From 5e27a0119b78231767e959cb3f0dee36181559ed Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Wed, 24 Dec 2025 11:43:29 +0100 Subject: [PATCH 1/3] Fix test_type mismatch validation during reimport (#10219) - Add validation in consolidate_dynamic_tests to detect test_type mismatches during reimport - Raise ValidationError with descriptive message when test_type doesn't match - Validation occurs before any findings are processed or deduplication starts - Add test cases for matching test_type, mismatched test_type, and initial import scenarios - Create test data files for generic parser with different test types Fixes #10219 --- dojo/importers/base_importer.py | 16 ++ .../scans/generic/generic_test_type_1.json | 14 ++ .../scans/generic/generic_test_type_2.json | 14 ++ unittests/test_importers_importer.py | 169 ++++++++++++++++++ 4 files changed, 213 insertions(+) create mode 100644 unittests/scans/generic/generic_test_type_1.json create mode 100644 unittests/scans/generic/generic_test_type_2.json diff --git a/dojo/importers/base_importer.py b/dojo/importers/base_importer.py index 03bb801e32f..47128e4f0d0 100644 --- a/dojo/importers/base_importer.py +++ b/dojo/importers/base_importer.py @@ -209,6 +209,22 @@ def consolidate_dynamic_tests(self, tests: list[Test]) -> list[Finding]: if test_type_name != self.scan_type: test_type_name = f"{test_type_name} ({self.scan_type})" self.test = self.create_test(test_type_name) + else: + # During reimport, validate that the test_type matches + # Calculate the expected test_type_name from the incoming report + expected_test_type_name = self.scan_type + if test_raw.type: + expected_test_type_name = f"{test_raw.type} Scan" + if expected_test_type_name != self.scan_type: + expected_test_type_name = f"{expected_test_type_name} ({self.scan_type})" + # Compare with existing test's test_type name + if self.test.test_type.name != expected_test_type_name: + msg = ( + f"Test type mismatch: Test {self.test.id} has test_type 
'{self.test.test_type.name}', " + f"but the report contains test_type '{expected_test_type_name}'. " + f"Reimport with matching test_type or create a new test." + ) + raise ValidationError(msg) # This part change the name of the Test # we get it from the data of the parser # Update the test and test type with meta from the raw test diff --git a/unittests/scans/generic/generic_test_type_1.json b/unittests/scans/generic/generic_test_type_1.json new file mode 100644 index 00000000000..39e20b3a0c8 --- /dev/null +++ b/unittests/scans/generic/generic_test_type_1.json @@ -0,0 +1,14 @@ +{ + "name": "Test Tool1", + "type": "Tool1", + "findings": [ + { + "title": "Test Finding 1", + "description": "This is a test finding for Tool1", + "severity": "High", + "active": true, + "verified": true + } + ] +} + diff --git a/unittests/scans/generic/generic_test_type_2.json b/unittests/scans/generic/generic_test_type_2.json new file mode 100644 index 00000000000..29bf7112463 --- /dev/null +++ b/unittests/scans/generic/generic_test_type_2.json @@ -0,0 +1,14 @@ +{ + "name": "Test Tool2", + "type": "Tool2", + "findings": [ + { + "title": "Test Finding 2", + "description": "This is a test finding for Tool2", + "severity": "Medium", + "active": true, + "verified": true + } + ] +} + diff --git a/unittests/test_importers_importer.py b/unittests/test_importers_importer.py index cc5fb342df7..bf2ca0b0fb4 100644 --- a/unittests/test_importers_importer.py +++ b/unittests/test_importers_importer.py @@ -2,11 +2,13 @@ import uuid from unittest.mock import patch +from django.core.exceptions import ValidationError from django.utils import timezone from rest_framework.authtoken.models import Token from rest_framework.test import APIClient from dojo.importers.default_importer import DefaultImporter +from dojo.importers.default_reimporter import DefaultReImporter from dojo.models import Development_Environment, Engagement, Finding, Product, Product_Type, Test, User from dojo.tools.gitlab_sast.parser 
