Jira Webhook Race Condition Prevents Finding Closure #14200

@a-ruff

Description

Bug description

When closing a Jira ticket with a comment while having both issue.updated and comment.created webhook events enabled, the DefectDojo finding will fail to be marked as closed/mitigated. I suspect this is caused by a race condition in the webhook processing.

Database locking when processing webhook events could help, but I'm not sure what side effects that might have on the rest of the project.

Environment information

  • DefectDojo version v. 2.54.0
  • DefectDojo with Jira integration enabled
  • Jira webhooks configured with both events:
    • issue.updated
    • comment.created
  • Automatically sync Findings with JIRA? setting: disabled
    • This setting masks the bug. I suspect the finding goes Close -> Re-open because of the comment (this bug) -> Re-close because of the sync.

Steps to reproduce

  1. Configure Jira integration in DefectDojo with webhooks enabled
  2. Enable both issue.updated and comment.created webhook events in Jira (screenshot in the original issue)
  3. Ensure Automatically sync Findings with JIRA? is disabled in the DefectDojo Jira configuration (screenshot in the original issue)
  4. Create a Finding in DefectDojo that is pushed to Jira
  5. In Jira, close the ticket with a comment
  6. Check the Finding status in DefectDojo

Expected Result: Finding should be marked as inactive/mitigated

Actual Result: Finding remains active despite the Jira issue being closed

  1. Disable comment.created webhook events in Jira.
  2. Re-open the Jira ticket, ensure DefectDojo finding is open.
  3. In Jira, close the ticket with a comment
  4. Check the Finding status in DefectDojo; this time the finding should be marked as inactive/mitigated

Root cause

When a Jira issue is closed with a comment, Jira sends two separate webhook events nearly simultaneously:

  1. issue.updated
  2. comment.created

The webhook handler processes these events as follows:

For issue.updated:

  1. Load finding from database
  2. Call process_resolution_from_jira() -> sets finding.active = False, saves finding
  3. Call check_for_and_create_comment() -> creates note, calls finding.save()

For comment.created:

  1. Load finding from database
  2. Call check_for_and_create_comment() -> creates note, calls finding.save()

I suspect the problem occurs when both webhooks arrive concurrently: check_for_and_create_comment might override the change made by process_resolution_from_jira. As a result, the finding is back to active=True in the database.
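An added example (not DefectDojo's or the reporter's code) that models the interleaving described above: two handlers load the same finding, and a full-object save() from the stale comment-handler copy silently reverts active=False. The in-memory table, the Finding class and the helper names are constructed stand-ins; the hardened path assumes Django's save(update_fields=...) semantics of writing only the named columns.

```python
"""Minimal model of the lost-update race between the issue.updated and
comment.created handlers. Constructed example: TABLE stands in for the
findings table, and Finding.save() mimics Django's default of writing
every column unless update_fields is given."""
import copy
from dataclasses import dataclass

TABLE = {}  # constructed stand-in for the findings table: pk -> row


def reset_table():
    TABLE.clear()
    TABLE[1] = {"active": True, "notes": []}


@dataclass
class Finding:
    """In-memory copy of a row; goes stale as soon as another handler writes."""
    pk: int
    active: bool
    notes: list

    def save(self, update_fields=None):
        # Default save writes every column from this (possibly stale) copy.
        cols = update_fields or ("active", "notes")
        for col in cols:
            TABLE[self.pk][col] = copy.deepcopy(getattr(self, col))


def load(pk):
    row = TABLE[pk]
    return Finding(pk, row["active"], list(row["notes"]))


def process_resolution(finding):
    """Stand-in for process_resolution_from_jira(): close the finding."""
    finding.active = False
    finding.save()


def create_comment(finding, text, only_changed_fields):
    """Stand-in for check_for_and_create_comment(): record the Jira comment."""
    finding.notes.append(text)
    finding.save(update_fields=["notes"] if only_changed_fields else None)


def simulate(only_changed_fields):
    """Interleave the two handlers; return the finding's stored active flag."""
    reset_table()
    issue_copy = load(1)     # issue.updated handler reads the row ...
    comment_copy = load(1)   # ... and comment.created reads it at the same time
    process_resolution(issue_copy)                        # active=False stored
    create_comment(comment_copy, "Closed", only_changed_fields)
    return TABLE[1]["active"]  # True means the closure was overwritten
```

With a full save, simulate(False) returns True (the finding is reopened); writing only the changed column, simulate(True) returns False while the note is still recorded.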

Deployment method

  • Docker Compose
  • Kubernetes
  • GoDojo
