DefectDojo
diff --git a/‎dojo/finding/helper.py‎
Lines changed: 6 additions & 3 deletions b/‎dojo/finding/helper.py‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎dojo/importers/base_importer.py‎
Lines changed: 29 additions & 25 deletions b/‎dojo/importers/base_importer.py‎
Lines changed: 29 additions & 25 deletions
diff --git a/‎dojo/importers/default_reimporter.py‎
Lines changed: 13 additions & 4 deletions b/‎dojo/importers/default_reimporter.py‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎unittests/scans/anchore_grype/check_all_fields_different_ids_fabricated.json‎
Lines changed: 167 additions & 0 deletions b/‎unittests/scans/anchore_grype/check_all_fields_different_ids_fabricated.json‎
Lines changed: 167 additions & 0 deletions
@@ -762,12 +762,15 @@ def add_endpoints(new_finding, form):
             endpoint=endpoint, defaults={"date": form.cleaned_data["date"] or timezone.now()})
 
 
-def save_vulnerability_ids(finding, vulnerability_ids):
+def save_vulnerability_ids(finding, vulnerability_ids, *, delete_existing: bool = True):
     # Remove duplicates
     vulnerability_ids = list(dict.fromkeys(vulnerability_ids))
 
-    # Remove old vulnerability ids
-    Vulnerability_Id.objects.filter(finding=finding).delete()
+    # Remove old vulnerability ids if requested
+    # Callers can set delete_existing=False when they know there are no existing IDs
+    # to avoid an unnecessary delete query (e.g., for new findings)
+    if delete_existing:
+        Vulnerability_Id.objects.filter(finding=finding).delete()
 
     # Save new vulnerability ids
     # Using bulk create throws Django 50 warnings about unsaved models...
 
@@ -31,7 +31,6 @@
     Test_Import,
     Test_Import_Finding_Action,
     Test_Type,
-    Vulnerability_Id,
 )
 from dojo.notifications.helper import create_notification
 from dojo.tag_utils import bulk_add_tags_to_instances
@@ -796,36 +795,41 @@ def process_vulnerability_ids(
         to create `Vulnerability_Id` objects with the finding associated correctly.
         Only updates if vulnerability_ids have changed to avoid unnecessary database operations.
 
+        Note: The finding parameter can be:
+        - A new finding (from import) with unsaved_vulnerability_ids set from the parsed report
+        - An existing finding (from reimport) with unsaved_vulnerability_ids copied from the
+          finding_from_report before calling this method
+
         Args:
-            finding: The finding to process vulnerability IDs for
+            finding: The finding to process vulnerability IDs for.
+                For reimports, this is the existing finding with unsaved_vulnerability_ids
+                set from the import/reimport report.
 
         Returns:
             The finding object
 
         """
-        if finding.unsaved_vulnerability_ids:
-            # Only check for changes if the finding has been saved and might have existing vulnerability_ids
-            # For new findings, we always need to save vulnerability_ids
-            if finding.pk and finding.vulnerability_id_set.exists():
-                # Check if vulnerability_ids have changed before updating
-                # Get existing vulnerability IDs from the database
-                existing_vuln_ids = set(finding.vulnerability_ids) if finding.vulnerability_ids else set()
-                # Normalize the new vulnerability IDs (remove duplicates for comparison)
-                new_vuln_ids = set(finding.unsaved_vulnerability_ids)
-
-                # Only update if vulnerability IDs have changed
-                if existing_vuln_ids == new_vuln_ids:
-                    logger.debug(
-                        f"Skipping vulnerability_ids update for finding {finding.id} - "
-                        f"vulnerability_ids unchanged: {sorted(existing_vuln_ids)}",
-                    )
-                    return finding
-
-            # Remove old vulnerability ids - keeping this call only because of flake8
-            Vulnerability_Id.objects.filter(finding=finding).delete()
-
-            # user the helper function
-            finding_helper.save_vulnerability_ids(finding, finding.unsaved_vulnerability_ids)
+        # Normalize to empty list if None - always process vulnerability IDs
+        vulnerability_ids_to_process = finding.unsaved_vulnerability_ids or []
+
+        # For existing findings, check if there are changes before updating
+        if finding.pk and len(finding.vulnerability_id_set.all()) > 0:
+            # Get existing vulnerability IDs from the database
+            existing_vuln_ids = set(finding.vulnerability_ids) if finding.vulnerability_ids else set()
+            # Normalize the new vulnerability IDs (remove duplicates for comparison)
+            new_vuln_ids = set(vulnerability_ids_to_process)
+
+            # Only update if vulnerability IDs have changed
+            if existing_vuln_ids == new_vuln_ids:
+                logger.debug(
+                    f"Skipping vulnerability_ids update for finding {finding.id} - "
+                    f"vulnerability_ids unchanged: {sorted(existing_vuln_ids)}",
+                )
+                return finding
+
+        # Use the helper function which handles deletion and creation
+        # Always use delete_existing=True - it's a no-op if there are no existing IDs
+        finding_helper.save_vulnerability_ids(finding, vulnerability_ids_to_process, delete_existing=True)
 
