
disallow already linked issue #11298

Open. Wants to merge 1 commit into base: bugfix

Conversation

hblankenship (Collaborator)

[sc-5525]

Fixes #9930

When using the jira_finding_mappings API endpoint, trying to update a finding's Jira mapping with a Jira issue that is already assigned to another finding will now raise a validation error.

@github-actions github-actions bot added the apiv2 label Nov 20, 2024
DryRun Security Summary

The pull request focuses on improving the handling of JIRA issue linking in the Defect Dojo application by introducing a new function to check if a finding is already linked to a JIRA issue and using it in the JIRAIssueSerializer class to prevent the creation of duplicate JIRA issues, which is a positive step in maintaining data integrity and improving the overall security and traceability of the application.


Summary:

The code changes in this pull request focus on improving the handling of JIRA issue linking in the Defect Dojo application. The changes introduce a new function, jira_already_linked(), in the dojo/jira_link/helper.py file, which checks if a finding is already linked to a JIRA issue. This function is then used in the JIRAIssueSerializer class in the dojo/api_v2/serializers.py file to validate that a JIRA issue is not already linked to a finding before creating a new one.

These changes are a positive step in maintaining data integrity and preventing duplicate JIRA issues from being created, which could lead to confusion and potential security issues. By ensuring that JIRA issues are uniquely linked to findings, the application can improve its overall security and traceability. Overall, these code changes appear to be a reasonable and appropriate security-focused update to the Defect Dojo application.

Files Changed:

  1. dojo/jira_link/helper.py:

    • Added a new function called jira_already_linked() that checks if a finding is already linked to a JIRA issue.
    • The purpose of this function is to prevent duplicate JIRA issues from being created for a finding.
  2. dojo/api_v2/serializers.py:

    • Updated the JIRAIssueSerializer class to include a validation check that calls the jira_helper.jira_already_linked() function.
    • This validation ensures that a JIRA issue is not already linked to a finding before creating a new one.
    • If a linked finding is found, the serializer will raise a ValidationError with a message indicating that the JIRA issue is already linked to another finding.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

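The check this PR adds to the jira_finding_mappings endpoint, reduced to an in-memory model so it can be run without Django. This is an added example, not DefectDojo's own code: `JiraLink`, `LinkStore`-style sample data, `find_conflicting_finding`, `mapping_conflict_message` and `validate_mapping` are names assumed for this example, standing in for the project's `jira_already_linked()` helper over the `JIRA_Issue` model and for the `JIRAIssueSerializer` validation. It keeps the two exclusions the helper makes (engagement-level links are ignored, and the finding being edited is allowed to keep its own link) and additionally returns early when the request omits the key or id, which a partial update can do.

```python
"""Added example (not DefectDojo code): in-memory model of the
"Jira issue already linked to another finding" validation."""
from dataclasses import dataclass
from typing import Optional


class ValidationError(Exception):
    """Stand-in for rest_framework.serializers.ValidationError."""


@dataclass(frozen=True)
class JiraLink:
    """One Jira link row: attached either to a finding or to an engagement."""
    jira_id: str
    jira_key: str
    finding_id: Optional[int] = None
    engagement_id: Optional[int] = None


def find_conflicting_finding(links, finding_id, jira_key, jira_id):
    """Return the id of a different finding already linked to (jira_id, jira_key),
    or None. Engagement-level links are ignored, and the finding being edited is
    excluded so re-saving its own mapping is not reported as a conflict."""
    if not jira_key or not jira_id:
        # Assumption for this example: an absent key or id must match nothing,
        # rather than being passed through to an "IS NULL"-style lookup.
        return None
    for link in links:
        if link.engagement_id is not None:
            continue
        if link.finding_id == finding_id:
            continue
        if link.jira_id == jira_id and link.jira_key == jira_key:
            return link.finding_id
    return None


def mapping_conflict_message(links, finding_id, data):
    """Serializer-style validation step: the error text, or None when the
    mapping is acceptable."""
    jira_key = data.get("jira_key")
    jira_id = data.get("jira_id")
    other = find_conflicting_finding(links, finding_id, jira_key, jira_id)
    if other is None:
        return None
    # f-string rather than "+" so a None key cannot turn into a TypeError here
    return f"JIRA issue {jira_key} already linked to finding {other}"


def validate_mapping(links, finding_id, data):
    """Raise ValidationError on a conflict, otherwise hand the data back."""
    msg = mapping_conflict_message(links, finding_id, data)
    if msg is not None:
        raise ValidationError(msg)
    return data


# Constructed sample data for this example
SAMPLE_LINKS = [
    JiraLink("10001", "SEC-1", finding_id=1),
    JiraLink("10002", "SEC-2", finding_id=2),
    JiraLink("10003", "SEC-3", engagement_id=7),
]

if __name__ == "__main__":
    # Re-linking SEC-1 to finding 5 is rejected; finding 2 keeping SEC-2 is fine.
    print(mapping_conflict_message(SAMPLE_LINKS, 5, {"jira_key": "SEC-1", "jira_id": "10001"}))
    print(mapping_conflict_message(SAMPLE_LINKS, 2, {"jira_key": "SEC-2", "jira_id": "10002"}))
```

The check is still check-then-save: two concurrent requests can both pass it. In the real application a uniqueness constraint on the link row is what actually enforces the invariant; the serializer check is the user-facing error.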

@Maffooch Maffooch (Contributor) left a comment

Updated the function to return the whole finding rather than just the ID. It could be useful in the future.

Comment on lines +1429 to +1437
```python
def jira_already_linked(finding, jira_issue_key, jira_id):
    jira_issues = JIRA_Issue.objects.filter(jira_id=jira_id, jira_key=jira_issue_key).exclude(engagement__isnull=False)
    jira_issues = jira_issues.exclude(finding=finding)

    result = 0
    if len(jira_issues) > 0:
        result = jira_issues[0].finding_id

    return result
```
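Review bot: the helper has no guard for a missing key or id. Django translates `filter(jira_key=None)` into an `IS NULL` lookup rather than matching nothing, and the serializer passes `data.get("jira_key")` and `data.get("jira_id")`, which are `None` when a partial update omits them; return `None`/`0` early when either argument is falsy. Separately, `len(jira_issues) > 0` followed by `jira_issues[0]` evaluates the whole queryset to use one row; `jira_issues.first()` gives the same answer with a `LIMIT 1`.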

Suggested change

```diff
-def jira_already_linked(finding, jira_issue_key, jira_id):
-    jira_issues = JIRA_Issue.objects.filter(jira_id=jira_id, jira_key=jira_issue_key).exclude(engagement__isnull=False)
-    jira_issues = jira_issues.exclude(finding=finding)
-    result = 0
-    if len(jira_issues) > 0:
-        result = jira_issues[0].finding_id
-    return result
+def jira_already_linked(finding, jira_issue_key, jira_id) -> Finding | None:
+    jira_issues = JIRA_Issue.objects.filter(jira_id=jira_id, jira_key=jira_issue_key).exclude(engagement__isnull=False)
+    jira_issues = jira_issues.exclude(finding=finding)
+    return jira_issues.first()
```
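Review bot: the `Finding | None` annotation does not match the body: `jira_issues.first()` yields a `JIRA_Issue` row, not the `Finding` it points to, so a caller that treats the result as a finding (for example passing its `id` to `view_finding`) gets the link row's primary key instead. Either resolve it here, e.g. `issue = jira_issues.first()` then `return issue.finding if issue else None`, or annotate it as `JIRA_Issue | None` and have callers read `.finding_id`.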

Comment on lines +1291 to +1294
```python
linked_finding = jira_helper.jira_already_linked(finding, data.get("jira_key"), data.get("jira_id"))
if linked_finding:
    msg = "JIRA issue " + data.get("jira_key") + " already linked to " + reverse("view_finding", args=(linked_finding,))
    raise serializers.ValidationError(msg)
```
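Review bot: the message is built with `+` on `data.get("jira_key")`, so if the helper ever returns a match for a request that omitted `jira_key` (see the `None` handling in the helper) this line raises `TypeError` instead of the intended validation error; an f-string, `f"JIRA issue {data.get('jira_key')} already linked to ..."`, removes that failure mode. Note also that this is check-then-save validation: two concurrent requests can both pass it and link the same issue, so a database uniqueness constraint on the link row is what actually guarantees no duplicates, while this check supplies the user-facing error.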

Suggested change

```diff
-linked_finding = jira_helper.jira_already_linked(finding, data.get("jira_key"), data.get("jira_id"))
-if linked_finding:
-    msg = "JIRA issue " + data.get("jira_key") + " already linked to " + reverse("view_finding", args=(linked_finding,))
-    raise serializers.ValidationError(msg)
+if (linked_finding := jira_helper.jira_already_linked(finding, data.get("jira_key"), data.get("jira_id"))) is not None:
+    msg = "JIRA issue " + data.get("jira_key") + " already linked to " + reverse("view_finding", args=(linked_finding.id,))
+    raise serializers.ValidationError(msg)
```
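Review bot: with the helper from the other suggestion returning `jira_issues.first()`, `linked_finding` here is a `JIRA_Issue` row, so `linked_finding.id` is the link's primary key and the `view_finding` URL in the error would point at the wrong object; use `linked_finding.finding_id` (or have the helper return the `Finding`). The `+` concatenation with `data.get("jira_key")` is unchanged from the original and still fails with `TypeError` when that value is `None`.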
