Ruff: Add and fix ISC002

[kiblik]

Add rule multi-line-implicit-string-concatenation (ISC002) and fix it

[dryrunsecurity]

DryRun Security Summary

The pull request includes changes across multiple files in the Defect Dojo application, focusing on improving report generation, JIRA integration, security finding management, and code maintainability, with key security-relevant updates to sensitive information detection and endpoint data handling, while raising some concerns about increased code complexity in the linter configuration.

Expand for full summary

Summary:

The code changes in this pull request span several files and focus on various aspects of the Defect Dojo application, including report generation, JIRA integration, security finding management, and linter configuration. While the changes do not introduce any obvious security vulnerabilities, there are a few areas that warrant closer attention from an application security perspective:

1. JIRA Integration: The changes in the dojo/forms.py file related to the JIRA integration functionality should be reviewed to ensure that the integration is properly configured and secured, as integrations with external systems can potentially introduce new attack vectors if not implemented securely.

2. Complexity and Maintainability: The increase in the maximum allowed complexity for the Pylint linter in the ruff.toml file is a concern, as it may indicate the presence of complex and potentially vulnerable code. It's recommended to review the codebase and refactor complex areas to improve maintainability and reduce the risk of security issues.

3. Sensitive Information Detection: The changes in the dojo/tools/noseyparker/parser.py file demonstrate the application's focus on detecting and reporting sensitive information, such as secrets, in the scanned repositories. This is a crucial security feature, and it's important to ensure that the detection and reporting mechanisms are robust and effective.

4. Endpoint Data Integrity: The changes in the dojo/endpoint/utils.py file aim to improve the handling and management of endpoint data, which is essential for maintaining an accurate and reliable representation of the application's attack surface. These changes are security-relevant and help ensure the integrity of the underlying data.

Overall, the code changes in this pull request appear to be focused on improving the functionality, maintainability, and security of the Defect Dojo application. While there are no immediate security concerns, it's important to continue reviewing the codebase and the application's security posture on an ongoing basis to identify and address any potential vulnerabilities.

Files Changed:

1. dojo/templatetags/display_tags.py: The changes in this file involve refactoring the finding_sla function to use f-strings and simplify the HTML code for displaying the Service Level Agreement (SLA) information. These changes do not introduce any obvious security concerns.

2. dojo/reports/widgets.py: The changes in this file update the report generation functionality, including the handling of various report widgets. While the changes do not appear to introduce security vulnerabilities, it's important to review the overall report generation process to ensure that sensitive information is not inadvertently exposed.

3. dojo/management/commands/jira_status_reconciliation.py: The changes in this file improve the readability, logging, performance, and error handling of the JIRA status reconciliation command. The changes do not introduce any obvious security concerns, but it's important to ensure that the JIRA integration is properly configured and secured.

4. dojo/management/commands/stamp_finding_last_reviewed.py: The changes in this file update the Finding model's metadata, such as the last_reviewed and last_reviewed_by fields. These changes are focused on improving the application's security management capabilities and do not raise any immediate security concerns.

5. dojo/tools/noseyparker/parser.py: The changes in this file are focused on the parser for the Nosey Parker security scanning tool, which is responsible for detecting and reporting on the presence of sensitive information in scanned repositories. These changes are security-relevant and demonstrate the application's commitment to identifying and addressing security risks.

6. ruff.toml: The changes in this file include the addition of a new security-related linter rule and a significant increase in the maximum allowed complexity for the Pylint linter. While the addition of the security rule is positive, the increase in complexity may indicate the presence of complex and potentially vulnerable code, which should be reviewed and addressed.

7. dojo/endpoint/utils.py: The changes in this file focus on improving the handling and management of endpoint data, which is crucial for maintaining an accurate and reliable representation of the application's attack surface. These changes are security-relevant and help ensure the integrity of the underlying data.

8. dojo/tools/dependency_track/parser.py: The changes in this file are a routine maintenance update that improves the readability of the code without introducing any significant security implications.

9. dojo/forms.py: The changes in this file are related to the JIRA integration functionality, specifically the push_to_jira field in the `JIRAFindingForm

Code Analysis

We ran 9 analyzers against 9 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

Approved