fix(dependency-track): store matrix as unique_id_from_tool, uuid as vuln_id_from_tool

- Initialize unique_id_from_tool from the top-level matrix field (backward compat)
- Override with vulnerability.matrix if present (newer DT export formats)
- Initialize vuln_id_from_tool to None before conditional assignment
- Remove duplicate unique_id_from_tool kwarg that caused a syntax error
- Update test assertion to expect the full composite matrix string

Author: valentijnscholten

dojo/tools/dependency_track/parser.py

@@ -196,9 +196,12 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
             vulnerability_description += "\nVulnerability Subtitle: {subtitle}".format(subtitle=dependency_track_finding["vulnerability"]["subtitle"])
         if "description" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["description"] is not None:
             vulnerability_description += "\nVulnerability Description: {description}".format(description=dependency_track_finding["vulnerability"]["description"])
+        vuln_id_from_tool = None
+        unique_id_from_tool = dependency_track_finding.get("matrix")
         if "uuid" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["uuid"] is not None:
-            unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
             vuln_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
+        if "matrix" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["matrix"] is not None:
+            unique_id_from_tool = dependency_track_finding["vulnerability"]["matrix"]
 
         # Get severity according to Dependency Track and convert it to a severity DefectDojo understands
         dependency_track_severity = dependency_track_finding["vulnerability"]["severity"]
@@ -232,7 +235,6 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
             file_path=file_path,
             unique_id_from_tool=unique_id_from_tool,
             vuln_id_from_tool=vuln_id_from_tool,
-            unique_id_from_tool=dependency_track_finding.get("matrix"),
             static_finding=True,
             dynamic_finding=False)
 

unittests/tools/test_dependency_track_parser.py

@@ -41,7 +41,7 @@ def test_dependency_track_parser_has_many_findings(self):
             self.assertIsNone(findings[1].unsaved_vulnerability_ids)
             self.assertEqual(1, len(findings[2].unsaved_vulnerability_ids))
             self.assertEqual("CVE-2016-2097", findings[2].unsaved_vulnerability_ids[0])
-            self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
+            self.assertEqual("8d7f5fcd-210b-491d-a29e-904c2e01b281:3e52f829-3317-48c3-bde1-342c610bd223:900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
             self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].vuln_id_from_tool)
             self.assertTrue(findings[2].false_p)
             self.assertTrue(findings[2].is_mitigated)