Fix risk-accepted findings not being closed when vulnerability is fixed (#14125)

Fixes #10769

When a finding is risk-accepted and the underlying vulnerability is subsequently fixed (no longer appears in scan reports), the import/reimport process was failing to properly close these findings. This occurred because:

1. DefaultImporter.close_old_findings() only queried for active=True findings, missing risk-accepted findings which have active=False
2. BaseImporter.mitigate_finding() did not remove the risk_accepted status when closing findings

Changes:
- Modified DefaultImporter.close_old_findings() to include risk-accepted findings in the query (Q(active=True) | Q(risk_accepted=True))
- Added risk_unaccept() call in BaseImporter.mitigate_finding() to remove risk acceptance when findings are closed
- Added comprehensive unit tests covering both scenarios:
  * Risk-accepted findings that are no longer in scan reports (should be closed and risk acceptance removed)
  * Risk-accepted findings that are still in scan reports (should remain risk-accepted)

The fix ensures that when a previously risk-accepted vulnerability is genuinely fixed, the finding status accurately reflects this by being mitigated and having the risk acceptance removed.

Author: valentijnscholten

dojo/importers/base_importer.py

@@ -13,6 +13,7 @@
 from django.utils.timezone import make_aware
 
 import dojo.finding.helper as finding_helper
+import dojo.risk_acceptance.helper as ra_helper
 from dojo import utils
 from dojo.importers.endpoint_manager import EndpointManager
 from dojo.importers.options import ImporterOptions
@@ -925,6 +926,9 @@ def mitigate_finding(
             author=self.user,
             entry=note_message,
         )
+        # Remove risk acceptance if present (vulnerability is now fixed)
+        # risk_unaccept will check if finding.risk_accepted is True before proceeding
+        ra_helper.risk_unaccept(self.user, finding, perform_save=False, post_comments=False)
         # Mitigate the endpoint statuses
         self.endpoint_manager.mitigate_endpoint_status(finding.status_finding.all(), self.user, kwuser=self.user, sync=True)
         # to avoid pushing a finding group multiple times, we push those outside of the loop

dojo/importers/default_importer.py

@@ -328,9 +328,11 @@ def close_old_findings(
                 new_unique_ids_from_tool.append(unique_id_from_tool)
         # Get the initial filtered list of old findings to be closed without
         # considering the scope of the product or engagement
+        # Include both active findings and risk-accepted findings (which have active=False)
+        # Risk-accepted findings should be closed if the vulnerability is actually fixed
         old_findings = Finding.objects.filter(
+            Q(active=True) | Q(risk_accepted=True),
             test__test_type=self.test.test_type,
-            active=True,
         ).exclude(test=self.test)
         # Filter further based on the deduplication algorithm set on the test
         self.deduplication_algorithm = self.determine_deduplication_algorithm()

