♻️ Remove async import #12042
♻️ Remove async import #12042
Conversation
github-actions
bot
added
settings_changes
DryRun Security SummaryThe pull request removes deprecated asynchronous finding import features across multiple files, reducing security risks and simplifying system configuration by eliminating experimental code paths and potential concurrency-related vulnerabilities. Expand for full summaryPR Summary: Removal of deprecated asynchronous finding import feature across multiple files, including documentation updates, code cleanup in importers, and configuration settings modifications. Security Findings:
No direct security vulnerabilities were introduced by these changes. Code AnalysisWe ran
Overall Riskiness🔴 Risk threshold exceeded. We've notified @mtesauro, @grendel513. |
|
Can I suggest to change the title to "Remove async import"? |
|
Done |
|
@manuel-sommer thank you for doing this! It will definitely save us some time in the future. We are planning to remove this functionality in the June release to provide folks enough awareness and time. The earliest we could merge this would be shortly after the May release |
|
Sure, feel free to merge it later. :-) |
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
I will resolve the conflicts once this will be picked up again. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
🔴 Risk threshold exceeded.This pull request involves sensitive edits to multiple importer files in the dojo/importers directory, with potential implications for async import functionality, performance, and system configuration flexibility, including the removal of deprecated features and configurations.
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
⚠️ Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (4)
| Vulnerability | Potential Feature Deprecation Impact |
|---|---|
| Description | Removal of async import functionality in documentation file, which could cause compatibility issues for users who have not migrated away from async import, potentially leading to unexpected behavior or data import failures. |
| Vulnerability | Potential Performance Regression |
|---|---|
| Description | Synchronous replacement of async endpoint processing in endpoint_manager.py, which may impact performance for large endpoint volumes by removing distributed processing across Celery workers. |
| Vulnerability | Reduced Flexibility in Endpoint Processing |
|---|---|
| Description | Loss of dynamic configuration for endpoint processing due to removal of configurable async import settings, reducing system adaptability. |
| Vulnerability | Deprecated Feature Configuration Removal |
|---|---|
| Description | Elimination of deprecated configurations in settings.dist.py to prevent unintended behavior and potential misconfigurations with outdated experimental features. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
| @@ -273,12 +273,6 @@ | |||
| DD_RATE_LIMITER_ACCOUNT_LOCKOUT=(bool, False), | |||
| # when enabled SonarQube API parser will download the security hotspots | |||
| DD_SONARQUBE_API_PARSER_HOTSPOTS=(bool, True), | |||
| # when enabled, finding importing will occur asynchronously, default False | |||
| # This experimental feature has been deprecated as of DefectDojo 2.44.0 (March release). Please exercise caution if using this feature with an older version of DefectDojo, as results may be inconsistent. | |||
| DD_ASYNC_FINDING_IMPORT=(bool, False), | |||
There was a problem hiding this comment.
If True, would it make sense to create an announcement banner or other alert to notify the users / admins that they are using a feature that is no longer present?
There was a problem hiding this comment.
I don't have the time right now to implement this.
No description provided.