feat(finding): pluggable false-positive-history candidate filter#15155

Draft
valentijnscholten wants to merge 1 commit into
DefectDojo:feat/cwe-vuln-id-consolidationfrom
valentijnscholten:feat/false-positive-history-hook

Conversation

@valentijnscholten

@valentijnscholten valentijnscholten commented Jul 4, 2026

Member

🔗 PR stack — CWE / vulnerability-ID consolidation (OSS)

dev
└─ #15145  feat: autodetected vulnerability-ID type + uniqueness constraint
   └─ #15143  feat: multiple CWEs per finding
      ├─ #15154  docs: Pro set-based dedup hash-code fields
      └─ #15155  feat: pluggable false-positive-history candidate filter

Merge bottom-up: #15145 → #15143 → (#15154, #15155). 👉 This PR: #15155


Adds FINDING_FALSE_POSITIVE_HISTORY_CANDIDATE_FILTER_METHOD, a plugin hook in do_false_positive_history_batch. After the per-finding candidate list is resolved by the deduplication algorithm, it is passed through the configured method before the false-positive decision, letting a plugin (Pro) narrow candidates by fields that are excluded from the hash string but compared per pair (set-match tokens on vulnerability_ids / CWEs). Resolved once via get_custom_method; a no-op when unset, so default behavior is unchanged.

Mirrors the existing FINDING_DEDUPE_BATCH_METHOD pattern. Covers the batch path (import, reimport, bulk-edit, async importer). The edit-view reactivation path (match_finding_to_existing_findings) is unchanged and can be a follow-up.

Tests (unittests/test_false_positive_history_logic.py): hook can suppress matches (drops candidates → no FP replication) and passthrough matches the default path.

Add FINDING_FALSE_POSITIVE_HISTORY_CANDIDATE_FILTER_METHOD hook to
do_false_positive_history_batch. When configured, the per-finding candidate
list resolved by the deduplication algorithm is passed through the plugin
method before the FP decision, letting a plugin (Pro) narrow candidates by
fields excluded from the hash string but compared per pair (set-match tokens
on vulnerability_ids / CWEs). Resolved once via get_custom_method; a no-op
when unset, so default behavior is unchanged.

Tests: hook can suppress matches (drops candidates -> no FP replication) and
passthrough matches the default path.
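The hook described above, shown as an added example in Python. This is not DefectDojo code and not the PR's implementation: the `Finding` stand-in (only `hash_code`, `false_p`, `vulnerability_ids`, `cwes`), the dotted-path resolver standing in for `get_custom_method`, the per-pair set-match rule (a field only rules a candidate out when both sides carry tokens and the sets are disjoint), and the function names are all assumptions made for illustration. It shows the two behaviours the PR's tests describe: with the setting unset the hook is a no-op and a hash-code match alone replicates the false-positive flag; with a set-match filter configured, a candidate that shares the hash but disagrees on vulnerability IDs / CWEs is dropped, so no FP replication happens.

```python
"""Added example, not DefectDojo project code: a hypothetical set-match
candidate filter for the FINDING_FALSE_POSITIVE_HISTORY_CANDIDATE_FILTER_METHOD
hook, plus a minimal stand-in for the batch false-positive decision."""
from __future__ import annotations

import importlib
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Finding:
    """Stand-in for a DefectDojo Finding; only the fields this example needs (assumed shape)."""
    id: int
    hash_code: str
    false_p: bool = False
    vulnerability_ids: frozenset = field(default_factory=frozenset)
    cwes: frozenset = field(default_factory=frozenset)


# Assumed hook signature: (new finding, candidate list) -> narrowed candidate list.
CandidateFilter = Callable[[Finding, list], list]


def _tokens_compatible(a: frozenset, b: frozenset) -> bool:
    """Assumed per-pair rule: a field only rules a pair out when both sides carry
    tokens and the sets are disjoint; an empty side has nothing to compare."""
    return not a or not b or bool(a & b)


def set_match_candidate_filter(new_finding: Finding, candidates: list) -> list:
    """Hypothetical plugin method: narrow the hash-based candidates by the fields
    that are excluded from the hash string but compared per pair."""
    return [
        c for c in candidates
        if _tokens_compatible(new_finding.vulnerability_ids, c.vulnerability_ids)
        and _tokens_compatible(new_finding.cwes, c.cwes)
    ]


def resolve_candidate_filter(dotted_path: Optional[str]) -> Optional[CandidateFilter]:
    """Resolve the setting once by dotted path (stand-in for get_custom_method);
    returns None when the setting is unset so the caller can skip the hook."""
    if not dotted_path:
        return None
    module_name, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def is_false_positive(new_finding: Finding, existing: list,
                      candidate_filter: Optional[CandidateFilter]) -> bool:
    """Stand-in for the batch FP decision: candidates are the existing findings with
    the same hash_code; the hook runs after that lookup and before the decision.
    With no filter configured the candidate list is used as-is (default behaviour)."""
    candidates = [f for f in existing if f.hash_code == new_finding.hash_code]
    if candidate_filter is not None:
        candidates = candidate_filter(new_finding, candidates)
    return any(c.false_p for c in candidates)


def run_example() -> dict:
    # Constructed sample data: one historic false positive sharing a hash with two new findings.
    historic = [Finding(id=1, hash_code="h1", false_p=True,
                        vulnerability_ids=frozenset({"CVE-2024-0001"}), cwes=frozenset({79}))]
    # Same hash, but a different CVE and a different CWE: the set-match filter drops it.
    other_vuln = Finding(id=2, hash_code="h1",
                         vulnerability_ids=frozenset({"CVE-2024-0002"}), cwes=frozenset({89}))
    # Same hash and same CVE, no CWE recorded: compatible, so FP history still applies.
    same_vuln = Finding(id=3, hash_code="h1", vulnerability_ids=frozenset({"CVE-2024-0001"}))

    unset = resolve_candidate_filter(None)
    configured = resolve_candidate_filter(f"{__name__}.set_match_candidate_filter")
    return {
        "default_other_vuln": is_false_positive(other_vuln, historic, unset),
        "default_same_vuln": is_false_positive(same_vuln, historic, unset),
        "filtered_other_vuln": is_false_positive(other_vuln, historic, configured),
        "filtered_same_vuln": is_false_positive(same_vuln, historic, configured),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name}: {result}")
```

The `_tokens_compatible` rule is the part a real plugin has to get right: treating an empty side as "no opinion" keeps findings from scanners that emit no CVE or CWE eligible for FP history, while a stricter rule (require a non-empty intersection) would silently disable FP replication for them.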