import GitlabSastParser from dojo.tools.sarif.parser import SarifParser @@ -148,6 +150,173 @@ def test_import_scan_without_test_scan_type(self): self.assertEqual(1, len_new_findings) self.assertEqual(0, len_closed_findings) + def test_import_generic_with_custom_test_type(self): + """Test Case 4: Initial import (should not trigger validation, should create new test)""" + generic_test_type_1 = get_unit_tests_scans_path("generic") / "generic_test_type_1.json" + with generic_test_type_1.open(encoding="utf-8") as scan: + scan_type = "Generic Findings Import" + user, _ = User.objects.get_or_create(username="admin") + product_type, _ = Product_Type.objects.get_or_create(name="test_generic") + product, _ = Product.objects.get_or_create( + name="TestGenericImporter", + prod_type=product_type, + ) + engagement, _ = Engagement.objects.get_or_create( + name="Test Generic Engagement", + product=product, + target_start=timezone.now(), + target_end=timezone.now(), + ) + environment, _ = Development_Environment.objects.get_or_create(name="Development") + import_options = { + "user": user, + "lead": user, + "scan_date": None, + "environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "engagement": engagement, + "close_old_findings": False, + } + importer = DefaultImporter(**import_options) + test, _, len_new_findings, len_closed_findings, _, _, _ = importer.process_scan(scan) + # Verify test is created successfully + self.assertIsNotNone(test) + # Verify test_type is set correctly based on report's type field + self.assertEqual("Tool1 Scan (Generic Findings Import)", test.test_type.name) + self.assertEqual(1, len_new_findings) + self.assertEqual(0, len_closed_findings) + + def test_reimport_generic_with_matching_test_type(self): + """Test Case 1: Reimport with matching test_type (should succeed)""" + generic_test_type_1 = get_unit_tests_scans_path("generic") / "generic_test_type_1.json" + with 
generic_test_type_1.open(encoding="utf-8") as scan: + scan_type = "Generic Findings Import" + user, _ = User.objects.get_or_create(username="admin") + product_type, _ = Product_Type.objects.get_or_create(name="test_generic_reimport") + product, _ = Product.objects.get_or_create( + name="TestGenericReimport", + prod_type=product_type, + ) + engagement, _ = Engagement.objects.get_or_create( + name="Test Generic Reimport Engagement", + product=product, + target_start=timezone.now(), + target_end=timezone.now(), + ) + environment, _ = Development_Environment.objects.get_or_create(name="Development") + import_options = { + "user": user, + "lead": user, + "scan_date": None, + "environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "engagement": engagement, + "close_old_findings": False, + } + # Initial import + importer = DefaultImporter(**import_options) + test, _, _, _, _, _, _ = importer.process_scan(scan) + original_test_type_name = test.test_type.name + self.assertEqual("Tool1 Scan (Generic Findings Import)", original_test_type_name) + + # Reimport with same test_type + reimport_options = { + "test": test, + "user": user, + "lead": user, + "scan_date": None, + "environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "close_old_findings": False, + } + reimporter = DefaultReImporter(**reimport_options) + # Reset file pointer for reimport + scan.seek(0) + test_after_reimport, _, _, _, _, _, _ = reimporter.process_scan(scan) + # Verify reimport succeeds without ValidationError + self.assertEqual(test.id, test_after_reimport.id) + # Verify test_type remains unchanged + test.refresh_from_db() + self.assertEqual(original_test_type_name, test.test_type.name) + + def test_reimport_generic_with_different_test_type(self): + """Test Case 2: Reimport with different test_type (should fail with ValidationError)""" + generic_test_type_1 = 
get_unit_tests_scans_path("generic") / "generic_test_type_1.json" + generic_test_type_2 = get_unit_tests_scans_path("generic") / "generic_test_type_2.json" + with generic_test_type_1.open(encoding="utf-8") as scan: + scan_type = "Generic Findings Import" + user, _ = User.objects.get_or_create(username="admin") + product_type, _ = Product_Type.objects.get_or_create(name="test_generic_mismatch") + product, _ = Product.objects.get_or_create( + name="TestGenericMismatch", + prod_type=product_type, + ) + engagement, _ = Engagement.objects.get_or_create( + name="Test Generic Mismatch Engagement", + product=product, + target_start=timezone.now(), + target_end=timezone.now(), + ) + environment, _ = Development_Environment.objects.get_or_create(name="Development") + import_options = { + "user": user, + "lead": user, + "scan_date": None, + "environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "engagement": engagement, + "close_old_findings": False, + } + # Initial