diff --git a/dojo/finding/helper.py b/dojo/finding/helper.py index d83d032b176..cd74f9526ea 100644 --- a/dojo/finding/helper.py +++ b/dojo/finding/helper.py @@ -532,6 +532,12 @@ def post_process_findings_batch( @receiver(pre_delete, sender=Finding) def finding_pre_delete(sender, instance, **kwargs): logger.debug("finding pre_delete: %d", instance.id) + if ( + instance.has_jira_issue + and not getattr(instance, "_skip_jira_close_on_delete", False) + and jira_services.is_delete_sync_allowed(instance) + ): + jira_services.close_issue_for_deleted_finding(instance) # this shouldn't be necessary as Django should remove any Many-To-Many entries automatically, might be a bug in Django? # https://code.djangoproject.com/ticket/154 instance.found_by.clear() @@ -562,7 +568,8 @@ def finding_delete(instance, **kwargs): if settings.DUPLICATE_CLUSTER_CASCADE_DELETE: duplicate_cluster.order_by("-id").delete() else: - reconfigure_duplicate_cluster(instance, duplicate_cluster) + new_original = reconfigure_duplicate_cluster(instance, duplicate_cluster) + _reassign_jira_issue_to_new_original(instance, new_original) else: logger.debug("no duplicate cluster found for finding: %d, so no need to reconfigure", instance.id) @@ -579,6 +586,28 @@ def finding_post_delete(sender, instance, **kwargs): logger.debug("finding post_delete, sender: %s instance: %s", to_str_typed(sender), to_str_typed(instance)) +def _reassign_jira_issue_to_new_original(deleted_finding, new_original): + if not new_original or new_original.has_jira_issue or not jira_services.is_delete_sync_allowed(deleted_finding): + return False + + jira_issue = jira_services.get_issue(deleted_finding) + if not jira_issue: + return False + + jira_instance = jira_services.get_instance(deleted_finding) + jira_services.add_simple_comment( + jira_instance, + jira_issue, + ( + f"DefectDojo finding {deleted_finding.id} was deleted. " + f"This Jira issue was reassigned to finding {new_original.id}." + ), + ) + jira_services.reassign_issue_to_finding(jira_issue, new_original) + deleted_finding._skip_jira_close_on_delete = True + return True + + # can't use model to id here due to the queryset # @dojo_async_task # @app.task @@ -586,12 +615,12 @@ def reconfigure_duplicate_cluster(original, cluster_outside): # when a finding is deleted, and is an original of a duplicate cluster, we have to chose a new original for the cluster # only look for a new original if there is one outside this test if original is None or cluster_outside is None or len(cluster_outside) == 0: - return + return None if settings.DUPLICATE_CLUSTER_CASCADE_DELETE: # Don't delete here — the caller (async_delete_crawl_task or finding_delete) # handles deletion of outside-scope duplicates efficiently via bulk_delete_findings. - return + return None logger.debug("reconfigure_duplicate_cluster: cluster_outside: %s", cluster_outside) # set new original to first finding in cluster (ordered by id) new_original = cluster_outside.order_by("id").first() @@ -610,6 +639,8 @@ def reconfigure_duplicate_cluster(original, cluster_outside): # Re-point remaining duplicates to the new original in a single query cluster_outside.exclude(id=new_original.id).update(duplicate_finding=new_original) + return new_original + return None def prepare_duplicates_for_delete(obj, *, preview_only=False): diff --git a/dojo/jira/helper.py b/dojo/jira/helper.py index 5b83a0596ab..87374427428 100644 --- a/dojo/jira/helper.py +++ b/dojo/jira/helper.py @@ -159,6 +159,10 @@ def is_keep_in_sync_with_jira(obj: Finding | Finding_Group, prefetched_jira_inst return False +def is_delete_sync_allowed(finding): + return bool(is_keep_in_sync_with_jira(finding) or is_push_all_issues(finding)) + + # checks if a finding can be pushed to JIRA # optionally provides a form with the new data for the finding # any finding that already has a JIRA issue can be pushed again to JIRA @@ -1268,6 +1272,81 @@ def push_status_to_jira(obj, jira_instance, jira, issue, *, save=False): return updated +def close_jira_issue_for_deleted_finding(finding) -> tuple[bool | None, str]: + logger.debug("closing linked Jira