feat: Add dry_run support for reimport-scan operations #13563
Draft
Siryu6 wants to merge 10000 commits into DefectDojo:dev from
Conversation
Release: Merge release into master from: release/2.51.0
….51.0-2.52.0-dev Release: Merge back 2.51.0 into dev from: master-into-dev/2.51.0-2.52.0-dev
…x/2.51.0-2.52.0-dev Release: Merge back 2.51.0 into bugfix from: master-into-bugfix/2.51.0-2.52.0-dev
Bumps [django-pghistory](https://github.com/AmbitionEng/django-pghistory) from 3.7.0 to 3.8.3. - [Release notes](https://github.com/AmbitionEng/django-pghistory/releases) - [Changelog](https://github.com/AmbitionEng/django-pghistory/blob/main/CHANGELOG.md) - [Commits](AmbitionEng/django-pghistory@3.7.0...3.8.3) --- updated-dependencies: - dependency-name: django-pghistory dependency-version: 3.8.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…pose.yml) (DefectDojo#13325) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps vulners from 2.3.7 to 3.1.1. --- updated-dependencies: - dependency-name: vulners dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [social-auth-app-django](https://github.com/python-social-auth/social-app-django) from 5.4.3 to 5.5.1. - [Release notes](https://github.com/python-social-auth/social-app-django/releases) - [Changelog](https://github.com/python-social-auth/social-app-django/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-app-django@5.4.3...5.5.1) --- updated-dependencies: - dependency-name: social-auth-app-django dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jira](https://github.com/pycontribs/jira) from 3.8.0 to 3.10.5. - [Release notes](https://github.com/pycontribs/jira/releases) - [Changelog](https://github.com/pycontribs/jira/blob/main/RELEASE.md) - [Commits](pycontribs/jira@3.8.0...3.10.5) --- updated-dependencies: - dependency-name: jira dependency-version: 3.10.5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…workflows/close-stale.yml) (DefectDojo#13349) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [django](https://github.com/django/django) from 5.1.12 to 5.1.13. - [Commits](django/django@5.1.12...5.1.13) --- updated-dependencies: - dependency-name: django dependency-version: 5.1.13 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… v2.4.0 (.github/workflows/release-x-manual-helm-chart.yml) (DefectDojo#13358) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.44 to 1.40.46. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.44...1.40.46) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.46 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…jo#13210) * fix: add missing resources, securityContext and env entries * chore: docs and schema * fix: missing securityContext for initializer job * fix: add resources to all cloudsql containers * chore: add missing explicit namespace * chore: refactor, split container and pod security context * chore: docs and schema * fix: lint * chore: sort helper * fix: lint and add changes to release notes * chore: trigger CI * chore: move to 2.52, fix pending issues * chore: docs
Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.7.0 to 4.8.0. - [Release notes](https://github.com/python-social-auth/social-core/releases) - [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-core@4.7.0...4.8.0) --- updated-dependencies: - dependency-name: social-auth-core dependency-version: 4.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…n Acunetix XML parser
….52.0-2.53.0-dev Release: Merge back 2.52.0 into dev from: master-into-dev/2.52.0-2.53.0-dev
…v41.168.6 (.github/workflows/renovate.yaml) (DefectDojo#13584) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….19.0 (docker-compose.override.dev.yml) (DefectDojo#13585) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v41.169.2 (.github/workflows/renovate.yaml) (DefectDojo#13594) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…3600) Bumps [drf-spectacular](https://github.com/tfranzel/drf-spectacular) from 0.28.0 to 0.29.0. - [Release notes](https://github.com/tfranzel/drf-spectacular/releases) - [Changelog](https://github.com/tfranzel/drf-spectacular/blob/master/CHANGELOG.rst) - [Commits](tfranzel/drf-spectacular@0.28.0...0.29.0) --- updated-dependencies: - dependency-name: drf-spectacular dependency-version: 0.29.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps openapitools/openapi-generator-cli from v7.16.0 to v7.17.0. --- updated-dependencies: - dependency-name: openapitools/openapi-generator-cli dependency-version: v7.17.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#13598) Bumps nginx from 1.29.2-alpine3.22 to 1.29.3-alpine3.22. --- updated-dependencies: - dependency-name: nginx dependency-version: 1.29.3-alpine3.22 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.9 to 3.10. - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](Python-Markdown/markdown@3.9.0...3.10.0) --- updated-dependencies: - dependency-name: markdown dependency-version: '3.10' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.63 to 1.40.65. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.63...1.40.65) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.65 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…v41.169.4 (.github/workflows/renovate.yaml) (DefectDojo#13607) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v1.34.1 (.github/workflows/k8s-tests.yml) (DefectDojo#13603) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…age.json) (DefectDojo#13604) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* implement n0s1 scanner DefectDojo#13564 * update * ruff * update * update * update * underline the correctness through comparison with rustyhog
…v41.170.0 (.github/workflows/renovate.yaml) (DefectDojo#13615) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
These files contained only formatting changes (line breaks, spacing) that made the diff harder to review. Reverting to focus the PR on the core dry_run functionality.
This addresses maintainer feedback by:
1. Eliminating duplicate code path: Removed the separate dry_run_reimport()
method that duplicated most of process_findings() logic. Now dry_run uses
the same code path as regular reimport with conditional checks.
2. Implementation approach:
- Added 'if self.dry_run' conditionals at key points to skip DB writes
- Created categorize_matched_finding_for_dry_run() helper for matching logic
- Modified process_scan() to handle dry_run within the main flow
- Updated process_findings() to skip DB operations in dry_run mode
- Modified close_old_findings() to return early in dry_run mode
- Updated process_results() to build findings_details for dry_run
3. Benefits:
- Single code path reduces maintenance burden
- Changes to reimport logic automatically apply to dry_run
- Easier to review and understand
- Reduced code size by 49 lines
4. Known limitations (now documented):
- Findings with same hash_code in one report won't match each other
in dry_run (since first isn't saved to DB)
- This may show slightly more 'new' findings than would actually occur
- This is an acceptable limitation of dry_run mode
The refactoring maintains the same external API and behavior while
significantly simplifying the implementation.
This addresses the maintainer's concern about finding matching within the same scan report.
Problem: If findings 100 and 101 in the same report have identical hash_codes, in a real import finding 101 would match against finding 100 (which was just saved to the DB). In the previous dry_run implementation, this match would not occur since finding 100 was never saved, leading to inaccurate statistics.
Solution:
1. Track new findings in-memory during dry_run (self.dry_run_new_findings)
2. Updated match_new_finding_to_existing_finding() to check both:
- Database findings (existing behavior)
- In-memory findings from current scan (new for dry_run)
3. Split matching logic into helper methods:
- _get_db_matches(): Query database for matches
- _get_in_memory_matches(): Check in-memory findings (dry_run only)
4. When a new finding is created in dry_run, add it to the tracking list
Result: Dry run now accurately simulates deduplication within the same scan report, providing statistics that match what would actually happen in a real import. This makes the dry_run feature much more reliable for previewing imports.
Updated documentation to reflect that this limitation has been resolved.
Author
Thank you for the detailed feedback! I've addressed all three concerns:
The dry_run mode now uses the same code path as regular reimport and accurately simulates deduplication, including matches within the same scan report.
Member
Still lots of formatting changes. We're going to have to put this on hold until after the reimport changes we've planned for Q1.
Contributor
Marking as draft until we are ready for this one
Contributor
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Author
Hi @valentijnscholten 👋 Looking for an update about "reimport changes planned for Q1" 😅
Description
This PR implements a dry_run feature for reimport-scan operations that allows users to preview what changes would occur during a reimport without making any database modifications.
Key Features:
- dry_run boolean parameter (defaults to false) on reimport-scan API endpoints
- … (close_old_findings, do_not_reactivate, severity filters, etc.)
Use Case:
This feature is particularly useful for CI/CD pipelines where teams want to validate scan results and preview changes before merging to production environments.
API Response Example:
```json
{
  "test_id": 123,
  "dry_run": true,
  "changes_preview": {
    "would_create": 5,
    "would_reactivate": 2,
    "would_close": 3,
    "would_leave_untouched": 10,
    "total_changes": 10
  },
  "findings_details": {
    "new_findings": [...],
    "reactivated_findings": [...],
    "closed_findings": [...],
    "unchanged_findings": [...]
  }
}
```
Documentation
API documentation is included in the serializer field descriptions (help_text).
Files Changed
- dojo/api_v2/serializers.py - API integration for dry_run parameter
- dojo/importers/default_reimporter.py - Core dry_run_reimport() logic
- dojo/importers/default_importer.py - Return signature update
- dojo/importers/options.py - dry_run parameter validation
- dojo/fixtures/dojo_testdata.json - Fixed missing SLA_Configuration
- dojo/engagement/views.py - View layer dry_run support
- dojo/test/views.py - View layer dry_run support
- unittests/dojo_test_case.py - Test helper methods
- unittests/test_import_reimport.py - Minor test adjustments
- unittests/test_import_reimport_dry_run.py - New comprehensive test suite
Labels to add:
- enhancement
- feature
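As an added illustration (not DefectDojo's code and not part of this PR), here is the categorization the dry run describes, covering both the changes_preview counts from the description and the in-memory tracking from the commit message, so that a second copy of a hash_code in the same report matches the first copy instead of being counted as new. The names Finding, DryRunResult and dry_run_reimport are assumptions, as is counting an in-report duplicate as untouched.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    # Constructed stand-in for a DefectDojo finding: only the fields the dry run needs.
    hash_code: str
    title: str
    active: bool = True

@dataclass
class DryRunResult:
    would_create: list = field(default_factory=list)
    would_reactivate: list = field(default_factory=list)
    would_close: list = field(default_factory=list)
    would_leave_untouched: list = field(default_factory=list)

    def changes_preview(self):
        """Counts shaped like the PR's changes_preview object; total_changes counts
        only what a real reimport would write (create, reactivate, close)."""
        counts = {name: len(getattr(self, name)) for name in
                  ("would_create", "would_reactivate", "would_close", "would_leave_untouched")}
        counts["total_changes"] = counts["would_create"] + counts["would_reactivate"] + counts["would_close"]
        return counts

def dry_run_reimport(existing, report, close_old_findings=True, do_not_reactivate=False):
    """Categorize `report` against `existing` (the test's DB findings) without writing.
    in_memory_new plays the role of self.dry_run_new_findings from the PR (assumed name)."""
    db_by_hash = {f.hash_code: f for f in existing}
    in_memory_new = {}           # hash_code -> finding "created" earlier in this dry run
    matched_db_hashes = set()
    result = DryRunResult()
    for finding in report:
        db_match = db_by_hash.get(finding.hash_code)
        if db_match is not None:
            matched_db_hashes.add(db_match.hash_code)
            if db_match.active or do_not_reactivate:
                result.would_leave_untouched.append(db_match)
            else:
                result.would_reactivate.append(db_match)
        elif finding.hash_code in in_memory_new:
            # Same hash_code seen earlier in this report: in a real import the first
            # copy would already be in the DB, so this copy is a duplicate, not new.
            result.would_leave_untouched.append(in_memory_new[finding.hash_code])
        else:
            result.would_create.append(finding)
            in_memory_new[finding.hash_code] = finding
    if close_old_findings:  # active DB findings absent from the report would be closed
        result.would_close.extend(f for f in existing if f.active and f.hash_code not in matched_db_hashes)
    return result
```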