import with Tool1 + importer = DefaultImporter(**import_options) + test, _, _, _, _, _, _ = importer.process_scan(scan) + original_test_type_name = test.test_type.name + self.assertEqual("Tool1 Scan (Generic Findings Import)", original_test_type_name) + original_finding_count = test.finding_set.count() + + # Attempt to reimport with Tool2 (different test_type) + reimport_options = { + "test": test, + "user": user, + "lead": user, + "scan_date": None, + "environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "close_old_findings": False, + } + reimporter = DefaultReImporter(**reimport_options) + # Reset file pointer and use different file + with generic_test_type_2.open(encoding="utf-8") as scan2: + # Verify ValidationError is raised with appropriate message + with self.assertRaises(ValidationError) as context: + reimporter.process_scan(scan2) + error_message = 
str(context.exception) + self.assertIn("Test type mismatch", error_message) + self.assertIn("Tool1 Scan (Generic Findings Import)", error_message) + self.assertIn("Tool2 Scan (Generic Findings Import)", error_message) + self.assertIn(str(test.id), error_message) + + # Verify no findings are processed/updated + test.refresh_from_db() + self.assertEqual(original_finding_count, test.finding_set.count()) + # Verify test_type remains unchanged + self.assertEqual(original_test_type_name, test.test_type.name) + class FlexibleImportTestAPI(DojoAPITestCase): def __init__(self, *args, **kwargs): From 3c2ff319f9d78e904bfe1c33acec3a00522e923f Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Wed, 24 Dec 2025 19:06:27 +0100 Subject: [PATCH 2/3] fixes --- dojo/importers/base_importer.py | 20 ++++-- unittests/scans/generic/generic_no_type.json | 13 ++++ .../generic_test_type_equals_scan_type.json | 14 ++++ unittests/test_importers_importer.py | 64 +++++++++++++++++++ 4 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 unittests/scans/generic/generic_no_type.json create mode 100644 unittests/scans/generic/generic_test_type_equals_scan_type.json diff --git a/dojo/importers/base_importer.py b/dojo/importers/base_importer.py index 47128e4f0d0..380fa24e4e0 100644 --- a/dojo/importers/base_importer.py +++ b/dojo/importers/base_importer.py @@ -205,18 +205,26 @@ def consolidate_dynamic_tests(self, tests: list[Test]) -> list[Finding]: if not self.test: # Determine if we should use a custom test type name if test_raw.type: - test_type_name = f"{tests[0].type} Scan" - if test_type_name != self.scan_type: - test_type_name = f"{test_type_name} ({self.scan_type})" + # If test_raw.type equals scan_type, use scan_type directly + if test_raw.type == self.scan_type: + test_type_name = self.scan_type + else: + test_type_name = f"{tests[0].type} Scan" + if test_type_name != self.scan_type: + test_type_name = f"{test_type_name} ({self.scan_type})" self.test = 
self.create_test(test_type_name) else: # During reimport, validate that the test_type matches # Calculate the expected test_type_name from the incoming report expected_test_type_name = self.scan_type if test_raw.type: - expected_test_type_name = f"{test_raw.type} Scan" - if expected_test_type_name != self.scan_type: - expected_test_type_name = f"{expected_test_type_name} ({self.scan_type})" + # If test_raw.type equals scan_type, use scan_type directly + if test_raw.type == self.scan_type: + expected_test_type_name = self.scan_type + else: + expected_test_type_name = f"{test_raw.type} Scan" + if expected_test_type_name != self.scan_type: + expected_test_type_name = f"{expected_test_type_name} ({self.scan_type})" # Compare with existing test's test_type name if self.test.test_type.name != expected_test_type_name: msg = ( diff --git a/unittests/scans/generic/generic_no_type.json b/unittests/scans/generic/generic_no_type.json new file mode 100644 index 00000000000..73a9ab85bd9 --- /dev/null +++ b/unittests/scans/generic/generic_no_type.json @@ -0,0 +1,13 @@ +{ + "name": "Test Without Type", + "findings": [ + { + "title": "Test Finding Without Type", + "description": "This is a test finding without type field", + "severity": "Medium", + "active": true, + "verified": true + } + ] +} + diff --git a/unittests/scans/generic/generic_test_type_equals_scan_type.json b/unittests/scans/generic/generic_test_type_equals_scan_type.json new file mode 100644 index 00000000000..3d65051de53 --- /dev/null +++ b/unittests/scans/generic/generic_test_type_equals_scan_type.json @@ -0,0 +1,14 @@ +{ + "name": "Test With Type Equal To Scan Type", + "type": "Generic Findings Import", + "findings": [ + { + "title": "Test Finding With Type Equal To Scan Type", + "description": "This is a test finding with type equal to scan_type", + "severity": "High", + "active": true, + "verified": true + } + ] +} + diff --git a/unittests/test_importers_importer.py b/unittests/test_importers_importer.py index 
