risk accepted findings are no longer mitigated

netceteragroup · May 31, 2024 · b8a1059 · b8a1059
1 parent 5922a01
commit b8a1059
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py
@@ -561,6 +561,13 @@ def process_matched_special_status_finding(
         ):
             unchanged_items.append(existing_finding)
             return existing_finding, True
+        # If the finding is risk accepted and inactive in Defectdojo we do not sync the status from the scanner
+        # We also need to add the finding to 'unchanged_items' as otherwise it will get mitigated by the reimporter
+        # (Risk accepted findings are not set to mitigated by Defectdojo)
+        # We however do not exit the loop as we do want to update the endpoints (in case some endpoints were fixed)
+        elif existing_finding.risk_accepted and not existing_finding.active:
+            unchanged_items.append(existing_finding)
+            return existing_finding, False
         # The finding was not an exact match, so we need to add more details about from the
         # new finding to the existing. Return False here to make process further
         return existing_finding, False

diff --git a/unittests/test_import_reimport.py b/unittests/test_import_reimport.py
@@ -1089,7 +1089,7 @@ def test_import_reimport_keep_false_positive_and_out_of_scope(self):
         active_findings_before = self.get_test_findings_api(test_id, active=True)
         self.assert_finding_count_json(0, active_findings_before)
 
-        with assertTestImportModelsCreated(self, reimports=1, affected_findings=1, created=1):
+        with assertTestImportModelsCreated(self, reimports=1, affected_findings=1, created=1, untouched=1):
             reimport0 = self.reimport_scan_with_params(test_id, self.zap_sample0_filename)
 
         self.assertEqual(reimport0['test'], test_id)