reimport: optionally restart sla on reactivation

valentijnscholten · valentijnscholten · commit 2f1d9618b0fb · 2025-07-23T09:09:50.000+02:00
diff --git a/dojo/db_migrations/0239_sla_configuration_restart_sla_on_reactivation.py b/dojo/db_migrations/0239_sla_configuration_restart_sla_on_reactivation.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.1.8 on 2025-07-23 06:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0238_finding_fix_available'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sla_configuration',
+            name='restart_sla_on_reactivation',
+            field=models.BooleanField(default=False, help_text='When enabled, findings that were previously mitigated but are reactivated durign reimport will have their SLA period restarted.', verbose_name='Restart SLA when findings are reactivated'),
+        ),
+    ]
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -2793,10 +2793,12 @@ def __init__(self, *args, **kwargs):
             self.fields["low"].disabled = True
             self.fields["enforce_low"].disabled = True
             self.fields["low"].widget.attrs["message"] = msg
+            self.fields["restart_sla_on_reactivation"].disabled = True
+            self.fields["restart_sla_on_reactivation"].widget.attrs["message"] = msg
 
     class Meta:
         model = SLA_Configuration
-        fields = ["name", "description", "critical", "enforce_critical", "high", "enforce_high", "medium", "enforce_medium", "low", "enforce_low"]
+        fields = ["name", "description", "critical", "enforce_critical", "high", "enforce_high", "medium", "enforce_medium", "low", "enforce_low", "restart_sla_on_reactivation"]
 
 
 class DeleteSLAConfigForm(forms.ModelForm):
diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py
@@ -498,6 +498,10 @@ def process_matched_mitigated_finding(
         component_version = getattr(unsaved_finding, "component_version", None)
         existing_finding.component_name = existing_finding.component_name or component_name
         existing_finding.component_version = existing_finding.component_version or component_version
+        if existing_finding.get_sla_configuration().restart_sla_on_reactivation:
+            # restart the sla start date to the current date, finding.save() will set new sla_expiration_date
+            existing_finding.sla_start_date = self.now
+
         existing_finding.save(dedupe_option=False)
         # don't dedupe before endpoints are added
         existing_finding.save(dedupe_option=False)
diff --git a/dojo/models.py b/dojo/models.py
@@ -1033,6 +1033,10 @@ class SLA_Configuration(models.Model):
         default=True,
         verbose_name=_("Enforce Low Finding SLA Days"),
         help_text=_("When enabled, low findings will be assigned an SLA expiration date based on the low finding SLA days within this SLA configuration."))
+    restart_sla_on_reactivation = models.BooleanField(
+        default=False,
+        verbose_name=_("Restart SLA when findings are reactivated"),
+        help_text=_("When enabled, findings that were previously mitigated but are reactivated durign reimport will have their SLA period restarted."))
     async_updating = models.BooleanField(
         default=False,
         help_text=_("Findings under this SLA configuration are asynchronously being updated"))
@@ -3104,8 +3108,11 @@ def get_sla_start_date(self):
             return self.sla_start_date
         return self.date
 
+    def get_sla_configuration(self):
+        return self.test.engagement.product.sla_configuration
+
     def get_sla_period(self):
-        sla_configuration = self.test.engagement.product.sla_configuration
+        sla_configuration = self.get_sla_configuration()
         sla_period = getattr(sla_configuration, self.severity.lower(), None)
         enforce_period = getattr(sla_configuration, str("enforce_" + self.severity.lower()), None)
         return sla_period, enforce_period
diff --git a/unittests/test_import_reimport.py b/unittests/test_import_reimport.py
@@ -1,9 +1,11 @@
-import datetime
-
 # from unittest import skip
 import logging
+import zoneinfo
+from datetime import datetime
 from pathlib import Path
+from unittest.mock import patch
 
+from dateutil.relativedelta import relativedelta
 from django.test import override_settings
 from django.test.client import Client
 from django.urls import reverse
@@ -777,13 +779,20 @@ def test_import_0_reimport_1_active_not_verified(self):
     # - active findings count should be 4
     # - total  findings count should be 5
     # - zap1 active, zap4 inactive
-    def test_import_0_reimport_1_active_verified_reimport_0_active_verified(self):
+    # - zap1 is reactivated but should not have a new sla start date and expiration date
+    def test_import_0_reimport_1_active_verified_reimport_0_active_verified_sla_no_restart(self):
         logger.debug("reimporting updated zap xml report, 1 new finding and 1 no longer present, verified=True and then 0 again")
 
         import0 = self.import_scan_with_params(self.zap_sample0_filename)
 
         test_id = import0["test"]
         findings = self.get_test_findings_api(test_id)
+
+        for finding in findings["results"]:
+            if "Zap1" in finding["title"]:
+                zap1_initial_sla_start_date = finding["sla_start_date"]
+                zap1_initial_sla_expiration_date = finding["sla_expiration_date"]
+
         self.log_finding_summary_json_api(findings)
 
         self.db_finding_count()
@@ -820,6 +829,8 @@ def test_import_0_reimport_1_active_verified_reimport_0_active_verified(self):
         for finding in findings["results"]:
             if "Zap1" in finding["title"]:
                 self.assertTrue(finding["active"])
+                self.assertEqual(finding["sla_start_date"], zap1_initial_sla_start_date)
+                self.assertEqual(finding["sla_expiration_date"], zap1_initial_sla_expiration_date)
                 zap1_ok = True
             if "Zap4" in finding["title"]:
                 self.assertFalse(finding["active"])
@@ -845,6 +856,90 @@ def test_import_0_reimport_1_active_verified_reimport_0_active_verified(self):
         # zap4 was created and then closed -> only 1 note
         self.assertEqual(notes_count_before + 2 + 1, self.db_notes_count())
 
