🎉 Advance reimport to update fix_available field #12633

[manuel-sommer]

• I advanced fix_available to be updated within each reimport: Add "has fix" filter for CVE finding #12633 (comment)
• I added field fix_version to populate a dedicated fixed version in the header of a finding. This field can also be used to be updated equal to fix_available within the reimport. An example screenshot can be found here:

- I added anchore grype to populate these fields

#12633 (comment)

[manuel-sommer]

@valentijnscholten is this the right direction for updating fix_available in reimport?

[valentijnscholten]

Yes

[manuel-sommer]

Shall I target this against bugfix, or do we want a longer testphase and keep it against dev?

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request modifies several sensitive files (dojo/models.py, dojo/importers/default_reimporter.py, dojo/templates/dojo/view_finding.html, dojo/db_migrations/0247_remove_finding_insert_insert_and_more.py) flagged by the configured codepaths scanner and also includes a change in default_reimporter.py where the re-import process updates finding metadata (fix_available and fix_version) without explicit authorization checks, potentially allowing users with only scan import permissions to alter finding metadata. Please verify that these edits are intentional and either restrict the affected codepaths/authors in .dryrunsecurity.yaml or add proper authorization checks to prevent unauthorized metadata modification.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/db_migrations/0247_remove_finding_insert_insert_and_more.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Unauthorized Modification of Finding Metadata in dojo/importers/default_reimporter.py

Vulnerability

Unauthorized Modification of Finding Metadata

Description

The re-import process, triggered by a user with scan import permissions, updates the fix_available and fix_version fields of an existing finding. This update occurs within the process_matched_active_finding function without performing explicit authorization checks to ensure the user has the necessary permissions to directly edit the finding's metadata. This allows a user with potentially lower privileges (scan import) to modify critical information on a finding that they might not otherwise be authorized to change.

django-DefectDojo/dojo/importers/default_reimporter.py

Lines 599 to 601 in d82dfdd

	if existing_finding.fix_available != unsaved_finding.fix_available:
	existing_finding.fix_available = unsaved_finding.fix_available
	existing_finding.fix_version = unsaved_finding.fix_version

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.

[valentijnscholten]

The main reason fields are not updated during reimport is that there's a risk it overwrites fields that were changed by the user. At least that's what I think the reason is. And this could be an issue here are the user may have set the fix_available field to None or False explicity. On the other hand we want to make that if a fix has become available we update the finding. What are your thoughts on this @Maffooch @mtesauro

[manuel-sommer]

I mean that is what is requested also in the linked issue explicitly.

[valentijnscholten]

We've discussed this and since this is sort of a "status" field or "meta" field it's OK to let reimport update it. Two remarks:

• I think we would just always need to update it, so also the case where it goes from True to False (or to None)
• I think it would have to be updated for any existing finding, so all branches of process_matched_finding.

[Maffooch]

We've discussed this and since this is sort of a "status" field or "meta" field it's OK to let reimport update it. Two remarks:

• I think we would just always need to update it, so also the case where it goes from True to False (or to None)
• I think it would have to be updated for any existing finding, so all branches of process_matched_finding.

I agree with this approach

[manuel-sommer]

Please review @valentijnscholten

[manuel-sommer]

Another point @valentijnscholten :
I can also remove the mitigation field from the deduplication settings in general and update it as well. Also take a look here:
#13053
#13055
With these two PRs, all mitigation fields in use would be removed from HASHCODE_FIELDS_PER_SCANNER in settings.dist.py
This enables us to update the mitigation field also as soon as a fix_available changes. These two fields often correlate.

[valentijnscholten]

Maybe start with just the fix_available field first as we are all in agreement that is good change to make.

[manuel-sommer]

Could we release this for the next release on Monday @mtesauro ?

[valentijnscholten]

@manuel-sommer I think this PR is a nice addition. Do you need any help to get across?

[manuel-sommer]

@valentijnscholten , as there were multiple rebases, the db migration causes these failures. I just rebased again and adapted the db migration, everything should be fine.

[valentijnscholten]

@manuel-sommer Can you regenerated the migrations? This is needed due to the addition of django-pghistory.

[manuel-sommer]

@manuel-sommer Can you regenerated the migrations? This is needed due to the addition of django-pghistory.

just regenerated a new migration @valentijnscholten

[manuel-sommer]

I would love to see this being released as I opened the PR already in August.

[valentijnscholten]

Approved. Do you think a small note in 2.52.md should be added to make users aware? It's the first time we let reimport override any non-status fields.

[manuel-sommer]

Approved. Do you think a small note in 2.52.md should be added to make users aware? It's the first time we let reimport override any non-status fields.

done @valentijnscholten

[manuel-sommer]

Updated the upgrading notes to 2.53

Just checking in to see if there's a timeline for the review. I'd really appreciate it if this could be merged soon – it would also save me from having to maintain the upgrade notes and db migrations every month. @mtesauro