
Verified Status Toggle: Add Granularity #11548

Merged: 5 commits merged into DefectDojo:bugfix from verified-toggle on Jan 15, 2025

Conversation

Maffooch (Contributor) commented Jan 10, 2025

Adding some granularity to the enforce verified status to allow users to make more granular changes


[sc-9724]

github-actions bot added the labels "New Migration" (Adding a new migration file. Take care when merging.) and "unittests" on Jan 10, 2025

dryrunsecurity bot commented Jan 10, 2025

DryRun Security Summary

The pull request enhances DefectDojo's security and reliability by introducing granular system settings that allow administrators to control the enforcement of verified status across Jira integration, product grading, metrics calculations, and other critical features.


Summary:

The code changes in this pull request focus on improving the security and reliability of the DefectDojo application by introducing more granular control over the enforcement of verified status for various features, such as Jira integration, product grading, and metrics calculations.

The key changes include:

  1. Addition of new system settings (enforce_verified_status_jira, enforce_verified_status_product_grading, and enforce_verified_status_metrics) to allow the system administrator to configure the verified status requirements for different functionalities.
  2. Updates to the codebase to respect the new system settings and ensure that only verified findings are considered for critical features like Jira integration, product grading, and metrics reporting.
  3. Comprehensive test coverage to validate the behavior of the application when the verified status enforcement settings are enabled or disabled.
  4. Improvements to the handling of Jira integration, including the creation of new Jira issues for identified security findings and the enforcement of verified status for pushing findings to Jira.

From an application security perspective, these changes are positive as they provide more control and visibility over the verified status of findings, which helps to maintain the integrity and accuracy of the application's security data and reporting. The granular configuration options also allow the organization to fine-tune the security controls based on their specific needs and risk tolerance.

Files Changed:

  1. dojo/db_migrations/0219_system_settings_enforce_verified_status_jira_and_more.py: This file introduces new system settings to control the enforcement of verified status for various features.
  2. dojo/jira_link/helper.py: The changes in this file ensure that only active and verified findings are pushed to Jira.
  3. dojo/forms.py: The changes enforce the verified status requirement for findings being pushed to Jira.
  4. dojo/management/commands/jira_async_updates.py: The changes handle the synchronization of Jira issue updates with the application's findings.
  5. dojo/management/commands/push_to_jira_update.py: The changes ensure that only verified and active findings are pushed to Jira.
  6. dojo/metrics/utils.py: The changes allow the system administrator to control whether only verified findings are included in the metrics calculations.
  7. dojo/reports/views.py: The changes ensure that the endpoints displayed in the report are filtered based on the verified status of the findings.
  8. dojo/metrics/views.py: The changes introduce the enforce_verified_status_metrics setting to control the inclusion of verified findings in the metrics calculations.
  9. dojo/reports/widgets.py: The changes modify the filtering of Endpoint objects based on the verified status enforcement settings.
  10. dojo/models.py: The changes introduce new system settings to control the verified status enforcement for various features.
  11. dojo/utils.py: The changes ensure that only verified findings are considered when calculating metrics and product grades.
  12. unittests/test_jira_import_and_pushing_api.py: The changes add new test cases to validate the behavior of the JIRA integration functionality when the verified status enforcement settings are enabled or disabled.
  13. Various other test-related files: The changes include updates to the VCR test suite to handle the JIRA integration functionality and the enforcement of verified status.

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: IDOR Analyzer, 1 finding

Overall Riskiness

🟡 Please give this pull request extra attention during review.


github-actions bot removed the "parser" label on Jan 10, 2025

mtesauro (Contributor) left a comment

Approved

hblankenship (Collaborator) left a comment

Check my previous comment.

Maffooch requested a review from hblankenship on January 15, 2025 at 19:07.
Maffooch merged commit 6f614ca into DefectDojo:bugfix on Jan 15, 2025; 73 checks passed.
Maffooch deleted the verified-toggle branch on January 15, 2025 at 23:39.