+    # import 0 and then reimport 1 with zap4 as extra finding, zap1 closed and then reimport 0 again
+    # - active findings count should be 4
+    # - total  findings count should be 5
+    # - zap1 active, zap4 inactive
+    # - zap1 is reactivated and should have a new sla start date and expiration date since we enabled that flag in the test case
+    @patch("django.utils.timezone.now")
+    def test_import_0_reimport_1_active_verified_reimport_0_active_verified_sla_restart(self, mock_now):
+        fake_now = datetime(2025, 7, 1, tzinfo=zoneinfo.ZoneInfo("UTC"))
+        mock_now.return_value = fake_now
+        logger.debug("reimporting updated zap xml report, 1 new finding and 1 no longer present, verified=True and then 0 again")
+
+        import0 = self.import_scan_with_params(self.zap_sample0_filename)
+
+        test_id = import0["test"]
+        findings = self.get_test_findings_api(test_id)
+
+        for finding in findings["results"]:
+            if "Zap1" in finding["title"]:
+                finding["sla_start_date"]
+                finding["sla_expiration_date"]
+                zap1 = Finding.objects.get(id=finding["id"])
+                sla_configuration = zap1.get_sla_configuration()
+                sla_configuration.restart_sla_on_reactivation = True
+                sla_configuration.save()
+
+        self.log_finding_summary_json_api(findings)
+
+        self.db_finding_count()
+        endpoint_count_before = self.db_endpoint_count()
+        endpoint_status_count_before_active = self.db_endpoint_status_count(mitigated=False)
+        endpoint_status_count_before_mitigated = self.db_endpoint_status_count(mitigated=True)
+        notes_count_before = self.db_notes_count()
+
+        reimport1 = self.reimport_scan_with_params(test_id, self.zap_sample1_filename)
+
+        # zap1 should be closed 2 endpoint statuses less, but 2 extra for zap4
+        self.assertEqual(endpoint_status_count_before_active - 3 + 2, self.db_endpoint_status_count(mitigated=False))
+        self.assertEqual(endpoint_status_count_before_mitigated + 2, self.db_endpoint_status_count(mitigated=True))
+
+        endpoint_status_count_before_active = self.db_endpoint_status_count(mitigated=False)
+        endpoint_status_count_before_mitigated = self.db_endpoint_status_count(mitigated=True)
+
+        with assertTestImportModelsCreated(self, reimports=1, affected_findings=2, closed=1, reactivated=1, untouched=3):
+            self.reimport_scan_with_params(test_id, self.zap_sample0_filename)
+
+        test_id = reimport1["test"]
+        self.assertEqual(test_id, test_id)
+
+        self.get_test_api(test_id)
+        findings = self.get_test_findings_api(test_id)
+        self.log_finding_summary_json_api(findings)
+
+        # active findings must be equal to those in both reports
+        findings = self.get_test_findings_api(test_id)
+        self.assert_finding_count_json(4 + 1, findings)
+
+        for finding in findings["results"]:
+            if "Zap1" in finding["title"]:
+                self.assertTrue(finding["active"])
+                self.assertEqual(finding["sla_start_date"], fake_now.date().isoformat())
+                sla_days = finding["severity"].lower()
+                sla_config = Finding.objects.get(id=finding["id"]).test.engagement.product.sla_configuration
+                sla_expiration_date = fake_now.date() + relativedelta(days=getattr(sla_config, sla_days))
+                self.assertEqual(finding["sla_expiration_date"], sla_expiration_date.isoformat())
+            else:
+                self.assertIsNone(finding["sla_start_date"])
+
+        # verified findings must be equal to those in report 0
+        findings = self.get_test_findings_api(test_id, verified=True)
+        self.assert_finding_count_json(0, findings)
+
+        findings = self.get_test_findings_api(test_id, verified=False)
+        self.assert_finding_count_json(5, findings)
+
+        self.assertEqual(endpoint_count_before, self.db_endpoint_count())
+
+        # zap4 should be closed again so 2 mitigated eps, zap1 should be open again so 3 active extra
+        self.assertEqual(endpoint_status_count_before_active + 3 - 2, self.db_endpoint_status_count(mitigated=False))
+        self.assertEqual(endpoint_status_count_before_mitigated - 3 + 2, self.db_endpoint_status_count(mitigated=True))
+
+        # zap1 was closed and then opened -> 2 notes
+        # zap4 was created and then closed -> only 1 note
+        self.assertEqual(notes_count_before + 2 + 1, self.db_notes_count())
+
     # import 0 and then reimport 2 with an extra endpoint for zap1
     # - extra endpoint should be present in db
     # - reimport doesn't look at endpoints to match against existing findings
@@ -1522,8 +1617,8 @@ def test_import_reimport_vulnerability_ids(self):
             engagement=test.engagement,
             test_type=test_type,
             scan_type=self.anchore_grype_scan_type,
-            target_start=datetime.datetime.now(datetime.UTC),
-            target_end=datetime.datetime.now(datetime.UTC),
+            target_start=datetime.now(timezone.get_current_timezone()),
+            target_end=datetime.now(timezone.get_current_timezone()),
         )
         reimport_test.save()
 
