finding template refactor (#13946)

* finding_templates: make tags work again

* finding_templates: reinstate unit tests

* finding_templates: remove automated matching logic

* finding tempaltes: more auhtoirzation tests to apply template

* fixture cleanup

* upgrade notes

* finding_template: add cvss validation

* increase memory hugo

* finding_template: align fields with finding model

* finding_templates: update api schema

* finding_templates: centralize logic

* squash migrations

* squash migrations

* revert git hub pages changes

* fix user interface test

* update upgrade notes

* fix test

* move to 2.54

* fix test

* move to 2.54

* Bumping hugo version due to memory issue

---------

Co-authored-by: Ross Esposito <rossespo@gmail.com>

Author: valentijnscholten

.github/workflows/gh-pages.yml

@@ -46,13 +46,12 @@ jobs:
 
       - name: Install dependencies
         run: cd docs && npm ci
-      
+
       - name: Build production website
         env:
           HUGO_ENVIRONMENT: production
           HUGO_ENV: production
         run: cd docs && hugo --minify --gc --config config/production/hugo.toml
-
       - name: Deploy
         uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         if: github.repository == 'DefectDojo/django-DefectDojo' # Deploy docs only in core repo, not in forks - it would just fail in fork

docs/content/en/open_source/upgrading/2.54.md

@@ -2,7 +2,7 @@
 title: 'Upgrading to DefectDojo Version 2.54.x'
 toc_hide: true
 weight: -20250804
-description: Removal of django-auditlog & Dropped support for DD_PARSER_EXCLUDE & Reimport performance improvements
+description: Removal of django-auditlog & Dropped support for DD_PARSER_EXCLUDE & Reimport performance improvements & Removal of Finding Template Matching
 ---
 
 ## Breaking Change: Removal of django-auditlog
@@ -55,5 +55,9 @@ DefectDojo 2.54.x includes performance improvements for reimporting scan results
 
 No action is required after upgrading. (Optional tuning knobs exist via `DD_IMPORT_REIMPORT_MATCH_BATCH_SIZE` and `DD_IMPORT_REIMPORT_DEDUPE_BATCH_SIZE`.)
 
+## Finding Template enhancements and removal of CWE matching
+
+As communicated in the [2025Q1 community update](https://github.com/DefectDojo/django-DefectDojo/discussions/12153) the automated matching of Finding Templates based on `CWE` and/or `title` has now been removed.
+
 There are other instructions for upgrading to 2.54.x. Check the Release Notes for the contents of the release: `https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.54.0`
 Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.54.0) for the contents of the release.

dojo/api_v2/serializers.py

@@ -29,6 +29,7 @@
 from dojo.authorization.roles_permissions import Permissions
 from dojo.endpoint.utils import endpoint_filter, endpoint_meta_import
 from dojo.finding.helper import (
+    save_endpoints_template,
     save_vulnerability_ids,
     save_vulnerability_ids_template,
 )
@@ -111,7 +112,6 @@
     User,
     UserContactInfo,
     Vulnerability_Id,
-    Vulnerability_Id_Template,
     get_current_date,
 )
 from dojo.notifications.helper import create_notification
@@ -2029,57 +2029,80 @@ def validate_severity(self, value: str) -> str:
         return value
 
 
-class VulnerabilityIdTemplateSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Vulnerability_Id_Template
-        fields = ["vulnerability_id"]
-
-
 class FindingTemplateSerializer(serializers.ModelSerializer):
     tags = TagListSerializerField(required=False)
-    vulnerability_ids = VulnerabilityIdTemplateSerializer(
-        source="vulnerability_id_template_set", many=True, required=False,
-    )
+    vulnerability_ids = serializers.SerializerMethodField()
+    endpoints = serializers.SerializerMethodField()
 
     class Meta:
         model = Finding_Template
-        exclude = ("cve",)
+        exclude = ("cve", "vulnerability_ids_text")
+
+    @extend_schema_field(serializers.ListField(child=serializers.CharField()))
+    def get_vulnerability_ids(self, obj):
+        """Return vulnerability IDs as a list of strings."""
+        return obj.vulnerability_ids
+
+    @extend_schema_field(serializers.ListField(child=serializers.CharField()))
+    def get_endpoints(self, obj):
+        """Return endpoints as a list of URL strings."""
+        return obj.endpoints if hasattr(obj, "endpoints") else []
 
     def create(self, validated_data):
 
