fix: don't close old findings when reimport auto-creates a new test (#14396)

* fix: don't close old findings when reimport auto-creates a new test

When auto_create_context=True and the test doesn't exist yet, the reimport
falls back to DefaultImporter. With close_old_findings=True, this would
incorrectly close findings from other tests in the same engagement/product
scope because the newly created test has no prior findings to compare against.

Suppress close_old_findings for this initial-import path. Fixes #14363.

* test: regression test for #14363 via API serializer path

Add test_reimport_auto_create_does_not_close_findings_in_existing_test to
ImportReimportTestAPI. It calls the reimport endpoint with
auto_create_context=True and close_old_findings=True targeting a non-existing
test title, verifying that the existing test's findings are not closed when
the endpoint auto-creates a new test. This test would fail if the
close_old_findings=False override in the serializer were reverted.

Author: valentijnscholten

dojo/api_v2/serializers.py

@@ -2711,8 +2711,11 @@ def process_scan(
                 # Attempt to create an engagement
                 logger.debug("reimport for non-existing test, using import to create new test")
                 context["engagement"] = auto_create_manager.get_or_create_engagement(**context)
+                # Do not close old findings when creating a brand new test: there are no
+                # existing findings to compare against, and close_old_findings would
+                # incorrectly close findings from other tests in the same scope.
                 context["test"], _, _, _, _, _, _ = self.get_importer(
-                    **context,
+                    **{**context, "close_old_findings": False},
                 ).process_scan(
                     context.pop("scan", None),
                 )

unittests/test_import_reimport.py

@@ -2582,6 +2582,63 @@ def test_reimport_set_scan_date_parser_sets_date(self):
         date = findings["results"][0]["date"]
         self.assertEqual(date, "2006-12-26")
 
+    def test_reimport_auto_create_does_not_close_findings_in_existing_test(self):
+        """
+        Regression test for #14363: when reimport with auto_create_context=True creates
+        a brand new test, close_old_findings must not close findings from other tests in
+        the same engagement scope.
+
+        The serializer now forces close_old_findings=False when calling DefaultImporter
+        in this path. Without the fix, all 4 findings from the pre-existing test would be
+        incorrectly closed.
+        """
+        product_type, _ = Product_Type.objects.get_or_create(name="PT CloseOld AutoCreate")
+        product, _ = Product.objects.get_or_create(
+            name="P CloseOld AutoCreate",
+            description="test",
+            prod_type=product_type,
+        )
+        engagement = Engagement.objects.create(
+            name="E CloseOld AutoCreate",
+            product=product,
+            target_start=timezone.now(),
+            target_end=timezone.now(),
+        )
+
+        acunetix_many_findings = get_unit_tests_scans_path("acunetix") / "many_findings.xml"
+
+        # Step 1: import 4 findings into an existing test (test1) in the engagement.
+        # minimum_severity="Info" is required to include all 4 findings in the file.
+        import1 = self.import_scan_with_params(
+            acunetix_many_findings,
+            scan_type=self.scan_type_acunetix,
+            engagement=engagement.id,
+            minimum_severity="Info",
+        )
+        test1_id = import1["test"]
+        self.assert_finding_count_json(4, self.get_test_findings_api(test1_id, active=True))
+
+        # Step 2: call the reimport endpoint with auto_create_context=True and a
+        # different test_title so a new test is created.  close_old_findings=True
+        # is the value a caller would pass (and the reimport default); the serializer
+        # must suppress it when auto-creating a new test.  The scan uses a different
+        # file so its hash codes don't overlap with test1's findings, meaning the
+        # bug would close all 4 of test1's findings if the fix were reverted.
+        self.reimport_scan_with_params(
+            None,
+            self.acunetix_file_name,
+            scan_type=self.scan_type_acunetix,
+            test_title="Brand New Test From Reimport",
+            product_name="P CloseOld AutoCreate",
+            engagement_name="E CloseOld AutoCreate",
+            product_type_name="PT CloseOld AutoCreate",
+            auto_create_context=True,
+            close_old_findings=True,
+        )
+
+        # Step 3: test1's 4 findings must all still be active
+        self.assert_finding_count_json(4, self.get_test_findings_api(test1_id, active=True))
+
     @override_settings(
         IMPORT_REIMPORT_DEDUPE_BATCH_SIZE=200,
         IMPORT_REIMPORT_MATCH_BATCH_SIZE=200,