
Usage of accepted findings mapping - Jira

GabrielJuliao opened this issue 6 months ago • 4 comments

Hi,

I need assistance understanding how the "accepted findings" mapping works in the DefectDojo JIRA integration. The documentation lacks clear details, and I have several questions:

What does "accepted findings" mean in this context? Is it the same as "Risk Acceptance" in DefectDojo?

If it is related to Risk Acceptance, how does it map different types of Risk Acceptance (e.g., mitigated, accepted, etc.)?

Does a JIRA resolution of "Done" get recognized as an "accepted finding" in DefectDojo, or is it handled differently?

A clear explanation of this feature and its workflow would be greatly appreciated, as the current documentation is insufficient.

Deployment method (select with an X)

  • [x] Docker Compose
  • [ ] Kubernetes
  • [ ] GoDojo

Environment information

  • Operating System: Ubuntu 24.04
  • Docker Compose version: v2.35.1
  • DefectDojo version: 2.46.2

GabrielJuliao, Jun 10 '25 13:06

This is used when processing data coming in from JIRA either via the webhook or the reconciliation Django management command. If the resolution of a JIRA issue matches one of the resolutions configured in the accepted_mapping_resolution configuration field, a Risk Acceptance object will be created.

The code that does this is at https://github.com/DefectDojo/django-DefectDojo/blob/f65a31011e780386b9f158062da80878d3bb36d8/dojo/jira_link/helper.py#L1669-L1727

From what I can see now, it will always create a Risk Acceptance object even if full risk acceptance is disabled. And it will never set the risk_accepted flag on the Finding. If this observation is correct, those might be bugs.

valentijnscholten, Jun 10 '25 17:06

Hi,

Thanks for the initial clarification. I have follow-up questions about bidirectional mapping and the purpose of "accepted findings" in the DefectDojo JIRA integration:

  • Reverse Mapping: If I accept a finding in DefectDojo, will this automatically map to a specific JIRA resolution or status? If so, how is this configured?
  • Internal Resolutions in DefectDojo: Does DefectDojo have its own internal "resolution" states (e.g., Inactive, Mitigated, etc.) that can be mapped to JIRA resolutions or statuses?
  • Mirroring in JIRA: If I configure a mapping to mirror DefectDojo states (e.g., Inactive, Mitigated) in JIRA, will this bidirectional sync work as expected?
  • Purpose of Accepted Mappings: What is the goal of the "accepted mappings" feature?
    • Is it to map JIRA resolutions to internal DefectDojo states?
    • Or does it create an internal mapping in DefectDojo and then sync any equivalent JIRA resolutions/statuses to it?

GabrielJuliao, Jun 10 '25 17:06

All answers are No.

Risk Acceptance syncing from Defect Dojo to JIRA is not fully implemented, but as long as the Finding is inactive, it will be closed in JIRA. Defect Dojo doesn't set any resolution; JIRA will choose a default.

The accepted_mapping_resolution is only used as described above, so when Findings are accepted in JIRA, they are marked as inactive and Risk Accepted in Defect Dojo.

valentijnscholten, Jun 10 '25 20:06

Ok, thank you! It would be nice to have a default/configurable restart of the SLA on expiration when the Jira webhook triggers accepted_mapping_resolution; as of now the expiration is set to never.

GabrielJuliao, Jun 11 '25 03:06

Easiest would be to use the existing risk_acceptance_form_default_days from System_Settings, would that be good enough for your use case?

valentijnscholten, Jun 19 '25 20:06
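The behaviour described across this thread (a JIRA resolution that matches accepted_mapping_resolution marks the Finding inactive and risk accepted and creates a Risk Acceptance, any other resolution such as "Done" only closes it, and the expiration could be derived from risk_acceptance_form_default_days) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not DefectDojo's own code from dojo/jira_link/helper.py: the dataclasses, the `apply_jira_update` function, the comma-separated shape of accepted_mapping_resolution, the minimal webhook payload and the choice to skip the Risk Acceptance object when full risk acceptance is disabled are all assumptions made for the example.

```python
"""Model of the JIRA -> DefectDojo "accepted findings" mapping discussed in this thread.

Hypothetical illustration only: the dataclasses, field shapes and webhook layout are
assumptions for this example, not DefectDojo's models or its jira_link helper code.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class SystemSettings:
    # Assumed stand-ins for the System_Settings fields named in the thread.
    enable_full_risk_acceptance: bool = True
    risk_acceptance_form_default_days: int = 180


@dataclass
class JiraInstance:
    # accepted_mapping_resolution is the configuration field from the thread;
    # modelled here as a comma-separated list of JIRA resolution names (assumption).
    accepted_mapping_resolution: str = "Accept Risk, Won't Fix"


@dataclass
class RiskAcceptance:
    name: str
    expiration_date: Optional[date]  # None means "never expires"


@dataclass
class Finding:
    title: str
    active: bool = True
    risk_accepted: bool = False
    risk_acceptances: List[RiskAcceptance] = field(default_factory=list)


def parse_accepted_resolutions(value: str) -> set:
    """Normalise the configured resolution list for case-insensitive matching."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def resolution_from_webhook(payload: dict) -> Optional[str]:
    """Read the resolution name from a jira:issue_updated style payload.
    A resolved issue carries fields.resolution = {"name": ...}; an open or
    reopened issue carries fields.resolution = None."""
    resolution = payload.get("issue", {}).get("fields", {}).get("resolution")
    return resolution.get("name") if resolution else None


def apply_jira_update(finding: Finding, payload: dict, jira: JiraInstance,
                      settings: SystemSettings, today: date) -> str:
    """Apply one JIRA update to a Finding and return the action taken."""
    resolution = resolution_from_webhook(payload)
    if resolution is None:
        # Issue reopened in JIRA: clear the accepted state again.
        finding.active = True
        finding.risk_accepted = False
        return "reopened"

    accepted = parse_accepted_resolutions(jira.accepted_mapping_resolution)
    if resolution.lower() not in accepted:
        # Any other resolution (e.g. "Done") only closes the finding; it is
        # not treated as an accepted finding.
        finding.active = False
        return "closed"

    # Accepted mapping matched: mark inactive and risk accepted.
    finding.active = False
    finding.risk_accepted = True
    if not settings.enable_full_risk_acceptance:
        # Design choice in this model: no Risk Acceptance object when full risk
        # acceptance is disabled (the thread flags creating one as a likely bug).
        return "accepted_simple"

    days = settings.risk_acceptance_form_default_days
    expiration = today + timedelta(days=days) if days and days > 0 else None
    finding.risk_acceptances.append(
        RiskAcceptance(name=f"Accepted via JIRA resolution '{resolution}'",
                       expiration_date=expiration))
    return "accepted_full"


def make_payload(resolution_name: Optional[str]) -> dict:
    """Constructed minimal webhook payload for the examples and tests."""
    fields = {"resolution": {"name": resolution_name} if resolution_name else None}
    return {"webhookEvent": "jira:issue_updated",
            "issue": {"key": "SEC-1", "fields": fields}}


DEMO_TODAY = date(2025, 6, 10)  # constructed date for the worked example

if __name__ == "__main__":
    f = Finding("Outdated TLS configuration")
    print(apply_jira_update(f, make_payload("Accept Risk"), JiraInstance(),
                            SystemSettings(), DEMO_TODAY))
    print(f.active, f.risk_accepted, f.risk_acceptances[0].expiration_date)
```

Running the block with the constructed payload shows the three distinct outcomes: an accepted resolution produces an inactive, risk-accepted Finding with an expiration 180 days out, "Done" just deactivates it, and clearing the resolution (a reopen) restores the active state.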

Yes, any expiration would work!

GabrielJuliao, Jun 23 '25 17:06