Generate DOCX report broken for existing findings with empty affected entities #437

Open
smcgu opened this issue May 16, 2024 · 3 comments

smcgu commented May 16, 2024

Describe the bug

Generating DOCX reports is broken for findings with empty affected entities. After upgrading from v4.1.0 to v4.2.0, generating a DOCX report is broken when findings have empty affected entities. The error is "Error at the affected entities section of finding REDACTED: Invalid template operation: expected string or bytes-like object".

Opening the affected findings and saving them (with no changes) resolves the errors. So, there is something broken or changed from v4.1.0 to v4.2.0.

To Reproduce

Steps to reproduce the error:

  1. Upgrade Ghostwriter from v4.1.0 to v4.2.0
  2. Open report
  3. Navigate to Generate tab
  4. Generate report -> Error

Steps to clear error:

  1. Navigate to Findings tab
  2. Open affected finding
  3. Submit (to save the finding)
  4. Repeat for other findings
  5. Navigate to Generate tab
  6. Generate report

Expected Behavior

Findings with empty affected entities should not require them to be saved, again, after upgrade.

  1. Upgrade Ghostwriter from v4.1.0 to v4.2.0
  2. Open report
  3. Navigate to Generate tab
  4. Generate report -> no error

Screenshots

Available if needed.

Server Specs:

  • OS: Ubuntu 22.04
  • Docker: Docker version 26.1.1, build 4cf5afa
  • Docker Compose: Docker Compose version v2.27.0
  • Ghostwriter: v4.2.0, released 15 May 2024

Additional context

Reverting to v4.1.0 (and restoring backup postgres) resolves the issue.

smcgu added the bug (Something isn't working) label May 16, 2024

chrismaddalena (Collaborator) commented

Hey @smcgu, as I mentioned in your other issue, it's best to use the code in main or the latest archive of the latest release. The v4.2 development branch is not ready for production use right now.

How did you load these findings into the database? If opening the finding and saving it without making any changes resolves the problem, that suggests the database entry is in a bad state with fields set to null that should never be null. When you save the finding, Ghostwriter fixes the bad fields by setting them to blank (not null). I can only reproduce this issue if I manually edit the database to null a field.
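The null-versus-blank state described in the comment above, as an added example that is not part of the thread or of Ghostwriter's code: a pre-generation check that lists text fields stored as NULL, shows the resulting `TypeError`, and normalizes them to blank. The table and column names, `render_field`, and the use of in-memory SQLite instead of PostgreSQL are assumptions, and the rows are constructed sample data.

```python
import re
import sqlite3

# Hypothetical names for illustration; not Ghostwriter's schema or code.
TEXT_FIELDS = ("affected_entities", "description")  # fixed allow-list, never user input

def render_field(value):
    """Stand-in for a report step that runs a regex over a rich-text field."""
    return re.sub(r"<[^>]+>", "", value)  # raises TypeError when value is None

def build_sample_db():
    """Constructed sample data: findings 2 and 3 each hold one NULL text field."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report_finding (id INTEGER PRIMARY KEY, "
                 "title TEXT NOT NULL, affected_entities TEXT, description TEXT)")
    conn.executemany("INSERT INTO report_finding VALUES (?, ?, ?, ?)", [
        (1, "Weak TLS configuration", "<p>10.0.0.5</p>", "<p>text</p>"),
        (2, "Default credentials", None, "<p>text</p>"),
        (3, "Missing security headers", "", None),
    ])
    return conn

def find_null_fields(conn):
    """Return sorted (finding_id, field) pairs stored as NULL rather than ''."""
    sql = "SELECT id FROM report_finding WHERE {} IS NULL"
    return sorted((r[0], f) for f in TEXT_FIELDS for r in conn.execute(sql.format(f)))

def render_failures(conn):
    """Return (finding_id, error) for findings whose affected entities fail to render."""
    failed = []
    for fid, value in conn.execute("SELECT id, affected_entities FROM report_finding"):
        try:
            render_field(value)
        except TypeError as exc:
            failed.append((fid, str(exc)))
    return failed

def normalize_null_fields(conn):
    """Set NULL text fields to blank and return how many values changed."""
    changed = 0
    for field in TEXT_FIELDS:
        sql = f"UPDATE report_finding SET {field} = '' WHERE {field} IS NULL"
        changed += conn.execute(sql).rowcount
    conn.commit()
    return changed

if __name__ == "__main__":
    db = build_sample_db()
    print(find_null_fields(db), render_failures(db), normalize_null_fields(db))
```

A blank string renders cleanly while NULL does not, which is why a nullable text column needs either a data migration or a `None` guard at render time.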


smcgu commented May 16, 2024

These findings were added to the findings library, added to the report, and edited in the Ghostwriter web UI. They were added to the report weeks ago and edited within Ghostwriter. There was no manual manipulation of the report findings through scripted API calls and no direct access of the database.

As mentioned, the findings and report generation work fine with v4.1.0, but are broken after upgrading to the latest v4.2.0 on the v4-1-dev branch.

The only possible thing that I can think of is that a few days ago I performed a bulk export and import of the findings library. However, report generation still works fine on v4.1.0 and my very limited understanding is that this process should only affect the findings library, not findings already added to reports and their affected entities fields.


This issue has been labeled as stale because it has been open for 30 days with no activity.

github-actions bot added the stale label Jun 15, 2024