Enhance JIRA synchronization logic in importers and serializers

- Updated push_to_jira conditions to include sync behavior based on JIRA instance settings.
- Refactored JIRA push logic to check for sync status in FindingSerializer and DefaultImporter.
- Improved handling of JIRA instance retrieval and sync checks in DefaultReImporter and BaseImporter.
- Added support for prefetched JIRA instance in is_keep_in_sync_with_jira function.

Author: Maffooch

dojo/api_v2/serializers.py

@@ -1858,8 +1858,9 @@ def update(self, instance, validated_data):
             for location_ref in locations:
                 location_ref.location.associate_with_finding(instance)
 
-        if push_to_jira:
-            jira_helper.push_to_jira(instance)
+        if push_to_jira or finding_helper.is_keep_in_sync_with_jira(instance):
+            # Push synchronously so that we can see jira errors in real time
+            jira_helper.push_to_jira(instance, sync=True)
 
         return instance
 

dojo/finding/helper.py

@@ -24,6 +24,7 @@
     do_dedupe_finding_task_internal,
     get_finding_models_for_deduplication,
 )
+from dojo.jira_link.helper import is_keep_in_sync_with_jira
 from dojo.location.models import Location
 from dojo.location.status import FindingLocationStatus
 from dojo.location.utils import save_locations_to_add
@@ -33,6 +34,7 @@
     Engagement,
     Finding,
     Finding_Group,
+    JIRA_Instance,
     Notes,
     System_Settings,
     Test,
@@ -459,14 +461,24 @@ def post_process_finding_save_internal(finding, dedupe_option=True, rules_option
 
 @dojo_async_task
 @app.task
-def post_process_findings_batch(finding_ids, *args, dedupe_option=True, rules_option=True, product_grading_option=True,
-             issue_updater_option=True, push_to_jira=False, user=None, **kwargs):
+def post_process_findings_batch(
+    finding_ids,
+    *args,
+    dedupe_option=True,
+    rules_option=True,
+    product_grading_option=True,
+    issue_updater_option=True,
+    push_to_jira=False,
+    jira_instance_id=None,
+    user=None,
+    **kwargs,
+):
 
     logger.debug(
         f"post_process_findings_batch called: finding_ids_count={len(finding_ids) if finding_ids else 0}, "
         f"args={args}, dedupe_option={dedupe_option}, rules_option={rules_option}, "
         f"product_grading_option={product_grading_option}, issue_updater_option={issue_updater_option}, "
-        f"push_to_jira={push_to_jira}, user={user.id if user else None}, kwargs={kwargs}",
+        f"push_to_jira={push_to_jira}, jira_instance_id={jira_instance_id}, user={user.id if user else None}, kwargs={kwargs}",
     )
     if not finding_ids:
         return
@@ -502,14 +514,21 @@ def post_process_findings_batch(finding_ids, *args, dedupe_option=True, rules_op
     if product_grading_option and system_settings.enable_product_grade:
         calculate_grade(findings[0].test.engagement.product.id)
 
-    if push_to_jira:
+    # If we received the ID of a jira instance, then we need to determine the keep in sync behavior
+    jira_instance = None
+    if jira_instance_id is not None:
+        with suppress(JIRA_Instance.DoesNotExist):
+            jira_instance = JIRA_Instance.objects.get(id=jira_instance_id)
+    # We dont check if the finding jira sync is applicable quite yet until we can get in the loop
+        # but this is a way to at least make it that far
+    if push_to_jira or getattr(jira_instance, "keep_findings_jira_sync", False):
         for finding in findings:
-            if finding.has_jira_issue or not finding.finding_group:
-                jira_helper.push_to_jira(finding)
-            else:
-                jira_helper.push_to_jira(finding.finding_group)
+            object_to_push = finding if finding.has_jira_issue or not finding.finding_group else finding.finding_group
+            # Check the push_to_jira flag again to potentially shorty circuit without checking for existing findings
+            if push_to_jira or is_keep_in_sync_with_jira(object_to_push, prefetched_jira_instance=jira_instance):
+                jira_helper.push_to_jira(object_to_push)
     else:
-        logger.debug("push_to_jira is False, not ushing to JIRA")
+        logger.debug("push_to_jira is False, not pushing to JIRA")
 
