Bug - Unable to 'unlink' Jira Epic from Product Engagement, similar to 'unlink' Jira Issue from Finding

[testaccount90009]

Slack thread:
https://owasp.slack.com/archives/C2P5BA8MN/p1701210518937829

When enabling Engagement Epic mapping for Jira, there is no way to unlink an epic from an engagement metadata. This causes an issue for any engagement that was mapped to a Jira project - since the epic for the engagement will stay with the previous binding. There's no way to 'unlink' like you can with a Finding from a Jira issue, so when you enable engagement epic mapping in a product in DefectDojo, the engagement metadata stays with that and you can't change it. This is not ideal.

Bug description
A clear and concise description of what the bug is. For errors include at least the exact error message you are seeing (including traceback).

Steps to reproduce
Steps to reproduce the behavior:

1. Set up Jira integration.
2. Enable engagement epic mapping with Project A in DefectDojo.
3. Push a Finding and have Jira Epic created. Verify in Engagement metadata.
4. Delete Epic in Jira or change project in DefectDojo for Engagement.
5. Experience bug behavior of no way to unlink or modify a mapped engagement to an epic.
6. Push finding with new Jira Project B that was set up in Dojo.
7. Experience bug error saying can't find Epic.

Expected behavior
A clear and concise description of what you expected to happen.

There should be a way to unlink the Engagements referenced / linked Epic in the metadata of the Products Engagement. If the Epic is deleted, or if the Product/Engagement metadata changes to reflect a new Jira Project - it should be possible to link to a new Epic and similar to the 'unlink' function with a Finding to a Jira Issue.

Because the Epic no longer exists and we tried to move the metadata to a new Jira Project, there's issues now because DefectDojo thinks the Epic is still mapped to the Engagement.

Deployment method (select with an X)

• Docker Compose
• Kubernetes
• GoDojo

Environment information\

• DefectDojo version - 2.27.3
• Ubuntu

Logs
Use docker-compose logs (or similar, depending on your deployment method) to get the logs and add the relevant sections here showing the error occurring (if applicable).

Sample scan files
If applicable, add sample scan files to help reproduce your problem.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context (optional)
Add any other context about the problem here.

[testaccount90009]

Here's the code to 'unlink' a finding_group from a Jira issue: https://github.com/DefectDojo/django-DefectDojo/blob/7912214c2831fbbc9f69255e3637435d608ad998/dojo/finding_group/views.py#L145C32-L145C32

Referenced:

django-DefectDojo/dojo/finding_group/urls.py

Line 10 in 7912214

re_path(r'^finding_group/(?P<fgid>\d+)/jira/unlink$', views.unlink_jira, name='finding_group_unlink_jira'),

Here's the code to 'unlink' a finding from a Jira issue:

django-DefectDojo/dojo/finding/views.py

Line 1036 in 7912214

if not new_jira_issue_key:

Referenced:

django-DefectDojo/dojo/finding/urls.py

Line 188 in 7912214

re_path(r'^finding/(?P<fid>\d+)/jira/unlink$', views.unlink_jira, name='finding_unlink_jira'),

Currently there is no reference for unlinking an Engagement or an Epic, much like these code lines add that functionality for unlinking Findings/Group from Jira issue. This exhibits bug behavior when an Engagement is mapped to an Epic, but the Epic no longer exists - or if the Engagement/Product needs to be edited relative to the Jira project/epic, it does not unlink correctly and still thinks there is an existing Epic that it is linked to.

Even running the reconciliation script for the Jira status does not fix it.

[manuel-sommer]

Can you do a PR to fix it?