issue before deleting finding %d", finding.id) + + if not is_jira_enabled(): + return False, "JIRA integration is not enabled." + + if not finding.has_jira_issue: + return False, f"Finding {finding.id} has no linked JIRA issue." + + if not is_delete_sync_allowed(finding): + return False, f"Finding {finding.id} is not configured to sync deleted findings to JIRA." + + if not is_jira_configured_and_enabled(finding): + message = ( + f"Finding {finding.id} cannot close its linked JIRA issue " + "because JIRA is not configured or enabled." + ) + logger.debug(message) + return False, message + + jira_instance = get_jira_instance(finding) + if not jira_instance: + message = ( + f"Finding {finding.id} cannot close its linked JIRA issue " + "because the JIRA instance is not available." + ) + logger.warning(message) + return False, message + + jira_issue = get_jira_issue(finding) + if not jira_issue: + return False, f"Finding {finding.id} has no local JIRA issue record." + + try: + JIRAError.log_to_tempfile = False + jira = get_jira_connection(jira_instance) + if not jira: + message = ( + f"Finding {finding.id} cannot close its linked JIRA issue " + "because the JIRA connection could not be established." + ) + logger.warning(message) + return False, message + issue = jira.issue(jira_issue.jira_id) + except Exception as e: + message = f"The following jira instance could not be connected: {jira_instance} - {e}" + logger.exception(message) + log_jira_alert(message, finding) + return False, message + + if not issue_from_jira_is_active(issue): + logger.debug("Jira issue %s is already resolved", jira_issue.jira_key) + return False, f"Jira issue {jira_issue.jira_key} is already resolved." + + updated = jira_transition(jira, issue, jira_instance.close_status_key) + if updated: + add_simple_jira_comment( + jira_instance, + jira_issue, + f"DefectDojo finding {finding.id} was deleted. This Jira issue was closed automatically.", + ) + jira_issue.jira_change = timezone.now() + jira_issue.save(update_fields=["jira_change"]) + return True, f"Jira issue {jira_issue.jira_key} closed successfully." + + return updated, f"Jira issue {jira_issue.jira_key} was not closed." + + +def reassign_jira_issue_to_finding(jira_issue, finding): + jira_issue.finding = finding + jira_issue.finding_group = None + jira_issue.engagement = None + jira_issue.save(update_fields=["finding", "finding_group", "engagement"]) + + # gets the metadata for the provided issue type in the provided jira project def get_issuetype_fields( jira, diff --git a/dojo/jira/services.py b/dojo/jira/services.py index 54dec073be1..a2899666b90 100644 --- a/dojo/jira/services.py +++ b/dojo/jira/services.py @@ -137,6 +137,24 @@ def push_status(obj, jira_instance, jira, issue, *, save=False): return _get_helper().push_status_to_jira(obj, jira_instance, jira, issue, save=save) +def close_issue_for_deleted_finding(finding): + """ + Close the linked Jira issue before a finding is deleted. + + Wraps: jira_helper.close_jira_issue_for_deleted_finding + """ + return _get_helper().close_jira_issue_for_deleted_finding(finding) + + +def reassign_issue_to_finding(jira_issue, finding): + """ + Reassign a local Jira issue record to another finding. + + Wraps: jira_helper.reassign_jira_issue_to_finding + """ + return _get_helper().reassign_jira_issue_to_finding(jira_issue, finding) + + def update_issue(obj, *args, **kwargs): """ Update a Jira issue. @@ -339,6 +357,15 @@ def is_keep_in_sync(obj, prefetched_jira_instance=None): return _get_helper().is_keep_in_sync_with_jira(obj, prefetched_jira_instance=prefetched_jira_instance) +def is_delete_sync_allowed(finding): + """ + Check if deleting a finding should update its linked Jira issue. + + Wraps: jira_helper.is_delete_sync_allowed + """ + return _get_helper().is_delete_sync_allowed(finding) + + def is_push(instance, push_to_jira_parameter=None): """ Check if Jira push should happen. diff --git a/unittests/test_jira_helper.py b/unittests/test_jira_helper.py index b90a304f7a4..9d8f9dd01ca 100644 --- a/unittests/test_jira_helper.py +++ b/unittests/test_jira_helper.py @@ -1,7 +1,8 @@ import logging from unittest import TestCase -from unittest.mock import Mock +from unittest.mock import Mock, patch +import dojo.finding.helper as finding_helper import dojo.jira.helper as jira_helper logger = logging.getLogger(__name__) @@ -29,3 +30,195 @@ def test_issue_from_jira_is_active_with_unknown_status(self): def test_issue_from_jira_is_active_defaults_to_active_on_missing_attribute(self): """AttributeError anywhere in the fields.status.statusCategory.key chain defaults to active.""" self.assertTrue(jira_helper.issue_from_jira_is_active(Mock(spec=[]))) + + @patch("dojo.jira.helper.jira_transition", return_value=True) + @patch("dojo.jira.helper.get_jira_connection") + @patch("dojo.jira.helper.get_jira_issue") + @patch("dojo.jira.helper.get_jira_instance") + @patch("dojo.jira.helper.is_jira_configured_and_enabled", return_value=True) + @patch("dojo.jira.helper.is_jira_enabled", return_value=True) + def test_close_jira_issue_for_deleted_finding_closes_active_issue( + self, + is_jira_enabled, + is_jira_configured_and_enabled, + get_jira_instance, + get_jira_issue, + get_jira_connection, + jira_transition, + ): + finding = Mock(id=1) + finding.has_jira_issue = True + jira_instance = Mock(close_status_key=41) + jira_issue = Mock(jira_id="10001", jira_key="DD-1") + jira = Mock() + issue = self._make_issue("new") + get_jira_instance.return_value = jira_instance + get_jira_issue.return_value = jira_issue + get_jira_connection.return_value = jira + jira.issue.return_value = issue + + with ( + patch("dojo.jira.helper.is_delete_sync_allowed", return_value=True) as is_delete_sync_allowed, + patch("dojo.jira.helper.add_simple_jira_comment", return_value=True) as add_simple_jira_comment, + ): + updated, message = jira_helper.close_jira_issue_for_deleted_finding(finding) + + self.assertTrue(updated) + self.assertEqual("Jira issue DD-1 closed successfully.", message) + is_jira_enabled.assert_called_once_with() + is_delete_sync_allowed.assert_called_once_with(finding) + is_jira_configured_and_enabled.assert_called_once_with(finding) + jira.issue.assert_called_once_with("10001") + jira_transition.assert_called_once_with(jira, issue, 41) + add_simple_jira_comment.assert_called_once_with( + jira_instance, + jira_issue, + "DefectDojo finding 1 was deleted. This Jira issue was closed automatically.", + ) + jira_issue.save.assert_called_once_with(update_fields=["jira_change"]) + + def test_close_jira_issue_for_deleted_finding_skips_when_sync_disabled(self): + finding = Mock(id=1) + finding.has_jira_issue = True + + with ( + patch("dojo.jira.helper.is_jira_enabled", return_value=True) as is_jira_enabled, + patch("dojo.jira.helper.is_delete_sync_allowed", return_value=False) as is_delete_sync_allowed, + patch("dojo.jira.helper.is_jira_configured_and_enabled") as is_jira_configured_and_enabled, + ): + updated, message = jira_helper.close_jira_issue_for_deleted_finding(finding) + + self.assertFalse(updated) + self.assertEqual("Finding 1 is not configured to sync deleted findings to JIRA.", message) + is_jira_enabled.assert_called_once_with() + is_delete_sync_allowed.assert_called_once_with(finding) + is_jira_configured_and_enabled.assert_not_called() + + def test_reassign_jira_issue_to_finding_moves_local_link(self): + jira_issue = Mock() + finding = Mock() + + jira_helper.reassign_jira_issue_to_finding(jira_issue, finding) + + self.assertEqual(finding, jira_issue.finding) + self.assertIsNone(jira_issue.finding_group) + self.assertIsNone(jira_issue.engagement) + jira_issue.save.assert_called_once_with( + update_fields=["finding", "finding_group", "engagement"], + ) + + def test_reassign_jira_issue_to_new_original_moves_local_link_and_comments(self): + deleted_finding = Mock(id=1) + new_original = Mock(id=2) + new_original.has_jira_issue = False + jira_issue = Mock() + jira_instance = Mock() + + with ( + patch( + "dojo.finding.helper.jira_services.is_delete_sync_allowed", + return_value=True, + ) as is_delete_sync_allowed, + patch("dojo.finding.helper.jira_services.get_issue", return_value=jira_issue) as