Skip to content

Prevent reimport from reactivating duplicate findings as active/verified#14935

Open
valentijnscholten wants to merge 2 commits into
DefectDojo:bugfixfrom
valentijnscholten:fix/duplicate-reactivation-14910
Open

Prevent reimport from reactivating duplicate findings as active/verified#14935
valentijnscholten wants to merge 2 commits into
DefectDojo:bugfixfrom
valentijnscholten:fix/duplicate-reactivation-14910

Conversation

@valentijnscholten
Copy link
Copy Markdown
Member

@valentijnscholten valentijnscholten commented May 31, 2026

Summary

  • Fixes Reimport reactivation can produce active/verified duplicate findings #14910: reimport reactivation could leave a finding in the invalid state active=true, verified=true, duplicate=true, which the finding edit form itself rejects (Duplicate findings cannot be verified or active).
  • Root cause: process_matched_mitigated_finding in dojo/importers/default_reimporter.py reactivated a matched mitigated finding by setting active=True/verified without checking whether the finding is a duplicate, bypassing the invariant enforced by set_duplicate (active=False, verified=False for duplicates). Postprocessing deduplication does not repair the state because the batch matcher skips findings already marked duplicate=True.
  • Fix: when the existing finding is a duplicate, un-mitigate it but keep it active=False/verified=False on reactivation, so duplicates stay inactive as documented. Non-duplicate findings reactivate exactly as before. The reactivation note text reflects the duplicate case.
  • Adds regression tests (ReimportDuplicateReactivationTest) covering both the duplicate path (stays inactive/unverified) and the regular path (still reactivates).

@valentijnscholten
Prevent reimport from reactivating duplicate findings as active/verified
6138824 
Fixes DefectDojo#14910. process_matched_mitigated_finding reactivated a matched
mitigated finding without checking whether it is a duplicate, producing
an invalid active/verified duplicate state that the finding edit form
rejects. Keep duplicates inactive/unverified on reactivation (un-mitigate
only), matching the set_duplicate invariant.
@valentijnscholten valentijnscholten added this to the 2.59.1 milestone May 31, 2026
@valentijnscholten
Initialise reimporter accumulators in duplicate reactivation tests
1d0e061 
process_matched_mitigated_finding appends to self.reactivated_items,
which is normally created in process_findings(). The tests drive the
method directly, so set the accumulator lists explicitly.
mtesauro
mtesauro approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@rossops rossops deleted the branch DefectDojo:bugfix June 1, 2026 16:18
@rossops rossops closed this Jun 1, 2026
@rossops rossops reopened this Jun 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@Jino-T Jino-T Jino-T approved these changes

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@blakeaowens blakeaowens Awaiting requested review from blakeaowens

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

unittests

Projects

None yet

Milestone

2.59.1

Development

Successfully merging this pull request may close these issues.

5 participants

@valentijnscholten @mtesauro @dogboat @Jino-T @rossops