unittests/scans/zap/0_zap_sample_without_zap3.xml

@@ -0,0 +1,174 @@
+<?xml version="1.0"?><OWASPZAPReport version="2.9.0" generated="Tue, 12 May 2020 20:57:30">
+  <site name="https://mainsite.com" host="mainsite.com" port="443" ssl="true"><alerts><alertitem>
+    <pluginid>10011</pluginid>
+    <alert>zap1: Cookie Without Secure Flag</alert>
+    <name>Cookie Without Secure Flag</name>
+    <riskcode>1</riskcode>
+    <confidence>2</confidence>
+    <riskdesc>Low (Medium)</riskdesc>
+    <desc>A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.</desc>
+    <instances>
+    <instance>
+    <uri>https://mainsite.com/dashboard</uri>
+    <method>GET</method>
+    <param>opvc</param>
+    <evidence>Set-Cookie: opvc</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com/dashboard</uri>
+    <method>GET</method>
+    <param>dmid</param>
+    <evidence>Set-Cookie: dmid</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>sitevisitscookie</param>
+    <evidence>Set-Cookie: sitevisitscookie</evidence>
+    </instance>
+    </instances>
+    <count>3</count>
+    <solution>Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.</solution>
+    <reference>http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)</reference>
+    <cweid>614</cweid>
+    <wascid>13</wascid>
+    <sourceid>3</sourceid>
+  </alertitem>
+  <alertitem>
+    <pluginid>10054</pluginid>
+    <alert>zap2: Cookie Without SameSite Attribute</alert>
+    <name>Cookie Without SameSite Attribute</name>
+    <riskcode>1</riskcode>
+    <confidence>2</confidence>
+    <riskdesc>Low (Medium)</riskdesc>
+    <desc>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a &apos;cross-site&apos; request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</desc>
+    <instances>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>sitevisitscookie</param>
+    <evidence>Set-Cookie: sitevisitscookie</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com/dashboard</uri>
+    <method>GET</method>
+    <param>dmid</param>
+    <evidence>Set-Cookie: dmid</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>JSESSIONID</param>
+    <evidence>Set-Cookie: JSESSIONID</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com/dashboard</uri>
+    <method>GET</method>
+    <param>opvc</param>
+    <evidence>Set-Cookie: opvc</evidence>
+    </instance>
+    </instances>
+    <count>4</count>
+    <solution>Ensure that the SameSite attribute is set to either &apos;lax&apos; or ideally &apos;strict&apos; for all cookies.</solution>
+    <reference>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</reference>
+    <cweid>16</cweid>
+    <wascid>13</wascid>
+    <sourceid>3</sourceid>
+  </alertitem>
+  <!-- <alertitem>
+    <pluginid>10055</pluginid>
+    <alert>zap3: CSP Scanner: Wildcard Directive</alert>
+    <name>CSP Scanner: Wildcard Directive</name>
+    <riskcode>2</riskcode>
+    <confidence>2</confidence>
+    <riskdesc>Medium (Medium)</riskdesc>
+    <desc>The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src</desc>
+    <instances>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>Content-Security-Policy</param>
+    <evidence>frame-ancestors &apos;self&apos;;</evidence>
+    </instance>
+    </instances>
+    <count>1</count>
+    <solution>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</solution>
+    <reference>http://www.w3.org/TR/CSP2/http://www.w3.org/TR/CSP/http://caniuse.com/#search=content+security+policyhttp://content-security-policy.com/https://github.com/shapesecurity/salvation</reference>
+    <cweid>16</cweid>
+    <wascid>15</wascid>
+    <sourceid>3</sourceid>
+  </alertitem> -->
+  <!-- <alertitem>
+    <pluginid>10010</pluginid>
+    <alert>zap4: Cookie No HttpOnly Flag</alert>
+    <name>Cookie No HttpOnly Flag</name>
+    <riskcode>1</riskcode>
+    <confidence>2</confidence>
+    <riskdesc>Low (Medium)</riskdesc>
+    <desc>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.</desc>
+    <instances>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>opvc</param>
+    <evidence>Set-Cookie: opvc</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>dmid</param>
+    <evidence>Set-Cookie: dmid</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <param>sitevisitscookie</param>
+    <evidence>Set-Cookie: sitevisitscookie</evidence>
+    </instance>
+    </instances>
+    <count>3</count>
+    <solution>Ensure that the HttpOnly flag is set for all cookies.</solution>
+    <reference>http://www.owasp.org/index.php/HttpOnly</reference>
+    <cweid>16</cweid>
+    <wascid>13</wascid>
+    <sourceid>3</sourceid>
+  </alertitem> -->
+  <alertitem>
+    <pluginid>10096</pluginid>
+    <alert>zap5: Timestamp Disclosure - Unix</alert>
+    <name>Timestamp Disclosure - Unix</name>
+    <riskcode>1</riskcode>
+    <confidence>1</confidence>
+    <riskdesc>Low (Medium)</riskdesc>
+    <desc>A timestamp was disclosed by the application/web server - Unix</desc>
+    <instances>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <evidence>265151019</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <evidence>398525181</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com</uri>
+    <method>GET</method>
+    <evidence>153792000</evidence>
+    </instance>
+    <instance>
+    <uri>https://mainsite.com/dashboard</uri>
+    <method>GET</method>
+    <evidence>1028274645</evidence>
+    </instance>
+    </instances>
+    <count>4</count>
+    <solution>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</solution>
+    <otherinfo>265151019, which evaluates to: 1978-05-27 22:03:39</otherinfo>
+    <reference>https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposurehttp://projects.webappsec.org/w/page/13246936/Information%20Leakage</reference>
+    <cweid>200</cweid>
+    <wascid>13</wascid>
+    <sourceid>3</sourceid>
+  </alertitem>
+  </alerts></site></OWASPZAPReport>

unittests/test_import_reimport.py

@@ -60,6 +60,7 @@ def __init__(self, *args, **kwargs):
         self.zap_sample1_filename = get_unit_tests_scans_path("zap") / "1_zap_sample_0_and_new_absent.xml"
         self.zap_sample2_filename = get_unit_tests_scans_path("zap") / "2_zap_sample_0_and_new_endpoint.xml"
         self.zap_sample3_filename = get_unit_tests_scans_path("zap") / "3_zap_sampl_0_and_different_severities.xml"
+        self.zap_sample_without_zap3_filename = get_unit_tests_scans_path("zap") / "0_zap_sample_without_zap3.xml"
 
         self.anchore_file_name = get_unit_tests_scans_path("anchore_engine") / "one_vuln_many_files.json"
         self.scan_type_anchore = "Anchore Engine Scan"
@@ -1573,6 +1574,110 @@ def test_import_reimport_keep_false_positive_and_out_of_scope(self):
                 self.assertFalse(finding["risk_accepted"])
                 self.assertFalse(finding["is_mitigated"])
 