-        # Save vulnerability ids and pop them
-        if "vulnerability_id_template_set" in validated_data:
-            vulnerability_id_set = validated_data.pop(
-                "vulnerability_id_template_set",
-            )
-        else:
-            vulnerability_id_set = None
+        # Handle vulnerability_ids if provided as list
+        vulnerability_ids = None
+        if "vulnerability_ids" in self.initial_data:
+            vulnerability_ids = self.initial_data.get("vulnerability_ids", [])
+            if isinstance(vulnerability_ids, str):
+                # If it's a string, split by newlines
+                vulnerability_ids = [vid.strip() for vid in vulnerability_ids.split("\n") if vid.strip()]
+            elif not isinstance(vulnerability_ids, list):
+                vulnerability_ids = []
+
+        # Handle endpoints if provided as list
+        endpoint_urls = None
+        if "endpoints" in self.initial_data:
+            endpoint_urls = self.initial_data.get("endpoints", [])
+            if isinstance(endpoint_urls, str):
+                # If it's a string, split by newlines
+                endpoint_urls = [url.strip() for url in endpoint_urls.split("\n") if url.strip()]
+            elif not isinstance(endpoint_urls, list):
+                endpoint_urls = []
 
         new_finding_template = super().create(
             validated_data,
         )
 
-        if vulnerability_id_set:
-            vulnerability_ids = [vulnerability_id["vulnerability_id"] for vulnerability_id in vulnerability_id_set]
-            validated_data["cve"] = vulnerability_ids[0]
-            save_vulnerability_ids_template(
-                new_finding_template, vulnerability_ids,
-            )
-            new_finding_template.save()
+        # Save vulnerability IDs using helper
+        if vulnerability_ids:
+            save_vulnerability_ids_template(new_finding_template, vulnerability_ids)
+
+        # Save endpoints using helper
+        if endpoint_urls:
+            save_endpoints_template(new_finding_template, endpoint_urls)
 
         return new_finding_template
 
     def update(self, instance, validated_data):
-        # Save vulnerability ids and pop them
-        if "vulnerability_id_template_set" in validated_data:
-            vulnerability_id_set = validated_data.pop(
-                "vulnerability_id_template_set",
-            )
-            vulnerability_ids = []
-            if vulnerability_id_set:
-                vulnerability_ids.extend(vulnerability_id["vulnerability_id"] for vulnerability_id in vulnerability_id_set)
+        # Handle vulnerability_ids if provided
+        if "vulnerability_ids" in self.initial_data:
+            vulnerability_ids = self.initial_data.get("vulnerability_ids", [])
+            if isinstance(vulnerability_ids, str):
+                vulnerability_ids = [vid.strip() for vid in vulnerability_ids.split("\n") if vid.strip()]
+            elif not isinstance(vulnerability_ids, list):
+                vulnerability_ids = []
             save_vulnerability_ids_template(instance, vulnerability_ids)
 
+        # Handle endpoints if provided
+        if "endpoints" in self.initial_data:
+            endpoint_urls = self.initial_data.get("endpoints", [])
+            if isinstance(endpoint_urls, str):
+                endpoint_urls = [url.strip() for url in endpoint_urls.split("\n") if url.strip()]
+            elif not isinstance(endpoint_urls, list):
+                endpoint_urls = []
+            save_endpoints_template(instance, endpoint_urls)
+
         return super().update(instance, validated_data)
 
 

