
WIP #15135

Closed

valentijnscholten wants to merge 6 commits into dev from feat/cwe-vuln-id-consolidation


Conversation

@valentijnscholten

Member

No description provided.

CWE is a weakness class, not a vulnerability instance id, so it gets its own Finding_CWE
one-to-many relationship (separate from Vulnerability_Id) — it does not participate in
hash_code, vulnerability-id dedup, or the cve field, so existing hashes/dedup are unchanged.
Primary CWE stays on Finding.cwe; extras via unsaved_cwes. Populated on import/reimport
(store_cwes/reconcile_cwes) and on UI/API create+edit (save_cwes); backfilled by migrate_cwe.
Also adds autodetected Vulnerability_Id.vulnerability_id_type + a unique (finding, vulnerability_id)
constraint (duplicates removed by the migration first).
Finding forms present one 'CWEs' textarea (one per line, e.g. 89 or CWE-89) exactly like the
'Vulnerability Ids' field: the first line is the primary Finding.cwe, the rest become Finding_CWE
rows. CweFormMixin.save() parses it (parse_cwes) into instance.cwe + unsaved_cwes; save_cwes
persists the rows. The model 'cwe' field is excluded from these forms; edit pre-fills all CWEs.
…bility_ids

Finding.cwes now returns canonical CWE-<n> strings; the form field shows/accepts CWE-<n>.
API: add a 'cwes' field on the finding serializer (nested [{"cwe": "CWE-79"}], sourced from
finding_cwe_set) mirroring 'vulnerability_ids' — the first entry sets the primary Finding.cwe,
the rest become Finding_CWE rows. The int 'cwe' field is retained for backward compatibility.
The 'cwes' textarea was picking up the EasyMDE markdown editor like description/mitigation.
Exclude it (as vulnerability_ids and endpoints_to_add already are) so it renders as a plain
textarea consistent with Vulnerability Ids.
- clean_cwes rejects non-numeric CWE tokens (was silently dropped) with a form error.
- view_finding.html gains an 'Additional CWEs' panel mirroring 'Additional Vulnerability Ids'
  so multiple CWEs are visible (the header cell/findings list still show the primary only,
  consistent with first_vulnerability_id).
Finding.copy() didn't copy vulnerability_id_set (pre-existing gap — copies lost their vuln-id
rows) nor the new finding_cwe_set. Copy both relations so cloned findings keep their identifiers.
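A standalone sketch of the textarea parsing these commits describe (one token per line, e.g. `89` or `CWE-89`; first line is the primary `Finding.cwe`, the rest become `Finding_CWE` rows; non-numeric tokens are rejected rather than dropped). This is added example code written for this page, not DefectDojo's own `parse_cwes`/`clean_cwes`; the case-insensitive prefix matching, the de-duplication of repeated tokens, and the `CweValidationError` class are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed token grammar: an optional case-insensitive "CWE-" prefix followed by digits.
_CWE_TOKEN = re.compile(r"^(?:CWE-)?(\d+)$", re.IGNORECASE)


class CweValidationError(ValueError):
    """Stands in for the form error clean_cwes raises on a non-numeric token (assumed name)."""


@dataclass
class ParsedCwes:
    primary: Optional[int]                          # first line -> integer Finding.cwe
    extras: List[str] = field(default_factory=list)  # remaining lines -> Finding_CWE rows

    def all_cwes(self) -> List[str]:
        """Canonical CWE-<n> strings, primary first, mirroring what Finding.cwes returns."""
        if self.primary is None:
            return []
        return [f"CWE-{self.primary}", *self.extras]


def canonical_cwe(token: str) -> str:
    """Normalise '89', 'CWE-89' or 'cwe-089' to 'CWE-89'; reject anything else."""
    match = _CWE_TOKEN.match(token.strip())
    if not match:
        raise CweValidationError(f"Invalid CWE token: {token!r}")
    return f"CWE-{int(match.group(1))}"


def parse_cwes(text: str) -> ParsedCwes:
    """Parse the 'CWEs' textarea: one token per line, blank lines and repeats ignored."""
    seen: List[str] = []
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        canon = canonical_cwe(token)   # raises on non-numeric input instead of dropping it
        if canon not in seen:          # assumed: duplicates collapse to one row
            seen.append(canon)
    if not seen:
        return ParsedCwes(primary=None)
    return ParsedCwes(primary=int(seen[0].removeprefix("CWE-")), extras=seen[1:])
```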
github-actions (bot) added the labels "New Migration" (Adding a new migration file. Take care when merging.), "docs", "unittests" and "ui" on Jul 1, 2026.
valentijnscholten changed the title from "WIP: multiple CWEs per finding (Finding_CWE) + vulnerability_id type" to "WIP" on Jul 1, 2026.