
Commit 9fdce53

authored
Merge pull request #14627 from valentijnscholten/fix/reimport-tags-not-updated
fix(reimport): do not update finding tags on reimport for matched findings
2 parents da8f0e7 + c1f2543 commit 9fdce53

2 files changed

Lines changed: 22 additions & 16 deletions


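--- a/dojo/importers/default_reimporter.py
+++ b/dojo/importers/default_reimporter.py
@@ -409,6 +409,7 @@ def process_findings(
 finding = self.finding_post_processing(
 finding,
 unsaved_finding,
+is_matched_finding=bool(matched_findings),
 )
 # all data is already saved on the finding, we only need to trigger post processing in batches
 push_to_jira = self.push_to_jira and ((not self.findings_groups_enabled or not self.group_by) or not finding_will_be_grouped)
@@ -926,6 +927,8 @@ def finding_post_processing(
 self,
 finding: Finding,
 finding_from_report: Finding,
+*,
+is_matched_finding: bool = False,
 ) -> Finding:
 """
 Save all associated objects to the finding after it has been saved
@@ -940,19 +943,22 @@ def finding_post_processing(
 self.endpoint_manager.chunk_endpoints_and_disperse(finding, finding_from_report.unsaved_endpoints)
 if len(self.endpoints_to_add) > 0:
 self.endpoint_manager.chunk_endpoints_and_disperse(finding, self.endpoints_to_add)
-# Parsers shouldn't use the tags field, and use unsaved_tags instead.
-# Merge any tags set by parser into unsaved_tags
-tags_from_parser = finding_from_report.tags if isinstance(finding_from_report.tags, list) else []
-unsaved_tags_from_parser = finding_from_report.unsaved_tags if isinstance(finding_from_report.unsaved_tags, list) else []
-merged_tags = unsaved_tags_from_parser + tags_from_parser
-if merged_tags:
-finding_from_report.unsaved_tags = merged_tags
-if finding_from_report.unsaved_tags:
-cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
-if isinstance(cleaned_tags, list):
-finding.tags.add(*cleaned_tags)
-elif isinstance(cleaned_tags, str):
-finding.tags.add(cleaned_tags)
+# For matched/existing findings, do not update tags from the report,
+# consistent with how other fields are handled on reimport.
+if not is_matched_finding:
+# Parsers shouldn't use the tags field, and use unsaved_tags instead.
+# Merge any tags set by parser into unsaved_tags
+tags_from_parser = finding_from_report.tags if isinstance(finding_from_report.tags, list) else []
+unsaved_tags_from_parser = finding_from_report.unsaved_tags if isinstance(finding_from_report.unsaved_tags, list) else []
+merged_tags = unsaved_tags_from_parser + tags_from_parser
+if merged_tags:
+finding_from_report.unsaved_tags = merged_tags
+if finding_from_report.unsaved_tags:
+cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
+if isinstance(cleaned_tags, list):
+finding.tags.add(*cleaned_tags)
+elif isinstance(cleaned_tags, str):
+finding.tags.add(cleaned_tags)
 # Process any files
 if finding_from_report.unsaved_files:
 finding.unsaved_files = finding_from_report.unsaved_files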
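Review bot: The new keyword-only `is_matched_finding` is not described in the `finding_post_processing` docstring, and because it defaults to `False`, any caller that handles an already-matched finding without passing it still merges report tags at the `if not is_matched_finding:` branch. Only the `process_findings` call site is visible here, so other callers are worth checking. I would add to the docstring: `is_matched_finding: True when the finding already existed before this reimport; tags from the report are then not applied.` Teams that filter or triage on scanner-supplied tags may also want a debug log line in the skipped case, since the report's tags are now dropped without a trace. The docstring and the rest of the function body continue outside the visible hunks.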

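--- a/unittests/test_tags.py
+++ b/unittests/test_tags.py
@@ -369,12 +369,12 @@ def assert_tags_in_findings(findings: list[dict], expected_finding_count: int, d
 findings = response["results"]
 # Make sure we have what we are looking for
 assert_tags_in_findings(findings, 2, ["security", "network"])
-# Reimport with a different report that has more tags
+# Reimport with a different report that has more tags — matched findings should retain their original tags
 self.reimport_scan_with_params(test_id, self.generic_sample_with_more_tags_filename, scan_type="Generic Findings Import")
 response = self.get_test_findings_api(test_id)
 findings = response["results"]
-# Make sure we have what we are looking for
-assert_tags_in_findings(findings, 2, ["security", "network", "hardened"])
+# Tags from the report are not applied to matched findings on reimport, consistent with other fields
+assert_tags_in_findings(findings, 2, ["security", "network"])
 
 
 @versioned_fixtures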
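Review bot: The assertion at new line 377 pins the fix only if `assert_tags_in_findings` fails when a finding carries extra tags; its body is outside this hunk, so that should be confirmed. If the helper only checks that the listed tags are present, the old behaviour (with `hardened` added) would still pass. An explicit negative check would make the intent unambiguous, e.g. `self.assertTrue(all("hardened" not in f["tags"] for f in findings))`, assuming the API result exposes tags under a `tags` key. The enclosing test method starts outside the hunk.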
