django-DefectDojo

Finding path and source code

Open apxitekt0r opened this issue 1 year ago • 11 comments

Hi everyone! Maybe I don't understand or don't know how, but it would be great to unite the findings path of a scan with the source code URI method of import-scan in the API.

Actually it works online with Engagements. But import-scan has a method for source code too in the API, and for me the idea of rewriting the path in engagements or creating a new engagement after a scan looks like a bad way.

For myself I can rewrite the code, but for others it would be nice to see this function in DefectDojo.

apxitekt0r avatar Feb 03 '24 23:02 apxitekt0r

@apxitekt0r, I don't really get what you want. Could you please write steps to reproduce the issue and what you would want to achieve? Maybe also a screenshot would help? Please be more precise, I can hardly follow your description.

manuel-sommer avatar Feb 03 '24 23:02 manuel-sommer

> @apxitekt0r, I don't really get what you want. Could you please write steps to reproduce the issue and what you would want to achieve? Maybe also a screenshot would help? Please be more precise, I can hardly follow your description.

I mean that.

Screenshots attached: Screenshot_20240204-023129~2.png, Screenshot_20240204-023208~2.png, Screenshot_20240204-023029.png

On the screenshots you can see the repo source on engagements and on import-scan (API function), but when you use the source code URI in import-scan it doesn't work to create a link with -/blob/(tag/branch) for the imported test. It works only if you rewrite the repo in engagements. I want to use the source code repo function for the test scan without rewriting the repo in engagements.

apxitekt0r avatar Feb 03 '24 23:02 apxitekt0r

Can you make a PR to fix this?

manuel-sommer avatar Feb 04 '24 20:02 manuel-sommer

@quirinziessler fyi.

manuel-sommer avatar Feb 04 '24 20:02 manuel-sommer

The question is: Is this useful? In my eyes not. Engagements should reflect only one single repository. So I would rather suggest removing the irritating repo URI input from the findings API than passing it through and overwriting the engagement setting. Why don't you just update/patch the engagement accordingly @apxitekt0r? Then if you click on a finding's detail you will be redirected to the repo and finding location.

quirinziessler avatar Feb 05 '24 16:02 quirinziessler

> The question is: Is this useful? In my eyes not. Engagements should reflect only one single repository. So I would rather suggest removing the irritating repo URI input from the findings API than passing it through and overwriting the engagement setting. Why don't you just update/patch the engagement accordingly @apxitekt0r? Then if you click on a finding's detail you will be redirected to the repo and finding location.

In my view, if I rewrite the repo path for old findings, the source code URL of the finding changes too. But sometimes I need to compare old and new tags, for example, and for this I would need to create a new engagement for every new scan. Also, scans use a branch/tag, but I can't use it for the URL in the finding path without rewriting the engagement repo. And I can't push tickets to Jira with tags from scans, just from engagements.

apxitekt0r avatar Feb 05 '24 16:02 apxitekt0r
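The behaviour requested in the two comments above (use the repo URI and branch/tag supplied with the import for the finding's source link, falling back to the engagement's values, so that findings from an old tag and a new tag keep pointing at the right revision) can be sketched as a small resolver. This is an added illustration, not DefectDojo's own code: the `ScmSettings` class, the field names, the `/-/blob/` versus `/blob/` host distinction and the default ref are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, urlparse


# Hypothetical holder for the two settings discussed in the thread; the
# engagement and the imported test each carry one of these.
@dataclass
class ScmSettings:
    source_code_management_uri: Optional[str] = None
    branch_tag: Optional[str] = None


def resolve_scm(engagement: ScmSettings, test: ScmSettings) -> ScmSettings:
    """Prefer values given at import time; fall back to the engagement's values.

    This is the precedence the issue asks for, so an engagement can keep one
    repository while each imported scan points at its own tag.
    """
    return ScmSettings(
        source_code_management_uri=(
            test.source_code_management_uri or engagement.source_code_management_uri
        ),
        branch_tag=test.branch_tag or engagement.branch_tag,
    )


def build_source_link(
    scm: ScmSettings, file_path: str, line: Optional[int] = None
) -> Optional[str]:
    """Build a web link to file_path at the resolved branch/tag.

    GitLab serves files under '/-/blob/<ref>/' (the form mentioned in the
    thread); GitHub-style hosts use '/blob/<ref>/'. Returns None when no
    repository URI is known, so callers render a plain path instead of a
    broken link. The 'master' default ref is this example's choice.
    """
    if not scm.source_code_management_uri:
        return None
    repo = scm.source_code_management_uri.rstrip("/")
    if repo.endswith(".git"):
        repo = repo[:-4]
    host = urlparse(repo).hostname or ""
    blob = "/-/blob/" if "gitlab" in host else "/blob/"
    ref = scm.branch_tag or "master"
    # Normalise the scanner-reported path: no leading './' or '/', and
    # percent-encode characters that are not safe in a URL path.
    path = file_path.lstrip("./")
    link = f"{repo}{blob}{quote(ref, safe='')}/{quote(path, safe='/')}"
    if line is not None:
        link += f"#L{line}"
    return link


def demo() -> dict:
    """Constructed scenario: the engagement was scanned at tag v1.0, a new
    scan is imported with branch_tag v1.1 and no repo URI of its own."""
    engagement = ScmSettings("https://gitlab.example.com/group/app.git", "v1.0")
    new_import = ScmSettings(branch_tag="v1.1")
    old_import = ScmSettings()  # nothing supplied: inherits the engagement
    return {
        "old": build_source_link(resolve_scm(engagement, old_import), "src/auth/login.py", 42),
        "new": build_source_link(resolve_scm(engagement, new_import), "src/auth/login.py", 42),
    }


if __name__ == "__main__":
    for label, url in demo().items():
        print(label, url)
```

With this precedence the engagement's repository stays the single source of truth for the repo itself (the concern raised about engagements reflecting one repository), while the per-import branch/tag only changes which revision the link opens.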

Is it possible to change the code and the way it works?

apxitekt0r avatar Feb 29 '24 23:02 apxitekt0r

Sure, can you do a PR to improve the functionality?

manuel-sommer avatar Mar 05 '24 15:03 manuel-sommer

I haven't rewritten the code yet to try a PR.

apxitekt0r avatar Mar 05 '24 17:03 apxitekt0r

Maybe the PR will also be interesting for @quirinziessler

manuel-sommer avatar Mar 05 '24 17:03 manuel-sommer

But I guess you should make up your mind whether you do the PR to really advance/improve the already existing feature. Otherwise, it might not get merged. I haven't used this feature yet, so I can't really judge this.

manuel-sommer avatar Mar 05 '24 17:03 manuel-sommer