Set last reviewed date and reviewer when note is added #14209
base: bugfix
Update finding's last reviewed date and reviewer to maintain parity with UI behaviors
Should this also happen on notes added via the JIRA webhook?
mtesauro
left a comment
Approved
Sure
Update finding with last reviewed date and author.
This pull request introduces a JIRA webhook handler change that automatically sets a finding's last_reviewed timestamp and last_reviewed_by to a generic "JIRA" user whenever any JIRA comment is received, which means non-review interactions (questions, bot updates) can improperly mark findings as reviewed and undermine the audit trail and compliance reporting. This behavior weakens accountability and allows external activity to manipulate review status used for monitoring and reports.
Business Logic: Audit Trail Integrity via JIRA Webhook in
| Vulnerability | Business Logic: Audit Trail Integrity via JIRA Webhook |
|---|---|
| Description | The JIRA webhook handler in dojo/jira_link/views.py automatically updates the last_reviewed timestamp and last_reviewed_by field of a finding whenever any JIRA comment is received. This logic flaw treats every external interaction (such as a developer asking a question or a bot posting an update) as a formal security review. The identity of the reviewer is set to a generic 'JIRA' system user, which dilutes the accountability of the audit trail. Because last_reviewed is a critical field used for compliance monitoring, filtering stale findings, and generating security reports, this automated behavior allows the review status of findings to be manipulated by external, non-tester interactions, compromising the integrity of compliance reporting. |
django-DefectDojo/dojo/jira_link/views.py
Lines 288 to 291 in 0372240

```python
finding.last_reviewed = new_note.date
finding.last_reviewed_by = author
finding.save(update_fields=["last_reviewed", "last_reviewed_by"])
return None
```
All finding details can be found in the DryRun Security Dashboard.
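The following is an added, self-contained model of the behaviour the comment above describes; it is illustration code, not DefectDojo's own handler or the project's fix. `stamp_review_on_any_comment` reproduces the described logic (every JIRA comment stamps `last_reviewed`, attributed to the generic `JIRA` user when no real account matches), `stamp_review_only_for_known_reviewer` is one hypothetical mitigation that records the note but leaves the review fields alone unless the comment maps to a real, non-system reviewer, and `stale_findings` shows why the distinction matters for the compliance-style filtering the comment mentions. The names `Finding`, `Note`, `SYSTEM_USERS`, `REVIEWER_MAP` and the two handler functions are assumptions, and the sample notes and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical stand-ins for the ORM models and author resolution that the real
# webhook handler in dojo/jira_link/views.py works with (assumptions, not project code).
SYSTEM_USERS = {"JIRA"}                         # generic integration account, never a human reviewer
REVIEWER_MAP = {"alice": "alice", "jira-bot": "JIRA"}  # constructed JIRA-author -> local-user mapping


@dataclass
class Note:
    author: str        # raw author name as it arrives from JIRA
    date: datetime
    text: str


@dataclass
class Finding:
    title: str
    last_reviewed: Optional[datetime] = None
    last_reviewed_by: Optional[str] = None
    notes: list = field(default_factory=list)
    writes: list = field(default_factory=list)  # records each save(update_fields=...) call

    def save(self, update_fields):
        # Stand-in for the ORM save; we only record which fields would be written.
        self.writes.append(tuple(update_fields))


def stamp_review_on_any_comment(finding, note, reviewer_map=REVIEWER_MAP):
    """Behaviour described in the bot comment: every JIRA comment marks the
    finding as reviewed, attributed to the mapped user or the generic 'JIRA'
    system user when no mapping exists."""
    finding.notes.append(note)
    author = reviewer_map.get(note.author, "JIRA")
    finding.last_reviewed = note.date
    finding.last_reviewed_by = author
    finding.save(update_fields=["last_reviewed", "last_reviewed_by"])
    return None


def stamp_review_only_for_known_reviewer(finding, note, reviewer_map=REVIEWER_MAP):
    """One possible mitigation (an assumption, not the project's fix): keep the
    note, but only touch the review fields when the author resolves to a real,
    non-system user, so bot traffic and questions never count as a review."""
    finding.notes.append(note)
    reviewer = reviewer_map.get(note.author)
    if reviewer is None or reviewer in SYSTEM_USERS:
        return None  # note recorded, review status unchanged
    finding.last_reviewed = note.date
    finding.last_reviewed_by = reviewer
    finding.save(update_fields=["last_reviewed", "last_reviewed_by"])
    return None


def stale_findings(findings, now, max_age_days=30):
    """Compliance-style filter that depends on last_reviewed: a finding is stale
    when it was never reviewed or its last review is older than the window."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(f.title for f in findings
                  if f.last_reviewed is None or f.last_reviewed < cutoff)


def demo():
    """Run both handlers over the same constructed scenario and compare what
    the stale-finding report sees afterwards."""
    now = datetime(2025, 1, 31, tzinfo=timezone.utc)
    old = now - timedelta(days=90)   # both findings were genuinely reviewed 90 days ago
    bot_note = Note(author="jira-bot", date=now, text="Build #42 passed")
    human_note = Note(author="alice", date=now, text="Re-tested, still reproducible")

    permissive = [Finding("SQLi in /login", old, "alice"), Finding("XSS in /search", old, "alice")]
    gated = [Finding("SQLi in /login", old, "alice"), Finding("XSS in /search", old, "alice")]

    # An automated comment lands on the first finding; a real reviewer comments on the second.
    stamp_review_on_any_comment(permissive[0], bot_note)
    stamp_review_on_any_comment(permissive[1], human_note)
    stamp_review_only_for_known_reviewer(gated[0], bot_note)
    stamp_review_only_for_known_reviewer(gated[1], human_note)

    return {
        "permissive_stale": stale_findings(permissive, now),
        "permissive_reviewed_by": [f.last_reviewed_by for f in permissive],
        "gated_stale": stale_findings(gated, now),
        "gated_reviewed_by": [f.last_reviewed_by for f in gated],
        "gated_bot_writes": gated[0].writes,
        "notes_recorded": [len(f.notes) for f in gated],
    }


if __name__ == "__main__":
    print(demo())
```

With the permissive handler the bot comment silently clears the SQLi finding from the stale report and credits the review to `JIRA`; with the gated variant the note is still attached, nothing is written to the review columns, and the finding stays visible as overdue for review.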