Skip to content

Preserve verified flag when promoting duplicate to new original#14934

Open
valentijnscholten wants to merge 1 commit into
DefectDojo:bugfixfrom
valentijnscholten:fix/preserve-verified-on-duplicate-promotion
Open

Preserve verified flag when promoting duplicate to new original#14934
valentijnscholten wants to merge 1 commit into
DefectDojo:bugfixfrom
valentijnscholten:fix/preserve-verified-on-duplicate-promotion

Conversation

@valentijnscholten
Copy link
Copy Markdown
Member

@valentijnscholten valentijnscholten commented May 31, 2026

Summary

  • When the original of a duplicate cluster is deleted (e.g. via engagement deletion), reconfigure_duplicate_cluster in dojo/finding/helper.py promotes the first remaining duplicate to the new primary. It already copies active and is_mitigated from the original, but not verified.
  • The promoted finding therefore kept its own verified=False, which blocks Jira's "Push All Issues" (requires Active and Verified). Vulnerability stayed visible in DefectDojo with no Jira ticket.
  • Fix: also copy verified from the original to the new primary.
  • Regression tests in unittests/test_prepare_duplicates_for_delete.py cover both directions (original verified+active+not-mitigated, and original unverified+inactive+mitigated), with the duplicate starting in the opposite state for each field so every copy is observable.
  • Fixes Deleting an engagement can promote duplicate findings without verified flag, preventing Jira creation #14911

Out of scope for this PR (potential follow-ups):

  • Relinking the existing JIRA_Issue from the deleted original to the new primary (instead of creating a new ticket). The current JIRA_Issue.finding is a OneToOneField with on_delete=CASCADE, so the row is gone before promotion runs — requires intercepting pre-delete.
  • Auto-closing the Jira ticket when no replacement duplicate exists.
  • Finding_Group-level Jira relinking.

@valentijnscholten
Preserve verified flag when promoting duplicate to new original
13ce5ad 
When the original of a duplicate cluster is deleted (e.g. via engagement
deletion), reconfigure_duplicate_cluster promotes the first remaining
duplicate to the new primary. It already copies active and is_mitigated
from the original, but not verified. The promoted finding kept its own
verified=False, which blocked Jira's "Push All Issues" (requires
active+verified).

Add verified to the fields copied to the new original.

Fixes DefectDojo#14911
@valentijnscholten valentijnscholten added this to the 2.59.1 milestone May 31, 2026
mtesauro
mtesauro approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@rossops rossops deleted the branch DefectDojo:bugfix June 1, 2026 16:18
@rossops rossops closed this Jun 1, 2026
@rossops rossops reopened this Jun 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@Jino-T Jino-T Jino-T approved these changes

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@blakeaowens blakeaowens Awaiting requested review from blakeaowens

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

unittests

Projects

None yet

Milestone

2.59.1

Development

Successfully merging this pull request may close these issues.

5 participants

@valentijnscholten @mtesauro @dogboat @Jino-T @rossops