Dependency Track parser: Store DT uuid into unique_id_from_tool instead of vuln_id_from_tool (#14346)

* Store DT uuid into unique_id_from_tool instead of vuln_id_from_tool
change default deduplication algorithm to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE

* Keep the DT uuid in `vuln_id_from_tool` for backward compatibility

Author: AndreVirtimo

dojo/settings/settings.dist.py

@@ -1634,7 +1634,7 @@ def saml2_attrib_map_format(din):
     "Coverity Scan JSON Report": DEDUPE_ALGO_HASH_CODE,
     "Cobalt.io API": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
     "Crunch42 Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
-    "Dependency Track Finding Packaging Format (FPF) Export": DEDUPE_ALGO_HASH_CODE,
+    "Dependency Track Finding Packaging Format (FPF) Export": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
     "Horusec Scan": DEDUPE_ALGO_HASH_CODE,
     "Mobsfscan Scan": DEDUPE_ALGO_HASH_CODE,
     "SonarQube Scan detailed": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,

dojo/tools/dependency_track/parser.py

@@ -197,6 +197,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
         if "description" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["description"] is not None:
             vulnerability_description += "\nVulnerability Description: {description}".format(description=dependency_track_finding["vulnerability"]["description"])
         if "uuid" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["uuid"] is not None:
+            unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
             vuln_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
 
         # Get severity according to Dependency Track and convert it to a severity DefectDojo understands
@@ -229,6 +230,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
             component_name=component_name,
             component_version=component_version,
             file_path=file_path,
+            unique_id_from_tool=unique_id_from_tool,
             vuln_id_from_tool=vuln_id_from_tool,
             static_finding=True,
             dynamic_finding=False)

unittests/tools/test_dependency_track_parser.py

@@ -41,6 +41,8 @@ def test_dependency_track_parser_has_many_findings(self):
             self.assertIsNone(findings[1].unsaved_vulnerability_ids)
             self.assertEqual(1, len(findings[2].unsaved_vulnerability_ids))
             self.assertEqual("CVE-2016-2097", findings[2].unsaved_vulnerability_ids[0])
+            self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
+            self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].vuln_id_from_tool)
             self.assertTrue(findings[2].false_p)
             self.assertTrue(findings[2].is_mitigated)
             self.assertFalse(findings[2].active)
@@ -63,7 +65,7 @@ def test_dependency_track_parser_v3_8_0(self):
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(9, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
-            self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+            self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
 
     def test_dependency_track_parser_findings_with_alias(self):
         with (
@@ -74,8 +76,11 @@ def test_dependency_track_parser_findings_with_alias(self):
 
             self.assertEqual(12, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
+            self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
             self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
             self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
+            self.assertIn("DSA-5283-1", findings[0].unsaved_vulnerability_ids)
+            self.assertIn("GHSA-rgv9-q543-rqg4", findings[0].unsaved_vulnerability_ids)
 
     def test_dependency_track_parser_findings_with_empty_alias(self):
         with (
@@ -93,6 +98,7 @@ def test_dependency_track_parser_findings_with_cvssV3_score(self):
             findings = parser.get_findings(testfile, Test())
         self.assertEqual(12, len(findings))
         self.assertTrue(all(item.file_path is not None for item in findings))
+        self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
         self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
         self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
         self.assertEqual(8.3, findings[0].cvssv3_score)