Finding Template applied only partially for new findings

[valentijnscholten]

Is your feature request related to a problem? Please describe
Based on a Slack discussion that found out that tags from tempalte are not applied to new findings:
https://owasp.slack.com/archives/C2P5BA8MN/p1739915838994189

When a finding template gets matched on creation of a new finding, only part of the template fields are applied.

The code only applies:

• impact
• mitigation
• references
  

  django-DefectDojo/dojo/utils.py

  Lines 1761 to 1768 in 73af855

  	if template:
  	finding.mitigation = template.mitigation
  	finding.impact = template.impact
  	finding.references = template.references
  	template.last_used = timezone.now()
  	template.save()
  	return finding

But the template contains more fields like:

• tags
• description
• cwe
• vulnerability ids
• CVSS
• severity

Describe the solution you'd like
It would be easy to add the tags from the template to the finding, but a more broader question is what to do with the other fields and if we still want to support this type of template matching.

[valentijnscholten]

We've discussed this internally, and realized this "auto template matching feature" is incomplete and stems from the days where most findings were manually entered into DefectDojo. In these days the CWE was the main reference to decide what the mitigation (text) and other fields should be. The auto matching was never fully completed and is an undocumented experimental feature. It is less useful in a world where recurring/automated/rich scan reports dictate most of the Defect Dojo landscape.

Defect Dojo has a rich API where this functionality (and more) can be achieved in a more flexible way. At the moment there are no plans to enhance the auto matching finding template feature and it might be deprecated in a future version of Defect Dojo.