finding_templates: remove automated matching logic

Author: valentijnscholten

dojo/db_migrations/0252_remove_template_match_fields.py

@@ -0,0 +1,26 @@
+# Generated by Django migration
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("dojo", "0251_usercontactinfo_reset_timestamps"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="system_settings",
+            name="enable_template_match",
+        ),
+        migrations.RemoveField(
+            model_name="finding_template",
+            name="template_match",
+        ),
+        migrations.RemoveField(
+            model_name="finding_template",
+            name="template_match_title",
+        ),
+    ]
+

dojo/db_migrations/0253_remove_finding_template_insert_insert_and_more.py

@@ -0,0 +1,47 @@
+# Generated by Django 5.2.9 on 2025-12-20 18:37
+
+import pgtrigger.compiler
+import pgtrigger.migrations
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0252_remove_template_match_fields'),
+    ]
+
+    operations = [
+        pgtrigger.migrations.RemoveTrigger(
+            model_name='finding_template',
+            name='insert_insert',
+        ),
+        pgtrigger.migrations.RemoveTrigger(
+            model_name='finding_template',
+            name='update_update',
+        ),
+        pgtrigger.migrations.RemoveTrigger(
+            model_name='finding_template',
+            name='delete_delete',
+        ),
+        migrations.RemoveField(
+            model_name='finding_templateevent',
+            name='template_match',
+        ),
+        migrations.RemoveField(
+            model_name='finding_templateevent',
+            name='template_match_title',
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name='finding_template',
+            trigger=pgtrigger.compiler.Trigger(name='insert_insert', sql=pgtrigger.compiler.UpsertTriggerSql(func='INSERT INTO "dojo_finding_templateevent" ("cve", "cvssv3", "cwe", "description", "id", "impact", "last_used", "mitigation", "numerical_severity", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "refs", "severity", "title") VALUES (NEW."cve", NEW."cvssv3", NEW."cwe", NEW."description", NEW."id", NEW."impact", NEW."last_used", NEW."mitigation", NEW."numerical_severity", _pgh_attach_context(), NOW(), \'insert\', NEW."id", NEW."refs", NEW."severity", NEW."title"); RETURN NULL;', hash='e55723452b8a9b306119b9cbb20e7d798552dd45', operation='INSERT', pgid='pgtrigger_insert_insert_59092', table='dojo_finding_template', when='AFTER')),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name='finding_template',
+            trigger=pgtrigger.compiler.Trigger(name='update_update', sql=pgtrigger.compiler.UpsertTriggerSql(condition='WHEN (OLD.* IS DISTINCT FROM NEW.*)', func='INSERT INTO "dojo_finding_templateevent" ("cve", "cvssv3", "cwe", "description", "id", "impact", "last_used", "mitigation", "numerical_severity", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "refs", "severity", "title") VALUES (NEW."cve", NEW."cvssv3", NEW."cwe", NEW."description", NEW."id", NEW."impact", NEW."last_used", NEW."mitigation", NEW."numerical_severity", _pgh_attach_context(), NOW(), \'update\', NEW."id", NEW."refs", NEW."severity", NEW."title"); RETURN NULL;', hash='eef457aa5665a449a8040e3a750a0b708714177a', operation='UPDATE', pgid='pgtrigger_update_update_43036', table='dojo_finding_template', when='AFTER')),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name='finding_template',
+            trigger=pgtrigger.compiler.Trigger(name='delete_delete', sql=pgtrigger.compiler.UpsertTriggerSql(func='INSERT INTO "dojo_finding_templateevent" ("cve", "cvssv3", "cwe", "description", "id", "impact", "last_used", "mitigation", "numerical_severity", "pgh_context_id", "pgh_created_at", "pgh_label", "pgh_obj_id", "refs", "severity", "title") VALUES (OLD."cve", OLD."cvssv3", OLD."cwe", OLD."description", OLD."id", OLD."impact", OLD."last_used", OLD."mitigation", OLD."numerical_severity", _pgh_attach_context(), NOW(), \'delete\', OLD."id", OLD."refs", OLD."severity", OLD."title"); RETURN NULL;', hash='ab2da63140c213dcf78cf413a69e1a2289a2fc3b', operation='DELETE', pgid='pgtrigger_delete_delete_3f3a6', table='dojo_finding_template', when='AFTER')),
+        ),
+    ]

