
Fix async finding import #11784

Closed

Conversation

FirePanda169

Description

Adding missing decorator for findings import function

Test results

...

@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests integration_tests ui parser helm localization labels Feb 10, 2025

DryRun Security Summary

The pull request addresses multiple security concerns in the DefectDojo project, including sensitive information exposure, configuration risks, and potential vulnerabilities, while also implementing security improvements across GitHub Actions workflows, Docker configurations, and Python scripts.


The pull request introduces updates to multiple GitHub Actions workflow files, Docker configurations, and various Python scripts across the DefectDojo project. Key security findings include:

  1. Sensitive Information Exposure:

    • Docker Compose file contains default credentials (database password: 'defectdojo')
    • Kubernetes tests script exposes admin password retrieval
    • Multiple entrypoint scripts print potentially sensitive configuration details
  2. Configuration Risks:

    • Default admin user settings with predictable credentials
    • HTTP (not HTTPS) used in some connectivity checks
    • Broad environment variable configurations
    • Potential supply chain risks from direct GitHub repository dependencies
  3. Potential Vulnerabilities:

    • Insecure curl requests with --insecure flag
    • Hardcoded Chrome and ChromeDriver URLs
    • Default TLS certificate generation with predictable details
    • Permissive file permissions in some Docker configurations
  4. Security Improvements:

    • Pinned GitHub Actions to specific commit hashes
    • Non-root user configurations in Docker images
    • Specific image SHA256 hash pinning
    • Improved error handling in shell scripts

No single critical vulnerability was identified, but the cumulative security observations suggest a need for careful configuration management and credential handling in the DefectDojo project.

Code Analysis

We ran 9 analyzers against 30 files and 3 analyzers had findings. 6 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 17 findings
Sensitive Files Analyzer 2 findings
Authn/Authz Analyzer 4 findings

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


@FirePanda169 FirePanda169 changed the base branch from bugfix to dev February 10, 2025 14:28
@FirePanda169
Author

There is also a suggestion for optimization. Use asynchronous import only if more than 1 task will be created. For one chunk, it will definitely be useful.
Perhaps make the threshold 2 * ASYNC_FINDING_IMPORT_CHUNK_SIZE.
What do you think?

if settings.ASYNC_FINDING_IMPORT:
rewrite to
if settings.ASYNC_FINDING_IMPORT and settings.ASYNC_FINDING_IMPORT_CHUNK_SIZE < len(parsed_findings):
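The threshold idea in the comment above, worked through as an added example (not DefectDojo's own code and not from the PR). It assumes a plain stand-in `Settings` object carrying the two setting names mentioned in the thread, a hypothetical `chunk_findings` helper, and a hypothetical `plan_import` function that returns either a single synchronous batch or the list of chunks that would become async tasks. The default threshold reproduces the proposed rewrite (`ASYNC_FINDING_IMPORT_CHUNK_SIZE < len(parsed_findings)`); passing `2 * chunk_size` gives the stricter variant also suggested. The sample findings are constructed.

```python
class Settings:
    """Stand-in for django.conf.settings (assumption: a plain object exposing the
    two DefectDojo setting names named in the thread)."""

    def __init__(self, async_import=True, chunk_size=100):
        self.ASYNC_FINDING_IMPORT = async_import
        self.ASYNC_FINDING_IMPORT_CHUNK_SIZE = chunk_size


def chunk_findings(parsed_findings, chunk_size):
    """Split findings into consecutive chunks of at most chunk_size items (assumed helper)."""
    if chunk_size < 1:
        raise ValueError("chunk size must be a positive integer")
    return [parsed_findings[i:i + chunk_size]
            for i in range(0, len(parsed_findings), chunk_size)]


def plan_import(parsed_findings, settings, threshold=None):
    """Decide between a synchronous import and chunked async tasks.

    Returns ("sync", [all_findings]) or ("async", chunks).
    threshold: number of findings the import must exceed before async is used.
    Defaults to the chunk size, i.e. the rewrite proposed in the comment; pass
    2 * chunk_size for the stricter variant.
    """
    chunk_size = settings.ASYNC_FINDING_IMPORT_CHUNK_SIZE
    if threshold is None:
        threshold = chunk_size
    findings = list(parsed_findings)
    use_async = settings.ASYNC_FINDING_IMPORT and len(findings) > threshold
    if not use_async:
        # A single chunk (or async disabled) never pays the task-dispatch overhead.
        return "sync", [findings]
    return "async", chunk_findings(findings, chunk_size)


def task_count(parsed_findings, settings, threshold=None):
    """Number of worker tasks the plan would dispatch (1 for a sync import)."""
    return len(plan_import(parsed_findings, settings, threshold)[1])


# Constructed sample input: 101 minimal findings, one more than a 100-item chunk.
SAMPLE_FINDINGS = [{"title": f"finding-{i}"} for i in range(101)]

if __name__ == "__main__":
    s = Settings(chunk_size=100)
    print(plan_import(SAMPLE_FINDINGS[:100], s)[0], task_count(SAMPLE_FINDINGS[:100], s))
    print(plan_import(SAMPLE_FINDINGS, s)[0], task_count(SAMPLE_FINDINGS, s))
```

With a chunk size of 100, exactly 100 findings stay synchronous (one task), 101 findings become two async tasks of 100 and 1, and with the stricter `2 * chunk_size` threshold the same 101 findings stay synchronous.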

@Maffooch
Contributor

Hi @FirePanda169 there is a good chance that the async importer will be deprecated soon per the quarterly update discussion: #11199

I do not have details at this time when the final call will be made on that, but it is an experimental feature that has some unexpected behaviors, and I would advise against using it

@FirePanda169
Author

It's sad because importing a lot of findings becomes a problem without a solution.
I tried to come up with something to use Finding.objects.bulk_create(...). But the rewritten save method doesn't let me do it easily.

@valentijnscholten
Member

valentijnscholten commented Feb 10, 2025

nvm, didn't see the existing replies.

@Maffooch
Contributor

@FirePanda169 after talking amongst the other moderators, we have decided to move forward with deprecating this feature. Please make plans to disable async import

@Maffooch Maffooch closed this Feb 14, 2025