Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ruff: Add and fix S113 #11198

Merged
merged 3 commits into from
Nov 12, 2024
Merged

Ruff: Add and fix S113 #11198

merged 3 commits into from
Nov 12, 2024

Conversation

kiblik
Copy link
Contributor

@kiblik kiblik commented Nov 5, 2024

Add RUFF rule S113 https://docs.astral.sh/ruff/rules/request-without-timeout/

Regular parts have been easy to identify. Issues in sessions have not been marked yet but I fixed them.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR parser labels Nov 5, 2024
Copy link

dryrunsecurity bot commented Nov 5, 2024

DryRun Security Summary

The pull request focuses on improving the security and reliability of various API integrations within the DefectDojo application, including the addition of timeout parameters, improved error handling, and updates to configuration settings, which help mitigate potential security risks and ensure the long-term security and reliability of the application.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and reliability of various
API integrations within the DefectDojo application. The key changes include the addition of
timeout parameters for API requests, improved error handling, and updates to configuration
settings. These changes help mitigate potential security risks, such as denial-of-service
vulnerabilities and improper handling of API responses.

The changes cover a wide range of API integrations, including Bugcrowd, Cobalt, SonarQube,
Edgescan, Risk Recon, and the Microsoft Graph API. In each case, the addition of timeout
parameters is a positive security enhancement, as it prevents the application from getting
stuck waiting for unresponsive API calls.

Additionally, the changes include improvements to error handling, which help the application
gracefully handle API errors and provide more meaningful feedback to users. The updates to
configuration settings, such as the DD_REQUESTS_TIMEOUT and DD_REQUIRE_PASSWORD_ON_USER
settings, also contribute to the overall security and maintainability of the application.

While the changes do not introduce any obvious security vulnerabilities, it's important to
continue reviewing the application's security posture, especially when integrating with
third-party services and APIs. Ongoing monitoring, testing, and updating of security
configurations and practices are crucial to ensure the long-term security and reliability
of the DefectDojo application.

Files Changed:

  • dojo/jira_link/helper.py: The changes add a timeout parameter to the requests.post()
    call when closing a JIRA epic, which is a positive security enhancement.
  • dojo/management/commands/import_github_languages.py: The changes add a timeout parameter
    to the HTTP request to the GitHub colors JSON file and include robust exception handling,
    both of which are good security practices.
  • dojo/notifications/helper.py: The changes add timeouts to various HTTP requests and
    handle the sending of notifications to Slack, Microsoft Teams, and configured webhook
    endpoints in a secure manner.
  • dojo/settings/.settings.dist.py.sha256sum: The changes update the SHA-256 hash file,
    which is likely used to verify the integrity of the corresponding configuration file.
    This change is expected and does not introduce any apparent security risks.
  • dojo/pipeline.py: The changes add a timeout parameter to the API call to the Microsoft
    Graph API, which is a positive security enhancement. However, the code still relies on
    external API calls, which introduces potential security risks that should be considered.
  • dojo/tools/api_bugcrowd/api_client.py, dojo/tools/api_cobalt/api_client.py,
    dojo/tools/api_sonarqube/api_client.py, dojo/tools/api_edgescan/api_client.py,
    dojo/tools/api_risk_recon/api.py: These changes all involve adding timeout parameters
    to API requests, which is a security best practice to prevent the application from
    getting stuck waiting for unresponsive API calls.
  • dojo/settings/settings.dist.py: The changes include adding a new setting
    DD_REQUESTS_TIMEOUT to set the timeout for HTTP requests, as well as updates to
    notification system settings and a new setting to require a password when creating
    or updating users.
  • ruff.toml: The changes update the Ruff linter configuration, adding a rule to
    check for the use of time.sleep() and removing a rule related to assert statements.
    These changes are focused on improving code quality and performance, rather than
    addressing specific security vulnerabilities.

Code Analysis

We ran 9 analyzers against 12 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

kiblik and others added 2 commits November 12, 2024 19:13
Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro merged commit fbbcef0 into DefectDojo:dev Nov 12, 2024
73 checks passed
@kiblik kiblik deleted the ruff_S113 branch November 12, 2024 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants