Product burndown metrics causes an internal server error when working with bulk edit risk acceptance #10237

Closed
1 task done
gietschess opened this issue May 21, 2024 · 0 comments
@gietschess
Contributor

Bug description
The product burndown metrics causes an internal server error when using the bulk edit function to risk-accept findings.
When you just add the risk accepted flag to a finding, there's no risk acceptance object within the engagement linked to this finding.
In https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/utils.py#L2505, which is used to count the findings for the burndown, we assume that there's always a risk acceptance object for the accepted finding.

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/django/core/handlers/exception.py", line 56, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/app/dojo/authorization/authorization_decorators.py", line 37, in _wrapped
    return func(request, *args, **kwargs)
  File "/app/dojo/product/views.py", line 738, in async_burndown_metrics
    open_findings_burndown = get_open_findings_burndown(prod)
  File "/app/dojo/utils.py", line 2566, in get_open_findings_burndown
    f_risk_accepted_date = f.risk_acceptance.created.timestamp()

Exception Type: AttributeError at /product/1/async_burndown_metrics
Exception Value: 'NoneType' object has no attribute 'created'

Steps to reproduce
Steps to reproduce the behavior:

  1. Risk-accept a finding using the bulk edit function (https://defectdojo.local/test/2, check the box of a finding of a test, use the Bulk Edit dropdown, check Risk Acceptance and Accept, click Submit)
  2. Go to product metrics containing the accepted finding (https://defectdojo.local/product/1/metrics)
  3. Scroll down to 'Detailed Metrics/Open Day to Day by Severity'
  4. See the widget loading forever
  5. Follow the django/uwsgi logs to see the error

Expected behavior
When not using the risk acceptance objects to organize accepted risks, there's no information about when a finding was accepted.
Maybe fall back to the dojo_finding table's 'created' or 'last_status_update' field value?
Otherwise handle accepted risks by their mitigation status and show them as open in the widget even if they're accepted.

Deployment method

  • Kubernetes

Environment information

  • DefectDojo version 2.34.3
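
The fallback proposed under "Expected behavior", sketched as an added example that is not part of the original issue and is not DefectDojo's code. The `Finding` and `RiskAcceptance` classes are stand-ins with assumed shapes, and `risk_accepted_at`, `accepted_per_day` and `utc` are hypothetical names; the sample data is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

# Stand-ins for the DefectDojo models: assumed shapes, only the fields named in the issue.
@dataclass
class RiskAcceptance:
    created: datetime

@dataclass
class Finding:
    created: datetime
    risk_accepted: bool = False
    last_status_update: Optional[datetime] = None
    risk_acceptance: Optional[RiskAcceptance] = None  # stays None after a bulk-edit accept (per the issue)

def risk_accepted_at(f: Finding) -> Optional[datetime]:
    """Acceptance time for a finding, or None if it is not risk-accepted."""
    if not f.risk_accepted:
        return None
    if f.risk_acceptance is not None:
        return f.risk_acceptance.created
    # No linked object: fall back to last_status_update, then created, as the issue suggests.
    return f.last_status_update or f.created

def accepted_per_day(findings: list[Finding]) -> dict[date, int]:
    """Count risk-accepted findings per day without assuming a linked object exists."""
    days = Counter()
    for f in findings:
        when = risk_accepted_at(f)
        if when is not None:
            days[when.date()] += 1
    return dict(days)

def utc(day: int) -> datetime:
    """Helper for the constructed sample data: noon UTC on a day in May 2024."""
    return datetime(2024, 5, day, 12, 0, tzinfo=timezone.utc)

# Constructed sample data covering each case.
SAMPLE = [
    Finding(created=utc(1), risk_accepted=True, risk_acceptance=RiskAcceptance(utc(10))),
    Finding(created=utc(2), risk_accepted=True, last_status_update=utc(20)),  # bulk edit
    Finding(created=utc(3), risk_accepted=True),  # bulk edit, no status update recorded
    Finding(created=utc(4)),  # not accepted, never counted
]
```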