bf2ca0b0fb4..4077648c812 100644 --- a/unittests/test_importers_importer.py +++ b/unittests/test_importers_importer.py @@ -317,6 +317,70 @@ def test_reimport_generic_with_different_test_type(self): # Verify test_type remains unchanged self.assertEqual(original_test_type_name, test.test_type.name) + def test_reimport_generic_type_equals_scan_type(self): + """Test reimport when type field equals scan_type (should succeed)""" + generic_no_type = get_unit_tests_scans_path("generic") / "generic_no_type.json" + generic_test_type_equals_scan_type = get_unit_tests_scans_path("generic") / "generic_test_type_equals_scan_type.json" + with generic_no_type.open(encoding="utf-8") as scan: + scan_type = "Generic Findings Import" + user, _ = User.objects.get_or_create(username="admin") + product_type, _ = Product_Type.objects.get_or_create(name="test_generic_type_equals_scan_type") + product, _ = Product.objects.get_or_create( + name="TestGenericTypeEqualsScanType", + prod_type=product_type, + ) + engagement, _ = Engagement.objects.get_or_create( + name="Test Generic Type Equals Scan Type Engagement", + product=product, + target_start=timezone.now(), + target_end=timezone.now(), + ) + environment, _ = Development_Environment.objects.get_or_create(name="Development") + import_options = { + "user": user, + "lead": user, + "scan_date": None, + "environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "engagement": engagement, + "close_old_findings": False, + } + # Initial import without type field + importer = DefaultImporter(**import_options) + test, _, _, _, _, _, _ = importer.process_scan(scan) + original_test_type_name = test.test_type.name + # Should create test_type as just scan_type (no type field) + self.assertEqual("Generic Findings Import", original_test_type_name) + + # Reimport with type field equal to scan_type + reimport_options = { + "test": test, + "user": user, + "lead": user, + "scan_date": None, + 
"environment": environment, + "minimum_severity": "Info", + "active": True, + "verified": True, + "scan_type": scan_type, + "close_old_findings": False, + } + reimporter = DefaultReImporter(**reimport_options) + # Use file with type field equal to scan_type + with generic_test_type_equals_scan_type.open(encoding="utf-8") as scan2: + # Should succeed without ValidationError + test_after_reimport, _, len_new_findings, _, _, _, _ = reimporter.process_scan(scan2) + # Verify reimport succeeds + self.assertEqual(test.id, test_after_reimport.id) + # Verify test_type remains unchanged (should still be "Generic Findings Import") + test.refresh_from_db() + self.assertEqual("Generic Findings Import", test.test_type.name) + # Verify findings were processed + self.assertGreater(len_new_findings, 0) + class FlexibleImportTestAPI(DojoAPITestCase): def __init__(self, *args, **kwargs): From 782cd256eca18ce9e217739335cf6c10545c6bcc Mon Sep 17 00:00:00 2001 From: Valentijn Scholten Date: Wed, 24 Dec 2025 19:17:05 +0100 Subject: [PATCH 3/3] add docs --- .../product_hierarchy.md | 37 +++++++++++++++---- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/docs/content/en/working_with_findings/organizing_engagements_tests/product_hierarchy.md b/docs/content/en/working_with_findings/organizing_engagements_tests/product_hierarchy.md index d2105b75ac5..093ba1d90e0 100644 --- a/docs/content/en/working_with_findings/organizing_engagements_tests/product_hierarchy.md +++ b/docs/content/en/working_with_findings/organizing_engagements_tests/product_hierarchy.md @@ -25,9 +25,9 @@ Product Types can have Role\-Based Access Control rules applied, which limit tea #### What can a Product Type represent? -* If a particular software project has many distinct deployments or versions, it may be worth creating a single Product Type which covers the scope of the entire project, and having each version exist as individual Products. 
