fix ruff

paulOsinski · Maffooch · commit 08b9a60863c7 · 2026-04-29T10:28:52.000-06:00
diff --git a/dojo/jira/helper.py b/dojo/jira/helper.py
@@ -1911,12 +1911,14 @@ def process_resolution_from_jira(
     """Processes the resolution field in the JIRA issue and updated the finding in Defect Dojo accordingly"""
     import dojo.risk_acceptance.helper as ra_helper  # noqa: PLC0415 import error
     status_changed = False
-    # A Jira issue is treated as "resolved" (i.e. the linked finding should be
-    # mitigated / risk-accepted / false-positive'd) only when BOTH a non-null
-    # resolution is present AND the issue's statusCategory is "done". Jira's
-    # statusCategory.key is the canonical closure signal (always one of
-    # "new", "indeterminate", "done"), and checking it alongside the
-    # resolution field prevents several real-world bugs:
+    # A Jira issue is treated as "resolved" (the linked finding should be
+    # mitigated / risk-accepted / false-positive'd) when the issue's
+    # statusCategory.key is "done". Jira's statusCategory is the canonical
+    # closure signal (one of "new", "indeterminate", "done", "undefined"),
+    # always returned by the API, and does not depend on per-workflow
+    # resolution-field hygiene.
+    #
+    # Relying on statusCategory prevents real-world bugs:
     #   1. Workflows where reopen transitions do not clear the resolution -
     #      the issue ends up in an "open but resolved" state and every
     #      webhook event for the issue would otherwise mis-mitigate the
@@ -1929,14 +1931,11 @@ def process_resolution_from_jira(
     #      and the first webhook sees the pre-transition (still-resolved)
     #      state even though the intended final state is reopened.
     #
-    # status_category_key is keyword-only and optional to preserve backward
-    # compatibility with any caller that has not yet been updated to extract
-    # it from the webhook payload; when it is None we fall back to the
-    # historical resolution-only behavior.
-    if status_category_key is None:
-        resolved = resolution_id is not None
-    else:
-        resolved = status_category_key == "done"
+    # The resolution value (when present) is still used downstream to
+    # classify "done" issues as risk-accepted, false-positive, or the
+    # default mitigated category (see jira_instance.accepted_resolutions
+    # and .false_positive_resolutions below).
+    resolved = status_category_key == "done"
     jira_instance = get_jira_instance(finding)
 
     if resolved:
diff --git a/dojo/management/commands/jira_status_reconciliation.py b/dojo/management/commands/jira_status_reconciliation.py
@@ -102,6 +102,13 @@ def _reconcile_findings(mode, product_obj, engagement_obj, timestamp, dryrun, me
         resolution = issue_from_jira.fields.resolution if issue_from_jira.fields.resolution and issue_from_jira.fields.resolution != "None" else None
         resolution_id = resolution.id if resolution else None
         resolution_name = resolution.name if resolution else None
+        # statusCategory.key is the canonical "is this issue done" signal
+        # that process_resolution_from_jira uses to decide whether to mitigate.
+        status_category_key = getattr(
+            getattr(getattr(issue_from_jira.fields, "status", None), "statusCategory", None),
+            "key",
+            None,
+        )
 
         # convert from str to datetime
         issue_from_jira.fields.updated = parse_datetime(issue_from_jira.fields.updated)
@@ -175,7 +182,11 @@ def _reconcile_findings(mode, product_obj, engagement_obj, timestamp, dryrun, me
             if action == "import_status_from_jira":
                 message_action = "deactivating" if find.active else "reactivating"
 
-                status_changed = jira_helper.process_resolution_from_jira(find, resolution_id, resolution_name, assignee_name, issue_from_jira.fields.updated, find.jira_issue) if not dryrun else "dryrun"
+                status_changed = jira_helper.process_resolution_from_jira(
+                    find, resolution_id, resolution_name, assignee_name,
+                    issue_from_jira.fields.updated, find.jira_issue,
+                    status_category_key=status_category_key,
+                ) if not dryrun else "dryrun"
                 if status_changed:
                     message = f"{find.jira_issue.jira_key}; {settings.SITE_URL}/finding/{find.id};{find.status()};{resolution_name};{flag1};{flag2};{flag3};{find.jira_issue.jira_change};{issue_from_jira.fields.updated};{find.last_status_update};{issue_from_jira.fields.updated};{find.last_reviewed};{issue_from_jira.fields.updated};{message_action} finding in defectdojo;{status_changed}"
                     messages.append(message)
@@ -264,6 +275,13 @@ def _reconcile_finding_groups(mode, product_obj, engagement_obj, timestamp, dryr
         resolution = issue_from_jira.fields.resolution if issue_from_jira.fields.resolution and issue_from_jira.fields.resolution != "None" else None
         resolution_id = resolution.id if resolution else None
         resolution_name = resolution.name if resolution else None
+        # statusCategory.key is the canonical "is this issue done" signal
+        # that process_resolution_from_jira uses to decide whether to mitigate.
+        status_category_key = getattr(
+            getattr(getattr(issue_from_jira.fields, "status", None), "statusCategory", None),
+            "key",
+            None,
+        )
 
         # convert from str to datetime
         issue_from_jira.fields.updated = parse_datetime(issue_from_jira.fields.updated)
@@ -335,6 +353,7 @@ def _reconcile_finding_groups(mode, product_obj, engagement_obj, timestamp, dryr
                             find, resolution_id, resolution_name, assignee_name,
                             issue_from_jira.fields.updated, finding_group.jira_issue,
                             finding_group=finding_group,
+                            status_category_key=status_category_key,
                         )
                     else:
                         status_changed = "dryrun"