 
 @receiver(pre_delete, sender=Finding)

dojo/importers/base_importer.py

@@ -18,6 +18,7 @@
 from dojo.importers.endpoint_manager import EndpointManager
 from dojo.importers.location_manager import LocationManager
 from dojo.importers.options import ImporterOptions
+from dojo.jira_link.helper import is_keep_in_sync_with_jira
 from dojo.location.models import AbstractLocation, Location
 from dojo.models import (
     # Import History States
@@ -998,7 +999,7 @@ def mitigate_finding(
             # don't try to dedupe findings that we are closing
             finding.save(dedupe_option=False, product_grading_option=product_grading_option)
         else:
-            finding.save(dedupe_option=False, push_to_jira=self.push_to_jira, product_grading_option=product_grading_option)
+            finding.save(dedupe_option=False, push_to_jira=(self.push_to_jira or is_keep_in_sync_with_jira(finding, prefetched_jira_instance=self.jira_instance)), product_grading_option=product_grading_option)
 
     def notify_scan_added(
         self,

dojo/importers/default_importer.py

@@ -10,6 +10,7 @@
 from dojo.finding import helper as finding_helper
 from dojo.importers.base_importer import BaseImporter, Parser
 from dojo.importers.options import ImporterOptions
+from dojo.jira_link.helper import is_keep_in_sync_with_jira
 from dojo.models import (
     Engagement,
     Finding,
@@ -381,9 +382,13 @@ def close_old_findings(
                 product_grading_option=False,
             )
         # push finding groups to jira since we only only want to push whole groups
-        if self.findings_groups_enabled and self.push_to_jira:
+        # We dont check if the finding jira sync is applicable quite yet until we can get in the loop
+        # but this is a way to at least make it that far
+        if self.findings_groups_enabled and (self.push_to_jira or getattr(self.jira_instance, "keep_findings_jira_sync", False)):
             for finding_group in {finding.finding_group for finding in old_findings if finding.finding_group is not None}:
-                jira_helper.push_to_jira(finding_group)
+                # Check the push_to_jira flag again to potentially shorty circuit without checking for existing findings
+                if self.push_to_jira or is_keep_in_sync_with_jira(finding_group, prefetched_jira_instance=self.jira_instance):
+                    jira_helper.push_to_jira(finding_group)
 
         # Calculate grade once after all findings have been closed
         if old_findings:

dojo/importers/default_reimporter.py

@@ -15,6 +15,7 @@
 )
 from dojo.importers.base_importer import BaseImporter, Parser
 from dojo.importers.options import ImporterOptions
+from dojo.jira_link.helper import is_keep_in_sync_with_jira
 from dojo.location.status import FindingLocationStatus
 from dojo.models import (
     Development_Environment,
@@ -439,6 +440,7 @@ def process_findings(
                             product_grading_option=True,
                             issue_updater_option=True,
                             push_to_jira=push_to_jira,
+                            jira_instance_id=getattr(self.jira_instance, "id", None),
                         )
 