         return finding
 
 
@@ -695,7 +695,7 @@ def finding_post_processing(
         self,
         finding: Finding,
         finding_from_report: Finding,
-    ) -> None:
+    ) -> Finding:
         """
         Save all associated objects to the finding after it has been saved
         for the purpose of foreign key restrictions
@@ -715,10 +715,19 @@ def finding_post_processing(
             finding.unsaved_files = finding_from_report.unsaved_files
         self.process_files(finding)
         # Process vulnerability IDs
-        if finding_from_report.unsaved_vulnerability_ids:
-            finding.unsaved_vulnerability_ids = finding_from_report.unsaved_vulnerability_ids
+        # Copy unsaved_vulnerability_ids from the report finding to the existing finding
+        # so process_vulnerability_ids can process them (see its docstring for details)
+        # Always set it (even if empty list) so we can clear existing IDs when report has none
+        finding.unsaved_vulnerability_ids = finding_from_report.unsaved_vulnerability_ids or []
+        # Store the current cve value to check if it changes
+        old_cve = finding.cve
         # legacy cve field has already been processed/set earlier
-        return self.process_vulnerability_ids(finding)
+        finding = self.process_vulnerability_ids(finding)
+        # Save the finding only if the cve field was changed by save_vulnerability_ids
+        # This is temporary as the cve field will be phased out
+        if finding.cve != old_cve:
+            finding.save()
+        return finding
 
     def process_groups_for_all_findings(
         self,
 
@@ -0,0 +1,167 @@
+{
+    "matches": [
+     {
+      "vulnerability": {
+       "id": "GHSA-v6rh-hp5x-86rv",
+       "dataSource": "https://github.com/advisories/GHSA-v6rh-hp5x-86rv",
+       "namespace": "github:python",
+       "severity": "High",
+       "urls": [
+        "https://github.com/advisories/GHSA-v6rh-hp5x-86rv"
+       ],
+       "description": "Potential bypass of an upstream access control based on URL paths in Django",
+       "cvss": [],
+       "fix": {
+        "versions": [
+         "3.2.10"
+        ],
+        "state": "fixed"
+       },
+       "advisories": []
+      },
+      "relatedVulnerabilities": [
+       {
+        "id": "CVE-2021-1234",
+        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-1234",
+        "namespace": "nvd",
+        "severity": "High",
+        "urls": [
+         "https://example.com/cve-2021-1234"
+        ],
+        "description": "A different CVE for testing vulnerability ID changes",
+        "cvss": [
+         {
+          "version": "3.1",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+          "metrics": {
+           "baseScore": 9.8,
+           "exploitabilityScore": 3.9,
+           "impactScore": 5.9
+          },
+          "vendorMetadata": {}
+         }
+        ]
+       },
+       {
+        "id": "CVE-2021-5678",
+        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-5678",
+        "namespace": "nvd",
+        "severity": "Medium",
+        "urls": [
+         "https://example.com/cve-2021-5678"
+        ],
+        "description": "Another different CVE for testing vulnerability ID changes",
+        "cvss": [
+         {
+          "version": "3.1",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+          "metrics": {
+           "baseScore": 6.3,
+           "exploitabilityScore": 3.9,
+           "impactScore": 2.4
+          },
+          "vendorMetadata": {}
+         }
+        ]
+       }
+      ],
+      "matchDetails": [
+       {
+        "matcher": "python-matcher",
+        "searchedBy": {
+         "language": "python",
+         "namespace": "github:python"
+        },
+        "found": {
+         "versionConstraint": ">=3.2,<3.2.10 (python)"
+        }
+       }
+      ],
+      "artifact": {
+       "name": "Django",
+       "version": "3.2.9",
+       "type": "python",
+       "locations": [
+        {
+         "path": "/usr/local/lib/python3.8/site-packages/Django-3.2.9.dist-info/METADATA",
+         "layerID": "sha256:b1d4455cf82b15a50b006fe87bd29f694c8f9155456253eb67fdd155b5edcf4a"
+        }
+       ],
+       "language": "python",
+       "licenses": [
+        "BSD-3-Clause"
+       ],
+       "cpes": [
+        "cpe:2.3:a:django_software_foundation:Django:3.2.9:*:*:*:*:*:*:*"
+       ],
+       "purl": "pkg:pypi/Django@3.2.9",
+       "metadata": null
+      }
+     }
+    ],
+    "source": {
+     "type": "image",
+     "target": {
+      "userInput": "vulnerable-image:latest",
+      "imageID": "sha256:ce9898fd214aef9c994a42624b09056bdce3ff4a8e3f68dc242d967b80fcbeee",
+      "manifestDigest": "sha256:9d8825ab20ac86b40eb71495bece1608a302fb180384740697a28c2b0a5a0fc6",
+      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+      "tags": [
+       "vulnerable-image:latest"
+      ],
+      "imageSize": 707381791,
+      "layers": []
+     }
+    },
+    "distro": {
+     "name": "debian",
+     "version": "10",
+     "idLike": ""
+    },
+    "descriptor": {
+     "name": "grype",
+     "version": "0.28.0",
+     "configuration": {
+      "configPath": "",
+      "output": "json",
+      "file": "",
+      "output-template-file": "",
+      "quiet": false,
+      "check-for-app-update": true,
+      "only-fixed": false,
+      "scope": "Squashed",
+      "log": {
+       "structured": false,
+       "level": "",
+       "file": ""
+      },
+      "db": {
+       "cache-dir": "/home/user/.cache/grype/db",
+       "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
+       "ca-cert": "",
+       "auto-update": true,
+       "validate-by-hash-on-start": false
+      },
+      "dev": {
+       "profile-cpu": false,
+       "profile-mem": false
+      },
+      "fail-on-severity": "",
+      "registry": {
+       "insecure-skip-tls-verify": false,
+       "insecure-use-http": false,
+       "auth": []
+      },
+      "ignore": null,
+      "exclude": []
+     },
+     "db": {
+      "built": "2021-12-24T08:14:02Z",
+      "schemaVersion": 3,
+      "location": "/home/user/.cache/grype/db/3",
+      "checksum": "sha256:6c4777e1acea787e5335ccee6b5e4562cd1767b9cca138c07e0802efb2a74162",
+      "error": null
+     }
+    }
+   }
+