New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert "Fix for vulns not included in host/endpoint views after reopening" #9181
Conversation
Contextual Security AnalysisAs DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.
Chat with your AI-powered Security Buddy by typing Install and configure more repositories at DryRun Security |
So... Do I underastand it correctly that this bug will not be fixed until DD v3 release as no one can edit models.py file for now? |
@WojTecH94 That has nothing to do with v3 - it's been our policy for years to only merge PRs which pass the CICD tests. This one slipped by with a broken test and was reverted. In this specific case, there were failing unit tests of the REST framework: https://github.com/DefectDojo/django-DefectDojo/actions/runs/7034140150 |
Ok, but if you look at these fails it seems they have nothing to do with the change in a PR...
and:
So I thought that this is rather connected with the error: |
About the unrelated failures: I can't speak for @Maffooch who did the release but I suspect he was concentrating on getting the release out rather then digging into the failure. About the "Sensitive Files" failure: We're trying out a new Github app called DryRun Security which lets us mark certain files as "important" and flag PRs that touch those files. Its working pretty good generally speaking. The idea is to have that tool flag changes to files that might impact our work towards v3. While it's technically failing, we're using it currently to just let the approvers know to look a bit closer at a PR that modifies one of those 'sensitive' files. Things like parsers aren't covered (for obvious reasons). I wrote about it in more detail in this GH discussion: #8974 |
Hi @WojTecH94 I apologize for all of the confusion here! This is on me for approving a PR with failing unit tests. I will work to improve my review process so that this does not happen again. Here is what I did on Monday during the release to make the decision to revert your PR (#9077) I triggered the release and found that the PR from the release branch to master had failing unit tests. This very seldomly happens because we are pretty good about ensuring the tests are passing in a PR before merging to dev. That PR is #9180. Luckily, there were only a few changes in this bugfix release, and only on PR that touched any application code. So I went to #9077 and checked the unit tests that were ran on the latest commit. Lucky again, there is only one commit, so it is pretty easy to narrow it down: I clicked the view details button to determine where the problem is. There are three attempts here. Sometimes the tests are finnicky (like you have made a point of in the comment above) so we often just run them again. Going to the origianl run on the unit tests (attempt #1) I can see that those failed, but I needed to figure out why: Because of the verbosity of the logs of these tests, github truncates everything past a few thousande lines. These tests dump all the error at the end, so looking to the full log output is necessary here: Scrolling to the bottom of the output (link to the output for convenience) I can see the following failures:
Because the tests had run to completion, I know that this is not a failure in the execution of the test, but rather a failure of the test itself. In cases where I encounter this situation during development, I will often just fix the failed test. However, since I was doing a release, I did not want this to be a blocker, so I reverted. I hope all of this makes sense, and provides the answers/reasoning you are looking for. If not, please do not hesitate to reach out :) |
Thank you for your broad explanation. I appreciate all the work you do here. |
@WojTecH94 TBH, the best path forward is probably to have you 're-do' this PR. I'd think that would be easier than trying to re-start with this PR since it's been merged then reverted. Plus, the code-base of DefectDojo moves pretty quickly so you'd likely have to rebase against the dev branch as well. We'd be happy to have your contribution added to DefectDojo. (and this time we'll be a bit more careful about merging it) |
Reverts #9077
@WojTecH94 apologies for the revert here. I missed the red X that unit tests were failing when approving this PR