dojo/db_migrations/0252_finding_template_changes.py

@@ -0,0 +1,200 @@
+# Generated by Django 5.2.9 on 2025-12-21 07:29
+
+import dojo.validators
+import pgtrigger.compiler
+import pgtrigger.migrations
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0251_usercontactinfo_reset_timestamps'),
+    ]
+
+    operations = [
+        pgtrigger.migrations.RemoveTrigger(
+            model_name='finding_template',
+            name='insert_insert',
+        ),
+        pgtrigger.migrations.RemoveTrigger(
+            model_name='finding_template',
+            name='update_update',
+        ),
+        pgtrigger.migrations.RemoveTrigger(
+            model_name='finding_template',
+            name='delete_delete',
+        ),
+        migrations.RemoveField(
+            model_name='system_settings',
+            name='enable_template_match',
+        ),
+        migrations.RemoveField(
+            model_name='finding_template',
+            name='template_match',
+        ),
+        migrations.RemoveField(
+            model_name='finding_template',
+            name='template_match_title',
+        ),
+        migrations.RemoveField(
+            model_name='finding_templateevent',
+            name='template_match',
+        ),
+        migrations.RemoveField(
+            model_name='finding_templateevent',
+            name='template_match_title',
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='cvssv4',
+            field=models.TextField(help_text='Common Vulnerability Scoring System version 4 (CVSS4) score associated with this finding.', max_length=255, null=True, validators=[dojo.validators.cvss4_validator], verbose_name='CVSS4 vector'),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='component_name',
+            field=models.CharField(blank=True, help_text='Affected component name (e.g., library name)', max_length=500, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='component_version',
+            field=models.CharField(blank=True, help_text='Affected component version', max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='cvssv3_score',
+            field=models.FloatField(blank=True, help_text='CVSSv3 score', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='cvssv4_score',
+            field=models.FloatField(blank=True, help_text='CVSSv4 score', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='effort_for_fixing',
+            field=models.CharField(blank=True, help_text='Effort estimate for fixing (e.g., Low/Medium/High)', max_length=99, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='fix_available',
+            field=models.BooleanField(blank=True, help_text='Indicates if a fix is available for this vulnerability type', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='fix_version',
+            field=models.CharField(blank=True, help_text='Version where fix is available', max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='notes',
+            field=models.TextField(blank=True, help_text='Note content to add when applying this template', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='planned_remediation_version',
+            field=models.CharField(blank=True, help_text='Target version for remediation', max_length=99, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='severity_justification',
+            field=models.TextField(blank=True, help_text='Explanation of why this severity level is appropriate', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='steps_to_reproduce',
+            field=models.TextField(blank=True, help_text='Standard reproduction steps for this vulnerability type', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='vulnerability_ids_text',
+            field=models.TextField(blank=True, help_text='Vulnerability IDs (one per line)', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_template',
+            name='endpoints_text',
+            field=models.TextField(blank=True, help_text='Endpoint URLs (one per line)', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='component_name',
+            field=models.CharField(blank=True, help_text='Affected component name (e.g., library name)', max_length=500, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='component_version',
+            field=models.CharField(blank=True, help_text='Affected component version', max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='cvssv3_score',
+            field=models.FloatField(blank=True, help_text='CVSSv3 score', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='cvssv4',
+            field=models.TextField(help_text='Common Vulnerability Scoring System version 4 (CVSS4) score associated with this finding.', max_length=255, null=True, validators=[dojo.validators.cvss4_validator], verbose_name='CVSS4 vector'),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='cvssv4_score',
+            field=models.FloatField(blank=True, help_text='CVSSv4 score', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='effort_for_fixing',
+            field=models.CharField(blank=True, help_text='Effort estimate for fixing (e.g., Low/Medium/High)', max_length=99, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='fix_available',
+            field=models.BooleanField(blank=True, help_text='Indicates if a fix is available for this vulnerability type', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='fix_version',
+            field=models.CharField(blank=True, help_text='Version where fix is available', max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='notes',
