Conversation
- Fix DELETE/PUT comment routes: PathValue mismatch (commentId→comment_id, findingId→id)
- Fix bulk status update: pass ActorID for resolved_by tracking
- Add ApprovalExpirationController: auto-reopen findings with expired risk acceptances
- Add Approval.Expire() method and 'expired' status
- Migration 000088: add 'expired' to approval status CHECK + filtered index
- Register controller in workers.go (1h interval, batch 100)

…solation
- Fix comment delete leaving ghost activity in feed (delete activity instead of creating comment_deleted)
- Fix comment edit creating blank activity (update existing activity content in-place via JSONB merge)
- Add tenant_id filter to DeleteByCommentID and UpdateContentByCommentID to prevent cross-tenant data modification
- Add assignee notifications for finding assignment, comments, and status changes with self-notify skip
- Add partial JSONB index on changes->>'comment_id' for comment activity queries (migration 000089)

…pping + CTEM integration

Pentest Campaign Management:
- 5 DB tables: campaigns, findings, retests, templates, reports (migration 090)
- Seeds: 8 finding templates, 11 permissions, 5 event types, Pentest Operator preset (migration 091)
- Domain layer: types, entities, repository interfaces (pkg/domain/pentest/)
- Repository layer: 5 PostgreSQL repositories with tenant isolation
- Service layer: ~20 methods (campaigns, findings, retests, templates, reports)
- HTTP handler: 24 endpoints with permission middleware
- Routes: 4 route groups under /api/v1/pentest/

Compliance Framework Mapping:
- 4 DB tables: frameworks, controls, assessments, finding_mappings (migration 092)
- Seeds: compliance module, 7 permissions, 2 event types (migration 093)
- Framework seed: 8 frameworks (OWASP, SOC2, ISO27001, PCI-DSS, NIST, HIPAA, GDPR, CIS) with 103 controls (migration 094)
- Domain layer: types, entities, repository interfaces (pkg/domain/compliance/)
- Repository + Service + Handler + Routes fully wired

CTEM Integration (Pentest Finding → Unified Findings):
- Migration 095: add pentest_campaign_id FK to findings, drop status CHECK constraint
- Expanded FindingStatus enum: +6 pentest statuses (draft, in_review, remediation, retest, verified, accepted_risk)
- Finding entity: pentestCampaignID field + ForceStatus method
- Finding repository: pentest_campaign_id in SELECT/INSERT/scan
- PentestService: CreateUnifiedFinding (source='pentest' → unified findings table)
- PentestService: UpdatePentestFindingStatus with pentest transition validation
- Auto-resolve exclusion: pentest findings never auto-closed by scanners
- Source enforcement: VulnerabilityService blocks pentest status changes
- Bulk status guard: blocks pentest-specific statuses in bulk operations
- Dashboard stats: exclude draft/in_review from counts

Permission System (18 new permissions, 3-layer sync):
- DB: 11 pentest + 7 compliance permissions with role mappings
- Go: permission.go + role_mapping.go + module.go updated
- Frontend: constants.ts updated (constants, labels, role mappings)

Security Fixes:
- Template IDOR: tenant isolation added to GetByID/Update/Delete
- Framework IDOR: tenant isolation on GetByID
- System framework protection: AND is_system = FALSE on Update
- Assessment authorization: verify framework ownership + control-framework match
- per_page max limit (100) on all list endpoints
- Mapping queries: LIMIT 1000 to prevent unbounded results

…ding pipeline

Security Fixes:
- ListControls: add tenant isolation (verify framework ownership before listing controls)
- Compliance mapping guard: block draft/in_review findings from compliance control mapping
- CreateInTx: fix missing pentest_campaign_id argument (70th param) preventing transactional creation

CTEM Integration:
- FindingFilter: add PentestCampaignID filter for campaign-scoped queries
- ListUnifiedCampaignFindings: query unified findings table by campaign + source='pentest'
- CreateRetest: use unifiedFindingRepo when available, verify source='pentest', auto-update status
- GetStats: add 6 pentest status counts + source_pentest count
- OpenCount: include pentest active statuses (draft, in_review, remediation, retest)
- ResolvedCount: include verified status

Domain:
- Finding entity: add sourceMetadata field + getter/setter + SetSourceMetadata
- FindingData: add SourceMetadata + PentestCampaignID fields
- ComplianceService: add SetFindingRepository for draft guard
- helpers.go: add unmarshalJSONBMap helper

Handler:
- PentestHandler CreateFinding: calls CreateUnifiedFinding with full pentest data
- PentestHandler UpdateStatus: calls UpdatePentestFindingStatus with transition validation
- toUnifiedPentestFindingResponse: decodes SourceMetadata for pentest detail fields
- PentestFindingRequest: expanded with all pentest fields (asset_id, evidence, PoC, etc.)

- Add version input validation (must match v<major>.<minor>.<patch>)
- Add Docker image pull commands to GitHub Release notes
- GHCR is primary registry, Docker Hub is optional mirror

…ening

Backend:
- Unified finding pipeline: List/Get/Update/Delete all use findings table (not deprecated pentest_findings)
- Batch enrichment: campaign list uses 3 queries instead of 41 (batch stats + batch user resolution)
- Request body size limits (1MB) on all decode handlers
- Source verification: GetUnifiedFinding rejects non-pentest findings
- DeleteFinding uses unified repo with source='pentest' check
- ILIKE search injection fix: escape %, _, \ in all pentest repos
- Dynamic campaign types: accept any string (configurable per tenant via settings)
- Tenant pentest settings: GET/PATCH /settings/pentest for campaign types + methodologies
- CreateTemplate now sets all input fields (was only name + severity)
- Auto-add creator as lead + team member on campaign creation
- Team member enrichment: resolve user IDs to names/emails in campaign response
- Campaign stats from unified findings table with progress calculation
- ListAllFindings endpoint: GET /api/v1/pentest/findings (all pentest findings across campaigns)
- Report GET endpoints use Read permission (was incorrectly requiring Write)
- FindingFilter.ExcludeStatuses support end-to-end

Tests:
- 28 pentest service unit tests + 12 integration edge case tests
- Seed script for pentest data (4 campaigns, 8 findings, 2 retests, 1 report)
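The "ILIKE search injection fix" above refers to escaping the LIKE wildcards in user-supplied search terms. The following is an added Go example, not code from this repository: it shows the escaping as a small helper together with the parameterized query shape it is meant for (the `name ILIKE $1 ESCAPE '\'` query text and the `escapeLike`/`searchPattern` names are assumptions).

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLike escapes the three characters PostgreSQL treats specially inside a
// LIKE/ILIKE pattern: backslash (the escape character itself), % (any run of
// characters) and _ (any single character). strings.NewReplacer performs all
// three substitutions in a single pass, so the backslash added for "%" is not
// itself escaped a second time.
func escapeLike(term string) string {
	r := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)
	return r.Replace(term)
}

// searchPattern wraps the escaped term in wildcards so that only the
// wildcards added here, never those typed by the user, are interpreted.
// The value is passed as a bind parameter; the query text itself is constant.
func searchPattern(term string) string {
	return "%" + escapeLike(term) + "%"
}

// searchQuery is the constant query text the pattern is bound to. ESCAPE '\'
// pins the escape character explicitly rather than relying on the default.
const searchQuery = `SELECT id, name FROM pentest_campaigns
WHERE tenant_id = $1 AND name ILIKE $2 ESCAPE '\'
ORDER BY created_at DESC LIMIT $3`

func main() {
	// Constructed input: a term containing every metacharacter. Unescaped,
	// "%" alone would match every row; escaped, it only matches literally.
	fmt.Println(searchPattern("100%_done"))
	fmt.Println(searchQuery)
}
```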