feat(api): add bulk finding update endpoint#15240
Open
npeham wants to merge 2 commits into
Open
Conversation
Add PATCH /api/v2/findings/bulk/ to update an allowlisted set of fields (epss_score, epss_percentile, known_exploited, ransomware_used, kev_date) on many findings in a single atomic request. This closes the performance and atomicity gap for programmatic EPSS/KEV enrichment described in issue DefectDojo#13900, where updating many findings previously required one API call per finding. Behaviour: - Body: {"findings": [{"id": 123, "epss_score": 0.42, ...}, ...]}, max 200 findings per request. - Unknown fields, unknown/duplicate ids, invalid values and over-limit batches are rejected with a 400. - Edit permission is checked per finding; if the user cannot edit any one of them the whole batch is rejected with a 403 and rolled back (the work runs in a single transaction). - Findings are never pushed to JIRA from this endpoint. - Updates are plain row writes, so the pghistory audit trail is recorded exactly as for a normal PATCH; the irrelevant dedupe/JIRA/grading post-processing is skipped for performance. Add unit/API tests covering the happy path, validation, the per-request limit, atomic rollback on a permission failure, and audit history. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015aePDGyHBoxvfpz2iHGmtH
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the bulk finding-update capability requested in DefectDojo issue #13900 (bulk create/update/delete API for Findings). This PR delivers the update slice, scoped to a narrow, allowlisted set of threat-intelligence fields.
Description
Adds a new endpoint
PATCH /api/v2/findings/bulk/that updates many findings in a single atomic request, closing the performance and atomicity gap that today forces one API call per finding when enriching EPSS/KEV metadata programmatically.Design (as discussed in the issue):
{"findings": [{"id": 123, "epss_score": 0.42, ...}, ...]}, at most 200 findings per request.epss_score,epss_percentile,known_exploited,ransomware_used,kev_datemay be set. Any other field is rejected — the endpoint can never be used to mass-edit severity, status or ownership.[0, 1]), empty list, and over-limit batches all return400with a clear message.UserHasFindingPermissionobject permission. If the user cannot edit any referenced finding, the entire batch is rejected with403and rolled back — the whole operation runs in onetransaction.atomic()block.push_to_jira=False).Implementation:
dojo/finding/api/serializer.py:FindingBulkUpdateSerializer+FindingBulkUpdateFieldsSerializer, plus theBULK_UPDATE_ALLOWED_FIELDS/BULK_UPDATE_MAX_FINDINGSconstants.dojo/finding/api/views.py: abulk_updateaction onFindingViewSet(detail=False,url_path="bulk") with a fully documented@extend_schema.Test results
Added
unittests/test_finding_bulk_update_api.py(13 tests) covering the happy path, response shape, per-field validation, the per-request limit, atomic rollback on a permission failure, unauthenticated access, and that a bulk update produces a pghistory audit event just like a normal PATCH.All 13 new tests pass, and the existing
unittests.test_rest_framework.FindingsTest(27 tests) andunittests.test_apiv2_methods_and_endpointssuites still pass. The generated OpenAPI schema includes the new endpoint and validates cleanly (no drf-spectacular warnings). Ruff-compliant.Documentation
The endpoint is self-documenting via its
@extend_schemarequest/response and docstring, so it appears in the auto-generated OpenAPI/Swagger API docs. No separate docs-folder page is required for a new API action.Checklist
ruff.toml).Finding).Extra information
Suggested labels:
enhancement,performance,feature.