dojo/finding/urls.py

@@ -134,8 +134,6 @@
         views.clear_finding_review, name="clear_finding_review"),
     re_path(r"^finding/(?P<fid>\d+)/copy$",
         views.copy_finding, name="copy_finding"),
-    re_path(r"^finding/(?P<fid>\d+)/apply_cwe$",
-        views.apply_template_cwe, name="apply_template_cwe"),
     re_path(r"^finding/(?P<fid>\d+)/mktemplate$", views.mktemplate,
         name="mktemplate"),
     re_path(r"^finding/(?P<fid>\d+)/find_template_to_apply$", views.find_template_to_apply,

dojo/finding/views.py

@@ -19,7 +19,6 @@
 from django.db.models.query import Prefetch
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect, JsonResponse, StreamingHttpResponse
 from django.shortcuts import get_object_or_404, render
-from django.template.defaultfilters import pluralize
 from django.urls import reverse
 from django.utils import formats, timezone
 from django.utils.safestring import mark_safe
@@ -62,7 +61,6 @@
     EditPlannedRemediationDateFindingForm,
     FindingBulkUpdateForm,
     FindingForm,
-    FindingFormID,
     FindingTemplateForm,
     GITHUBFindingForm,
     JIRAFindingForm,
@@ -111,7 +109,6 @@
     add_external_issue,
     add_field_errors_to_response,
     add_success_message_to_response,
-    apply_cwe_to_template,
     calculate_grade,
     do_false_positive_history,
     get_page_items,
@@ -476,15 +473,6 @@ def get_credential_objects(self, finding: Finding):
             "cred_engagement": cred_engagement,
         }
 
-    def get_cwe_template(self, finding: Finding):
-        cwe_template = None
-        with contextlib.suppress(Finding_Template.DoesNotExist):
-            cwe_template = Finding_Template.objects.filter(cwe=finding.cwe).first()
-
-        return {
-            "cwe_template": cwe_template,
-        }
-
     def get_request_response(self, finding: Finding):
         request_response = None
         burp_request = None
@@ -695,7 +683,6 @@ def get(self, request: HttpRequest, finding_id: int):
         # Add in the other extras
         context |= self.get_previous_and_next_findings(finding)
         context |= self.get_credential_objects(finding)
-        context |= self.get_cwe_template(finding)
         # Add in more of the other extras
         context |= self.get_request_response(finding)
         context |= self.get_similar_findings(request, finding)
@@ -1343,31 +1330,6 @@ def reopen_finding(request, fid):
     return HttpResponseRedirect(reverse("view_finding", args=(finding.id,)))
 
 
-@user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
-def apply_template_cwe(request, fid):
-    finding = get_object_or_404(Finding, id=fid)
-    if request.method == "POST":
-        form = FindingFormID(request.POST, instance=finding)
-        if form.is_valid():
-            finding = apply_cwe_to_template(finding)
-            finding.save()
-            messages.add_message(
-                request,
-                messages.SUCCESS,
-                "Finding CWE template applied successfully.",
-                extra_tags="alert-success",
-            )
-            return HttpResponseRedirect(reverse("view_finding", args=(fid,)))
-        messages.add_message(
-            request,
-            messages.ERROR,
-            "Unable to apply CWE template finding, please try again.",
-            extra_tags="alert-danger",
-        )
-        return None
-    raise PermissionDenied
-
-
 @user_is_authorized(Finding, Permissions.Finding_Edit, "fid")
 def copy_finding(request, fid):
     finding = get_object_or_404(Finding, id=fid)
@@ -2246,7 +2208,6 @@ def add_template(request):
     if request.method == "POST":
         form = FindingTemplateForm(request.POST)
         if form.is_valid():
-            apply_message = ""
             template = form.save(commit=False)
             template.numerical_severity = Finding.get_numerical_severity(
                 template.severity,
@@ -2258,18 +2219,11 @@ def add_template(request):
             form.save_m2m()
             # Ensure template tags exist in Finding's tag model
             ensure_template_tags_in_finding_model(template)
-            count = apply_cwe_mitigation(
-                form.cleaned_data["apply_to_findings"], template,
-            )
-            if count > 0:
-                apply_message = (
-                    " and " + str(count) + pluralize(count, "finding,findings") + " "
-                )
 
