Quick verify in menu and keyboard shortcuts to verify/close findings

[fopina]

Description

When viewing a finding, the menu has the option to "Close finding" but no option to "Verify": one has to edit, scroll an endless form to get to status.

As (at least for me) triaging findings is either closing or verifying, I think it deserves a spot in the menu as well.

In addition, keyboard shortcuts shared by the ProTip are nice, so it felt like an even better shortcut (or shortcuts) would be: verify/close!

Checklist

This checklist is for your information.

• Make sure to rebase your PR against the very latest dev.
• Features/Changes should be submitted against the dev.
• Bugfixes should be submitted against the bugfix branch.
• Give a meaningful name to your PR, as it may end up being used in the release notes.
• Your code is flake8 compliant.
• Your code is python 3.13 compliant.
• If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
• Model changes must include the necessary migrations in the dojo/db_migrations folder.
• Add applicable tests to the unit tests.
• Add the proper label to categorize your PR.

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request modifies multiple sensitive codepaths (URLs, views, templates, API serializers/views, and helper modules under dojo/) and the scanner flagged these edits as sensitive; consider reviewing the changes carefully and configuring allowed paths/authors in .dryrunsecurity.yaml if appropriate. None of the findings are marked blocking, but they are flagged at the failing risk threshold and warrant attention.

🔴 Configured Codepaths Edit in dojo/finding/urls.py (drs_7f0ce89c)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/views.py (drs_ce0937f4)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/verify_finding.html (drs_959ff526)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html (drs_110cab11)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html (drs_cbb63c7f)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py (drs_c61db350)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/api_v2/views.py (drs_204dda67)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/helper.py (drs_bde88f52)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/views.py (drs_d7eedba4)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/helper.py (drs_a95648cd)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/helper.py (drs_562c68ea)

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.

[valentijnscholten]

What's the difference between the PRs? Do you have screenshots?

[fopinappb]

Hi @valentijnscholten , I understand where that question came from because I created this branch off the other one, not from dev - because it depends on it as I mention in the description

I split them in case there was some need to discuss the additions separately :)

#14317 adds Verify to the menu:

This one extends keyboard shortcuts in view findings (e,p,n) to also support verify and close finding

As the shortcut to "verify" requires the menu option to exist, I branched off it - also felt like they would look nice as different entries in the release log, since this one also improves "close finding" accessibility

[valentijnscholten]

So #14317 can be closed and we only need this one?

[fopina]

Done, PRs merged 👍

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[Maffooch]

Hi @fopina your PR will need to have the current upstream dev branch pulled in. I attempted to do this for you, but did not have the perms to do so. I apologize for inconvenience!

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[fopina]

I had to reset locally to the new dev as it was a mess of commits even after resolving conflicts...
Done now

[Maffooch]

This looks great! Can you please do a couple things

• Add API support
• Consolidate the verification process into a helper

Use the close finding helper as a reference for interfacing with jira, and consolidating UI/API behavior to prevent disparity

[fopinappb]

@Maffooch thanks for the feedback, working on adding those.
Question: what I did was explicitly skipping Jira notification, is your change request to add that update too?

Should it just be .save() (without jira=False) or you have anything particular in mind?

[fopinappb]

and tests fixed now, all done apart from confirmation on jira interaction 👍

[valentijnscholten]

I think what @Maffooch meant is that by making a findin verified, it might be eligible to be pushed to JIRA where before it was skipped depending on system settings. To accomodate that you would have to do something like or maybe the exact same thing as the close finding helper:

django-DefectDojo/dojo/finding/helper.py

Lines 1080 to 1098 in f1f3b93

	push_to_jira = False
	finding_in_group = finding.has_finding_group
	jira_issue_exists = finding.has_jira_issue or (
	finding.finding_group and finding.finding_group.has_jira_issue
	)
	jira_instance = jira_helper.get_jira_instance(finding)
	jira_project = jira_helper.get_jira_project(finding)
	if jira_issue_exists:
	push_to_jira = (
	jira_helper.is_push_all_issues(finding)
	or (jira_instance and jira_instance.finding_jira_sync)
	)
	if new_note and (getattr(jira_project, "push_notes", False) or push_to_jira) and not finding_in_group:
	jira_helper.add_comment(finding, new_note, force_push=True)
	# Persist and push JIRA if applicable
	finding.save(push_to_jira=(push_to_jira and not finding_in_group))
	if push_to_jira and finding_in_group:
	jira_helper.push_to_jira(finding.finding_group)

[fopinappb]

Flaky test I suppose, as it only failed for debian... Push force to retrigger tests

[fopinappb]

Thank you @valentijnscholten

I don't have a Jira instance to test however, looking at the code in dojo/jira_link/helper.py I don't see verified reflected anywhere.

If I'm not missing something, is it worth triggering a "push to jira" that will not actually push anything?

[valentijnscholten]

This

django-DefectDojo/dojo/jira_link/helper.py

Lines 191 to 226 in f1f3b93

	isenforced = get_system_setting("enforce_verified_status", True) or get_system_setting("enforce_verified_status_jira", True)
	if isinstance(obj, Finding):
	if form:
	active = form["active"].value()
	verified = form["verified"].value()
	severity = form["severity"].value()
	else:
	active = obj.active
	verified = obj.verified
	severity = obj.severity
	logger.debug("can_be_pushed_to_jira: %s, %s, %s", active, verified, severity)
	if not active or (not verified and isenforced):
	logger.debug("Findings must be active and verified, if enforced by system settings, to be pushed to JIRA")
	return False, "Findings must be active and verified, if enforced by system settings, to be pushed to JIRA", "error_not_active_or_verified"
	if jira_minimum_threshold and jira_minimum_threshold > Finding.get_number_severity(severity):
	logger.debug(f"Finding below the minimum JIRA severity threshold ({System_Settings.objects.get().jira_minimum_severity}).")
	return False, f"Finding below the minimum JIRA severity threshold ({System_Settings.objects.get().jira_minimum_severity}).", "error_below_minimum_threshold"
	elif isinstance(obj, Finding_Group):
	finding_group_status = _safely_get_obj_status_for_jira(obj)
	if "Empty" in finding_group_status:
	return False, f"{to_str_typed(obj)} cannot be pushed to jira as it contains no findings above minimum treshold.", "error_empty"
	if isenforced and "Verified" not in finding_group_status:
	return False, f"{to_str_typed(obj)} cannot be pushed to jira as it contains no active and verified findings above minimum treshold.", "error_not_active_or_verified"
	if "Active" not in _safely_get_obj_status_for_jira(obj):
	return False, f"{to_str_typed(obj)} cannot be pushed to jira as it contains no active findings above minimum treshold.", "error_inactive"
	else:
	return False, f"{to_str_typed(obj)} cannot be pushed to jira as it is of unsupported type.", "error_unsupported"
	return True, None, None

is the part where the newly verified finding might be selected to be pushed if someone has chosen to sync all findings to JIRA.

[fopina]

Oh what a miss 🤦 I was checking if verified was mapped somewhere and forgot to check if it part of the criteria to push...

I'll take a look at it, thanks

[fopina]

I just found myself jumping between model definition, signals in jira helper, definitions in finding helper, and others and it didn't become clearer to me than before.

I don't understand why this check is done in these methods instead of letting can_be_pushed_to_jira deal with it (and just passing push_to_jira=True to save).

As I can't understand but I'm sure there's a reason (as it's done not just for close_finding but others, at least partially), I just did as suggested 😄

I hope it looks as expected now 👍

[mtesauro]

Approved