WIP#15135
Closed
valentijnscholten wants to merge 6 commits into
CWE is a weakness class, not a vulnerability instance id, so it gets its own Finding_CWE one-to-many relationship (separate from Vulnerability_Id) — it does not participate in hash_code, vulnerability-id dedup, or the cve field, so existing hashes/dedup are unchanged. Primary CWE stays on Finding.cwe; extras via unsaved_cwes. Populated on import/reimport (store_cwes/reconcile_cwes) and on UI/API create+edit (save_cwes); backfilled by migrate_cwe. Also adds autodetected Vulnerability_Id.vulnerability_id_type + a unique (finding, vulnerability_id) constraint (duplicates removed by the migration first).
Finding forms present one 'CWEs' textarea (one per line, e.g. 89 or CWE-89) exactly like the 'Vulnerability Ids' field: the first line is the primary Finding.cwe, the rest become Finding_CWE rows. CweFormMixin.save() parses it (parse_cwes) into instance.cwe + unsaved_cwes; save_cwes persists the rows. The model 'cwe' field is excluded from these forms; edit pre-fills all CWEs.
…bility_ids
Finding.cwes now returns canonical CWE-<n> strings; the form field shows/accepts CWE-<n>.
API: add a 'cwes' field on the finding serializer (nested [{"cwe": "CWE-79"}], sourced from
finding_cwe_set) mirroring 'vulnerability_ids' — the first entry sets the primary Finding.cwe,
the rest become Finding_CWE rows. The int 'cwe' field is retained for backward compatibility.
The 'cwes' textarea was picking up the EasyMDE markdown editor like description/mitigation. Exclude it (as vulnerability_ids and endpoints_to_add already are) so it renders as a plain textarea consistent with Vulnerability Ids.
- clean_cwes rejects non-numeric CWE tokens (previously silently dropped) with a form error.
- view_finding.html gains an 'Additional CWEs' panel mirroring 'Additional Vulnerability Ids' so multiple CWEs are visible (the header cell/findings list still show the primary only, consistent with first_vulnerability_id).
Finding.copy() didn't copy vulnerability_id_set (pre-existing gap — copies lost their vuln-id rows) nor the new finding_cwe_set. Copy both relations so cloned findings keep their identifiers.
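The commit messages above describe the CWE textarea contract (one token per line, `89` or `CWE-89`, first line is the primary, non-numeric tokens rejected, canonical `CWE-<n>` output, one row per distinct CWE). The following is an added example of that parsing and canonicalisation logic, written for this page; it is not DefectDojo's own `parse_cwes`/`clean_cwes`/`save_cwes` code, and the function names `parse_cwe_lines`, `canonical_cwes` and `serialize_cwes` are assumptions chosen for illustration.

```python
import re

# Token format taken from the commit messages: "89" or "CWE-89" (case-insensitive prefix).
# Hypothetical helper module; not DefectDojo's implementation.
_CWE_TOKEN = re.compile(r"^(?:cwe-)?(\d+)$", re.IGNORECASE)


class CweParseError(ValueError):
    """Raised for a token that is neither <n> nor CWE-<n> (mirrors a form error, not a silent drop)."""


def parse_cwe_lines(text):
    """Parse a multi-line CWE textarea into (primary, extras).

    primary: int CWE id from the first non-blank line, or None when nothing was entered
    extras:  canonical 'CWE-<n>' strings for the remaining distinct lines, in input order
    Duplicate ids are collapsed so only one row per (finding, cwe) would be created.
    """
    ids = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        token = raw.strip()
        if not token:
            continue  # blank lines are ignored, like the vulnerability_ids textarea
        match = _CWE_TOKEN.match(token)
        if not match:
            # Reject instead of dropping, so a typo such as "CWE-XSS" is surfaced to the user.
            raise CweParseError(f"line {lineno}: {token!r} is not a CWE id (use 89 or CWE-89)")
        cwe = int(match.group(1))
        if cwe in seen:
            continue  # same CWE written twice (e.g. "89" and "cwe-89") yields one entry
        seen.add(cwe)
        ids.append(cwe)
    if not ids:
        return None, []
    return ids[0], [f"CWE-{n}" for n in ids[1:]]


def canonical_cwes(primary, extras):
    """Primary first, then extras, all rendered as canonical 'CWE-<n>' strings.

    This is the shape a 'cwes' property would return and the edit form would pre-fill.
    """
    out = []
    if primary is not None:
        out.append(f"CWE-{primary}")
    out.extend(extras)
    return out


def serialize_cwes(primary, extras):
    """Nested API representation, one {"cwe": "CWE-<n>"} object per CWE (assumed shape)."""
    return [{"cwe": value} for value in canonical_cwes(primary, extras)]


if __name__ == "__main__":
    # Constructed sample textarea input.
    primary, extras = parse_cwe_lines("89\nCWE-79\ncwe-89\n\n20\n")
    print(primary, extras)                # 89 ['CWE-79', 'CWE-20']
    print(serialize_cwes(primary, extras))
```

Round-tripping matters here: whatever the form accepts, the property and serializer should emit in the single canonical `CWE-<n>` form, so a finding edited via the UI and one created via the API compare equal.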
No description provided.