fix(Risk_Acceptance): Remove redundancy in strings of Treatments

[kiblik]

Make strings translatable and remove redundancy

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be focused on enhancing the risk acceptance functionality in the DefectDojo application. The key changes include updating the TREATMENT_CHOICES field to use a more descriptive dictionary, adding new fields to capture the security team's recommendation and the risk owner's decision, allowing the upload of proof documents, specifying the risk owner, and introducing expiration handling features for risk acceptances.

From an application security perspective, these changes are positive as they provide more structure and control around the risk acceptance process. The ability to capture the security team's recommendation, the risk owner's decision, and supporting documentation can help organizations better manage and track their risk acceptance decisions. Additionally, the expiration handling features, such as automatically reactivating findings and restarting SLAs when a risk acceptance expires, can help ensure that risks are properly reevaluated and addressed over time, improving the overall security posture of the organization.

Files Changed:

• dojo/models.py: This file contains the Risk_Acceptance model, which has been updated with the following changes:
  • The TREATMENT_CHOICES field has been updated to use the TREATMENT_TRANSLATIONS dictionary to provide more descriptive choices.
  • New fields have been added, including recommendation, recommendation_details, decision, decision_details, path, owner, expiration_date, expiration_date_warned, expiration_date_handled, reactivate_expired, restart_sla_expired, and notes.
  • These changes enhance the risk acceptance functionality by allowing the capture of the security team's recommendation, the risk owner's decision, supporting documentation, risk ownership, and expiration handling features.

Powered by DryRun Security

[Maffooch]

Have you check if the API needs to be updated? I cannot tell without doing some testing

https://github.com/DefectDojo/django-DefectDojo/blob/501d172aee0c165c8ed8efe1c9fe496a006f437b/dojo/api_v2/serializers.py#L1479C1-L1485C72

[mtesauro]

Approved

[kiblik]

Have you check if the API needs to be updated? I cannot tell without doing some testing

https://github.com/DefectDojo/django-DefectDojo/blob/501d172aee0c165c8ed8efe1c9fe496a006f437b/dojo/api_v2/serializers.py#L1479C1-L1485C72

Yes, it works.

[kiblik]

Btw, Django 5.0 supports more flexible form (not just list of tuples but using of a dict).
After upgrade to 5.0 I would rewrite all models to dicts like here.