Vulnerability IDs: Do not allow users to import empty strings (#14017)

* added code to remove unwanted vulnerability ids

* Update dojo/finding/helper.py

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

Author: Jino-T

dojo/finding/helper.py

@@ -775,13 +775,20 @@ def add_endpoints(new_finding, form):
             endpoint=endpoint, defaults={"date": form.cleaned_data["date"] or timezone.now()})
 
 
+def sanitize_vulnerability_ids(vulnerability_ids) -> None:
+    """Remove undisired vulnerability id values"""
+    vulnerability_ids = [x for x in vulnerability_ids if x.strip()]
+
+
 def save_vulnerability_ids(finding, vulnerability_ids):
     # Remove duplicates
     vulnerability_ids = list(dict.fromkeys(vulnerability_ids))
 
     # Remove old vulnerability ids
     Vulnerability_Id.objects.filter(finding=finding).delete()
 
+    # Remove undisired vulnerability ids
+    sanitize_vulnerability_ids(vulnerability_ids)
     # Save new vulnerability ids
     # Using bulk create throws Django 50 warnings about unsaved models...
     for vulnerability_id in vulnerability_ids:

dojo/importers/base_importer.py

@@ -797,6 +797,11 @@ def process_endpoints(
             logger.debug("endpoints_to_add: %s", endpoints_to_add)
             self.endpoint_manager.chunk_endpoints_and_disperse(finding, endpoints_to_add)
 
+    def sanitize_vulnerability_ids(self, finding) -> None:
+        """Remove undisired vulnerability id values"""
+        if finding.unsaved_vulnerability_ids:
+            finding.unsaved_vulnerability_ids = [x for x in finding.unsaved_vulnerability_ids if x.strip()]
+
     def process_cve(
         self,
         finding: Finding,
@@ -805,6 +810,8 @@ def process_cve(
         # Synchronize the cve field with the unsaved_vulnerability_ids
         # We do this to be as flexible as possible to handle the fields until
         # the cve field is not needed anymore and can be removed.
+        # Remove undisired vulnerability ids
+        self.sanitize_vulnerability_ids(finding)
         if finding.unsaved_vulnerability_ids and finding.cve:
             # Make sure the first entry of the list is the value of the cve field
             finding.unsaved_vulnerability_ids.insert(0, finding.cve)
@@ -825,6 +832,8 @@ def process_vulnerability_ids(
         Parse the `unsaved_vulnerability_ids` field from findings after they are parsed
         to create `Vulnerability_Id` objects with the finding associated correctly
         """
+        # Remove undisired vulnerability ids
+        self.sanitize_vulnerability_ids(finding)
         if finding.unsaved_vulnerability_ids:
             # Remove old vulnerability ids - keeping this call only because of flake8
             Vulnerability_Id.objects.filter(finding=finding).delete()