refactor(finding): Reorganize finding into self-contained dojo/finding/ package [5/10]

[valentijnscholten]

Stacked PRs

This is one of a stacked series that reorganizes dojo/ into self-contained dojo/{module}/ packages (matching the dojo/url/ reference). They are stacked — each PR is based on the previous one — so review and merge bottom-up in this order:

1. refactor(product_type): Extra ProductType models into dojo/product_type/ module [1/10] #14970 — product_type
2. refactor(test): Extract Test models into dojo/test/ module [2/10] #14971 — test
3. refactor(engagement): Extract Test models into dojo/test/ module [3/10] #14972 — engagement
4. refactor(product): Extract Product module into dojo/product/ [4/10] #14973 — product
5. refactor(finding): Reorganize finding into self-contained dojo/finding/ package [5/10] #14974 — finding (+ CWE & BurpRawRequestResponse fold-in) ◀ this PR
6. refactor(reorg): extract user + system_settings modules [6/10] #14981 — peripheral: user + system_settings
7. refactor(reorg): extract endpoint + tool_type/tool_config/tool_product modules [7/10] #14982 — peripheral: endpoint + tool_type/tool_config/tool_product
8. refactor(reorg): extract survey + benchmark modules [8/10] #14983 — peripheral: survey + benchmark
9. refactor(reorg): extract notes/note_type/file_uploads/reports/risk_acceptance [9/10] #14986 — peripheral: notes/note_type + file_uploads + reports + risk_acceptance
10. refactor(reorg): extract regulations/banner/announcement/development_environment/object [10/10] #14987 — peripheral: regulations + banner + announcement + development_environment + object

Merge #14970 first; each following branch is rebased onto the updated base and merged in turn. PRs 6–10 (draft, head branches on the DefectDojo upstream repo) continue the stack on top of #14974 — full implementation brief is the Phase 10 section in AGENTS.md.

Summary

Reorganizes the Finding domain (the largest module) into a self-contained dojo/finding/ package with ui/ and api/ sub-packages, matching the dojo/url/ reference layout. Pure code-movement: no behaviour or migration changes; backward-compat re-exports keep external consumers working.

Models

• Move Finding (+ custom FindingAdmin), Vulnerability_Id, Finding_Group, Finding_Template into dojo/finding/{models,admin}.py.
• Cross-module FKs use string references; downstream references use method-body lazy imports.
• Field-default callables (get_current_date, etc.) are imported from dojo.models to preserve their module path for migration serialization (no spurious migration).
• Preserves a load-bearing parse_cvss_data re-export whose import side-effect registers dojo.location models for apps.py:ready().

Services

• No services.py — the finding workflow logic already lives in dojo/finding/helper.py, deduplication.py, and queries.py (close/verify, group create/merge, dedup, copy-from-template, vulnerability-id save). Nothing to extract without duplicating well-placed code.

UI layer (dojo/finding/ui/)

• Move the finding forms into ui/forms.py; finding's own views import them directly, with re-exports left in dojo/forms.py only for the forms consumed by other modules.
• Move the finding UI filters into ui/filters.py and repoint every consumer (search, test, finding_group, metrics, product, reports, api views + tests). No dojo/filters.py re-exports (they would cycle). Shared filter bases (DojoFilter, the Finding* ChoiceFilter widgets, and FindingTagFilter/FindingTagStringFilter, the latter still subclassed by a remaining metrics filter) stay in dojo/filters.py.
• Move views.py and urls.py into ui/, repointing the dojo/urls.py include and external view importers.

API layer (dojo/finding/api/)

• Move the finding DRF serializers into api/serializer.py. To break the cycle with dojo/api_v2/serializers.py, the module carries zero top-level api_v2.serializers import — references to NoteSerializer/FileSerializer/TagListSerializerField/JIRAIssueSerializer/RiskAcceptanceSerializer/BurpRawRequestResponseSerializer/etc. are resolved lazily inside get_fields()/build_relational_field(), and @extend_schema_field overrides are applied lazily at module load.
• Re-export the moved serializers from dojo/api_v2/serializers.py: FindingSerializer/FindingToNotesSerializer are nested by the remaining ReportGenerateSerializer, and the full moved set is re-exported to preserve the exact dojo.api_v2.serializers module membership that the prefetcher's inspect.getmembers discovery relies on.
• Move ApiFindingFilter/ApiTemplateFindingFilter into api/filters.py and FindingViewSet/FindingTemplatesViewSet into api/views.py (preserving the @extend_schema_view decorators), repointing unittests/test_rest_framework.py and pruning the now-unused finding imports left in api_v2/views.py. No viewset re-export (would cycle).
• Add dojo/finding/api/urls.py with add_finding_urls(router) and wire it into dojo/urls.py, preserving the exact findings/finding and finding_templates/finding_template routes and basenames.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.