♻️ Remove async import #12042

Status: Open. Wants to merge 5 commits into base branch dev.

Conversation

manuel-sommer
Contributor

@manuel-sommer manuel-sommer commented Mar 18, 2025

TODO: Add a note for the release where this gets merged.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs labels Mar 18, 2025

dryrunsecurity bot commented Mar 18, 2025

DryRun Security Summary

The pull request removes deprecated asynchronous finding import features across multiple files, reducing security risks and simplifying system configuration by eliminating experimental code paths and potential concurrency-related vulnerabilities.


PR Summary: Removal of deprecated asynchronous finding import feature across multiple files, including documentation updates, code cleanup in importers, and configuration settings modifications.

Security Findings:

  • Removal of experimental async processing methods reduces potential race conditions and concurrency-related security risks
  • Eliminates configuration settings for async finding imports, simplifying the system's configuration
  • Reduces attack surface by removing deprecated and experimental code paths
  • Removes potential entry points for unintended behavior in import processes
  • Cleans up unused imports that could potentially introduce security complexities

No direct security vulnerabilities were introduced by these changes.

Code Analysis

We ran 7 analyzers against 6 files and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer findings: Configured Codepaths Analyzer, 7 findings.

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@valentijnscholten
Member

Can I suggest to change the title to "Remove async import"?

@manuel-sommer manuel-sommer changed the title ♻️ Deprecate async import ♻️ Remove async import Mar 19, 2025
@manuel-sommer
Contributor Author

Done

@Maffooch
Contributor

@manuel-sommer thank you for doing this! It will definitely save us some time in the future. We are planning to remove this functionality in the June release to provide folks enough awareness and time. The earliest we could merge this would be shortly after the May release.

@manuel-sommer
Contributor Author

Sure, feel free to merge it later. :-)

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@manuel-sommer
Contributor Author

I will resolve the conflicts once this will be picked up again.

@Maffooch Maffooch added this to the 2.47.0 milestone Apr 7, 2025
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.


DryRun Security

🔴 Risk threshold exceeded.

This pull request involves sensitive edits to multiple importer files in the dojo/importers directory, with potential implications including reduced async processing capabilities, simplified code structure, and changes to import workflows that may impact performance and user configurations.

Configured Codepaths Edit findings (sensitive edits detected for the listed file; sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml):

  • ⚠️ dojo/importers/base_importer.py
  • ⚠️ dojo/importers/default_importer.py
  • ⚠️ dojo/importers/default_reimporter.py
  • ⚠️ dojo/importers/endpoint_manager.py
  • ⚠️ dojo/importers/endpoint_manager.py
  • ⚠️ dojo/importers/endpoint_manager.py
  • ⚠️ dojo/importers/endpoint_manager.py
  • ⚠️ dojo/importers/base_importer.py
  • ⚠️ dojo/importers/default_importer.py
  • ⚠️ dojo/importers/default_reimporter.py
💭 Unconfirmed Findings (5)

  • Potential Information Disclosure: Removal of documentation sections might reduce transparency about import mechanisms, potentially leaving users unaware of feature changes without consulting release notes.
  • Configuration Variable Removal: Deprecated configuration variables related to async finding imports were removed, which could impact existing import workflows and processing strategies.
  • Reduced Attack Surface: Eliminating async processing methods reduces risks such as race conditions, concurrency-related vulnerabilities, and potential experimental feature exploits.
  • Import and Code Cleanup: Removing unused imports slightly decreases potential attack surface and simplifies the codebase, making it easier to audit and secure.
  • Potential Performance Considerations: Switching to synchronous processing might negatively impact performance for large imports and could require users to modify their existing import strategies.

We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
