
Ruff: Add and fix Q000 #10095

Merged
merged 4 commits into DefectDojo:dev from kiblik:ruff_q000
Jul 12, 2024

Conversation

kiblik

@kiblik kiblik commented May 2, 2024

PEP8 was fixed last year, but there was no linter checking for new findings.
This should fix that and help in the future.

https://docs.astral.sh/ruff/rules/#flake8-quotes-q

@github-actions github-actions bot added labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, unittests, integration_tests, ui, parser on May 2, 2024
@kiblik kiblik marked this pull request as ready for review May 2, 2024 14:29

github-actions bot commented May 2, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented May 3, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


dryrunsecurity bot commented May 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status (findings per analyzer):
  Server-Side Request Forgery Analyzer: 0 findings
  Configured Codepaths Analyzer: 0 findings
  IDOR Analyzer: 0 findings
  Sensitive Files Analyzer: 5 findings
  SQL Injection Analyzer: 0 findings
  Authn/Authz Analyzer: 48 findings
  Secrets Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover a wide range of functionality within the Defect Dojo application, a web-based application vulnerability management tool. The changes span multiple modules, including the API, endpoint management, credential management, engagement management, finding management, and various utility functions.

Overall, the code changes demonstrate a strong focus on security, with an emphasis on implementing robust authorization and access control mechanisms, secure data handling, and performance optimizations. The use of Django's built-in security features, such as input validation and sanitization, as well as the extensive use of authorization decorators and custom permission checks, suggests that security is a key priority in the development of this application.

While the changes do not directly introduce any obvious security vulnerabilities, it is important to review the implementation details and the broader context of the application to ensure that there are no potential security risks or unintended consequences. This includes verifying the proper handling of sensitive data, the secure integration with external systems (e.g., JIRA), and the overall adherence to security best practices throughout the codebase.

Files Changed:

  1. dojo/__init__.py: This file has been updated to reflect the latest version, project URL, and documentation URL for the Defect Dojo application.
  2. .github/workflows/release-1-create-pr.yml: This GitHub Actions workflow is responsible for creating a pull request to merge a new release branch into the master branch, ensuring that the version numbers are consistently updated across the project.
  3. dojo/admin.py: The changes update the admin interface for the AnswerParentAdmin model, modifying the display of certain fields.
  4. .github/workflows/release-3-master-into-dev.yml: This workflow is responsible for creating pull requests to merge the changes from the master branch into the dev and bugfix branches, ensuring that the version numbers are properly updated.
  5. dojo/api_v2/prefetch/schema.py: The changes in this file are related to the implementation of a prefetch functionality in the API version 2 of the Defect Dojo application.
  6. dojo/apps.py: The changes in this file are focused on the integration of the Watson search engine and the configuration of various models for indexing and searching.
  7. dojo/api_v2/views.py: The changes in this file are related to the configuration of the API documentation and the use of a custom renderer for the API responses.
  8. dojo/api_v2/serializers.py: This file contains various serializers used throughout the Defect Dojo application, handling the serialization and deserialization of different models and data structures.
  9. dojo/celery.py: The changes in this file are related to the configuration and setup of the Celery task queue system within the Django project.
  10. dojo/components/views.py: The changes in this file are focused on the handling and display of software components within the application.
  11. dojo/cred/queries.py: The changes in this file are related to the authorization and access control mechanisms for credential mappings in the application.
  12. dojo/cred/urls.py: The changes in this file are a refactoring of the URL patterns for the credential management functionality.
  13. dojo/development_environment/urls.py: The changes in this file are related to the URL patterns for the development environment management functionality.
  14. dojo/decorators.py: The changes in this file introduce various decorator functions, including those related to asynchronous task handling, model conversion, exception handling, and rate limiting.
  15. dojo/development_environment/views.py: The changes in this file are focused on the authorization and error handling aspects of the development environment management functionality.
  16. dojo/cred/views.py: The changes in this file are related to the management of credentials, including their creation, editing, viewing, and deletion, as well as their association with various entities.
  17. dojo/endpoint/queries.py: The changes in this file are focused on the authorization and access control mechanisms for retrieving authorized endpoints and endpoint statuses.
  18. dojo/endpoint/urls.py: The changes in this file are primarily formatting and style updates to the URL patterns for the endpoint-related functionality.
  19. dojo/endpoint/signals.py: The changes in this file are related to the handling of the post-delete signal for the Endpoint model, including audit logging and notification creation.
  20. dojo/endpoint/utils.py:

Powered by DryRun Security


github-actions bot commented May 4, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented May 4, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik closed this May 4, 2024
@kiblik kiblik reopened this May 4, 2024

github-actions bot commented May 6, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented May 6, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


github-actions bot commented May 7, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jul 8, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jul 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik closed this Jul 8, 2024
@kiblik kiblik reopened this Jul 8, 2024

dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

The provided code changes cover a wide range of functionality within the Defect Dojo application, including updates to security, reliability, and maintainability, with a focus on improving authorization, input validation, logging, and management of findings, credentials, endpoints, and engagements.


Summary:

The provided code changes cover a wide range of functionality within the Defect Dojo application, including updates to the credential management, endpoint management, engagement management, finding management, and various other components. Overall, the changes appear to be focused on improving the security, reliability, and maintainability of the application.

Key security-related enhancements include:

  1. Improved authorization and access control mechanisms to ensure that users can only perform actions they are authorized to do.
  2. Enhanced input validation and sanitization to prevent common web application vulnerabilities, such as SQL injection and cross-site scripting (XSS).
  3. Strengthened logging, auditing, and notification capabilities to improve security monitoring and incident response.
  4. Careful handling of sensitive data, such as credentials and vulnerability IDs, to prevent unauthorized access or exposure.
  5. Enhancements to the management of findings, including duplicate finding handling, vulnerability ID tracking, and integration with external systems like JIRA.

