Skip to content

Fix service field overwrite issue #13461#13466

Closed
Layyzyy wants to merge 1 commit intoDefectDojo:masterfrom
Layyzyy:fix/service-field-overwrite-issue-13461
Closed

Fix service field overwrite issue #13461#13466
Layyzyy wants to merge 1 commit intoDefectDojo:masterfrom
Layyzyy:fix/service-field-overwrite-issue-13461

Conversation

@Layyzyy
Copy link
Copy Markdown

@Layyzyy Layyzyy commented Oct 19, 2025

Description

This PR fixes issue #13461 where the service field set by parsers (like Trivy) gets overwritten with an empty string when the field is not specified in the UI.

Root Cause
The problem occurred in dojo/importers/default_importer.py where the code checked if self.service is not None: before overwriting the finding's service field. When the UI form left the service field empty, it passed an empty string ("") to the importer, which is not None, so the condition was True and the parser's value was overwritten with the empty string.

Solution
Modified the condition in two locations to check both:

  • if self.service is not None and self.service != "":

This ensures that:

  1. If service is None (not provided), the parser's value is preserved
  2. If service is an empty string (left empty in UI), the parser's value is preserved
  3. If service is a non-empty string (explicitly set in UI), it overwrites the parser's value

Changes

  • Modified dojo/importers/default_importer.py at lines 207 and 346
  • Applied the fix to both process_findings and close_old_findings methods

Test Results
The fix addresses the core issue where empty service fields in the UI were overwriting parser values. This is important because the service field is used for deduplication.

Impact
This change ensures that when uploading reports via the UI (e.g., Trivy reports), leaving the service field empty will preserve the value set by the parser, rather than overwriting it with an empty string.

Checklist

  • Give a meaningful name to the PR
  • Code changes are minimal and focused
  • Bugfix submitted against appropriate branch

@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Oct 19, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request includes a sensitive edit to dojo/importers/default_importer.py, and the scanner notes that sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml; the change is flagged at the "failing" risk threshold but is not marked as blocking.

🔴 Configured Codepaths Edit in dojo/importers/default_importer.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten
Copy link
Copy Markdown
Member

valentijnscholten commented Oct 19, 2025

Thank you for the PR. We'll have to decide what the best solution is. As you can see the current fix in this PR breaks existing behaviour and affectts imports coming in from the API where the user might have sent the empty string on purpose.

Do you have ideas about these cases and a better fix?

A completely different option could be to not allow parsers to set the service field to avoid these kinds of confusions.

@valentijnscholten
Copy link
Copy Markdown
Member

valentijnscholten commented Oct 23, 2025

@Layyzyy Thank you for the PR, but we chose another approach: #13517

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

@valentijnscholten valentijnscholten Awaiting requested review from valentijnscholten

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Layyzyy @valentijnscholten