Bug description
When closing a Jira ticket with a comment while having both `issue.updated` and `comment.created` webhook events enabled, the DefectDojo finding will fail to be marked as closed/mitigated. I suspect this is caused by a race condition in the webhook processing.
Database locking when processing webhook events could help, but I'm not sure what side effects that might have on the rest of the project.
Environment information
- DefectDojo version 2.54.0
- DefectDojo with Jira integration enabled
- Jira webhooks configured with both events: `issue.updated` and `comment.created`
- `Automatically sync Findings with JIRA?` setting: disabled
  - This setting masks the bug. I suspect the finding goes Close -> Re-open because of the comment (this bug) -> Re-close because of the sync.
Steps to reproduce
- Configure Jira integration in DefectDojo with webhooks enabled
- Enable both `issue.updated` and `comment.created` webhook events in Jira
- Ensure `Automatically sync Findings with JIRA?` is disabled in the DefectDojo Jira configuration
- Create a Finding in DefectDojo that is pushed to Jira
- In Jira, close the ticket with a comment
- Check the Finding status in DefectDojo

Expected Result: Finding should be marked as inactive/mitigated
Actual Result: Finding remains active despite the Jira issue being closed

- Disable `comment.created` webhook events in Jira.
- Re-open the Jira ticket, ensure the DefectDojo finding is open.
- In Jira, close the ticket with a comment
- Check the Finding status in DefectDojo; this time the finding should be marked as inactive/mitigated
Root cause
When a Jira issue is closed with a comment, Jira sends two separate webhook events nearly simultaneously: `issue.updated` and `comment.created`.

The webhook handler processes these events as follows:

For `issue.updated`:
- Load finding from database
- Call `process_resolution_from_jira()` -> sets `finding.active = False`, saves finding
- Call `check_for_and_create_comment()` -> creates note, calls `finding.save()`

For `comment.created`:
- Load finding from database
- Call `check_for_and_create_comment()` -> creates note, calls `finding.save()`

I suspect the problem occurs when both webhooks arrive concurrently: `check_for_and_create_comment` might override the change done by `process_resolution_from_jira`. As a result, the finding is back to `active=True` in the database.
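The lost-update interleaving described above, replayed deterministically. This is an added example, not DefectDojo's webhook code: an in-memory `FakeDB` stands in for the findings table, the two handlers are generators that yield after each database round-trip so every possible interleaving can be enumerated, and `last_jira_change` is an assumed field standing in for whatever `check_for_and_create_comment()` writes before it calls `finding.save()`. The `narrow` flag switches from a full-row save to a save restricted to the fields each handler actually changed, which is one way to make the second handler unable to clobber `active`.

```python
"""Lost-update race between two Jira webhook handlers, simulated in memory.

Added example; this is not DefectDojo code. FakeDB stands in for the findings
table, and each handler is a generator that yields after every database
round-trip so a scheduler can replay any interleaving of the two handlers
deterministically. `last_jira_change` is an assumed field standing in for
whatever check_for_and_create_comment() writes before it calls finding.save().
"""
from dataclasses import dataclass, replace as copy_row
from itertools import combinations


@dataclass
class FindingRow:
    id: int
    active: bool = True
    last_jira_change: str = ""   # assumed field touched by both handlers


class FakeDB:
    """Rows are copied on load, like ORM instances; writes are explicit."""

    def __init__(self):
        self.rows = {}
        self.notes = {}          # separate "table", like a related Notes model

    def seed(self, row):
        self.rows[row.id] = copy_row(row)

    def load(self, fid):
        return copy_row(self.rows[fid])

    def save(self, row, update_fields=None):
        """Like Model.save(): full-row write unless update_fields narrows it."""
        if update_fields is None:
            self.rows[row.id] = copy_row(row)
        else:
            current = self.rows[row.id]
            changed = {f: getattr(row, f) for f in update_fields}
            self.rows[row.id] = copy_row(current, **changed)

    def add_note(self, fid, text):
        self.notes.setdefault(fid, []).append(text)


def issue_updated(db, fid, narrow):
    """Handler A: process_resolution_from_jira(), then check_for_and_create_comment()."""
    finding = db.load(fid)
    yield
    finding.active = False                                   # resolution from Jira
    db.save(finding, ["active"] if narrow else None)
    yield
    db.add_note(fid, "Closed in Jira")                       # the comment
    finding.last_jira_change = "2024-01-01T00:00:00Z"        # constructed value
    db.save(finding, ["last_jira_change"] if narrow else None)
    yield


def comment_created(db, fid, narrow):
    """Handler B: check_for_and_create_comment() only, on its own (possibly stale) instance."""
    finding = db.load(fid)
    yield
    db.add_note(fid, "Closed in Jira")
    finding.last_jira_change = "2024-01-01T00:00:00Z"        # constructed value
    db.save(finding, ["last_jira_change"] if narrow else None)
    yield


def run(order, narrow=False):
    """Replay one interleaving; `order` is a sequence of 'A'/'B' step picks."""
    db = FakeDB()
    db.seed(FindingRow(id=1, active=True))
    handlers = {"A": issue_updated(db, 1, narrow), "B": comment_created(db, 1, narrow)}
    for name in order:
        next(handlers[name])
    return db.load(1)


def interleavings(steps_a=3, steps_b=2):
    """Every merge order of A's 3 round-trips with B's 2 round-trips (10 in total)."""
    total = steps_a + steps_b
    for a_slots in combinations(range(total), steps_a):
        yield tuple("A" if i in a_slots else "B" for i in range(total))


def lost_update_orders(narrow=False):
    """Interleavings after which the finding is still active, i.e. the closure was lost."""
    return [order for order in interleavings() if run(order, narrow).active]


if __name__ == "__main__":
    for narrow in (False, True):
        lost = lost_update_orders(narrow)
        mode = "save(update_fields=...)" if narrow else "full-row save()"
        print(f"{mode}: {len(lost)} of 10 interleavings lose the closure {lost}")
```

With full-row saves, exactly the interleavings where handler B loads before A's `active = False` write and saves after A's last write end with the finding active again; with the narrowed save there are none. In Django the narrowed write is `finding.save(update_fields=[...])`; the locking approach the report mentions would be loading the finding with `Finding.objects.select_for_update().get(...)` inside `transaction.atomic()`, which serialises the two handlers at the cost of the second webhook request waiting on the first. Note that this simulation does not model deduplication of the comment, so both handlers append a note; whether the real handler already guards against that is a separate question.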
Deployment method