Exception on invalid environment
Be informative
DD raises an exception (HTTP-500 - internal server error) if a user uses a name of a non-existing environment in (re)imports
Bug description
ImportScanSerializer.set_context and ReImportScanSerializer.set_context use
    context["environment"] = Development_Environment.objects.get(
        name=data.get("environment", "Development")
    )
which is able to handle an environment that is not defined but does not handle a non-existing one
Steps to reproduce
curl -X 'POST' \
'http://xxx:8080/api/v2/reimport-scan/' \
...
-F 'environment=non_existing_enviro' \
...
Expected behavior
There are 2 options
- HTTP-400 validation error
- Create environment - but set_context is happening outside of AutoCreate context
Deployment method (select with an X)
- [ ] Docker Compose
- [x] Kubernetes
- [ ] GoDojo
Environment information
- DefectDojo version (see footer) or commit message: [2024-05-14 12:04:46 -0500] 1b86b6684: Optionally Enforce SLA Remediation Days (#10179) [ (HEAD, upstream/dev)]
Logs
uwsgi-1 | [14/May/2024 19:26:39] ERROR [dojo.api_v2.exception_handler:43] Development_Environment matching query does not exist.
uwsgi-1 | Traceback (most recent call last):
uwsgi-1 | File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
uwsgi-1 | response = handler(request, *args, **kwargs)
uwsgi-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1 | File "/usr/local/lib/python3.11/site-packages/rest_framework/mixins.py", line 19, in create
uwsgi-1 | self.perform_create(serializer)
uwsgi-1 | File "/app/dojo/api_v2/views.py", line 2792, in perform_create
uwsgi-1 | serializer.save(push_to_jira=push_to_jira)
uwsgi-1 | File "/app/dojo/api_v2/serializers.py", line 2538, in save
uwsgi-1 | context = self.set_context(data)
uwsgi-1 | ^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1 | File "/app/dojo/api_v2/serializers.py", line 2415, in set_context
uwsgi-1 | context["environment"] = Development_Environment.objects.get(
uwsgi-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1 | File "/usr/local/lib/python3.11/site-packages/django/db/models/manager.py", line 85, in manager_method
uwsgi-1 | return getattr(self.get_queryset(), name)(*args, **kwargs)
uwsgi-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
uwsgi-1 | File "/usr/local/lib/python3.11/site-packages/django/db/models/query.py", line 650, in get
uwsgi-1 | raise self.model.DoesNotExist(
uwsgi-1 | dojo.models.Development_Environment.DoesNotExist: Development_Environment matching query does not exist.
uwsgi-1 | [14/May/2024 19:26:39] ERROR [django.request:241] Internal Server Error: /api/v2/reimport-scan/
I'm actually seeing this error on import with undefined environment in 2.33.7
Edit: looks like this DD instance did not get the default environments created, somehow
I had the same issue on 2.37.0 and 2.38.1 when no environment is provided in an import-scan call and no environment with the name 'Development' exists. Hence, renaming the default list of environments effectively breaks any API calls to import-scan without the environment parameter. As I found out the hard way, this includes the Dependency Track integration.
I'd expect the environment parameter to be mandatory, or else it should be possible to set a 'default' environment which would then be used if no environment is set in the API call. If a non-existing environment is provided, an HTTP 400 would be ok imho. I wouldn't go auto-creating environments as this is an admin responsibility.
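Added example, not DefectDojo's code and not part of any comment above: a stand-alone sketch contrasting the lookup quoted in the issue with a variant that turns a failed lookup into a validation error, covering both the unknown-name case and the renamed-default case reported in the thread. `EnvironmentTable`, `set_context_validated`, `status_for` and the two exception classes are hypothetical stand-ins for the Django manager, a possible fix, the API layer and DRF's `ValidationError`.

```python
class DoesNotExist(Exception):
    """Stand-in for Development_Environment.DoesNotExist."""

class ValidationError(Exception):
    """Stand-in for DRF's ValidationError, which the API renders as HTTP 400."""
    status_code = 400

class EnvironmentTable:
    """Stand-in for Development_Environment.objects, supporting only get(name=...)."""
    def __init__(self, names):
        self._names = set(names)

    def get(self, name):
        if name not in self._names:
            raise DoesNotExist("Development_Environment matching query does not exist.")
        return name

def set_context_unchecked(objects, data):
    # Lookup as quoted in the issue: DoesNotExist is never caught.
    return {"environment": objects.get(name=data.get("environment", "Development"))}

def set_context_validated(objects, data, default_name="Development"):
    # Hypothetical hardened variant: report a failed lookup as a field error.
    name = data.get("environment", default_name)
    try:
        return {"environment": objects.get(name=name)}
    except DoesNotExist:
        source = "requested" if "environment" in data else "default"
        raise ValidationError(
            {"environment": f"{source} environment '{name}' does not exist"}
        ) from None

def status_for(handler, objects, data):
    # Mimics the API layer: validation errors map to 400, any other exception to 500.
    try:
        handler(objects, data)
        return 201
    except ValidationError as exc:
        return exc.status_code
    except Exception:
        return 500

# Constructed sample data: a stock instance and one whose default environments were renamed.
STOCK = EnvironmentTable(["Development", "Production"])
RENAMED = EnvironmentTable(["Dev", "Prod"])
```

The renamed-default case is the one that breaks callers which never send `environment`, so the error message distinguishes a missing default from a bad requested name.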