fix: ui must not overwrite service field from parser #13517

Merged
valentijnscholten merged 4 commits into DefectDojo:dev from
valentijnscholten:service-field-overwritten-by-ui-fix
Oct 27, 2025

Conversation

@valentijnscholten (Member)

Fixes #13461

The web form in the UI by default sends an empty string, which ended up overwriting the service value provided by parsers.

Only a few parsers do this, so the impact of this fix is low:

  • Trivy Scan
  • Trivy Operator Scan
  • Hydra Scan
  • JFrog Xray API Summary Artifact Scan
  • StackHawk HawkScan

The fix consists of:

  • Do not send empty string to the importer/reimporter
  • Always show service field on view_finding page, even if it's empty
  • Ensure None and empty string are treated equally in reimporter close findings, similar to other places

The bug did not affect hash_code calculations as an empty string is not used in the hash calculation:

    # falsy values ('' and None alike) are skipped, so an empty service never enters the hash
    for field in settings.HASH_CODE_FIELDS_ALWAYS:
        if getattr(self, field):
            fields_to_hash += str(getattr(self, field))
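The two behaviours the PR describes, shown side by side in a small stand-in model: the pre-fix merge where an empty form string clobbers the parser's service, the fixed merge that treats '' and None as "not provided", and a simplified mirror of the quoted hash loop confirming that '' and None yield the same hash_code. This is an added example, not DefectDojo code; the `Finding` dataclass, the single-entry `HASH_CODE_FIELDS_ALWAYS` list and the function names are assumptions made for illustration.

```python
"""Added example (not DefectDojo code): empty-string vs None handling for the
service field, and why hash_code was unaffected by the bug."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for settings.HASH_CODE_FIELDS_ALWAYS (hypothetical value)
HASH_CODE_FIELDS_ALWAYS = ["service"]


@dataclass
class Finding:
    """Minimal stand-in for the project's Finding model (hypothetical)."""
    title: str
    service: Optional[str] = None


def normalize_service(value: Optional[str]) -> Optional[str]:
    """Treat '' and None as 'not provided' (the PR's third bullet)."""
    return value if value else None


def merge_service_before_fix(form_value: Optional[str], parser_value: Optional[str]) -> Optional[str]:
    """Pre-fix behaviour: the form always sends a string, so '' wins over the parser."""
    return form_value if form_value is not None else parser_value


def merge_service(form_value: Optional[str], parser_value: Optional[str]) -> Optional[str]:
    """Fixed behaviour: the UI value only overrides when actually set, so an
    empty form field cannot clobber what the parser extracted (first bullet)."""
    form_value = normalize_service(form_value)
    return form_value if form_value is not None else normalize_service(parser_value)


def compute_hash_code(finding: Finding) -> str:
    """Simplified mirror of the quoted loop: falsy values contribute nothing,
    so '' and None produce identical input to the hash."""
    fields_to_hash = ""
    for field in HASH_CODE_FIELDS_ALWAYS:
        if getattr(finding, field):
            fields_to_hash += str(getattr(finding, field))
    return hashlib.sha256(fields_to_hash.encode("utf-8")).hexdigest()


def same_service(a: Optional[str], b: Optional[str]) -> bool:
    """Comparison used when closing findings on reimport: '' == None."""
    return normalize_service(a) == normalize_service(b)


if __name__ == "__main__":
    print("before fix:", merge_service_before_fix("", "api-gateway"))  # ''
    print("after fix: ", merge_service("", "api-gateway"))             # 'api-gateway'
    print("hash equal:", compute_hash_code(Finding("t", "")) == compute_hash_code(Finding("t", None)))
```

The `same_service` helper is the check that matters in the reimporter's close-findings path: a finding whose service came back from the parser as `None` must match an existing one stored with `''`, otherwise the reimport would wrongly treat it as gone.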

@valentijnscholten valentijnscholten force-pushed the service-field-overwritten-by-ui-fix branch from d217f09 to 0f62b50 Compare October 23, 2025 17:37
@github-actions (Contributor)

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions Bot added docker conflicts-detected settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests parser helm lint labels Oct 23, 2025
@valentijnscholten valentijnscholten changed the base branch from bugfix to dev October 23, 2025 17:38
@github-actions (Contributor)

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions Bot removed docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests parser helm lint labels Oct 23, 2025
@github-actions github-actions Bot added the docs label Oct 23, 2025
@valentijnscholten valentijnscholten linked an issue Oct 23, 2025 that may be closed by this pull request
@dryrunsecurity Bot commented Oct 23, 2025

DryRun Security

This pull request adds a debug log statement in dojo/models.py that logs fields listed in the HASH_CODE_FIELDS_ALWAYS setting, which could expose sensitive data (URLs, file paths, request/response data, PII, or credentials) if those fields are configured to include such information and debug logs are enabled or not properly secured. The scanner flags this as a risky practice (non-blocking) due to potential data exposure in production logs.

Sensitive Data in Logs in dojo/models.py
Vulnerability: Sensitive Data in Logs
Description: A new debug log statement has been added that logs the value of fields specified in the HASH_CODE_FIELDS_ALWAYS setting. If an administrator configures this setting to include fields containing sensitive data (e.g., URLs, file paths, request/response data, or other PII/credentials that might be stored in a Finding field), that data could be exposed in debug logs. This poses a risk if debug logging is enabled in a production environment or if logs are not properly secured.

        deduplicationLogger.debug("adding HASH_CODE_FIELDS_ALWAYS field %s to hash_fields: %s", field, getattr(self, field))
        fields_to_hash += str(getattr(self, field))
    logger.debug("fields_to_hash : %s", fields_to_hash)


All finding details can be found in the DryRun Security Dashboard.
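One way to keep the debugging value of the flagged statement without writing field contents to the log: record which hash fields were set and a short fingerprint of each, never the raw value. This is an added example, not DefectDojo code; `redact_for_log`, `log_hash_fields` and the `SimpleNamespace` stand-in for a Finding are assumptions made for illustration.

```python
"""Added example (not DefectDojo code): log-safe description of hash fields."""
import hashlib
import logging
from types import SimpleNamespace

logger = logging.getLogger("dedup-example")  # hypothetical logger name


def redact_for_log(value) -> str:
    """Return a description safe for logs: presence, length and a short
    SHA-256 fingerprint. The raw value (URL, file path, payload, ...) never
    appears, so enabling DEBUG in production does not leak it."""
    if value is None or value == "":
        return "<unset>"
    text = str(value)
    fingerprint = hashlib.sha256(text.encode("utf-8")).hexdigest()[:8]
    return f"<set len={len(text)} sha256:{fingerprint}>"


def log_hash_fields(obj, field_names) -> dict:
    """Log, per field in field_names, whether it contributes to the hash and
    its redacted description; return the same mapping for the caller."""
    contributions = {}
    for field in field_names:
        value = getattr(obj, field, None)
        description = redact_for_log(value)
        logger.debug("adding HASH_CODE_FIELDS_ALWAYS field %s to hash_fields: %s", field, description)
        contributions[field] = description
    return contributions


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # constructed sample finding: one sensitive-looking field set, one empty
    finding = SimpleNamespace(service="billing-api", url="https://example.invalid/?token=abc123")
    print(log_hash_fields(finding, ["service", "url"]))
```

The fingerprint is enough to tell two distinct values apart while tracing a deduplication decision, which is the usual reason to look at this log line in the first place.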

@mtesauro (Contributor) left a comment

Approved

@valentijnscholten valentijnscholten merged commit d8675fe into DefectDojo:dev Oct 27, 2025
546 of 552 checks passed
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
* fix: ui must not overwrite service field from parser

* docs: add upgrade note
Successfully merging this pull request may close these issues:

  • service field cleared by UI import