-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SLA config: allow to use it on all levels #11300
Conversation
DryRun Security SummaryThe pull request enhances the Dojo application's Service Level Agreement (SLA) management functionality by adding new models, serializers, and views to support granular SLA configuration, asynchronous updates, authorization controls, and improved information display across products, engagements, and tests. Expand for full summarySummary: The code changes in this pull request are focused on enhancing the Service Level Agreement (SLA) management functionality in the Dojo application. The key changes include:
Overall, the changes appear to be focused on improving the SLA management functionality of the Dojo application, which can have a positive impact on the organization's ability to effectively track and remediate security vulnerabilities. From an application security perspective, the changes introduce some new security considerations, such as ensuring proper input validation, access control, and secure handling of sensitive data. Thorough review and testing of the implemented changes are recommended to identify and address any potential security risks. Files Changed:
Code AnalysisWe ran |
9644307
to
3fb7bb0
Compare
@kiblik Something I did not realize until taking another look at this new PR, there could be some tricky accommodations here when considering the possibility to update the SLA config on an engagement, while a product is running it's process of updating the SLA config. Without doing a deep dive on any other tripwires, the amount of complexity that would be needed to accommodate these extra SLA config levels make me question the value that they will provide. |
I planned to run the absolutely same validation + restriction as it is already implemented on django-DefectDojo/dojo/api_v2/serializers.py Lines 2019 to 2026 in 6d847ab
With reference to product.sla_configuration . So updates will be possible to perform only on the "whole product" level. I didn't plan to implement this kind of lock for Engs or Tests. Yes, it might look like a waste of resources (change of sla_config on the test level will trigger recalculation for the whole product) but I wasn't able to find a more elegant solution for now.
|
a33f0a3
to
f8b37d6
Compare
f8b37d6
to
e6e03c7
Compare
Sorry for the delayed response. I'm a bit concerned about the complexity this adds generally beyond what Cody raised ☝️ If we're documenting or explaining to people how DefectDojo works, we're going to have to say we have SLAs at Product, unless, they're at the Engagement, or unless it's at the test level. We'd also have to add SLA UI to both the Engagement and Test level (as well as API) to fully make this discoverable by DefectDojo users. We already have a rather cluttered UI with many UI elements that are used by a small portion of the community and it appears this would only add to that UI deficit. I'd rather spend cycles on updating the UI to a more modern toolkit/library TBH. I'm also concerned about how a change of SLA at the test level will cause recalculation for the entire product. We're seeing people with 9700+ products doing 26K tests per day so for a group of our users the extra calculation could be debilitating. I guess what I'm getting at is that the benefits of having SLA at Engagement & Test aren't worth the extra complexity and computation. Personally, I've only ever used SLAs at the Product level and the more I think about it, I begin to wonder if needing SLAs at something other then Product is more of a data modeling problem then a DefectDojo feature problem. I'd rather have more products then have the cognitive load of remember what Engagement or Test had what SLA - that or having to look to the UI to tell me that. Maybe I'm not describing it all that well here but in my gut this feels like a poor choice / trade-off between more features vs complexity. |
@kiblik closing this one for now |
Original PR: #10025