for humans but for machines, so simple values should not be the issue.
Translation is still possible based on the description in the OpenAPI spec:

$ curl 'http://localhost:8080/api/v2/oa3/schema/?format=json' 2>/dev/null | jq '.paths."/api/v2/risk_acceptance/".get.parameters[] | select(.name=="recommendation").description' -r
Recommendation from the security team.

* `A` - Accept (The risk is acknowledged, yet remains)
* `V` - Avoid (Do not engage with whatever creates the risk)
* `M` - Mitigate (The risk still exists, yet compensating controls make it less of a threat)
* `F` - Fix (The risk is eradicated)
* `T` - Transfer (The risk is transferred to a 3rd party)

or

$ curl -X 'OPTIONS' 'http://localhost:8080/api/v2/risk_acceptance/' -H 'accept: application/json' -H 'Authorization: Token xxx' 2>/dev/null | jq .actions.POST.recommendation.choices
[
  {
    "value": "A",
    "display_name": "Accept (The risk is acknowledged, yet remains)"
  },
  {
    "value": "V",
    "display_name": "Avoid (Do not engage with whatever creates the risk)"
  },
  {
    "value": "M",
    "display_name": "Mitigate (The risk still exists, yet compensating controls make it less of a threat)"
  },
  {
    "value": "F",
    "display_name": "Fix (The risk is eradicated)"
  },
  {
    "value": "T",
    "display_name": "Transfer (The risk is transferred to a 3rd party)"
  }
]

@github-actions github-actions Bot added the apiv2 label Apr 23, 2025
@kiblik kiblik force-pushed the api_risk_acc_enable_write_recommendation_and_decision branch from 3823e9b to b52dea9 Compare April 23, 2025 19:29
@kiblik kiblik marked this pull request as ready for review April 23, 2025 19:30
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Apr 23, 2025

DryRun Security

No security concerns detected in this pull request.

All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch requested a review from blakeaowens April 25, 2025 04:16
mtesauro
mtesauro approved these changes Apr 26, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch requested a review from dogboat April 28, 2025 21:20
@Maffooch Maffooch added this to the 2.46.0 milestone Apr 28, 2025
@Maffooch Maffooch merged commit c15e604 into DefectDojo:bugfix Apr 29, 2025
77 checks passed
@kiblik kiblik deleted the api_risk_acc_enable_write_recommendation_and_decision branch April 29, 2025 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@Maffooch Maffooch Maffooch approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees

No one assigned

Labels

apiv2 unittests

Projects

None yet

Milestone

2.46.0

Development

Successfully merging this pull request may close these issues.

5 participants

@kiblik @mtesauro @dogboat @Maffooch @blakeaowens