
fix: guard legacy endpoint access in Make Template / Merge Findings under V3_FEATURE_LOCATIONS #15139

Open: stevewallone wants to merge 1 commit into DefectDojo:bugfix from stevewallone:bugfix-15123-endpoint-init



@stevewallone


Fixes #15123.

Problem: Creating a Finding Template from a finding ("Make Template") or merging findings returns a 500 when V3_FEATURE_LOCATIONS is enabled and the finding still carries legacy Endpoint rows. The locations migration deliberately keeps legacy endpoint rows as backup, so any finding created before the migration trips this; findings created after V3 are unaffected — which is why the crash is data-dependent.

Root cause: two sites in dojo/finding/views.py iterate finding.endpoints.all() without the Endpoint.allow_endpoint_init() escape hatch. Iterating the queryset hydrates Endpoint instances via Model.from_db() → Endpoint.__init__, which raises NotImplementedError: Endpoint model is deprecated when V3_FEATURE_LOCATIONS is enabled:

  • mktemplate: [str(ep) for ep in finding.endpoints.all()]
  • merge_finding_product: finding_to_merge_into.endpoints.add(*finding.endpoints.all())

Fix: wrap both sites in with Endpoint.allow_endpoint_init():, matching the existing convention at the other legacy endpoint call sites (product/views.py, product_type/views.py, api_v2/views.py, api_v2/mixins.py), each tagged # TODO: Delete this after the move to Locations. This is also the approach the reporter (@DarkR0ast) suggested.

Tests: unittests/test_finding_template_merge_endpoints_v3.py — regression tests modeled on test_delete_with_endpoints_v3.py: a finding carrying a legacy endpoint row under V3_FEATURE_LOCATIONS=True, exercising both views. Both error with the production NotImplementedError before the fix and pass after; endpoint data is verified copied (template endpoints_text / merged finding's endpoints). Also verified manually in a local instance against both UI flows.

Note on scope: this restores the pre-V3 merge/template behavior for legacy endpoint data (no more 500). Two adjacent gaps exist but look like design decisions beyond this issue: (1) legacy finding.endpoints rows are not displayed anywhere in the V3 UI (the finding page renders only finding.locations), so merged legacy endpoints are invisible under V3; (2) the merge and mktemplate views do not carry over V3 finding.locations at all, even though Location.associate_with_finding() exists. Happy to file/take a follow-up issue for a locations-aware merge if wanted.

🤖 Generated with Claude Code

…ATURE_LOCATIONS

Creating a Finding Template from a finding or merging findings crashed with
NotImplementedError when V3_FEATURE_LOCATIONS is enabled and the finding still
carries legacy Endpoint rows (kept as backup by the locations migration).
Both sites in dojo/finding/views.py iterated finding.endpoints.all() without
the Endpoint.allow_endpoint_init() escape hatch used by the other legacy
endpoint call sites. Fixes DefectDojo#15123.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Maffooch Maffooch added this to the 3.1.0 milestone Jul 1, 2026
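
The failure mode and fix described in this PR, as an added example that is not DefectDojo's code: a constructor that refuses to run unless a context-manager flag is set, and a row collection that only builds instances when iterated. Only the names Endpoint, allow_endpoint_init and V3_FEATURE_LOCATIONS come from the page; the ContextVar mechanism, the LegacyRows class and the two helper functions are assumptions made for illustration.

```python
import contextvars
from contextlib import contextmanager

# Assumed mechanism: a flag the deprecated constructor consults.
_allow_init = contextvars.ContextVar("allow_endpoint_init", default=False)
V3_FEATURE_LOCATIONS = True  # setting named in the PR


class Endpoint:
    """Stand-in for the deprecated legacy model (not the real Django model)."""

    def __init__(self, host):
        if V3_FEATURE_LOCATIONS and not _allow_init.get():
            raise NotImplementedError("Endpoint model is deprecated")
        self.host = host

    def __str__(self):
        return self.host

    @staticmethod
    @contextmanager
    def allow_endpoint_init():
        # Escape hatch: permit construction only inside the with-block.
        token = _allow_init.set(True)
        try:
            yield
        finally:
            _allow_init.reset(token)


class LegacyRows:
    """Hypothetical stand-in for finding.endpoints: rows hydrate on iteration."""

    def __init__(self, hosts):
        self._hosts = list(hosts)  # constructed sample data

    def all(self):
        return (Endpoint(h) for h in self._hosts)  # __init__ runs per row


def template_endpoints_unguarded(rows):
    # Shape of the pre-fix call site: fails only when rows exist.
    return [str(ep) for ep in rows.all()]


def template_endpoints_guarded(rows):
    # Shape of the fix: iteration is consumed inside the escape hatch.
    with Endpoint.allow_endpoint_init():
        return [str(ep) for ep in rows.all()]
```

An empty collection never calls the constructor, which is why the unguarded path only fails for findings that still carry legacy rows.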

@mtesauro mtesauro left a comment

Contributor

Approved
