Bump easymde from 2.15.0 to 2.18.0 in /components

dojo/db_migrations/0114_product_risk_acceptance.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.1.12 on 2021-07-06 22:23
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0113_endpoint_protocol'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='product',
+            name='risk_acceptance',
+            field=models.ManyToManyField(blank=True, default=None, editable=False, to='dojo.Risk_Acceptance'),
+        ),
+    ]

dojo/engagement/views.py

@@ -794,6 +794,8 @@ def add_risk_acceptance(request, eid, fid=None):
                 risk_acceptance.notes.add(notes)
 
             eng.risk_acceptance.add(risk_acceptance)
+            if settings.PRODUCT_WIDE_RISK_ACCEPTANCE:
+                eng.product.risk_acceptance.add(risk_acceptance)
 
             findings = form.cleaned_data['accepted_findings']
 

dojo/models.py

@@ -710,6 +710,9 @@ class Product(models.Model):
 
     enable_simple_risk_acceptance = models.BooleanField(default=False, help_text=_('Allows simple risk acceptance by checking/unchecking a checkbox.'))
     enable_full_risk_acceptance = models.BooleanField(default=True, help_text=_('Allows full risk acceptance using a risk acceptance form, expiration date, uploaded proof, etc.'))
+    risk_acceptance = models.ManyToManyField(
+        "Risk_Acceptance", default=None, editable=False, blank=True
+    )
 
     def __str__(self):
         return self.name

dojo/product/views.py

@@ -164,6 +164,10 @@ def view_product(request, pid):
                                            out_of_scope=False).order_by('numerical_severity').values(
         'severity').annotate(count=Count('severity'))
 
+    risks_accepted = prod.risk_acceptance.all().select_related('owner').annotate(
+        accepted_findings_count=Count('accepted_findings__id')
+    )
+
     critical = 0
     high = 0
     medium = 0
@@ -206,7 +210,9 @@ def view_product(request, pid):
         'product_type_members': product_type_members,
         'product_groups': product_groups,
         'product_type_groups': product_type_groups,
-        'personal_notifications_form': personal_notifications_form})
+        'personal_notifications_form': personal_notifications_form,
+        'risks_accepted': risks_accepted
+    })
 
 
 @user_is_authorized(Product, Permissions.Component_View, 'pid', 'view')

dojo/settings/settings.dist.py

@@ -164,6 +164,8 @@
     DD_EDITABLE_MITIGATED_DATA=(bool, False),
     # new experimental feature that tracks history across multiple reimports for the same test
     DD_TRACK_IMPORT_HISTORY=(bool, True),
+    # new experimental feature that implements risk acceptance across product (useful with deduplication within engagement)
+    DD_PRODUCT_WIDE_RISK_ACCEPTANCE=(bool, False),
 
     # Feature toggle for new authorization, which is incomplete at the moment.
     # Don't set it to True for productive environments!
@@ -1054,6 +1056,8 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 TRACK_IMPORT_HISTORY = env('DD_TRACK_IMPORT_HISTORY')
 
+PRODUCT_WIDE_RISK_ACCEPTANCE = env('DD_PRODUCT_WIDE_RISK_ACCEPTANCE')
+
 # ------------------------------------------------------------------------------
 # JIRA
 # ------------------------------------------------------------------------------

dojo/templates/dojo/view_product_details.html

@@ -123,6 +123,89 @@ <h3 class="panel-title"><span class="fa fa-pie-chart" aria-hidden="true"></span>
 </div>
 </div>
 <!-- end metrics -->
+
+{% if 'PRODUCT_WIDE_RISK_ACCEPTANCE'|setting_enabled %}
+  <div class="row">
+      <div id="risk" class="col-md-12">
+          <div class="panel panel-default">
+              <div class="panel-heading">
+                  <h4> Risk Acceptance </h4>
+              </div>
+              {% if risks_accepted %}
+                  <div class="table-responsive">
+                      <table id="risk_acceptances"
+                          class="tablesorter-bootstrap table table-condensed table-striped">
+                          <thead>
+                              <tr>
+                                  <th></th>
+                                  <th>Date</th>
+                                  <th>Accepted By</th>
+                                  <th>Name</th>
+                                  <th>Decision</th>
+                                  <!-- <th>Decision Details</th> -->
+                                  <th>Expiration</th>
+                                  <th>Findings</th>
+                                  <th>Proof</th>
+                                  <th>Owner</th>
+                          </thead>
+                          <tbody>
+                              {% for risk_acceptance in risks_accepted %}
+                                  <tr>
+                                      <td class="centered">
+                                          <ul>
+                                              <li class="dropdown" style="list-style:none;position:absolute">
+                                                  <a href="#" class="dropdown-toggle" data-toggle="dropdown" aria-expanded="true">&nbsp;<b class="fa fa-ellipsis-v"></b>&nbsp;</a>
+                                                  <ul class="dropdown-menu">
+                                                      {% with engagement=risk_acceptance.engagement %}
+                                                          {% include 'dojo/snippets/risk_acceptance_actions_snippet.html' with include_view=True %}
+                                                      {% endwith %}
+                                                  </ul>
+                                              </li>
+                                          </ul>
+                                      </td>
+                                      <td><a href="{% url 'view_risk_acceptance' risk_acceptance.engagement.id risk_acceptance.id %}">{{ risk_acceptance.created|date }}</a></td>
+                                      <td>{{ risk_acceptance.accepted_by.get_full_name }}</td>
+                                      <td><a href="{% url 'view_risk_acceptance' risk_acceptance.engagement.id risk_acceptance.id %}">{{ risk_acceptance.name }}</a></td>
+                                      <td>
+                                          {{ risk_acceptance.get_decision_display|default_if_none:"" }}
+                                          {% if risk_acceptance.decision_details %}
+                                              &nbsp;<i style="position:absolute;" class="fa has-popover fa-info-circle" title="Decision Details" data-trigger="hover" data-placement="bottom" data-container="body" data-html="true"
+                                                  data-content="{{ risk_acceptance.decision_details }}"></i>
+                                          {% endif %}
+                                      </td>
+                                      <!-- <td>{{ risk_acceptance.decision_details|default_if_none:""| truncatechars_html:100 }}</td> -->
+                                      <td class="{% if risk_acceptance.is_expired %}red{% endif%}">
+                                          {% if risk_acceptance.expiration_date %}
+                                              {{ risk_acceptance.expiration_date|date }}
+                                          {% else %}
+                                              Never
+                                          {% endif %}
+                                      </td>
+                                      <td>{{ risk_acceptance.accepted_findings_count }}</td>
+                                      {% if risk_acceptance.filename %}
+                                          <td><a href="{% url 'download_risk_acceptance' risk_acceptance.engagement.id risk_acceptance.id %}">Yes</a>
+                                              &nbsp;<i style="position:absolute;" class="fa has-popover fa-info-circle" title="Uploaded proof" data-trigger="hover" data-placement="bottom" data-container="body" data-html="true"
+                                                  data-content="{{ risk_acceptance.filename }}"></i>
+                                          </td>
+                                      {% else %}
+                                          <td>No</a></td>
+                                      {% endif %}
+                                      <td>{{ risk_acceptance.owner.get_full_name }}</td>
+                                  </tr>
+                              {% endfor %}
+                          </tbody>
+                      </table>
+                  </div>
+              {% else %}
+                  <div class="panel-body">
+                      <small class="text-muted"><em>No Risk Acceptances found.</em></small>
+                  </div>
+              {% endif %}
+          </div>
+      </div>
+  </div>
+{% endif %}
+
 <div class="row">
   <div class="col-md-6">
     <div class="panel panel-default">