             messages.add_message(
                 request,
                 messages.SUCCESS,
-                "Template created successfully. " + apply_message,
+                "Template created successfully.",
                 extra_tags="alert-success",
             )
             return HttpResponseRedirect(reverse("templates"))
@@ -2308,15 +2262,10 @@ def edit_template(request, tid):
             # Ensure template tags exist in Finding's tag model
             ensure_template_tags_in_finding_model(template)
 
-            count = apply_cwe_mitigation(
-                form.cleaned_data["apply_to_findings"], template,
-            )
-            apply_message = " and " + str(count) + " " + pluralize(count, "finding,findings") + " " if count > 0 else ""
-
             messages.add_message(
                 request,
                 messages.SUCCESS,
-                "Template " + apply_message + "updated successfully.",
+                "Template updated successfully.",
                 extra_tags="alert-success",
             )
             return HttpResponseRedirect(reverse("templates"))
@@ -2327,14 +2276,12 @@ def edit_template(request, tid):
             extra_tags="alert-danger",
         )
 
-    count = apply_cwe_mitigation(apply_to_findings=True, template=template, update=False)
     add_breadcrumb(title="Edit Template", top_level=False, request=request)
     return render(
         request,
         "dojo/add_template.html",
         {
             "form": form,
-            "count": count,
             "name": "Edit Template",
             "template": template,
         },

dojo/forms.py

@@ -1656,7 +1656,6 @@ class Meta:
 
 
 class FindingTemplateForm(forms.ModelForm):
-    apply_to_findings = forms.BooleanField(required=False, help_text="Apply template to all findings that match this CWE. (Update will overwrite mitigation, impact and references for any active, verified findings.)")
     title = forms.CharField(max_length=1000, required=True)
 
     cwe = forms.IntegerField(label="CWE", required=False)
@@ -1669,7 +1668,7 @@ class FindingTemplateForm(forms.ModelForm):
             "required": "Select valid choice: In Progress, On Hold, Completed",
             "invalid_choice": "Select valid choice: Critical,High,Medium,Low"})
 
-    field_order = ["title", "cwe", "vulnerability_ids", "severity", "cvssv3", "description", "mitigation", "impact", "references", "tags", "template_match", "template_match_cwe", "template_match_title", "apply_to_findings"]
+    field_order = ["title", "cwe", "vulnerability_ids", "severity", "cvssv3", "description", "mitigation", "impact", "references", "tags"]
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)

dojo/models.py

@@ -475,12 +475,6 @@ class System_Settings(models.Model):
         help_text=_("Enables Benchmarks such as the OWASP ASVS "
                   "(Application Security Verification Standard)"))
 
-    enable_template_match = models.BooleanField(
-        default=False,
-        blank=False,
-        verbose_name=_("Enable Remediation Advice"),
-        help_text=_("Enables global remediation advice and matching on CWE and Title. The text will be replaced for mitigation, impact and references on a finding. Useful for providing consistent impact and remediation advice regardless of the scanner."))
-
     enable_similar_findings = models.BooleanField(
         default=True,
         blank=False,
@@ -2814,10 +2808,6 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
         self.set_hash_code(dedupe_option)
 
         if is_new_finding:
-            # We enter here during the first call from serializers.py
-            from dojo.utils import apply_cwe_to_template  # noqa: PLC0415 circular import
-            # No need to use the returned variable since `self` Is updated in memory
-            apply_cwe_to_template(self)
             if (self.file_path is not None) and (len(self.unsaved_endpoints) == 0):
                 self.static_finding = True
                 self.dynamic_finding = False
@@ -3661,8 +3651,6 @@ class Finding_Template(models.Model):
     references = models.TextField(null=True, blank=True, db_column="refs")
     last_used = models.DateTimeField(null=True, editable=False)
     numerical_severity = models.CharField(max_length=4, null=True, blank=True, editable=False)
-    template_match = models.BooleanField(default=False, verbose_name=_("Template Match Enabled"), help_text=_("Enables this template for matching remediation advice. Match will be applied to all active, verified findings by CWE."))
-    template_match_title = models.BooleanField(default=False, verbose_name=_("Match Template by Title and CWE"), help_text=_("Matches by title text (contains search) and CWE."))
 
