aboutcode-org · tdruez · May 26, 2026 · May 25, 2026 · May 25, 2026 · May 26, 2026
diff --git a/product_portfolio/templates/product_portfolio/product_details.html b/product_portfolio/templates/product_portfolio/product_details.html
@@ -173,9 +173,8 @@
 
 {% block javascripts %}
   {{ block.super }}
-  {% if has_edit_productpackage or has_edit_productcomponent %}
-    <script src="{% static 'js/csrf_header.js' %}" integrity="sha384-H61e46QMjASwnZFb/rwCl9PANtdqt1dbKU8gnGOh9lIGQEoi1B6qkWROHnrktD3R" crossorigin="anonymous"></script>
-  {% endif %}
+  {# Always render the CSRF token: required by the vulnerability analysis form, even on read-only products #}
+  <script src="{% static 'js/csrf_header.js' %}" integrity="sha384-H61e46QMjASwnZFb/rwCl9PANtdqt1dbKU8gnGOh9lIGQEoi1B6qkWROHnrktD3R" crossorigin="anonymous"></script>
   <script src="{% static 'js/jquery.jsPlumb-1.7.2-min.js' %}" integrity="sha384-ITD4LUuh8ImLrJ5g55OIlG2QoiYVUuXLN9CStlO1e2SQZm0SyGfNkMiwPboMOv8D" crossorigin="anonymous"></script>
   {% include 'product_portfolio/includes/product_hierarchy.js.html' with relations_feature_grouped=tabsets.Hierarchy.fields.0.1.relations_feature_grouped %}
   {% if tabsets.Owner.extra %}
@@ -346,7 +345,9 @@
   {% if purldb_enabled %}
     <script>
       document.addEventListener('DOMContentLoaded', function () {
-        document.getElementById('check-package-versions').addEventListener('click', function (event) {
+        const checkPackageVersions = document.getElementById('check-package-versions');
+        if (!checkPackageVersions) return;
+        checkPackageVersions.addEventListener('click', function (event) {
           event.preventDefault();
           let checkPackageLink = this;
           checkPackageLink.classList.add("disabled");
@@ -446,7 +447,9 @@
     </script>
     <script>
       document.addEventListener('DOMContentLoaded', function () {
-        document.querySelector('#improve_from_purldb').addEventListener('click', function() {
+        const improveFromPurldb = document.querySelector('#improve_from_purldb');
+        if (!improveFromPurldb) return;
+        improveFromPurldb.addEventListener('click', function() {
           NEXB.displayOverlay("Fetching data from PurlDB...");
         })
       });

diff --git a/product_portfolio/tests/test_views.py b/product_portfolio/tests/test_views.py
@@ -455,6 +455,13 @@ def test_product_portfolio_detail_view_include_tab_vulnerability_analysis_modal(
         response = self.client.get(url)
         self.assertContains(response, modal_id)
         self.assertContains(response, modal_js)
+        self.assertContains(response, "csrf_header.js")
+
+        # Ensure the CSRF script is present even if product is locked
+        locked_status = make_product_status(self.dataspace)
+        self.product1.update(configuration_status=locked_status)
+        response = self.client.get(url)
+        self.assertContains(response, "csrf_header.js")
 
     @mock.patch("dejacode_toolkit.vulnerablecode.VulnerableCode.is_configured")
     def test_product_portfolio_detail_view_tab_vulnerability_label(self, mock_is_configured):