         # No chord: tasks are dispatched immediately above per batch
@@ -497,10 +499,13 @@ def close_old_findings(
                 )
                 mitigated_findings.append(finding)
         # push finding groups to jira since we only only want to push whole groups
-        if self.findings_groups_enabled and self.push_to_jira:
+        # We dont check if the finding jira sync is applicable quite yet until we can get in the loop
+        # but this is a way to at least make it that far
+        if self.findings_groups_enabled and (self.push_to_jira or getattr(self.jira_instance, "keep_findings_jira_sync", False)):
             for finding_group in {finding.finding_group for finding in findings if finding.finding_group is not None}:
-                jira_helper.push_to_jira(finding_group)
-
+                # Check the push_to_jira flag again to potentially shorty circuit without checking for existing findings
+                if self.push_to_jira or is_keep_in_sync_with_jira(finding_group, prefetched_jira_instance=self.jira_instance):
+                    jira_helper.push_to_jira(finding_group)
         # Calculate grade once after all findings have been closed
         if mitigated_findings:
             perform_product_grading(self.test.engagement.product)
@@ -983,19 +988,24 @@ def process_groups_for_all_findings(
                 create_finding_groups_for_all_findings=self.create_finding_groups_for_all_findings,
                 **kwargs,
             )
-            if self.push_to_jira:
-                if findings[0].finding_group is not None:
-                    jira_helper.push_to_jira(findings[0].finding_group)
-                else:
-                    jira_helper.push_to_jira(findings[0])
-
-        if self.findings_groups_enabled and self.push_to_jira:
+            # We dont check if the finding jira sync is applicable quite yet until we can get in the loop
+            # but this is a way to at least make it that far
+            if self.push_to_jira or getattr(self.jira_instance, "keep_findings_jira_sync", False):
+                object_to_push = findings[0].finding_group if findings[0].finding_group is not None else findings[0]
+                # Check the push_to_jira flag again to potentially shorty circuit without checking for existing findings
+                if self.push_to_jira or is_keep_in_sync_with_jira(object_to_push, prefetched_jira_instance=self.jira_instance):
+                    jira_helper.push_to_jira(object_to_push)
+        # We dont check if the finding jira sync is applicable quite yet until we can get in the loop
+        # but this is a way to at least make it that far
+        if self.findings_groups_enabled and (self.push_to_jira or getattr(self.jira_instance, "keep_findings_jira_sync", False)):
             for finding_group in {
                     finding.finding_group
                     for finding in self.reactivated_items + self.unchanged_items
                     if finding.finding_group is not None and not finding.is_mitigated
             }:
-                jira_helper.push_to_jira(finding_group)
+                # Check the push_to_jira flag again to potentially shorty circuit without checking for existing findings
+                if self.push_to_jira or is_keep_in_sync_with_jira(finding_group, prefetched_jira_instance=self.jira_instance):
+                    jira_helper.push_to_jira(finding_group)
 
     def process_results(
         self,

dojo/importers/options.py

@@ -10,12 +10,14 @@
 from django.utils import timezone
 from django.utils.functional import SimpleLazyObject
 
+from dojo.jira_link.helper import get_jira_instance
 from dojo.models import (
     Development_Environment,
     Dojo_User,
     Endpoint,
     Engagement,
     Finding,
+    JIRA_Instance,
     Product_API_Scan_Configuration,
     Test,
     Test_Import,
@@ -70,7 +72,6 @@ def load_base_options(
         self.lead: Dojo_User | None = self.validate_lead(*args, **kwargs)
         self.minimum_severity: str = self.validate_minimum_severity(*args, **kwargs)
         self.parsed_findings: list[Finding] | None = self.validate_parsed_findings(*args, **kwargs)
-        self.push_to_jira: bool = self.validate_push_to_jira(*args, **kwargs)
         self.scan_date: datetime = self.validate_scan_date(*args, **kwargs)
         self.scan_type: str = self.validate_scan_type(*args, **kwargs)
         self.service: str = self.validate_service(*args, **kwargs)
@@ -80,6 +81,8 @@ def load_base_options(
         self.test_title: str = self.validate_test_title(*args, **kwargs)
         self.verified: bool = self.validate_verified(*args, **kwargs)
         self.version: str = self.validate_version(*args, **kwargs)
+        # Save this for last to use engagement and test for prefetching related to Jira info
+        self.push_to_jira: bool = self.validate_push_to_jira(*args, **kwargs)
 
     def load_additional_options(
         self,
@@ -478,6 +481,7 @@ def validate_push_to_jira(
         *args: list,
         **kwargs: dict,
     ) -> bool:
+        self.jira_instance: JIRA_Instance | None = get_jira_instance(self.engagement or self.test)
         return self.validate(
             "push_to_jira",
             expected_types=[bool],

dojo/jira_link/helper.py

@@ -145,13 +145,13 @@ def _safely_get_obj_status_for_jira(obj: Finding | Finding_Group, *, isenforced:
     return status or ["Inactive"]
 
