Defect Dojo has two "review" statuses: Peer Review and Under Review. The use cases are not clearly defined in the UI, but looking at the code and doing some testing reveals the following:
Peer Review should be used when a security engineer wants a second opinion from another security engineer. This also sets the Finding to inactive.
Under Review should be used when a developer entered a fix and is requesting the fix be tested and the finding be closed.
Currently these states are only available to the writer role, which developers typically would not have. I propose the following changes for the purposes of starting discussion:
Collapse both states into a single "Under Review" status.
Allow those with reader role to request a review of a Finding, along with a dropdown list of reasons for the request (False positive, fixed, need risk acceptance (won't fix), etc.).
Do not mark the Finding as inactive during the review period. If the Finding is deemed a false positive or otherwise not needed the Security Engineering team or staff can make the appropriate changes.
I'm not sure how to get the review request to the right people. Right now under Peer Review there is a dropdown list of staff users and the ability to send to all. This is disruptive and tends to get ignored. Please provide input on how to solve this. Thoughts?
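As an added illustration of the proposed authorization model (this is example code written for this discussion, not DefectDojo's own implementation), the following models a single "Under Review" state: a reader may open a review request with a reason, the finding stays active while the request is pending, and only staff may resolve it. The `reviewers_for` routing rule, which limits notification to staff who are members of the finding's product rather than all staff, is one assumed approach to the routing question and not something the discussion settles. Names like `Finding`, `Role`, `ReviewReason`, `product` and `products` are assumptions for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Role(Enum):
    READER = "reader"
    WRITER = "writer"
    STAFF = "staff"


class ReviewReason(Enum):
    FALSE_POSITIVE = "false_positive"
    FIXED = "fixed"
    RISK_ACCEPTANCE = "risk_acceptance"  # "won't fix"


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    name: str
    role: Role
    products: Set[str] = field(default_factory=set)  # assumed product membership


@dataclass
class ReviewRequest:
    requested_by: str
    reason: ReviewReason
    note: str = ""


@dataclass
class Finding:
    title: str
    product: str
    active: bool = True
    under_review: bool = False
    false_p: bool = False
    risk_accepted: bool = False
    review: Optional[ReviewRequest] = None
    history: List[str] = field(default_factory=list)


def request_review(finding: Finding, user: User, reason: ReviewReason, note: str = "") -> Finding:
    """Any authenticated role (reader included) may request a review.
    The finding is deliberately NOT marked inactive while the request is pending."""
    if finding.under_review:
        raise ValueError("finding already under review")
    finding.under_review = True
    finding.review = ReviewRequest(user.name, reason, note)
    finding.history.append(f"{user.name} ({user.role.value}) requested review: {reason.value}")
    return finding


def reviewers_for(finding: Finding, users: List[User]) -> List[User]:
    """Assumed routing rule: notify only staff who belong to the finding's product,
    instead of the whole staff list."""
    return [u for u in users if u.role is Role.STAFF and finding.product in u.products]


def resolve_review(finding: Finding, user: User, accept: bool) -> Finding:
    """Only staff may change the finding's status; the requester's role cannot close it."""
    if user.role is not Role.STAFF:
        raise PermissionDenied(f"{user.name} ({user.role.value}) cannot resolve reviews")
    if not finding.under_review or finding.review is None:
        raise ValueError("no review pending")
    reason = finding.review.reason
    if accept:
        if reason is ReviewReason.FALSE_POSITIVE:
            finding.false_p = True
            finding.active = False
        elif reason is ReviewReason.FIXED:
            finding.active = False  # verified mitigated
        elif reason is ReviewReason.RISK_ACCEPTANCE:
            finding.risk_accepted = True
            finding.active = False
    outcome = "accepted" if accept else "rejected"
    finding.history.append(f"{user.name} {outcome} review ({reason.value}); active={finding.active}")
    finding.under_review = False
    finding.review = None
    return finding


def demo() -> Finding:
    # Constructed sample data for a stand-alone run.
    f = Finding("SQL injection in /login", product="webapp")
    dev = User("dev", Role.READER, {"webapp"})
    sec = User("sec", Role.STAFF, {"webapp"})
    request_review(f, dev, ReviewReason.FALSE_POSITIVE, "query is parameterised")
    resolve_review(f, sec, accept=True)
    return f


if __name__ == "__main__":
    for line in demo().history:
        print(line)
```

The point of the split is least privilege: a reader can only add a request and a reason, while every status transition still goes through `resolve_review`, which refuses non-staff callers, so a developer cannot close their own finding by requesting a review.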