+    def test_reimport_closes_risk_accepted_when_vulnerability_fixed(self):
+        """Test that risk-accepted findings are closed when vulnerability no longer in scan"""
+        logger.debug("importing zap0, risk accepting zap3, reimporting without zap3, expecting zap3 to be closed")
+
+        # Import Zap0 with 4 findings (Zap1, Zap2, Zap3, Zap5)
+        import0 = self.import_scan_with_params(self.zap_sample0_filename)
+        test_id = import0["test"]
+
+        # Enable simple risk acceptance
+        test_api_response = self.get_test_api(test_id)
+        product_api_response = self.get_engagement_api(test_api_response["engagement"])
+        product_id = product_api_response["product"]
+        self.patch_product_api(product_id, {"enable_simple_risk_acceptance": True})
+
+        # Get all findings and risk accept Zap3
+        findings = self.get_test_findings_api(test_id, active=True)
+        self.assert_finding_count_json(4, findings)
+
+        zap3_id = None
+        for finding in findings["results"]:
+            if "Zap3" in finding["title"]:
+                # Risk accept via API (sets active=False, risk_accepted=True)
+                self.patch_finding_api(finding["id"], {
+                    "risk_accepted": True,
+                    "active": False,
+                })
+                zap3_id = finding["id"]
+                break
+
+        self.assertIsNotNone(zap3_id, "Zap3 finding should exist")
+
+        # Verify risk acceptance was applied
+        finding = self.get_finding_api(zap3_id)
+        self.assertTrue(finding["risk_accepted"])
+        self.assertFalse(finding["active"])
+        self.assertFalse(finding["is_mitigated"])
+
+        # Reimport scan WITHOUT Zap3 (vulnerability is fixed)
+        # This should close the risk-accepted finding and remove risk acceptance
+        # Zap1, Zap2, and Zap5 are still in the scan, so they are untouched
+        with assertTestImportModelsCreated(self, reimports=1, affected_findings=1, closed=1, untouched=3):
+            reimport0 = self.reimport_scan_with_params(test_id, self.zap_sample_without_zap3_filename)
+
+        self.assertEqual(reimport0["test"], test_id)
+
+        # Verify Zap3 is now mitigated and risk acceptance removed
+        finding = self.get_finding_api(zap3_id)
+        self.assertTrue(finding["is_mitigated"], "Finding should be mitigated when vulnerability is fixed")
+        self.assertFalse(finding["active"], "Finding should remain inactive")
+        self.assertFalse(finding["risk_accepted"], "Risk acceptance should be removed when vulnerability is fixed")
+
+        # Verify note was added explaining the closure
+        self.assertIsNotNone(finding.get("notes"))
+
+    def test_reimport_keeps_risk_accepted_when_still_in_scan(self):
+        """Test that risk-accepted findings remain risk-accepted when still in scan (Scenario A)"""
+        logger.debug("importing zap0, risk accepting zap3, reimporting same scan, expecting zap3 to remain risk-accepted")
+
+        # Import Zap0 with 4 findings (Zap1, Zap2, Zap3, Zap5)
+        import0 = self.import_scan_with_params(self.zap_sample0_filename)
+        test_id = import0["test"]
+
+        # Enable simple risk acceptance
+        test_api_response = self.get_test_api(test_id)
+        product_api_response = self.get_engagement_api(test_api_response["engagement"])
+        product_id = product_api_response["product"]
+        self.patch_product_api(product_id, {"enable_simple_risk_acceptance": True})
+
+        # Get all findings and risk accept Zap3
+        findings = self.get_test_findings_api(test_id, active=True)
+        self.assert_finding_count_json(4, findings)
+
+        zap3_id = None
+        for finding in findings["results"]:
+            if "Zap3" in finding["title"]:
+                # Risk accept via API (sets active=False, risk_accepted=True)
+                self.patch_finding_api(finding["id"], {
+                    "risk_accepted": True,
+                    "active": False,
+                })
+                zap3_id = finding["id"]
+                break
+
+        self.assertIsNotNone(zap3_id, "Zap3 finding should exist")
+
+        # Verify risk acceptance was applied
+        finding = self.get_finding_api(zap3_id)
+        self.assertTrue(finding["risk_accepted"])
+        self.assertFalse(finding["active"])
+        self.assertFalse(finding["is_mitigated"])
+
+        # Reimport SAME scan (Zap3 is still present in scan)
+        # The risk-accepted finding should remain risk-accepted (NOT closed)
+        with assertTestImportModelsCreated(self, reimports=1, untouched=4):
+            reimport0 = self.reimport_scan_with_params(test_id, self.zap_sample0_filename)
+
+        self.assertEqual(reimport0["test"], test_id)
+
+        # Verify Zap3 is still risk-accepted (NOT closed)
+        finding = self.get_finding_api(zap3_id)
+        self.assertTrue(finding["risk_accepted"], "Finding should remain risk-accepted when still in scan")
+        self.assertFalse(finding["active"], "Finding should remain inactive")
+        self.assertFalse(finding["is_mitigated"], "Finding should NOT be mitigated when still risk-accepted and present in scan")
+
     # import gitlab_dep_scan_components_filename with 6 findings
     # findings 1, 2 and 3 have the same component_name (golang.org/x/crypto) and the same CVE (CVE-2020-29652), but different component_version
     # findings 4 and 5 have the same component_name (golang.org/x/text) and the same CVE (CVE-2020-14040), but different component_version

