use tags.add() instead of tags.set() on reimport (#14459)

paulOsinski · Maffooch · web-flow · commit aff8d4a4af00 · 2026-03-09T10:13:20.000-06:00
* change logic to add tags instead of set

* update unit tests

* ruff

---------

Co-authored-by: Cody Maffucci &lt;46459665+Maffooch@users.noreply.github.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -149,3 +149,6 @@ docs/.devcontainer/Dockerfile
 docs/LICENSE
 docs/.hugo_build.lock
 .cursor-rules
+
+# claude etc
+MEMORY.md
diff --git a/dojo/importers/default_importer.py b/dojo/importers/default_importer.py
@@ -243,9 +243,9 @@ def process_findings(
             # Parsers must use unsaved_tags to store tags, so we can clean them
             cleaned_tags = clean_tags(finding.unsaved_tags)
             if isinstance(cleaned_tags, list):
-                finding.tags.set(cleaned_tags)
+                finding.tags.add(*cleaned_tags)
             elif isinstance(cleaned_tags, str):
-                finding.tags.set([cleaned_tags])
+                finding.tags.add(cleaned_tags)
             # Process any files
             self.process_files(finding)
             # Process vulnerability IDs
diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py
@@ -945,9 +945,9 @@ def finding_post_processing(
         if finding_from_report.unsaved_tags:
             cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
             if isinstance(cleaned_tags, list):
-                finding.tags.set(cleaned_tags)
+                finding.tags.add(*cleaned_tags)
             elif isinstance(cleaned_tags, str):
-                finding.tags.set([cleaned_tags])
+                finding.tags.add(cleaned_tags)
         # Process any files
         if finding_from_report.unsaved_files:
             finding.unsaved_files = finding_from_report.unsaved_files
diff --git a/unittests/test_tags.py b/unittests/test_tags.py
@@ -279,6 +279,7 @@ def setUp(self):
         self.zap_sample5_filename = get_unit_tests_scans_path("zap") / "5_zap_sample_one.xml"
         self.generic_sample_with_tags_filename = get_unit_tests_scans_path("generic") / "generic_report1.json"
         self.generic_sample_with_more_tags_filename = get_unit_tests_scans_path("generic") / "generic_report1_more_tags.json"
+        self.trivy_filename = get_unit_tests_scans_path("trivy") / "scheme_2_many_vulns.json"
 
     def test_import_and_reimport_with_tags(self):
         """Test that tags passed as import parameter are applied to the test."""
@@ -304,6 +305,54 @@ def test_import_and_reimport_with_tags(self):
         for tag in tags:
             self.assertIn(tag, response["tags"])
 
+    def test_manually_set_tags_preserved_on_reimport(self):
+        """
+        Manually set tags on findings must survive a reimport.
+
+        Regression test for finding_post_processing() using tags.set() instead of
+        tags.add(), which caused manually-set tags to be silently wiped when reimporting
+        with parsers that populate unsaved_tags (Trivy, SARIF, SonarQube, etc.).
+        """
+        # 1. Import a Trivy scan
+        import0 = self.import_scan_with_params(
+            self.trivy_filename,
+            scan_type="Trivy Scan",
+            minimum_severity="Info",
+        )
+        test_id = import0["test"]
+
+        # 2. Fetch findings and manually tag each one with "bla_bla"
+        findings_before = self.get_test_findings_api(test_id)["results"]
+        self.assertGreater(len(findings_before), 0, "Expected findings from Trivy scan")
+        for finding in findings_before:
+            self.patch_finding_api(finding["id"], {"tags": ["bla_bla"]})
+
+        # 3. Confirm the tag was applied before reimport
+        findings_before = self.get_test_findings_api(test_id)["results"]
+        for finding in findings_before:
+            self.assertIn(
+                "bla_bla",
+                finding["tags"],
+                f"Tag 'bla_bla' was not set on finding {finding['id']} before reimport",
+            )
+
+        # 4. Reimport the same scan
+        self.reimport_scan_with_params(
+            test_id,
+            self.trivy_filename,
+            scan_type="Trivy Scan",
+            minimum_severity="Info",
+        )
+
+        # 5. Confirm manually set tags survived — reimport must not overwrite them
+        findings_after = self.get_test_findings_api(test_id)["results"]
+        for finding in findings_after:
+            self.assertIn(
+                "bla_bla",
+                finding["tags"],
+                f"Manually set tag 'bla_bla' was overwritten on finding {finding['id']} during reimport",
+            )
+
     def test_import_report_with_tags(self):
         """Test that parser-generated tags on findings are preserved during import/reimport."""
         def assert_tags_in_findings(findings: list[dict], expected_finding_count: int, desired_tags: list[str]) -> None:
