Skip to content

Fix finding overrides wiping values copied from the threat#339

Open
NoodlesNZ wants to merge 1 commit into
OWASP:masterfrom
NoodlesNZ:bug/field_clobber
Open

Fix finding overrides wiping values copied from the threat#339
NoodlesNZ wants to merge 1 commit into
OWASP:masterfrom
NoodlesNZ:bug/field_clobber

Conversation

@NoodlesNZ

Copy link
Copy Markdown
Contributor

When a finding matched an element override, Finding.__init__ merged in the full model_dump() of the override. Since overrides backfill required fields with empty strings, an override that only set response or cvss would blank out the finding's description, severity, mitigations — and the finding id assigned by resolve().

The merge now uses model_dump(exclude_unset=True), and the constructor no longer records its backfilled placeholders in __pydantic_fields_set__, so only fields actually set on the override are applied.

Extended test_overrides to assert that threat-sourced fields and the finding id survive an override — it only checked the overridden fields before, which is how this slipped through.

@NoodlesNZ NoodlesNZ requested a review from izar as a code owner July 10, 2026 22:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant