Add Simple Metrics API endpoint
Description
This PR adds a REST API endpoint `/api/v2/metrics/simple` for programmatic access to DefectDojo's simple metrics functionality. This will enable automated reporting and external dashboard integration.
Changes:
- New API endpoint that mirrors the business logic of the existing UI `/metrics/simple` endpoint - Uses conditional aggregation to summarize product type counts in a single database query (as opposed to the UI's Python loops)
- Fixes a bug in `dojo/utils.py` that caused crashes when anonymous users triggered logout events by handling null user cases
Test results
- Created 10 test methods in `dojo/unittests/test_apiv2_simple_metrics`

```
uwsgi-1 | ----------------------------------------------------------------------
uwsgi-1 | Ran 43 tests in 4.588s
uwsgi-1 |
uwsgi-1 | OK (skipped=32)
```
Documentation
- Updated OpenAPI schema documentation
- Feature summary added to docs (docs/content/en/api/metrics-endpoint.md)
Checklist
- [X] Make sure to rebase your PR against the very latest `dev`.
- [X] Features/Changes should be submitted against the `dev` branch.
- [X] Bugfixes should be submitted against the `bugfix` branch.
- [X] Give a meaningful name to your PR, as it may end up being used in the release notes.
- [X] Your code is flake8 compliant.
- [X] Your code is python 3.11 compliant.
- [X] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
- [N/A] Model changes must include the necessary migrations in the dojo/db_migrations folder.
- [X] Add applicable tests to the unit tests.
- [X] Add the proper label to categorize your PR.
Response
```json
[
  {
    "product_type_id": 2,
    "product_type_name": "Platform A",
    "Total": 25,
    "S0": 13,
    "S1": 2,
    "S2": 10,
    "S3": 0,
    "S4": 0,
    "Opened": 25,
    "Closed": 0
  },
  {
    "product_type_id": 1,
    "product_type_name": "Research and Development",
    "Total": 7,
    "S0": 1,
    "S1": 3,
    "S2": 3,
    "S3": 0,
    "S4": 0,
    "Opened": 7,
    "Closed": 0
  }
]
```
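The single-query conditional aggregation the description refers to, as an added example that is not the PR's own code: it runs one `COUNT(CASE ...)` query against a constructed, simplified sqlite stand-in for the product type and finding tables (the schema and the Total/Opened/Closed semantics are assumptions, not DefectDojo's real model) and binds the optional `product_type_id` filter as a query parameter rather than formatting it into the SQL.

```python
import sqlite3

# Added illustration, not the PR's code: one conditional-aggregation query that yields
# the endpoint's response shape. Severity buckets follow DefectDojo's simple metrics
# labels (S0 = Critical ... S4 = Info). Assumed semantics: Total = all findings,
# Opened = active, Closed = mitigated. COUNT(CASE ...) ignores the NULLs of
# non-matching rows, so a product type with no findings still reports zeros.
QUERY = """
SELECT pt.id AS product_type_id, pt.name AS product_type_name,
       COUNT(f.id) AS Total,
       COUNT(CASE WHEN f.severity = 'Critical' THEN 1 END) AS S0,
       COUNT(CASE WHEN f.severity = 'High'     THEN 1 END) AS S1,
       COUNT(CASE WHEN f.severity = 'Medium'   THEN 1 END) AS S2,
       COUNT(CASE WHEN f.severity = 'Low'      THEN 1 END) AS S3,
       COUNT(CASE WHEN f.severity = 'Info'     THEN 1 END) AS S4,
       COUNT(CASE WHEN f.active = 1 THEN 1 END) AS Opened,
       COUNT(CASE WHEN f.mitigated = 1 THEN 1 END) AS Closed
FROM product_type pt
LEFT JOIN finding f ON f.product_type_id = pt.id
WHERE :pt_id IS NULL OR pt.id = :pt_id
GROUP BY pt.id, pt.name
ORDER BY pt.name
"""

def build_sample_db():
    """Constructed in-memory stand-in for the DefectDojo tables (simplified, assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE product_type (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE finding (id INTEGER PRIMARY KEY, product_type_id INTEGER NOT NULL,
                              severity TEXT NOT NULL, active INTEGER NOT NULL,
                              mitigated INTEGER NOT NULL);
    """)
    db.executemany("INSERT INTO product_type VALUES (?, ?)",
                   [(1, "Research and Development"), (2, "Platform A"), (3, "Sandbox")])
    # Constructed findings: Platform A matches the sample response above; R&D additionally
    # gets one mitigated Low finding so the Closed column is exercised; Sandbox has none.
    findings = ([(2, "Critical", 1, 0)] * 13 + [(2, "High", 1, 0)] * 2 + [(2, "Medium", 1, 0)] * 10
                + [(1, "Critical", 1, 0)] + [(1, "High", 1, 0)] * 3 + [(1, "Medium", 1, 0)] * 3
                + [(1, "Low", 0, 1)])
    db.executemany("INSERT INTO finding (product_type_id, severity, active, mitigated) "
                   "VALUES (?, ?, ?, ?)", findings)
    return db

def simple_metrics(db, product_type_id=None):
    """Per-product-type counts in the endpoint's response shape; the filter is a bound parameter."""
    return [dict(row) for row in db.execute(QUERY, {"pt_id": product_type_id})]
```

Because the grouping happens in the database, the Python side does one round trip regardless of how many product types exist; a product type with no findings comes back as a row of zeros instead of being skipped.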
:red_circle: Risk threshold exceeded.
This pull request introduces several security concerns, including potential information disclosure through error messages and metrics endpoints, user enumeration via logout logging, and a possible denial of service vulnerability in the metrics view. The changes affect multiple files in the dojo directory and require careful review to mitigate potential security risks.
:warning: Configured Codepaths Edit in dojo/urls.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:warning: Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:warning: Configured Codepaths Edit in dojo/api_v2/serializers.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:warning: Configured Codepaths Edit in dojo/api_v2/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:warning: Information Disclosure via Error Messages in docs/content/en/api/metrics-endpoint.md
| Vulnerability | Information Disclosure via Error Messages |
|---|---|
| Description | The documentation provides detailed error messages that could help an attacker understand backend validation logic. While informative for developers, these specific error messages reveal implementation details that could aid in probing the API's input validation mechanisms. |
https://github.com/DefectDojo/django-DefectDojo/blob/1737ad23729f32d597162b9c489020f651a29afe/docs/content/en/api/metrics-endpoint.md#L1-L169
:warning: User Enumeration via Logout Logging in dojo/utils.py
| Vulnerability | User Enumeration via Logout Logging |
|---|---|
| Description | The logout logging differentiates between authenticated and anonymous users, which could potentially provide a side channel for user enumeration if log entries are accessible or observable. |
https://github.com/DefectDojo/django-DefectDojo/blob/1737ad23729f32d597162b9c489020f651a29afe/dojo/utils.py#L2387-L2396
:warning: Information Disclosure via New API Endpoint in dojo/urls.py
| Vulnerability | Information Disclosure via New API Endpoint |
|---|---|
| Description | The new metrics endpoint could expose sensitive system information if not properly secured. The introduction of this endpoint requires careful review to ensure it does not leak operational details. |
https://github.com/DefectDojo/django-DefectDojo/blob/1737ad23729f32d597162b9c489020f651a29afe/dojo/urls.py#L58-L64
:warning: Information Disclosure via Metrics in dojo/api_v2/serializers.py
| Vulnerability | Information Disclosure via Metrics |
|---|---|
| Description | The serializer exposes detailed metrics about product types, including vulnerability counts by severity. If not properly protected, this could provide an attacker insights into the organization's security posture and vulnerability landscape. |
https://github.com/DefectDojo/django-DefectDojo/blob/1737ad23729f32d597162b9c489020f651a29afe/dojo/api_v2/serializers.py#L3089-L3107
:warning: Potential Denial of Service in dojo/api_v2/views.py
| Vulnerability | Potential Denial of Service |
|---|---|
| Description | The SimpleMetricsViewSet sets pagination_class = None, which could allow resource exhaustion if a large number of product types or findings are processed. This could lead to excessive server resource consumption. |
https://github.com/DefectDojo/django-DefectDojo/blob/1737ad23729f32d597162b9c489020f651a29afe/dojo/api_v2/views.py#L11-L17
:warning: Information Disclosure via Error Messaging in dojo/api_v2/views.py
| Vulnerability | Information Disclosure via Error Messaging |
|---|---|
| Description | The error message for product_type_id does not clearly distinguish between a non-existent product type and an unauthorized product type. This could potentially allow for subtle user enumeration. |
https://github.com/DefectDojo/django-DefectDojo/blob/1737ad23729f32d597162b9c489020f651a29afe/dojo/api_v2/views.py#L11-L17
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
:red_circle: Risk threshold exceeded.
This pull request introduces several security considerations, including potential information disclosure through metrics serialization, IP logging during logout, and product type enumeration, with multiple sensitive files being edited across the project's API, utility, and template components. While none of the findings are blocking, they highlight areas where careful access control and error message handling could mitigate potential reconnaissance or information leakage risks.
:red_circle: Configured Codepaths Edit in dojo/templates/dojo/simple_metrics.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:red_circle: Configured Codepaths Edit in dojo/urls.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:red_circle: Configured Codepaths Edit in dojo/utils.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:red_circle: Configured Codepaths Edit in dojo/api_v2/serializers.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:red_circle: Configured Codepaths Edit in dojo/api_v2/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:red_circle: Configured Codepaths Edit in dojo/metrics/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
:red_circle: Configured Codepaths Edit in dojo/templates/dojo/pt_counts.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Metrics Information Disclosure in dojo/api_v2/serializers.py
| Vulnerability | Metrics Information Disclosure |
|---|---|
| Description | The new SimpleMetricsSerializer exposes detailed security metrics, including finding counts by severity and status. If not properly secured, this could provide attackers with insights into the application's security posture and internal metrics. |
https://github.com/DefectDojo/django-DefectDojo/blob/405b676ed0b22397f9afed984d152a24f7690fbf/dojo/api_v2/serializers.py#L3103-L3124
Logout IP Logging in dojo/utils.py
| Vulnerability | Logout IP Logging |
|---|---|
| Description | The patch introduces logging of IP addresses for both authenticated and anonymous logout attempts. While logging can be useful for auditing, logging IP addresses for anonymous users could potentially be used for tracking or reconnaissance if not carefully managed. |
https://github.com/DefectDojo/django-DefectDojo/blob/405b676ed0b22397f9afed984d152a24f7690fbf/dojo/utils.py#L2397-L2406
Product Type Enumeration in dojo/api_v2/views.py
| Vulnerability | Product Type Enumeration |
|---|---|
| Description | The new metrics API endpoint allows filtering by product type ID, which could potentially enable an attacker to enumerate valid product type IDs through careful probing of the API responses. While the implementation includes authorization checks, the distinct error messages and response handling could leak information about the existence of product types. |
https://github.com/DefectDojo/django-DefectDojo/blob/405b676ed0b22397f9afed984d152a24f7690fbf/dojo/api_v2/views.py#L3174-L3296
Test Credential Linting Disabled in ruff.toml
| Vulnerability | Test Credential Linting Disabled |
|---|---|
| Description | Disabling the S106 linting rule for test files removes warnings about hardcoded passwords, which could lead to accidental exposure of credentials if test files are mishandled or the repository is compromised. |
https://github.com/DefectDojo/django-DefectDojo/blob/405b676ed0b22397f9afed984d152a24f7690fbf/ruff.toml#L112-L118
Verbose Error Message Disclosure in docs/content/en/api/metrics-endpoint.md
| Vulnerability | Verbose Error Message Disclosure |
|---|---|
| Description | The API documentation reveals detailed error messages that provide insights into the backend's validation logic. While informative for developers, these messages could assist an attacker in understanding the application's input validation mechanisms and potential attack surfaces. |
https://github.com/DefectDojo/django-DefectDojo/blob/405b676ed0b22397f9afed984d152a24f7690fbf/docs/content/en/api/metrics-endpoint.md#L1-L169
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
This pull request has conflicts, please resolve those before we can evaluate the pull request.