Fix bulk risk acceptance for active findings (#14281) (#14292)

Allow simple risk acceptance of active findings via bulk edit menu,
matching the behavior of individual finding risk acceptance.

Previously, bulk risk acceptance incorrectly rejected active findings
with a warning message, even though individual risk acceptance worked
fine. This was inconsistent with DefectDojo Pro and the individual
risk acceptance feature.

Changes:
- Remove the check that prevented active findings from being risk
  accepted in bulk operations
- Update test to verify active findings can now be risk accepted
- Remove obsolete warning message about active findings
- Simplify return value of _bulk_update_risk_acceptance helper

The simple_risk_accept helper already handles setting finding.active
to False when accepting risk, so there's no need for an additional
check in the bulk update flow.

Author: valentijnscholten

dojo/finding/views.py

@@ -2793,14 +2793,10 @@ def _bulk_update_simple_fields(finds, form):
 def _bulk_update_risk_acceptance(finds, form, request, prods):
     """Helper function to handle risk acceptance updates."""
     skipped_risk_accept_count = 0
-    skipped_active_risk_accept_count = 0
 
     if form.cleaned_data["risk_acceptance"]:
         for finding in finds:
-            if finding.active:
-                skipped_active_risk_accept_count += 1
-            # Allow risk acceptance for inactive findings (whether duplicate or not)
-            elif form.cleaned_data["risk_accept"]:
+            if form.cleaned_data["risk_accept"]:
                 if (
                     not finding.test.engagement.product.enable_simple_risk_acceptance
                 ):
@@ -2822,15 +2818,7 @@ def _bulk_update_risk_acceptance(finds, form, request, prods):
             extra_tags="alert-warning",
         )
 
-    if skipped_active_risk_accept_count > 0:
-        messages.add_message(
-            request,
-            messages.WARNING,
-            f"Skipped risk acceptance of {skipped_active_risk_accept_count} active findings. Active findings cannot be risk accepted.",
-            extra_tags="alert-warning",
-        )
-
-    return skipped_risk_accept_count, skipped_active_risk_accept_count
+    return skipped_risk_accept_count
 
 
 def _bulk_update_finding_groups(finds, form):
@@ -3095,7 +3083,7 @@ def finding_bulk_update_all(request, pid=None):
 
             _bulk_update_simple_fields(finds, form)
 
-            _skipped_risk_accept_count, _skipped_active_risk_accept_count = _bulk_update_risk_acceptance(
+            _skipped_risk_accept_count = _bulk_update_risk_acceptance(
                 finds, form, request, prods,
             )
 

unittests/test_bulk_edit_validation.py

@@ -409,8 +409,8 @@ def test_bulk_edit_duplicate_finding_severity_update_works(self):
 
     # View-Level Validation Tests (Active + Risk Acceptance)
 
-    def test_bulk_edit_active_finding_cannot_accept_risk(self):
-        """Test that active findings cannot accept risk via bulk edit"""
+    def test_bulk_edit_active_finding_can_accept_risk(self):
+        """Test that active findings can accept risk via bulk edit (matching individual behavior)"""
         # Enable simple risk acceptance on product
         self.product.enable_simple_risk_acceptance = True
         self.product.save()
@@ -427,22 +427,26 @@ def test_bulk_edit_active_finding_cannot_accept_risk(self):
             follow=True,
         )
 
-        # Verify finding is NOT risk accepted
+        # Verify finding IS risk accepted and becomes inactive
         self.active_finding.refresh_from_db()
-        self.assertFalse(
+        self.assertTrue(
             self.active_finding.risk_accepted,
-            "Active finding should not be risk accepted",
+            "Active finding should be risk accepted",
+        )
+        self.assertFalse(
+            self.active_finding.active,
+            "Risk accepted finding should become inactive",
         )
 
-        # Verify warning message
+        # Verify no warning message about active findings
         messages = self._get_messages_text(response)
         warning_messages = [
             m for m in messages if "active findings" in m.lower() and "risk" in m.lower()
         ]
-        self.assertGreater(
+        self.assertEqual(
             len(warning_messages),
             0,
-            f"Expected warning about active findings and risk acceptance, got: {messages}",
+            f"Unexpected warning about active findings: {warning_messages}",
         )
 
     def test_bulk_edit_inactive_finding_can_accept_risk(self):
@@ -553,12 +557,15 @@ def test_bulk_edit_shows_success_message_with_actual_count(self):
         self._assert_finding_status(normal2, active=True)
 
     def test_bulk_edit_shows_multiple_warning_messages(self):
-        """Test that multiple warning messages appear for different conflicts"""
+        """
+        Test that warning messages appear for conflicts (duplicate status)
+        and that active findings can now be risk accepted successfully
+        """
         # Enable simple risk acceptance
         self.product.enable_simple_risk_acceptance = True
         self.product.save()
 
-        # First, try to set duplicate finding as active (will be skipped)
+        # First, try to set duplicate finding as active (will be skipped with warning)
         post_data1 = self._bulk_edit_post_data(
             [self.duplicate_finding.id],
             active=True,  # Will conflict with duplicate
@@ -569,11 +576,11 @@ def test_bulk_edit_shows_multiple_warning_messages(self):
             follow=True,
         )
 
-        # Then, try to risk accept active finding (will be skipped)
+        # Then, risk accept active finding (should succeed - no longer a conflict)
         post_data2 = self._bulk_edit_post_data(
             [self.active_finding.id],
             risk_acceptance=True,
-            risk_accept=True,  # Will conflict with active
+            risk_accept=True,  # Should work now!
         )
         response2 = self.client.post(
             reverse("finding_bulk_update_all"),
@@ -586,25 +593,34 @@ def test_bulk_edit_shows_multiple_warning_messages(self):
         messages2 = self._get_messages_text(response2)
         all_messages = messages1 + messages2
 
+        # Verify duplicate warning appears
         duplicate_warnings = [
             m for m in all_messages if "duplicate findings" in m.lower()
         ]
+        self.assertGreater(
+            len(duplicate_warnings),
+            0,
+            f"Expected duplicate warning, got: {all_messages}",
+        )
+
+        # Verify NO warning about active findings and risk acceptance
         active_warnings = [
             m
             for m
             in all_messages
             if "active findings" in m.lower() and "risk" in m.lower()
         ]
-
-        self.assertGreater(
-            len(duplicate_warnings),
-            0,
-            f"Expected duplicate warning, got: {all_messages}",
-        )
-        self.assertGreater(
+        self.assertEqual(
             len(active_warnings),
             0,
-            f"Expected active risk acceptance warning, got: {all_messages}",
+            f"Unexpected active risk acceptance warning: {active_warnings}",
+        )
+
+        # Verify active finding was successfully risk accepted
+        self.active_finding.refresh_from_db()
+        self.assertTrue(
+            self.active_finding.risk_accepted,
+            "Active finding should be risk accepted successfully",
         )
 
     def test_bulk_edit_no_warning_when_no_conflicts(self):