push to jira: check for existing jira issue inside celery task #12508
Merged: valentijnscholten merged 1 commit on May 28, 2025
Automated review comment (DryRun Security): This pull request contains potential security risks related to indirect object references and sensitive information logging, which could expose system internals and create vulnerabilities if proper access controls and logging practices are not implemented. Unconfirmed Findings (2). All finding details can be found in the DryRun Security Dashboard.
Maffooch approved these changes, May 27, 2025
hblankenship approved these changes, May 27, 2025
dogboat approved these changes, May 28, 2025
xansec pushed a commit to xansec/django-DefectDojo that referenced this pull request, Jun 18, 2025
Probably Fixes #12158
The JIRA helper was checking whether a new JIRA issue needed to be created or an existing one needed to be updated.
This check happened before the task was submitted to Celery for background processing. This check was too early, as by the time the add_jira_issue task was picked up by Celery there could have been another add_jira_issue task before it which had already created an issue. This could happen in certain scenarios with a slow Celery worker, slow JIRA and/or fast import/reimport touching the same findings. This PR now moves the check for an existing JIRA issue inside the Celery task itself to avoid this scenario.
In theory duplicates could still happen when running multiple workers in parallel. To avoid that we would need some kind of locking to ensure only one push-to-JIRA task can be submitted for a specific finding. Since that is non-trivial and this PR already provides a huge reduction in the chance of duplicates occurring, I suggest we wait to see if that complication is really needed.
There are alternative, more lightweight improvements such as:
defectdojo-finding-id-12345 to each created finding and perform an "exists" check in JIRA before creating a new JIRA issue.
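The race described in the PR, and the label-based existence check it lists as a lighter alternative, as an added example (this is illustrative code, not DefectDojo's own add_jira_issue task or JIRA helper). Finding, FakeJira, the deque standing in for the Celery queue, and the push_task function are all constructed stand-ins; the label format follows the one suggested in the PR description and is otherwise an assumption. The "before" version decides create-vs-update when enqueueing; the "after" version decides inside the task and additionally asks JIRA for an issue carrying the finding's label, which also catches the case where another worker holds a stale copy of the same finding.

```python
"""Simulation of the duplicate-JIRA-issue race and its fix (added example, not
DefectDojo code). A single slow worker drains the queue after an import and a
fast reimport have both enqueued a push for the same finding."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    """Constructed stand-in for the Finding model; jira_key mimics the JIRA_Issue link."""
    id: int
    title: str
    jira_key: Optional[str] = None


class FakeJira:
    """Constructed stand-in for a JIRA server that stores issues with labels."""

    def __init__(self):
        self.issues = {}  # issue key -> {"summary": ..., "labels": [...]}

    def create(self, summary, labels):
        key = f"DEMO-{len(self.issues) + 1}"
        self.issues[key] = {"summary": summary, "labels": list(labels)}
        return key

    def search_by_label(self, label):
        return [k for k, v in self.issues.items() if label in v["labels"]]

    def update(self, key, summary):
        self.issues[key]["summary"] = summary


def finding_label(finding):
    # Hypothetical label format, as suggested in the PR description.
    return f"defectdojo-finding-id-{finding.id}"


def push_before_fix(finding, jira, queue):
    """Pre-PR behaviour: create-vs-update is decided at enqueue time, so two
    pushes enqueued before the worker runs both decide to create."""
    if finding.jira_key is None:
        queue.append(lambda: setattr(finding, "jira_key",
                                     jira.create(finding.title, [finding_label(finding)])))
    else:
        queue.append(lambda: jira.update(finding.jira_key, finding.title))


def push_task(finding, jira):
    """Hypothetical task body: the decision is re-made when the task actually runs."""
    if finding.jira_key is not None:
        jira.update(finding.jira_key, finding.title)
        return finding.jira_key
    # Lightweight extra guard: does JIRA already hold an issue with our label?
    existing = jira.search_by_label(finding_label(finding))
    if existing:
        finding.jira_key = existing[0]
        jira.update(existing[0], finding.title)
        return existing[0]
    finding.jira_key = jira.create(finding.title, [finding_label(finding)])
    return finding.jira_key


def push_after_fix(finding, jira, queue):
    """Post-PR behaviour: enqueue unconditionally; the task decides."""
    queue.append(lambda: push_task(finding, jira))


def run_worker(queue):
    """Simulate one slow Celery worker draining the queue in order."""
    while queue:
        queue.popleft()()


def simulate(push):
    """Import and fast reimport both enqueue a push before the worker runs; returns issue count."""
    jira, queue = FakeJira(), deque()
    finding = Finding(id=12345, title="SQL injection in login")
    push(finding, jira, queue)
    push(finding, jira, queue)
    run_worker(queue)
    return len(jira.issues)


def simulate_stale_copies():
    """Two workers each hold their own (stale) copy of the same finding, so the
    in-memory jira_key check alone would not help; the label lookup does."""
    jira = FakeJira()
    copy_a = Finding(id=12345, title="SQL injection in login")
    copy_b = Finding(id=12345, title="SQL injection in login")
    key_a = push_task(copy_a, jira)
    key_b = push_task(copy_b, jira)
    return len(jira.issues), key_a == key_b


if __name__ == "__main__":
    print("before fix, issues created:", simulate(push_before_fix))
    print("after fix, issues created:", simulate(push_after_fix))
    print("stale copies (issues, same key):", simulate_stale_copies())
```

The label lookup only helps when the second task runs after the first has finished creating; two workers that both search JIRA before either create will still produce a duplicate, which is the remaining window the PR author notes would need locking to close.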