
Commit 557f58a

fix(reimport): do not update finding tags on reimport for matched findings
Tags from the report were being appended to matched findings via tags.add(), causing tags to accumulate across reimports instead of being left unchanged. This aligns tag handling with how other finding fields are treated on reimport. Closes #14606
1 parent 2dffc3a commit 557f58a


2 files changed

+22
-16
lines changed


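--- a/dojo/importers/default_reimporter.py
+++ b/dojo/importers/default_reimporter.py
@@ -416,6 +416,7 @@ def process_findings(
 finding = self.finding_post_processing(
 finding,
 unsaved_finding,
+is_matched_finding=bool(matched_findings),
 )
 # all data is already saved on the finding, we only need to trigger post processing in batches
 push_to_jira = self.push_to_jira and ((not self.findings_groups_enabled or not self.group_by) or not finding_will_be_grouped)
@@ -973,6 +974,8 @@ def finding_post_processing(
 self,
 finding: Finding,
 finding_from_report: Finding,
+*,
+is_matched_finding: bool = False,
 ) -> Finding:
 """
 Save all associated objects to the finding after it has been saved
@@ -991,19 +994,22 @@ def finding_post_processing(
 for endpoint in self.endpoints_to_add:
 key = self.endpoint_manager.record_endpoint(endpoint)
 self.endpoint_manager.record_status_for_create(finding, key)
-# Parsers shouldn't use the tags field, and use unsaved_tags instead.
-# Merge any tags set by parser into unsaved_tags
-tags_from_parser = finding_from_report.tags if isinstance(finding_from_report.tags, list) else []
-unsaved_tags_from_parser = finding_from_report.unsaved_tags if isinstance(finding_from_report.unsaved_tags, list) else []
-merged_tags = unsaved_tags_from_parser + tags_from_parser
-if merged_tags:
-finding_from_report.unsaved_tags = merged_tags
-if finding_from_report.unsaved_tags:
-cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
-if isinstance(cleaned_tags, list):
-finding.tags.add(*cleaned_tags)
-elif isinstance(cleaned_tags, str):
-finding.tags.add(cleaned_tags)
+# For matched/existing findings, do not update tags from the report,
+# consistent with how other fields are handled on reimport.
+if not is_matched_finding:
+# Parsers shouldn't use the tags field, and use unsaved_tags instead.
+# Merge any tags set by parser into unsaved_tags
+tags_from_parser = finding_from_report.tags if isinstance(finding_from_report.tags, list) else []
+unsaved_tags_from_parser = finding_from_report.unsaved_tags if isinstance(finding_from_report.unsaved_tags, list) else []
+merged_tags = unsaved_tags_from_parser + tags_from_parser
+if merged_tags:
+finding_from_report.unsaved_tags = merged_tags
+if finding_from_report.unsaved_tags:
+cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
+if isinstance(cleaned_tags, list):
+finding.tags.add(*cleaned_tags)
+elif isinstance(cleaned_tags, str):
+finding.tags.add(cleaned_tags)
 # Process any files
 if finding_from_report.unsaved_files:
 finding.unsaved_files = finding_from_report.unsaved_files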
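Review bot: The new keyword-only `is_matched_finding` in `finding_post_processing` is not described in the docstring, and because it defaults to `False`, any caller that omits it still appends report tags to the finding. I would add a docstring line such as `is_matched_finding: True when the finding already existed and was matched on reimport; report tags are then not applied.`, and if there are other call sites outside these hunks, check that the ones handling matched findings pass the flag. The comment above `if not is_matched_finding:` could also say that a tag the scanner starts emitting later will no longer reach an existing finding, since teams that triage or filter on tags will want to know that. The function body starts and ends outside the visible hunks.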

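--- a/unittests/test_tags.py
+++ b/unittests/test_tags.py
@@ -369,12 +369,12 @@ def assert_tags_in_findings(findings: list[dict], expected_finding_count: int, d
 findings = response["results"]
 # Make sure we have what we are looking for
 assert_tags_in_findings(findings, 2, ["security", "network"])
-# Reimport with a different report that has more tags
+# Reimport with a different report that has more tags — matched findings should retain their original tags
 self.reimport_scan_with_params(test_id, self.generic_sample_with_more_tags_filename, scan_type="Generic Findings Import")
 response = self.get_test_findings_api(test_id)
 findings = response["results"]
-# Make sure we have what we are looking for
-assert_tags_in_findings(findings, 2, ["security", "network", "hardened"])
+# Tags from the report are not applied to matched findings on reimport, consistent with other fields
+assert_tags_in_findings(findings, 2, ["security", "network"])
 
 
 @versioned_fixtures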
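Review bot: The updated assertion after the reimport may not be able to fail. If `assert_tags_in_findings` only checks that each listed tag is present (its body is outside this section), then `["security", "network"]` also passes when `hardened` was appended, so the test would not catch a regression of this fix. I would add an explicit negative check after it, for example `for finding in findings: self.assertNotIn("hardened", finding["tags"])`, assuming the API result exposes the tags under `tags`. The enclosing test method starts outside the hunk.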