+* If a particular software project has many distinct deployments or versions, it may be worth creating a single Product Type which covers the scope of the entire project, and having each version exist as individual Products. ​ -* You also might consider using Product Types to represent stages in your software development process: one Product Type for 'In Development', one Product Type for 'In Production', etc. +* You also might consider using Product Types to represent stages in your software development process: one Product Type for 'In Development', one Product Type for 'In Production', etc. ​ * Ultimately, it's your decision how you wish to organize your Products, and what you Product Type to represent. Your DefectDojo hierarchy may need to change to fit your security teams' needs. @@ -58,11 +58,11 @@ The following scenarios are good reasons to consider creating a separate DefectD * "**ExampleProduct 1\.0**" uses completely different software components from "**ExampleProduct 2\.0**", and both versions are actively supported by your company. * The team assigned to work on "**ExampleProduct version A**" is different than the product team assigned to work on "**ExampleProduct version B**", and needs to have different security permissions assigned as a result. -These variations within a single Product can also be handled at the Engagement level. Note that Engagements don't have access control in the way Products and Product Types do. +These variations within a single Product can also be handled at the Engagement level. Note that Engagements don't have access control in the way Products and Product Types do. ## **Engagements** -Once a Product is set up, you can begin creating and scheduling Engagements. Engagements are meant to represent moments in time when testing is taking place, and contain one or more **Tests**. +Once a Product is set up, you can begin creating and scheduling Engagements. 
Engagements are meant to represent moments in time when testing is taking place, and contain one or more **Tests**. Engagements always have: @@ -72,12 +72,12 @@ Engagements always have: * an assigned **Testing Lead** * an associated **Product** -There are two types of Engagement: **Interactive** and **CI/CD**. +There are two types of Engagement: **Interactive** and **CI/CD**. * An **Interactive Engagement** is typically run by an engineer. Interactive Engagements are focused on testing the application while the app is running, using an automated test, human tester, or any activity “interacting” with the application functionality. See [OWASP's definition of IAST](https://owasp.org/www-project-devsecops-guideline/latest/02c-Interactive-Application-Security-Testing#:~:text=Interactive%20Application%20Security%20Testing,interacting%E2%80%9D%20with%20the%20application%20functionality.). * A **CI/CD Engagement** is for automated integration with a CI/CD pipeline. CI/CD Engagements are meant to import data as an automated action, triggered by a step in the release process. -Engagements can be tracked using DefectDojo's **Calendar** view. +Engagements can be tracked using DefectDojo's **Calendar** view. #### What can an Engagement represent? @@ -91,7 +91,7 @@ If you have a planned testing effort scheduled, an Engagement offers you a place * **Test:** Nessus Scan Results (March 12\) * **Test:** NPM Scan Audit Results (March 12\) -* **Test:** Snyk Scan Results (March 12\) +* **Test:** Snyk Scan Results (March 12\) ​ You can also organize CI/CD Test results within an Engagement. These kinds of Engagements are 'Open\-Ended' meaning that they don't have a date, and will instead add additional data each time the associated CI/CD actions are run. 
@@ -137,6 +137,29 @@ The following Test Types appear in the "Scan Type" dropdown when creating a new Non-parser Test Types should be used when you need to manually create findings that require remediation but don't originate from automated scanner output. +#### **Parser-based Test Types** + +Parser-based test types can be categorized by how their test type name is determined: + +- **Fixed Test Type Names**: The test type name is predefined and known before import (e.g., "ZAP Scan", "Nessus Scan"). + +- **Report-Defined Test Type Names**: The test type name is extracted from the scan report content at import time. + +Examples include: + - **Generic Findings Import**: Creates test types based on the `type` field in JSON reports + - **SARIF**: Creates test types based on tool names in the SARIF report (e.g., "Dockle Scan (SARIF)") + - **OpenReports**: Creates separate test types per source found in the report + +**Report-Defined Test Type Naming Rules:** +- If the report's `type` field equals the scan type → uses scan type directly (e.g., "Generic Findings Import") +- If the report's `type` field differs → creates "{type} Scan ({scan_type})" format (e.g., "Tool1 Scan (Generic Findings Import)"), unless "{type} Scan" is itself the scan type, in which case the scan type is used directly +- If no `type` field is provided → uses scan type directly + +**Important Considerations:** +- Report-defined test types are automatically created when a new type is detected during import or reimport. +- For reimports into an existing Test, the test type name derived from the report must exactly match the Test's current test type; a mismatch raises a validation error before any findings are processed. +- Deduplication settings (`HASHCODE_FIELDS_PER_SCANNER`) use test type names as keys, so report-defined names must be configured accordingly if you want custom deduplication behavior. + #### **How do Tests interact with each other?** Tests take your testing data and group it into Findings. Generally, security teams will be running the same testing effort repeatedly, and Tests in DefectDojo allow you to handle this process in an elegant way.