
Snyk Issue Api Scan "sca" import implementation #13263

Merged
mtesauro merged 9 commits into DefectDojo:dev from dshafranskiy-r7:snyk-api-parser-sca-implementation
Oct 3, 2025

Conversation

dshafranskiy-r7 (Contributor) commented Sep 26, 2025

Description

This code implements the "sca" (as opposed to "code") import feature for the "Snyk Issue Api Scan" tool.

  1. It is not possible to get the ignore cause and expiration time from the JSON file.
    So we can only tell whether an issue is "ignored", "open" or "resolved".
    You cannot distinguish between "Not Vulnerable", "Won't Fix" or "Accepted".

With what we have from the .json file:

  • resolved (issue fixed and no longer appearing in Snyk) -> mitigated, inactive, verified
  • open (no ignores) -> active
  • ignored ("Not Vulnerable", "Won't Fix" or "Accepted") -> inactive, mitigated, false positive
    --
    See the table below for transitions.
  1. I tried to reference the Finding definitions, but the mapping is not 100% clear, especially with point 2 ^.

Test results

I've extracted / updated 2 test files:

  • test_snyk_issue_api_parser.py - unit tests - atomic feature tests
  • test_snyk_issue_api_parser_with_json.py - line-by-line comparison of the input JSON and the resulting finding, so it is easy to follow the value comparison.

Snyk issue transition state table:

Below is the table of transitions from Open -> Ignored and back.

| Type | Reason | Expiration | Snyk REST API JSON body |
| --- | --- | --- | --- |
| Not vulnerable | Empty | Does not expire | {reasonType: "not-vulnerable", reason: "", expires: null, disregardIfFixable: false} |
| Temporary | Empty | Does not expire | Not possible, ERROR |
| Won't Fix | Empty | Does not expire | {reasonType: "wont-fix", reason: "", expires: null, disregardIfFixable: false} |
| Not vulnerable | Comment | 24.09.2025 | {"reasonType":"not-vulnerable","reason":"COMMENT","expires":"2025-09-23T22:00:00.000Z","disregardIfFixable":false} |
| Temporary | Empty | 24.09.2025 | {"reasonType":"temporary-ignore","reason":"","expires":"2025-09-23T22:00:00.000Z","disregardIfFixable":false} |
| Won't Fix | COMMENT | 24.09.2025 | {"reasonType":"wont-fix","reason":"COMMENT","expires":"2025-09-23T22:00:00.000Z","disregardIfFixable":false} |
| UNIGNORE | N/A | N/A | Empty, DELETE request |
| Update details | N/A | N/A | Same data as above, PUT request |

Documentation

Updated contents of:
docs/content/en/connecting_your_tools/parsers/file/snyk_issue_api.md

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.
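The status mapping described in the PR description (resolved -> mitigated/inactive/verified, open -> active, ignored -> inactive/mitigated/false positive), as an added example that is not the PR's parser code. The shape of the issues JSON (`attributes.status` and a boolean `attributes.ignored`) is an assumption, the sample records are constructed, and the ignore bodies are the ones from the transition table above. Because the issues JSON carries no ignore reason, every ignore collapses to "false positive" by default; the optional `ignore_body` argument shows how the `reasonType` and `expires` fields of an ignore body would refine that if they were available (my extension, not something the PR does).

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed sample in the shape this example assumes for a Snyk REST API
# issues response: attributes.status in {"open", "resolved"} plus a boolean
# attributes.ignored. Real responses carry many more attributes.
SAMPLE_ISSUES_JSON = json.dumps({"data": [
    {"id": "issue-open", "attributes": {"status": "open", "ignored": False}},
    {"id": "issue-ignored", "attributes": {"status": "open", "ignored": True}},
    {"id": "issue-resolved", "attributes": {"status": "resolved", "ignored": False}},
]})

# Ignore bodies copied from the PR's transition table. They come from the
# Ignores endpoint, not from the issues JSON, which is why the parser
# normally cannot tell the ignore reasons apart.
SAMPLE_IGNORE_BODIES = {
    "not-vulnerable": '{"reasonType":"not-vulnerable","reason":"COMMENT",'
                      '"expires":"2025-09-23T22:00:00.000Z","disregardIfFixable":false}',
    "wont-fix": '{"reasonType":"wont-fix","reason":"","expires":null,"disregardIfFixable":false}',
    "temporary-ignore": '{"reasonType":"temporary-ignore","reason":"",'
                        '"expires":"2025-09-23T22:00:00.000Z","disregardIfFixable":false}',
}


@dataclass(frozen=True)
class FindingState:
    """Subset of DefectDojo Finding flags that the mapping decides."""
    active: bool
    verified: bool
    is_mitigated: bool
    false_p: bool
    risk_accepted: bool = False


def _parse_ts(value: str) -> datetime:
    # Snyk timestamps end in "Z"; older fromisoformat versions reject that,
    # so normalise to an explicit UTC offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def map_issue_state(status: str, ignored: bool,
                    ignore_body: Optional[str] = None,
                    now_iso: str = "2025-09-26T00:00:00Z") -> FindingState:
    """Map Snyk status/ignore data onto finding flags.

    PR mapping: resolved -> mitigated, inactive, verified; open without an
    ignore -> active; ignored -> inactive, mitigated, false positive. The
    ignore_body branch is an assumed extension using the Ignores API body.
    """
    if status == "resolved":
        return FindingState(active=False, verified=True, is_mitigated=True, false_p=False)
    if status != "open":
        raise ValueError(f"unexpected Snyk status {status!r}")
    if not ignored:
        return FindingState(active=True, verified=False, is_mitigated=False, false_p=False)
    if ignore_body is None:
        # Issues JSON alone: every ignore collapses to "false positive".
        return FindingState(active=False, verified=False, is_mitigated=True, false_p=True)

    body = json.loads(ignore_body)
    expires = body.get("expires")
    if expires is not None and _parse_ts(expires) <= _parse_ts(now_iso):
        # Expired ignore: Snyk reports the issue again, so keep it active.
        return FindingState(active=True, verified=False, is_mitigated=False, false_p=False)

    reason = body.get("reasonType")
    if reason == "not-vulnerable":
        return FindingState(active=False, verified=False, is_mitigated=True, false_p=True)
    if reason == "wont-fix":
        return FindingState(active=False, verified=False, is_mitigated=True,
                            false_p=False, risk_accepted=True)
    if reason == "temporary-ignore":
        # Assumption: a still-valid temporary ignore is neither a false
        # positive nor an accepted risk; park it as inactive and mitigated.
        return FindingState(active=False, verified=False, is_mitigated=True, false_p=False)
    raise ValueError(f"unknown reasonType {reason!r}")


def parse_issues(issues_json: str, ignore_bodies: Optional[Dict[str, str]] = None,
                 now_iso: str = "2025-09-26T00:00:00Z") -> Dict[str, FindingState]:
    """Return {issue id: FindingState} for every record in the response."""
    ignore_bodies = ignore_bodies or {}
    result: Dict[str, FindingState] = {}
    for item in json.loads(issues_json)["data"]:
        attrs = item["attributes"]
        result[item["id"]] = map_issue_state(
            attrs["status"], bool(attrs.get("ignored", False)),
            ignore_bodies.get(item["id"]), now_iso)
    return result


if __name__ == "__main__":
    for issue_id, state in parse_issues(SAMPLE_ISSUES_JSON).items():
        print(issue_id, state)
```

The `now_iso` default is the PR date, so the table's 24.09.2025 expiries count as expired only when a later timestamp is passed; in a real importer the current time would be used instead.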

dshafranskiy-r7 (Contributor Author) commented Sep 26, 2025

Import Results - SCA:

[three screenshots of the SCA import results]

dshafranskiy-r7 (Contributor Author) commented

@valentijnscholten referencing you for review as well.

dshafranskiy-r7 (Contributor Author) commented

Snyk Code import:

[three screenshots of the Snyk Code import results]

@dshafranskiy-r7 dshafranskiy-r7 marked this pull request as ready for review September 26, 2025 09:19
valentijnscholten (Member) left a comment

Thanks for the PR, it looks good. I have one question around deduplication. I notice that the existing Snyk Scan and Snyk Code Scan have different deduplication settings for the hash code generation. I wonder if this means that our "API" scanners should be two separate parsers to allow each of them to have their own hash code configuration?

@valentijnscholten valentijnscholten added this to the 2.51.0 milestone Sep 27, 2025
dshafranskiy-r7 (Contributor Author) commented Sep 29, 2025

@valentijnscholten great point, I haven't actually focused on the deduplication feature; let me spend more time testing that part.

Also, if I may ask a leading question:

  • Should we also attempt / test correlation / deduplication with other tools, like SonarQube?

@github-actions github-actions Bot added the helm label Sep 30, 2025
@github-actions github-actions Bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Sep 30, 2025
github-actions (bot) commented

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions (bot) commented

Conflicts have been resolved. A maintainer will review the pull request shortly.

dshafranskiy-r7 (Contributor Author) commented

So I took a look at the de-duplication of the Snyk plugins, and I can say that it is impossible to match those results the way it is currently implemented:

  • SCA: there is no way to get file_path from the Snyk API JSON. Other fields can be matched.
  • SAST/CODE: it is impossible to get the same vuln_id_from_tool field from the API, unless we were to use some smart SARIF header parser.

Below are example values for the fields, for reference:

Tools / Snyk / Parser (SCA)

| Field | Value |
| --- | --- |
| vuln_id_from_tool | SNYK-JAVA-ORGAPACHESANTUARIO-460281 |
| file_path | com.test:myframework > org.apache.santuario:xmlsec |
| component_name | org.apache.santuario:xmlsec |
| component_version | 2.1.1 |

API Parser - SCA

| Field | Value |
| --- | --- |
| vuln_id_from_tool | SNYK-PYTHON-ANYIO-7361842 |
| file_path | anyio |
| component_name | anyio |
| component_version | 3.7.1 |

Tools / Snyk Code / Parser (SAST)

| Field | Value |
| --- | --- |
| vuln_id_from_tool | javascript/Sqli |
| file_path | routes/login.js |

API Parser - Code / SAST

| Field | Value |
| --- | --- |
| vuln_id_from_tool | 9a29d87f-aa94-47eb-b46f-375b293a8631 |
| file_path | path/path/file.abc |
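The deduplication point raised in the review (different hash-code field sets per scanner) and the field comparison in the comment above, as an added example that is not DefectDojo's or the PR's code. It assumes a simplified version of DefectDojo's hash-code scheme: SHA-256 over the configured fields joined with "|". The "Snyk Scan" and "Snyk Code Scan" field lists follow the fields shown in the tables above; the two "Snyk Issue API Scan" entries are placeholder configurations for this example, not what the PR committed. The SCA pair is constructed from the Santuario example so that both parsers describe the same vulnerability; the Code pair reuses the comment's vuln_id_from_tool values with a shared file path to isolate that field.

```python
import hashlib
from typing import Dict, List

# Per-scanner hash-code field lists, in the spirit of DefectDojo's
# HASHCODE_FIELDS_PER_SCANNER setting. The two API entries are assumptions
# made for this example.
HASHCODE_FIELDS: Dict[str, List[str]] = {
    "Snyk Scan": ["vuln_id_from_tool", "file_path", "component_name", "component_version"],
    "Snyk Code Scan": ["vuln_id_from_tool", "file_path"],
    "Snyk Issue API Scan (sca)": ["vuln_id_from_tool", "file_path", "component_name", "component_version"],
    "Snyk Issue API Scan (code)": ["vuln_id_from_tool", "file_path"],
}

# Constructed SCA pair: the same xmlsec vulnerability as the file parser
# reports it (dependency path in file_path, per the table above) and as the
# API parser would (package name only, since the API JSON has no path).
FILE_PARSER_SCA = {
    "vuln_id_from_tool": "SNYK-JAVA-ORGAPACHESANTUARIO-460281",
    "file_path": "com.test:myframework > org.apache.santuario:xmlsec",
    "component_name": "org.apache.santuario:xmlsec",
    "component_version": "2.1.1",
}
API_PARSER_SCA = dict(FILE_PARSER_SCA, file_path="org.apache.santuario:xmlsec")

# Constructed Code pair: same file, but the file parser carries a rule id
# while the API parser carries an issue UUID (values from the tables above).
FILE_PARSER_CODE = {"vuln_id_from_tool": "javascript/Sqli", "file_path": "routes/login.js"}
API_PARSER_CODE = {"vuln_id_from_tool": "9a29d87f-aa94-47eb-b46f-375b293a8631",
                   "file_path": "routes/login.js"}


def hash_code(scanner: str, finding: Dict[str, str]) -> str:
    """Simplified hash code: SHA-256 over the scanner's fields joined by '|'."""
    fields = HASHCODE_FIELDS[scanner]
    material = "|".join(str(finding.get(name) or "") for name in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def would_deduplicate(scanner_a: str, a: Dict[str, str],
                      scanner_b: str, b: Dict[str, str]) -> bool:
    """True when both findings would land on the same hash code."""
    return hash_code(scanner_a, a) == hash_code(scanner_b, b)


def mismatching_fields(scanner_a: str, a: Dict[str, str],
                       scanner_b: str, b: Dict[str, str]) -> List[str]:
    """Hash fields (union of both configurations) whose values differ."""
    fields: List[str] = []
    for name in HASHCODE_FIELDS[scanner_a] + HASHCODE_FIELDS[scanner_b]:
        if name not in fields:
            fields.append(name)
    return [name for name in fields if a.get(name) != b.get(name)]


if __name__ == "__main__":
    pairs = [
        ("Snyk Scan", FILE_PARSER_SCA, "Snyk Issue API Scan (sca)", API_PARSER_SCA),
        ("Snyk Code Scan", FILE_PARSER_CODE, "Snyk Issue API Scan (code)", API_PARSER_CODE),
    ]
    for sa, fa, sb, fb in pairs:
        print(sa, "vs", sb, "dedupe:", would_deduplicate(sa, fa, sb, fb),
              "differs in:", mismatching_fields(sa, fa, sb, fb))
```

The point of `mismatching_fields` is to make the cause visible: for SCA the only differing hash input is `file_path`, for Code it is `vuln_id_from_tool`, which matches the two bullets in the comment. Removing `file_path` from the API parser's field list alone would not help either, because the file parser still hashes it; cross-parser deduplication needs both the same field list and the same values.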

mtesauro (Contributor) left a comment

Approved

@Maffooch Maffooch requested a review from blakeaowens October 2, 2025 21:35
@mtesauro mtesauro merged commit fb85784 into DefectDojo:dev Oct 3, 2025
89 checks passed
@dshafranskiy-r7 dshafranskiy-r7 deleted the snyk-api-parser-sca-implementation branch October 3, 2025 07:19
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
* implementation

* docu update

* removed unnecessary tests to ruff it out

* deduplication for snyk api fields added

* tests update

* ruff

---------

Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

Labels: docs, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), unittests

5 participants