
Add settings #11446

Open: wants to merge 1 commit into base: dev

Conversation

FirePanda169

@FirePanda169 FirePanda169 commented Dec 20, 2024

Description

Add settings:

  • DD_SEARCH_SCM_TYPE - flag to enable/disable scm_type search
  • DD_DEFAULT_SCM_TYPE - default value for scm_type
  • DD_JIRA_CONNECT_METHOD - import path for jira connect method

DD_DEFAULT_SCM_TYPE makes it a little easier to work with scm-type, since most people use only one scm-type.
DD_SEARCH_SCM_TYPE allows you to disable search to speed up the work a little.

I think that for most it will be useful to use a combination
DD_SEARCH_SCM_TYPE = False
DD_DEFAULT_SCM_TYPE = "github" (or other)

Test results
...

* DD_SEARCH_SCM_TYPE - flag to enable/disable scm_type search
* DD_DEFAULT_SCM_TYPE - default value for scm_type
* DD_JIRA_CONNECT_METHOD - import path for jira connect method
@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Dec 20, 2024

DryRun Security Summary

The pull request enhances DefectDojo's configuration by modifying the SCM type retrieval logic, adding timeout and deduplication settings, and introducing new configuration options to improve application security and vulnerability management.


Summary:

The code changes in this pull request are focused on enhancing the configuration and functionality of the DefectDojo application, with a particular emphasis on improving the application security features. The changes include modifications to the logic for retrieving the SCM type, as well as the addition of new configuration settings related to timeouts and deduplication of findings.

The changes to the get_scm_type() method in the Endpoint model allow the application to retrieve the SCM type from a DojoMeta object associated with the Product, if it exists, and fall back to a default setting if not. This change does not introduce any obvious security concerns, as long as the DojoMeta object and the default setting are properly configured.

The addition of new configuration settings related to timeouts and deduplication of findings is also important from an application security perspective. The timeout settings can help ensure that the application is able to handle requests in a timely manner, which is important for maintaining the performance and reliability of the application, especially in high-load scenarios. The deduplication configuration settings, on the other hand, can have a significant impact on the accuracy and effectiveness of the vulnerability management process, by allowing customization of the fields used for deduplication and the deduplication algorithms.

Files Changed:

  1. dojo/models.py:

    • The get_scm_type() method in the Endpoint model has been modified to check if the SEARCH_SCM_TYPE setting is enabled and if the Engagement associated with the Endpoint has a Product. If these conditions are met, it checks if there is a DojoMeta object with the name "scm-type" for the Product. If found, it retrieves the value of the "scm-type" and returns it in lowercase. If the conditions are not met, it returns the DEFAULT_SCM_TYPE setting.
  2. dojo/settings/settings.dist.py:

    • Three new configuration settings have been added:
      • DD_SEARCH_SCM_TYPE: A boolean setting that determines whether to search for the SCM type in the DojoMeta.
      • DD_DEFAULT_SCM_TYPE: A string setting that specifies the default SCM type to use when DD_SEARCH_SCM_TYPE is False or the SCM type is not found.
      • DD_JIRA_CONNECT_METHOD: A string setting that specifies the method to use for connecting to Jira.
    • New settings related to deduplication of findings have been added, including:
      • DD_HASHCODE_FIELDS_PER_SCANNER: A dictionary that specifies the fields to use for computing the hash code for each scanner type.
      • HASHCODE_ALLOWS_NULL_CWE: A dictionary that specifies whether to allow a null CWE value when computing the hash code for each scanner type.
      • DEDUPLICATION_ALGORITHM_PER_PARSER: A dictionary that specifies the deduplication algorithm to use for each parser type.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings:
  • Configured Codepaths Analyzer: 1 finding

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

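The get_scm_type() fallback that the summary above describes, reproduced as a stand-alone Python sketch (an added example, not DefectDojo's own code). Django's settings object and the DojoMeta model are replaced by constructed in-memory stand-ins, and a hypothetical query counter is added so the effect of turning SEARCH_SCM_TYPE off is observable.

```python
"""Stand-alone reproduction (not DefectDojo's code) of the get_scm_type()
fallback described in the PR summary. Django models are replaced by tiny
in-memory stand-ins so it runs offline. The setting names are the PR's
DD_* settings without the DD_ prefix; everything else is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for django.conf.settings
@dataclass
class Settings:
    SEARCH_SCM_TYPE: bool = True
    DEFAULT_SCM_TYPE: str = "github"

# Constructed stand-in for the DojoMeta table: (product_id, name) -> value
META_TABLE = {
    (1, "scm-type"): "GitLab",     # mixed case on purpose: the method lowercases
    (2, "scm-type"): "Bitbucket",
}
lookups = 0  # hypothetical counter of DojoMeta queries, so the short circuit is visible

def dojo_meta_lookup(product_id: int, name: str) -> Optional[str]:
    """Stands in for a DojoMeta query filtered by product and name."""
    global lookups
    lookups += 1
    return META_TABLE.get((product_id, name))

@dataclass
class Endpoint:
    product_id: Optional[int]  # None models an engagement that has no Product

def get_scm_type(endpoint: Endpoint, settings: Settings) -> str:
    """Mirror of the summary's logic: query DojoMeta only when SEARCH_SCM_TYPE
    is on and a Product exists; otherwise return DEFAULT_SCM_TYPE unchanged."""
    if settings.SEARCH_SCM_TYPE and endpoint.product_id is not None:
        value = dojo_meta_lookup(endpoint.product_id, "scm-type")
        if value:
            return value.lower()
    return settings.DEFAULT_SCM_TYPE

def lookups_for(endpoints, settings):
    """Resolve every endpoint and report (scm types, number of DojoMeta queries)."""
    global lookups
    lookups = 0
    results = [get_scm_type(e, settings) for e in endpoints]
    return results, lookups

if __name__ == "__main__":
    eps = [Endpoint(1), Endpoint(2), Endpoint(3), Endpoint(None)]
    print(lookups_for(eps, Settings()))                       # search enabled
    print(lookups_for(eps, Settings(SEARCH_SCM_TYPE=False)))  # short circuit, 0 queries
```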

@FirePanda169 FirePanda169 changed the title Add settings: Add settings Dec 20, 2024
@Maffooch
Contributor

Hi @FirePanda169, I am curious about how much we would gain from short-circuiting the SCM search times. If the performance gain is negligible, I am unsure if these settings will be more helpful than they would be confusing.

@FirePanda169
Author

Hi @Maffooch I checked the response time on loading 10 findings. The time is almost the same. But I don't have records in the DojoMeta model. I don't have a chance to check more thoroughly yet.

@Maffooch
Contributor

@FirePanda169 thank you for doing the quick validation! Once you test with some DojoMeta that would trigger the code paths that these new settings are influencing, let me know what the performance savings are.