+            field=models.TextField(blank=True, help_text='Note content to add when applying this template', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='planned_remediation_version',
+            field=models.CharField(blank=True, help_text='Target version for remediation', max_length=99, null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='severity_justification',
+            field=models.TextField(blank=True, help_text='Explanation of why this severity level is appropriate', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='steps_to_reproduce',
+            field=models.TextField(blank=True, help_text='Standard reproduction steps for this vulnerability type', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='vulnerability_ids_text',
+            field=models.TextField(blank=True, help_text='Vulnerability IDs (one per line)', null=True),
+        ),
+        migrations.AddField(
+            model_name='finding_templateevent',
+            name='endpoints_text',
+            field=models.TextField(blank=True, help_text='Endpoint URLs (one per line)', null=True),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name='finding_template',
+            trigger=pgtrigger.compiler.Trigger(name='insert_insert', sql=pgtrigger.compiler.UpsertTriggerSql(func='INSERT INTO "dojo_finding_templateevent" ("component_name", "component_version", "cve", "cvssv3", "cvssv3_score", "cvssv4", "cvssv4_score", "cwe", "description", "effort_for_fixing", "endpoints_text", "fix_available", "fix_version", "id", "impact", "last_used", "mitigation", "notes", "numerical_severity", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "planned_remediation_version", "refs", "severity", "severity_justification", "steps_to_reproduce", "title", "vulnerability_ids_text") VALUES (NEW."component_name", NEW."component_version", NEW."cve", NEW."cvssv3", NEW."cvssv3_score", NEW."cvssv4", NEW."cvssv4_score", NEW."cwe", NEW."description", NEW."effort_for_fixing", NEW."endpoints_text", NEW."fix_available", NEW."fix_version", NEW."id", NEW."impact", NEW."last_used", NEW."mitigation", NEW."notes", NEW."numerical_severity", _pgh_attach_context(), NOW(), \'insert\', NEW."id", NEW."planned_remediation_version", NEW."refs", NEW."severity", NEW."severity_justification", NEW."steps_to_reproduce", NEW."title", NEW."vulnerability_ids_text"); RETURN NULL;', hash='602d9e872906719a1c95d671a0c9e4ffe5b1b7ec', operation='INSERT', pgid='pgtrigger_insert_insert_59092', table='dojo_finding_template', when='AFTER')),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name='finding_template',
+            trigger=pgtrigger.compiler.Trigger(name='update_update', sql=pgtrigger.compiler.UpsertTriggerSql(condition='WHEN (OLD.* IS DISTINCT FROM NEW.*)', func='INSERT INTO "dojo_finding_templateevent" ("component_name", "component_version", "cve", "cvssv3", "cvssv3_score", "cvssv4", "cvssv4_score", "cwe", "description", "effort_for_fixing", "endpoints_text", "fix_available", "fix_version", "id", "impact", "last_used", "mitigation", "notes", "numerical_severity", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "planned_remediation_version", "refs", "severity", "severity_justification", "steps_to_reproduce", "title", "vulnerability_ids_text") VALUES (NEW."component_name", NEW."component_version", NEW."cve", NEW."cvssv3", NEW."cvssv3_score", NEW."cvssv4", NEW."cvssv4_score", NEW."cwe", NEW."description", NEW."effort_for_fixing", NEW."endpoints_text", NEW."fix_available", NEW."fix_version", NEW."id", NEW."impact", NEW."last_used", NEW."mitigation", NEW."notes", NEW."numerical_severity", _pgh_attach_context(), NOW(), \'update\', NEW."id", NEW."planned_remediation_version", NEW."refs", NEW."severity", NEW."severity_justification", NEW."steps_to_reproduce", NEW."title", NEW."vulnerability_ids_text"); RETURN NULL;', hash='644c1afec5497d6e86c4c1c861801819b7363d61', operation='UPDATE', pgid='pgtrigger_update_update_43036', table='dojo_finding_template', when='AFTER')),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name='finding_template',
+            trigger=pgtrigger.compiler.Trigger(name='delete_delete', sql=pgtrigger.compiler.UpsertTriggerSql(func='INSERT INTO "dojo_finding_templateevent" ("component_name", "component_version", "cve", "cvssv3", "cvssv3_score", "cvssv4", "cvssv4_score", "cwe", "description", "effort_for_fixing", "endpoints_text", "fix_available", "fix_version", "id", "impact", "last_used", "mitigation", "notes", "numerical_severity", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "planned_remediation_version", "refs", "severity", "severity_justification", "steps_to_reproduce", "title", "vulnerability_ids_text") VALUES (OLD."component_name", OLD."component_version", OLD."cve", OLD."cvssv3", OLD."cvssv3_score", OLD."cvssv4", OLD."cvssv4_score", OLD."cwe", OLD."description", OLD."effort_for_fixing", OLD."endpoints_text", OLD."fix_available", OLD."fix_version", OLD."id", OLD."impact", OLD."last_used", OLD."mitigation", OLD."notes", OLD."numerical_severity", _pgh_attach_context(), NOW(), \'delete\', OLD."id", OLD."planned_remediation_version", OLD."refs", OLD."severity", OLD."severity_justification", OLD."steps_to_reproduce", OLD."title", OLD."vulnerability_ids_text"); RETURN NULL;', hash='925844fc74c390b9d4fc446e0d3f44f556817fd4', operation='DELETE', pgid='pgtrigger_delete_delete_3f3a6', table='dojo_finding_template', when='AFTER')),
+        )
+    ]