feat(finding): copy finding fix + autodetected vulnerability id type + uniqueness constraint#15145

Status: Open
valentijnscholten wants to merge 1 commit into DefectDojo:dev from valentijnscholten:feat/vulnerability-id-type

Conversation

valentijnscholten (Member) commented Jul 2, 2026

Description

Adds an autodetected type to each vulnerability identifier, and a uniqueness constraint on (finding, vulnerability_id).

  • Vulnerability_Id gains a vulnerability_id_type field, autodetected from the identifier's leading prefix — the part before the first hyphen (-): CVE-2024-1234 → CVE, GHSA-… → GHSA, RUSTSEC-2021-0001 → RUSTSEC, ALINUX2-SA-… → ALINUX2. It is derived structurally (no registry) and is NULL when there is no non-numeric prefix (bare numbers / UUIDs / no dash). The column is indexed so identifiers can be filtered and grouped by type efficiently.
  • The type is populated automatically: on import (the bulk-create paths set it at construction) and on save()/get_or_create (via a save() override). Existing rows are backfilled by the migration.
  • A unique constraint is added on (finding, vulnerability_id). Pre-existing duplicate rows (unintended) are consolidated first (keeping the earliest) so the constraint can be created.

vulnerability_id_type is a denormalized, derived attribute — it does not participate in hash_code, so existing hash codes and deduplication are unaffected by this change.

Stacked PRs — this is the base of the stack. The multiple-CWEs-per-finding change is stacked on top of this PR in #15143. Merge this PR first; #15143 builds on it (and its migrations 0279/0280 chain after the 0276-0278 migrations here).

Migrations

  • 0276_vulnerability_id_type — adds the indexed vulnerability_id_type column and a leading index on vulnerability_id.
  • 0277_backfill_vulnerability_id_type — backfills vulnerability_id_type for existing rows and removes duplicate (finding, vulnerability_id) rows (keeping the earliest).
  • 0278_unique_finding_vulnerability_id — adds the unique constraint on (finding, vulnerability_id).

Test results

  • New unittests/test_vulnerability_id_type.py covers prefix autodetection, that save() and the bulk import path populate the type, and that the uniqueness constraint is enforced.

Documentation

  • Added docs/content/releases/os_upgrading/3.2.md.

Checklist

  • Rebased against the latest dev.
  • Submitted against dev.
  • Model changes include the necessary migrations in dojo/db_migrations.
  • Added tests to the unit tests.
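The prefix rule and the migration steps described above, as an added example that is not DefectDojo's own code. It models the behaviour in plain Python so it runs without Django: prefix autodetection (part before the first hyphen, NULL for bare numbers, UUIDs and dash-less values), the 0277-style backfill and duplicate consolidation, and a check that the result would satisfy the 0278 unique constraint. The function names, the dict row layout, the "earliest means lowest id" rule, and the reading of "non-numeric prefix" as "contains at least one letter" are assumptions made here for illustration; the sample rows are constructed.

```python
import re
import uuid

# Added example, not DefectDojo's code: models the PR's described behaviour
# in plain Python. Function names, the row layout and the "earliest = lowest
# id" rule are assumptions for illustration.


def detect_vulnerability_id_type(vulnerability_id):
    """Return the structural prefix (part before the first '-') or None.

    None is returned when there is no non-numeric prefix: no dash at all,
    a purely numeric prefix, or a UUID-shaped value.
    """
    if not vulnerability_id:
        return None
    value = vulnerability_id.strip()
    if "-" not in value:
        return None
    try:
        uuid.UUID(value)          # assumption: UUIDs are never typed identifiers
        return None
    except ValueError:
        pass
    prefix = value.split("-", 1)[0]
    # Assumption: "non-numeric" means the prefix contains at least one letter,
    # so ALINUX2 qualifies but a year like 2024 does not.
    if not re.search(r"[A-Za-z]", prefix):
        return None
    return prefix


def consolidate_duplicates(rows):
    """Keep one row per (finding_id, vulnerability_id), the earliest by id.

    Returns (kept_rows, deleted_ids) so the caller can see what a data
    migration would delete before the unique constraint is added.
    """
    kept_by_key = {}
    for row in sorted(rows, key=lambda r: r["id"]):
        key = (row["finding_id"], row["vulnerability_id"])
        kept_by_key.setdefault(key, row)   # first seen == lowest id
    kept_ids = {r["id"] for r in kept_by_key.values()}
    deleted_ids = sorted(r["id"] for r in rows if r["id"] not in kept_ids)
    kept_rows = sorted(kept_by_key.values(), key=lambda r: r["id"])
    return kept_rows, deleted_ids


def backfill_types(rows):
    """Populate vulnerability_id_type on every row, like the 0277 backfill."""
    for row in rows:
        row["vulnerability_id_type"] = detect_vulnerability_id_type(row["vulnerability_id"])
    return rows


def is_unique_per_finding(rows):
    """True if (finding_id, vulnerability_id) would satisfy the 0278 constraint."""
    keys = [(r["finding_id"], r["vulnerability_id"]) for r in rows]
    return len(keys) == len(set(keys))


# Constructed sample rows standing in for existing Vulnerability_Id records.
SAMPLE_ROWS = [
    {"id": 1, "finding_id": 10, "vulnerability_id": "CVE-2024-1234"},
    {"id": 2, "finding_id": 10, "vulnerability_id": "GHSA-xxxx-yyyy-zzzz"},
    {"id": 3, "finding_id": 10, "vulnerability_id": "CVE-2024-1234"},   # duplicate pair
    {"id": 4, "finding_id": 11, "vulnerability_id": "CVE-2024-1234"},   # other finding, allowed
    {"id": 5, "finding_id": 11, "vulnerability_id": "RUSTSEC-2021-0001"},
    {"id": 6, "finding_id": 12, "vulnerability_id": "ALINUX2-SA-2024-0001"},
    {"id": 7, "finding_id": 12, "vulnerability_id": "123456"},
    {"id": 8, "finding_id": 12, "vulnerability_id": "550e8400-e29b-41d4-a716-446655440000"},
]


def run_migration_steps(rows):
    """Apply dedupe then backfill to a copy of rows and report the outcome."""
    working = [dict(r) for r in rows]
    kept, deleted = consolidate_duplicates(working)
    backfill_types(kept)
    return {
        "kept": kept,
        "deleted_ids": deleted,
        "unique": is_unique_per_finding(kept),
        "types": {r["vulnerability_id"]: r["vulnerability_id_type"] for r in kept},
    }


if __name__ == "__main__":
    result = run_migration_steps(SAMPLE_ROWS)
    print("deleted:", result["deleted_ids"])
    for row in result["kept"]:
        print(row["id"], row["finding_id"], row["vulnerability_id"], row["vulnerability_id_type"])
    print("unique:", result["unique"])
```

Running the module consolidates the duplicate CVE row for finding 10 (id 3 is dropped, id 1 kept), leaves the same CVE on finding 11 untouched, and backfills types so that the bare number and the UUID end up with None. The UUID exclusion is done by parsing rather than by regex so that a hex-only first segment is not mistaken for a type prefix.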

valentijnscholten (Member, Author) commented:

Sibling PR (independent split): #15143 — multiple CWEs per finding.

@github-actions github-actions Bot added New Migration Adding a new migration file. Take care when merging. docs unittests labels Jul 2, 2026
@valentijnscholten valentijnscholten changed the title from "feat(finding): autodetected vulnerability id type + uniqueness constraint" to "feat(finding): copy finding fix + autodetected vulnerability id type + uniqueness constraint" Jul 2, 2026
@valentijnscholten valentijnscholten added this to the 3.2.0 milestone Jul 2, 2026
…aint

Adds Vulnerability_Id.vulnerability_id_type, autodetected from the id's
leading prefix (CVE-2024-1234 -> CVE, GHSA-... -> GHSA), stored and indexed
so identifiers can be filtered/grouped by type. Populated on import (bulk)
and on save(); existing rows backfilled by migration.

Also de-duplicates (finding, vulnerability_id) rows and adds a unique
constraint on the pair. CWE is a weakness class and is intentionally NOT
part of this change; vulnerability_id_type does not participate in
hash_code, so existing hash codes and deduplication are unaffected.

Migrations: 0276 (type column + lookup index), 0277 (dedupe + backfill,
data), 0278 (unique constraint).
@valentijnscholten valentijnscholten marked this pull request as ready for review July 2, 2026 18:21
@valentijnscholten valentijnscholten force-pushed the feat/vulnerability-id-type branch from 5506d52 to c356327 July 2, 2026 20:37

mtesauro (Contributor) left a comment:

Approved
