DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Multiple CWEs on a single Finding #7126

Open njv299 opened 2 years ago

njv299 commented 2 years ago

Some scan types parsed by DefectDojo are able to specify multiple CWEs for a single issue/vulnerability. For example, the Snyk scan format contains an identifiers.CWE field that contains a list of CWE IDs which apply to each identified vulnerability. Currently, this information is either lost during parsing or injected as a supplemental string in the references section.

For example, the sample Snyk scan found at django-DefectDojo/unittests/scans/snyk/single_project_many_vulns.json contains multiple CWEs on the first listed vulnerability:

{
  "vulnerabilities": [
    {
      "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "alternativeIds": [],
      "creationTime": "2019-05-29T13:04:45.907245Z",
      "credit": [
        "JLLeitschuh"
      ],
      "cvssScore": 5.6,
      "description": "...<snip>...",
      "disclosureTime": "2019-02-22T12:35:55Z",
      "exploit": "Not Defined",
      "fixedIn": [
        "1.75"
      ],
      "functions": [],
      "functions_new": [],
      "id": "SNYK-JAVA-COMBEUST-174815",
      "identifiers": {
        "CVE": [],
        "CWE": [
          "CWE-494",
          "CWE-829"
        ]
      },
   ...

When this is parsed, though, only the first CWE (CWE-494) is captured in the Finding.cwe field. The other CWE is only mentioned in the Finding.external_references field via a string like 'Several CWEs were reported: 494, 829' (although this also isn't working due to issue #7125). This is useful, but doesn't permit the full DefectDojo feature set to be used for CWE-829.

Ideally, I think the Finding model should contain a cwes field instead of a simple cwe field. The cwes field would be a list of integers representing all CWE IDs relevant to the Finding.

This model change would also require:
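The two behaviours described in the comment above, side by side, as an added illustration that is not DefectDojo's own Snyk parser or Finding model: a small normaliser for the Snyk identifiers.CWE list, a FindingToday shape that keeps only the first CWE and pushes the rest into a reference string (mirroring the 'Several CWEs were reported: ...' text the issue quotes), and a FindingProposed shape with the cwes list of integers the issue asks for. The sample JSON is constructed from the fields shown in the issue plus two hypothetical entries (SNYK-EXAMPLE-1 and SNYK-EXAMPLE-2) so the empty-list and malformed-ID cases are exercised; it is not the full unittests/scans/snyk/single_project_many_vulns.json file, and the dataclass field names are illustrative rather than the real model's.

```python
"""Illustrative Snyk identifiers.CWE handling: current vs proposed shape.

Added example, not DefectDojo project code. Field names on the two dataclasses
are assumptions chosen to mirror the issue text, not the real Finding model.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample report, trimmed to the fields this example needs.
# The first entry copies the identifiers shown in the issue; the other two
# are hypothetical and exist only to exercise edge cases.
SAMPLE_SNYK_JSON = json.dumps({
    "vulnerabilities": [
        {
            "id": "SNYK-JAVA-COMBEUST-174815",
            "identifiers": {"CVE": [], "CWE": ["CWE-494", "CWE-829"]},
        },
        {
            "id": "SNYK-EXAMPLE-1",  # hypothetical: no CWE at all
            "identifiers": {"CVE": [], "CWE": []},
        },
        {
            "id": "SNYK-EXAMPLE-2",  # hypothetical: messy list, missing CVE key
            "identifiers": {"CWE": ["cwe-79", "CWE-79", "CWE-bogus", 20]},
        },
    ]
})

# Accepts "CWE-494", "cwe-494", "494" or a bare int; anything else is dropped.
_CWE_RE = re.compile(r"^\s*(?:CWE-)?(\d+)\s*$", re.IGNORECASE)


def parse_cwe_ids(raw_ids) -> List[int]:
    """Normalise a Snyk identifiers.CWE list to unique integer IDs, in order.

    One unparseable entry is skipped rather than failing the whole import, so
    a single bad value in a large report cannot block every other finding.
    """
    seen: List[int] = []
    for item in raw_ids or []:
        m = _CWE_RE.match(str(item))
        if not m:
            continue
        cwe = int(m.group(1))
        if cwe not in seen:
            seen.append(cwe)
    return seen


@dataclass
class FindingToday:
    """Current shape as the issue describes it: a single integer cwe field."""
    vuln_id: str
    cwe: int = 0                 # 0 stands for "no CWE" in this example
    external_references: str = ""


@dataclass
class FindingProposed:
    """Shape proposed in the issue: a list of every relevant CWE ID."""
    vuln_id: str
    cwes: List[int] = field(default_factory=list)


def to_finding_today(vuln: dict) -> FindingToday:
    """Current behaviour: the first CWE wins, the rest survive only as text."""
    cwes = parse_cwe_ids(vuln.get("identifiers", {}).get("CWE"))
    finding = FindingToday(vuln_id=vuln["id"], cwe=cwes[0] if cwes else 0)
    if len(cwes) > 1:
        finding.external_references = (
            "Several CWEs were reported: " + ", ".join(str(c) for c in cwes)
        )
    return finding


def to_finding_proposed(vuln: dict) -> FindingProposed:
    """Proposed behaviour: every CWE kept as a first-class integer."""
    return FindingProposed(
        vuln_id=vuln["id"],
        cwes=parse_cwe_ids(vuln.get("identifiers", {}).get("CWE")),
    )


def parse_report(text: str) -> Tuple[List[FindingToday], List[FindingProposed]]:
    """Parse a Snyk-style JSON report into both finding shapes for comparison."""
    vulns = json.loads(text).get("vulnerabilities", [])
    return ([to_finding_today(v) for v in vulns],
            [to_finding_proposed(v) for v in vulns])


if __name__ == "__main__":
    today, proposed = parse_report(SAMPLE_SNYK_JSON)
    for t, p in zip(today, proposed):
        print(f"{t.vuln_id}: today cwe={t.cwe} refs={t.external_references!r}; "
              f"proposed cwes={p.cwes}")
```

Running the block shows why the list matters: for SNYK-JAVA-COMBEUST-174815 the current shape keeps only 494 and reduces 829 to free text, while the proposed shape keeps [494, 829] and lets both IDs participate in any CWE-based filtering or reporting; the hypothetical third entry shows the normaliser deduplicating, accepting mixed case and a bare integer, and discarding an entry with no numeric ID.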

manuel-sommer commented 9 months ago

https://github.com/DefectDojo/django-DefectDojo/blob/d698a7a1ff2a914754a541140b236dd3092d7e8e/dojo/tools/microfocus_webinspect/parser.py#L61