get_issue, + patch("dojo.finding.helper.jira_services.get_instance", return_value=jira_instance) as get_instance, + patch("dojo.finding.helper.jira_services.add_simple_comment", return_value=True) as add_simple_comment, + patch("dojo.finding.helper.jira_services.reassign_issue_to_finding") as reassign_issue_to_finding, + ): + reassigned = finding_helper._reassign_jira_issue_to_new_original(deleted_finding, new_original) + + self.assertTrue(reassigned) + is_delete_sync_allowed.assert_called_once_with(deleted_finding) + get_issue.assert_called_once_with(deleted_finding) + get_instance.assert_called_once_with(deleted_finding) + add_simple_comment.assert_called_once_with( + jira_instance, + jira_issue, + "DefectDojo finding 1 was deleted. This Jira issue was reassigned to finding 2.", + ) + reassign_issue_to_finding.assert_called_once_with(jira_issue, new_original) + self.assertTrue(deleted_finding._skip_jira_close_on_delete) + + def test_reassign_jira_issue_to_new_original_skips_when_new_original_has_jira_issue(self): + deleted_finding = Mock(id=1) + new_original = Mock(id=2) + new_original.has_jira_issue = True + + with ( + patch("dojo.finding.helper.jira_services.get_issue") as get_issue, + patch("dojo.finding.helper.jira_services.reassign_issue_to_finding") as reassign_issue_to_finding, + ): + reassigned = finding_helper._reassign_jira_issue_to_new_original(deleted_finding, new_original) + + self.assertFalse(reassigned) + get_issue.assert_not_called() + reassign_issue_to_finding.assert_not_called() + + @patch("dojo.finding.helper.delete_related_files") + @patch("dojo.finding.helper.delete_related_notes") + @patch("dojo.finding.helper.jira_services.close_issue_for_deleted_finding") + def test_finding_pre_delete_closes_linked_jira_issue_before_cleanup( + self, + close_issue_for_deleted_finding, + delete_related_notes, + delete_related_files, + ): + finding = Mock(id=1) + finding.has_jira_issue = True + finding._skip_jira_close_on_delete = False + + with patch( + "dojo.finding.helper.jira_services.is_delete_sync_allowed", + return_value=True, + ) as is_delete_sync_allowed: + finding_helper.finding_pre_delete(sender=Mock(), instance=finding) + + is_delete_sync_allowed.assert_called_once_with(finding) + close_issue_for_deleted_finding.assert_called_once_with(finding) + finding.found_by.clear.assert_called_once_with() + delete_related_notes.assert_called_once_with(finding) + delete_related_files.assert_called_once_with(finding) + + @patch("dojo.finding.helper.delete_related_files") + @patch("dojo.finding.helper.delete_related_notes") + @patch("dojo.finding.helper.jira_services.close_issue_for_deleted_finding") + def test_finding_pre_delete_skips_jira_close_when_sync_disabled( + self, + close_issue_for_deleted_finding, + delete_related_notes, + delete_related_files, + ): + finding = Mock(id=1) + finding.has_jira_issue = True + finding._skip_jira_close_on_delete = False + + with patch( + "dojo.finding.helper.jira_services.is_delete_sync_allowed", + return_value=False, + ) as is_delete_sync_allowed: + finding_helper.finding_pre_delete(sender=Mock(), instance=finding) + + is_delete_sync_allowed.assert_called_once_with(finding) + close_issue_for_deleted_finding.assert_not_called() + finding.found_by.clear.assert_called_once_with() + delete_related_notes.assert_called_once_with(finding) + delete_related_files.assert_called_once_with(finding) + + @patch("dojo.finding.helper.delete_related_files") + @patch("dojo.finding.helper.delete_related_notes") + @patch("dojo.finding.helper.jira_services.close_issue_for_deleted_finding") + def test_finding_pre_delete_skips_jira_close_after_reassigning_issue( + self, + close_issue_for_deleted_finding, + delete_related_notes, + delete_related_files, + ): + finding = Mock(id=1) + finding.has_jira_issue = True + finding._skip_jira_close_on_delete = True + + finding_helper.finding_pre_delete(sender=Mock(), instance=finding) + + close_issue_for_deleted_finding.assert_not_called() + finding.found_by.clear.assert_called_once_with() + delete_related_notes.assert_called_once_with(finding) + delete_related_files.assert_called_once_with(finding)