Ruff: Add and fix FBT002 (+ merge all FBT rules)

[kiblik]

Add rule https://docs.astral.sh/ruff/rules/boolean-default-value-positional-argument/ and fix it. + merge FBT rules.

[dryrunsecurity]

DryRun Security Summary

The pull request introduces a comprehensive set of improvements to the Defect Dojo application, focusing on enhancing security, reliability, and maintainability through updates to various components including JIRA integration, finding management, access controls, and notification processing.

Expand for full summary

Summary:

The code changes in this pull request cover a wide range of functionality within the Defect Dojo application, with a focus on improving the security, reliability, and maintainability of the application. The changes include updates to the handling of JIRA integration, the management of findings and their deduplication, the processing of notifications, and the implementation of various utility functions.

From an application security perspective, the changes introduce several enhancements that can help strengthen the overall security posture of the application. These include improvements to input validation, access control, and the handling of sensitive data. The changes also address potential security vulnerabilities, such as SQL injection and cross-site scripting (XSS), by introducing more robust input validation and sanitization mechanisms.

Additionally, the changes to the deduplication and closing of findings functionality, as well as the improvements to the notification processing, can help ensure the accuracy and reliability of the application's security data, which is crucial for effective security management.

Files Changed:

1. dojo/components/sql_group_concat.py: The changes in this file introduce a custom Django Aggregate class called Sql_GroupConcat, which provides a convenient way to use the GROUP_CONCAT SQL function in Django queries. The changes do not introduce any obvious security concerns.

2. dojo/endpoint/views.py: The changes in this file focus on improving the authorization and access control mechanisms for the endpoints, ensuring that users can only view and interact with the endpoints they are authorized to access.

3. dojo/decorators.py: The changes in this file enhance the rate-limiting functionality and the handling of model instances and their IDs, which can help mitigate potential security risks, such as denial-of-service attacks and unauthorized access.

4. dojo/api_v2/serializers.py: The changes in this file introduce the use of keyword-only arguments for various serializers, which can improve the readability and maintainability of the code, and also ensure that input data is properly validated and follows the expected business rules.

5. dojo/engagement/views.py: The changes in this file introduce an additional access control check to prevent unauthorized modifications to the risk acceptance, which is an important security feature.

6. dojo/finding/helper.py: The changes in this file focus on improving the handling and management of findings, including deduplication, false positive tracking, and integration with external systems like JIRA, which can enhance the overall security of the application.

7. dojo/finding/views.py: The changes in this file are primarily focused on improving the functionality and user experience of the finding management features, without introducing any obvious security concerns.

8. dojo/forms.py: The changes in this file are related to the MonthYearWidget class, which does not directly impact the security of the application.

9. dojo/filters.py: The changes in this file introduce improvements to the filtering capabilities of the application, which can help users more effectively search and analyze security findings. The changes also focus on maintaining appropriate access controls and data handling.

10. dojo/middleware.py: The changes in this file are related to the caching of system settings, which does not directly impact the security of the application.

11. dojo/jira_link/helper.py: The changes in this file improve the integration between Defect Dojo and Jira, addressing potential security concerns such as SQL injection and sensitive information exposure.

12. dojo/product/views.py: The changes in this file introduce a new parameter for the creation of CI/CD engagements, which does not appear to have any direct security implications.

13. dojo/models.py: The changes in this file are related to the handling of file uploads and the processing of findings, which can have security implications that should be reviewed.

14. dojo/notifications/helper.py: The changes in this file focus on improving the reliability and flexibility of the notification functionality, which can contribute to the overall security of the application.

15. dojo/remote_user.py: The changes in this file are related to the authentication and user management functionality, and they include security-relevant checks to ensure that requests are coming from trusted proxy nodes.

16. dojo/risk_acceptance/helper.py: The changes in this file are focused on improving the flexibility and control of the risk acceptance management functionality, which is an important security-related feature.

17. dojo/search/views.py: The changes in this file are related to the search functionality, and it's important to ensure that the search results are properly sanitized and that the overall search

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	2 findings
IDOR Analyzer	1 finding

Overall Riskiness

🟡 Please give this pull request extra attention during review.

View PR in the DryRun Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

Approved

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.