 
-def is_keep_in_sync_with_jira(finding):
+def is_keep_in_sync_with_jira(finding, prefetched_jira_instance: JIRA_Instance = None):
     keep_in_sync_enabled = False
     # Check if there is a jira issue that needs to be updated
     jira_issue_exists = finding.has_jira_issue or (finding.finding_group and finding.finding_group.has_jira_issue)
     if jira_issue_exists:
         # Determine if any automatic sync should occur
-        jira_instance = get_jira_instance(finding)
+        jira_instance = prefetched_jira_instance or get_jira_instance(finding)
         if jira_instance:
             keep_in_sync_enabled = jira_instance.finding_jira_sync
 
@@ -225,8 +225,8 @@ def can_be_pushed_to_jira(obj, form=None):
 
 
 # use_inheritance=True means get jira_project config from product if engagement itself has none
-def get_jira_project(obj, *, use_inheritance=True):
-    if not is_jira_enabled():
+def get_jira_project(obj, *, use_inheritance=True, jira_enabled: bool = False):
+    if not jira_enabled and not (jira_enabled := is_jira_enabled()):
         return None
 
     if obj is None:
@@ -242,19 +242,19 @@ def get_jira_project(obj, *, use_inheritance=True):
             return obj.jira_project
         # some old jira_issue records don't have a jira_project, so try to go via the finding instead
         if (hasattr(obj, "finding") and obj.finding) or (hasattr(obj, "engagement") and obj.engagement):
-            return get_jira_project(obj.finding, use_inheritance=use_inheritance)
+            return get_jira_project(obj.finding, use_inheritance=use_inheritance, jira_enabled=jira_enabled)
         return None
 
     if isinstance(obj, Finding | Stub_Finding):
         finding = obj
-        return get_jira_project(finding.test)
+        return get_jira_project(finding.test, jira_enabled=jira_enabled)
 
     if isinstance(obj, Finding_Group):
-        return get_jira_project(obj.test)
+        return get_jira_project(obj.test, jira_enabled=jira_enabled)
 
     if isinstance(obj, Test):
         test = obj
-        return get_jira_project(test.engagement)
+        return get_jira_project(test.engagement, jira_enabled=jira_enabled)
 
     if isinstance(obj, Engagement):
         engagement = obj
@@ -269,7 +269,7 @@ def get_jira_project(obj, *, use_inheritance=True):
 
         if use_inheritance:
             logger.debug("delegating to product %s for %s", engagement.product, engagement)
-            return get_jira_project(engagement.product)
+            return get_jira_project(engagement.product, jira_enabled=jira_enabled)
         logger.debug("not delegating to product %s for %s", engagement.product, engagement)
         return None
 
@@ -286,11 +286,11 @@ def get_jira_project(obj, *, use_inheritance=True):
     return None
 
 
-def get_jira_instance(obj):
-    if not is_jira_enabled():
+def get_jira_instance(obj, jira_enabled: bool = False):  # noqa: FBT001, FBT002
+    if not jira_enabled and not (jira_enabled := is_jira_enabled()):
         return None
 
-    jira_project = get_jira_project(obj)
+    jira_project = get_jira_project(obj, jira_enabled=jira_enabled)
     if jira_project:
         logger.debug("found jira_instance %s for %s", jira_project.jira_instance, obj)
         return jira_project.jira_instance
@@ -415,17 +415,17 @@ def get_jira_finding_text(jira_instance):
     return None
 
 
-def has_jira_issue(obj):
+def has_jira_issue(obj: Finding | Engagement | Finding_Group) -> bool:
     return get_jira_issue(obj) is not None
 
 
-def get_jira_issue(obj):
-    if isinstance(obj, Finding | Engagement | Finding_Group):
-        try:
-            return obj.jira_issue
-        except JIRA_Issue.DoesNotExist:
-            return None
-    return None
+def get_jira_issue(obj: Finding | Engagement | Finding_Group) -> JIRA_Issue | None:
+    """
+    This pattern is "cheaper" than the try/catch handling of the DoesNotExist exception
+    that would happen if we try to access obj.jira_issue when there is none, and it also
+    works with prefetch_related where the related object is None instead of a RelatedManager
+    """
+    return getattr(obj, "jira_issue", None)
 
 
 def has_jira_configured(obj):