unittests/test_importers_closeold.py

@@ -2,6 +2,7 @@
 
 from django.utils import timezone
 
+import dojo.risk_acceptance.helper as ra_helper
 from dojo.importers.default_importer import DefaultImporter
 from dojo.models import Development_Environment, Engagement, Product, Product_Type, User
 
@@ -171,3 +172,62 @@ def test_close_old_same_product_scan_matching_with_unique_id_from_tool(self):
             _, _, len_new_findings, len_closed_findings, _, _, _ = importer.process_scan(many_findings_scan)
             self.assertEqual(1, len_new_findings)
             self.assertEqual(1, len_closed_findings)
+
+    def test_close_old_closes_risk_accepted_findings(self):
+        """Test that close_old_findings closes risk-accepted findings when not in new scan"""
+        scan_type = "Acunetix Scan"
+        user, _ = User.objects.get_or_create(username="admin")
+        product_type, _ = Product_Type.objects.get_or_create(name="closeold_risk")
+        product, _ = Product.objects.get_or_create(
+            name="TestCloseOldRiskAccepted",
+            prod_type=product_type,
+        )
+        product.enable_simple_risk_acceptance = True
+        product.save()
+
+        engagement, _ = Engagement.objects.get_or_create(
+            name="Close Old Risk Accepted",
+            product=product,
+            target_start=timezone.now(),
+            target_end=timezone.now(),
+        )
+        environment, _ = Development_Environment.objects.get_or_create(name="Development")
+        import_options = {
+            "user": user,
+            "lead": user,
+            "scan_date": None,
+            "environment": environment,
+            "active": True,
+            "verified": False,
+            "engagement": engagement,
+            "scan_type": scan_type,
+        }
+
+        # Import many findings
+        with (get_unit_tests_scans_path("acunetix") / "many_findings.xml").open(encoding="utf-8") as scan:
+            importer = DefaultImporter(close_old_findings=False, **import_options)
+            test, _, len_new, len_closed, _, _, _ = importer.process_scan(scan)
+            self.assertEqual(4, len_new)
+            self.assertEqual(0, len_closed)
+
+        # Risk accept one finding
+        finding_to_accept = test.finding_set.first()
+        ra_helper.simple_risk_accept(user, finding_to_accept)
+        finding_to_accept.refresh_from_db()
+        self.assertTrue(finding_to_accept.risk_accepted)
+        self.assertFalse(finding_to_accept.active)
+
+        # Import scan with only one finding (different from risk-accepted one)
+        # close_old_findings should close the risk-accepted finding
+        with (get_unit_tests_scans_path("acunetix") / "one_finding.xml").open(encoding="utf-8") as scan:
+            importer = DefaultImporter(close_old_findings=True, **import_options)
+            _, _, len_new, len_closed, _, _, _ = importer.process_scan(scan)
+            self.assertEqual(1, len_new)
+            # At least 3 findings should be closed (including the risk-accepted one)
+            # The exact number depends on deduplication, but we verify below
+            self.assertGreaterEqual(len_closed, 3)
+
+        # Verify risk-accepted finding was closed
+        finding_to_accept.refresh_from_db()
+        self.assertTrue(finding_to_accept.is_mitigated, "Risk-accepted finding should be mitigated when vulnerability is fixed")
+        self.assertFalse(finding_to_accept.risk_accepted, "Risk acceptance should be removed when vulnerability is fixed")