     tags = TagField(blank=True, force_lowercase=True, help_text=_("Add tags that help describe this finding template. Choose from the list or add new tags. Press Enter key to add."))
 

dojo/templates/dojo/add_template.html

@@ -22,11 +22,6 @@ <h3> {{ name }} {{ template }}</h3>
     <form id="add_template" class="form-horizontal" method="post">{% csrf_token %}
         {% include "dojo/form_fields.html" with form=form %}
         <div class="form-group">
-            {% if count > 0 %}
-                <div class="col-sm-offset-2 col-sm-10">
-                    <p>{{ count }} active, verified finding{{ count|pluralize }} match this template.</p>
-                </div>
-            {% endif %}
             <div class="col-sm-offset-2 col-sm-10">
                 <button class="btn btn-primary" type="submit" name="add_template">Save Template</button>
             </div>

dojo/templates/dojo/templates.html

@@ -76,7 +76,6 @@ <h3 class="has-filters">
                                         </a>
                                     {% endif %}
                                 </td>
-                                <td>{{ finding.template_match }}</td>
                                 <td>
                                     {% if add_from_template %}
                                         <a href="{% url 'add_temp_finding' tid finding.id %}"

dojo/templates/dojo/view_finding.html

@@ -101,24 +101,7 @@ <h3 class="pull-left finding-title">
                                     </a>
                                 </li>
                             {% endif %}
-                            {% if cwe_template.cwe and finding|has_object_permission:"Finding_Edit" %}
-                                    <li role="presentation">
-                                        <a class="apply-cwe-finding" href="#">
-                                            <i class="fa-solid fa-copy"></i> Apply CWE Template Remediation to Finding
-                                        </a>
-                                    </li>
-                                    <form id="apply-cwe-finding-form" method="post" action="{% url 'apply_template_cwe' finding.id %}">
-                                        {% csrf_token %}
-                                        <input type="hidden" label="apply_template" aria-label="apply_template" name="id" value="{{ finding.id }}"/>
-                                    </form>
-                            {% endif %}
-                            {% if not cwe_template.cwe and "Finding_Add"|has_global_permission %}
-                                    <li role="presentation">
-                                        <a href="{% url 'add_template' %}">
-                                            <i class="fa-solid fa-copy"></i> Create a CWE Remediation Template
-                                        </a>
-                                    </li>
-                            {% endif %}
+
                             {% if finding|has_object_permission:"Finding_Edit" %}
                                 <li role="presentation">
                                     <a href="{% url 'find_template_to_apply' finding.id %}">
@@ -1273,12 +1256,6 @@ <h4>Credential
 
         });
 
-        $('a.apply-cwe-finding').on('click', function (e) {
-            if (confirm('Apply CWE template to this finding? (This will overwrite mitigation, impact and references.)')) {
-                $("form#apply-cwe-finding-form").submit();
-            }
-
-        });
 
         $("a#next").on('click', function (e) {
             e.preventDefault();

dojo/utils.py

@@ -1427,27 +1427,6 @@ def add_language(product, language, files=1, code=1):
             pass
 
 
-# Apply finding template data by matching CWE + Title or CWE
-def apply_cwe_to_template(finding, *, override=False):
-    if System_Settings.objects.get().enable_template_match or override:
-        # Attempt to match on CWE and Title First
-        template = Finding_Template.objects.filter(
-            cwe=finding.cwe, title__icontains=finding.title, template_match=True).first()
-
-        # If none then match on CWE
-        template = Finding_Template.objects.filter(
-            cwe=finding.cwe, template_match=True).first()
-
-        if template:
-            finding.mitigation = template.mitigation
-            finding.impact = template.impact
-            finding.references = template.references
-            template.last_used = timezone.now()
-            template.save()
-
-    return finding
-
-
 def truncate_with_dots(the_string, max_length_including_dots):
     if not the_string:
         return the_string