While the code changes do not appear to introduce any obvious security vulnerabilities, it's important to review the entire codebase and the application's architecture to ensure that there are no other potential security risks. Regular security assessments, penetration testing, and security monitoring are recommended to maintain the application's overall security posture.

Files Changed:

  1. dojo/__init__.py: Minor updates to version numbers and project URLs.
  2. .github/workflows/release-1-create-pr.yml: Workflow for creating a new release pull request.
  3. .github/workflows/release-3-master-into-dev.yml: Workflow for merging the master branch into the dev and bugfix branches after a new release.
  4. dojo/admin.py: Updates to the Django admin interface for the Engagement Surveys.
  5. dojo/api_v2/prefetch/schema.py: Improvements to the API documentation generation process.
  6. dojo/apps.py: Changes to the application configuration, including Watson search integration and configuration deduplication checks.
  7. dojo/components/views.py: Updates to the components page functionality.
  8. dojo/api_v2/serializers.py: Enhancements to the API serializers, including validation and handling of findings, vulnerability IDs, reimports, endpoints, questionnaires, and announcements.
  9. dojo/cred/queries.py: Improvements to the authorized credential mappings retrieval.
  10. dojo/cred/urls.py: Refactoring of the credential management URL patterns.
  11. dojo/api_v2/views.py: Updates to the API version 2 views, including custom renderers, role management, group management, and various other functionality.
  12. dojo/celery.py: Changes to the Celery configuration, including asynchronous task handling and rate limiting.
  13. dojo/development_environment/urls.py: Minor updates to the development environment URL patterns.
  14. dojo/cred/views.py: Enhancements to the credential management functionality, including encryption, authorization checks, and note management.
  15. dojo/decorators.py: Implementation of asynchronous task handling and rate limiting.
  16. dojo/endpoint/queries.py: Improvements to the authorized endpoints and endpoint statuses retrieval.
  17. dojo/development_environment/views.py: Updates to the development environment management functionality, including authorization checks and input validation.
  18. dojo/endpoint/urls.py: Minor formatting changes to the endpoint management URL patterns.
  19. dojo/endpoint/signals.py: Addition of logging and notification functionality for endpoint deletion events.
  20. dojo/endpoint/utils.py: Enhancements to the Endpoint management, including filtering, deduplication, and metadata import.
  21. dojo/engagement/services.py: Updates to the engagement closing and reopening functionality.
  22. dojo/engagement/queries.py: Improvements to the authorized engagements retrieval.
  23. dojo/endpoint/views.py: Updates to the endpoint management functionality, including authorization checks, filtering, and bulk operations.
  24. dojo/engagement/urls.py: Refactoring of the engagement-related URL patterns.
  25. dojo/engagement/signals.py: Handling of engagement creation, status changes, and deletion events.
  26. dojo/finding/helper.py: Enhancements to the finding management, including duplicate finding handling an

Code Analysis

We ran 7 analyzers against 30 files; 2 analyzers had findings and 5 analyzers had no findings.

Findings per analyzer:
  Sensitive Files Analyzer: 5 findings
  Authn/Authz Analyzer: 52 findings

Riskiness

🟢 Risk threshold not exceeded.



github-actions bot commented Jul 8, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jul 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


github-actions bot commented Jul 9, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jul 9, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik closed this Jul 9, 2024
@kiblik kiblik reopened this Jul 9, 2024
@mtesauro mtesauro merged commit df280a6 into DefectDojo:dev Jul 12, 2024
236 of 237 checks passed
@kiblik kiblik deleted the ruff_q000 branch July 12, 2024 22:19
mwager added a commit to mwager/django-DefectDojo that referenced this pull request Jul 16, 2024
… kiuwan-sca

# By dependabot[bot] (13) and others
# Via GitHub
* 'kiuwan-sca' of github.com:mwager/django-DefectDojo: (39 commits)
  Deprecate Python-jose and migrate okta to python_social_auth (DefectDojo#10117)
  fix: dockerfile warnings (DefectDojo#10505)
  Ruff: Add and fix Q000 (DefectDojo#10095)
  Fix(django): Upgrade of 4.2 (DefectDojo#10553)
  fix(deps): build python psycopg3 dependency instead of use the pre-build binary (DefectDojo#10491)
  Bump coverage from 7.5.4 to 7.6.0 (DefectDojo#10560)
  Bump asteval from 1.0.0 to 1.0.1 (DefectDojo#10561)
  Bump djangorestframework from 3.14.0 to 3.15.2 (DefectDojo#10431)
  Bump boto3 from 1.34.142 to 1.34.143 (DefectDojo#10558)
  Bump django-debug-toolbar from 4.4.5 to 4.4.6 (DefectDojo#10557)
  Bump boto3 from 1.34.141 to 1.34.142 (DefectDojo#10551)
  Bump packageurl-python from 0.15.2 to 0.15.3 (DefectDojo#10541)
  Bump boto3 from 1.34.140 to 1.34.141 (DefectDojo#10542)
  Update helm lock file
  Update versions in application files
  Update versions in application files
  API: Convert get_filterset calls to get_queryset (DefectDojo#10543)
  Bump django-debug-toolbar from 4.4.4 to 4.4.5 (DefectDojo#10527)
  Fix ruff
  Ruff fix
  ...

# Conflicts:
#	dojo/settings/.settings.dist.py.sha256sum
Labels
apiv2, integration_tests, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), ui, unittests

6 participants