@valentijnscholten valentijnscholten commented Dec 20, 2025

Fixes #10619

Breaking changes / feature removal:

  • As communicated in the 2025Q1 community update the automated matching of Finding Templates based on CWE and/or title has now been removed.

Enhancements to the Finding_Template model:

  • added all relevant fields from the Finding model.
  • added endpoints
  • simplify vulnerability_id handling
  • setting tags from template now works

@valentijnscholten valentijnscholten added this to the 2.54.0 milestone Dec 20, 2025
@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. ui labels Dec 20, 2025
@github-actions github-actions bot added the docs label Dec 20, 2025
@github-actions github-actions bot added the apiv2 label Dec 21, 2025
@valentijnscholten valentijnscholten modified the milestones: 2.54.0, 2.55.0 Dec 21, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review December 21, 2025 10:23
Contributor

@mtesauro mtesauro left a comment

Approved

@mtesauro
Contributor

I got DryRun Security and our Docs Dry Run mixed up. I don't see why that docs GHA is failing though.

@valentijnscholten
Member Author

@mtesauro Me neither, it seems to go OOM on generating an image. But I didn't touch anything related to that. But it does fail consistently on this PR. Who knows more about this docs thing? Maybe we need to increase the memory setting, but we would have to do that on master possibly, or at least dev, to get GH to pick those up.

@github-actions
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@dryrunsecurity

DryRun Security

This pull request introduces two issues: it allows unvalidated user input to be stored in Finding_Template.endpoints_text which can lead to stored XSS when that value is used as the initial value of a textarea in the admin UI, and it lacks validation for CVSS v3/v4 vector fields in ApplyFindingTemplateForm, permitting malformed vectors to be copied into Findings and potentially causing data integrity or silent failure problems.

Stored XSS via Unvalidated Endpoint URL in dojo/api_v2/serializers.py
Vulnerability: Stored XSS via Unvalidated Endpoint URL
Description: The API and helper functions allow unvalidated user input to be stored in the Finding_Template.endpoints_text field. This lack of validation permits storing arbitrary strings, including malicious schemes like javascript:. When an administrator views or edits the template via the web interface, the raw unvalidated string is retrieved and used as the initial value for a textarea form field, which often leads to Stored Cross-Site Scripting (XSS) if not aggressively escaped.

    endpoint_urls = [url.strip() for url in endpoint_urls.split("\n") if url.strip()]
elif not isinstance(endpoint_urls, list):
    endpoint_urls = []

Missing Input Validation for CVSS Vector Fields in dojo/forms.py
Vulnerability: Missing Input Validation for CVSS Vector Fields
Description: The ApplyFindingTemplateForm does not validate the format of the CVSS v3 and v4 vectors (cvssv3, cvssv4) submitted via the form. This allows users to apply a template with malformed CVSS vector strings, which are then copied to the Finding object. Although the application attempts to calculate the CVSS score on save, relying on the save method for input validation is poor practice and can lead to data integrity issues or silent failures when applying a template.

    cvssv3 = forms.CharField(label="CVSSv3", max_length=117, required=False, widget=forms.TextInput(attrs={"class": "btn btn-secondary dropdown-toggle", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
    cvssv3_score = forms.FloatField(required=False, label="CVSSv3 Score")
    cvssv4 = forms.CharField(label="CVSSv4", max_length=255, required=False)
    cvssv4_score = forms.FloatField(required=False, label="CVSSv4 Score")


All finding details can be found in the DryRun Security Dashboard.
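As an added illustration of the two validation gaps the DryRun Security comment points at (not DefectDojo's own code, and not part of this PR), the snippet below shows what a defensive version of the endpoint_urls normalisation and a syntactic CVSS v3/v4 vector check could look like. Function names, the allowed-scheme set and the regular expressions are hypothetical; a real implementation should defer to a CVSS library for full metric validation.

```python
# Added example, not DefectDojo code: validate endpoint URLs and CVSS vectors
# before they are stored on a Finding_Template or copied onto a Finding.
import re
from urllib.parse import urlsplit

# Only web schemes make sense for an endpoint; this rejects javascript:, data:, etc.
ALLOWED_SCHEMES = {"http", "https"}

# Syntactic check only: "CVSS:3.0/" or "CVSS:3.1/" then metric:value pairs.
CVSS3_RE = re.compile(r"^CVSS:3\.[01](?:/[A-Z]{1,3}:[A-Z])+$")
# "CVSS:4.0/" then metric:value pairs (a few v4 values are two letters).
CVSS4_RE = re.compile(r"^CVSS:4\.0(?:/[A-Z]{1,3}:[A-Z][A-Z]?)+$")


def normalize_endpoint_urls(endpoint_urls):
    """Accept a newline-separated string or a list and return (valid, rejected).

    Splitting mirrors the helper quoted in the review comment; the extra step
    is that entries without an http/https scheme and host are rejected
    instead of being stored verbatim."""
    if isinstance(endpoint_urls, str):
        candidates = [u.strip() for u in endpoint_urls.split("\n") if u.strip()]
    elif isinstance(endpoint_urls, list):
        candidates = [str(u).strip() for u in endpoint_urls if str(u).strip()]
    else:
        candidates = []
    valid, rejected = [], []
    for url in candidates:
        parts = urlsplit(url)  # urlsplit lower-cases the scheme for us
        if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
            valid.append(url)
        else:
            rejected.append(url)
    return valid, rejected


def is_valid_cvss_vector(vector, version):
    """True if `vector` is an empty optional field or a well-formed v3/v4 vector.

    `version` is 3 or 4 and selects which prefix/shape is expected, so a v3
    string submitted in the cvssv4 field is rejected rather than copied over."""
    if not vector:
        return True
    pattern = CVSS3_RE if version == 3 else CVSS4_RE
    return bool(pattern.fullmatch(vector.strip()))
```

In a Django form the two helpers would be called from clean_endpoints_text / clean_cvssv3 / clean_cvssv4 methods and raise ValidationError for any rejected entry, so the save path never sees malformed values.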
