From ef02236e995afcabc7614ea17384cb1f6e28d7d0 Mon Sep 17 00:00:00 2001
From: Andre Schlegel-Tylla
Date: Thu, 19 Feb 2026 10:34:44 +0100
Subject: [PATCH 1/2] Store DT uuid into unique_id_from_tool instead of vuln_id_from_tool change default deduplication algorithm to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE
---
 dojo/settings/settings.dist.py | 2 +-
 dojo/tools/dependency_track/parser.py | 4 ++--
 unittests/tools/test_dependency_track_parser.py | 9 ++++++---
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index ca0c28d76f6..c453c4a169e 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1634,7 +1634,7 @@ def saml2_attrib_map_format(din):
     "Coverity Scan JSON Report": DEDUPE_ALGO_HASH_CODE,
     "Cobalt.io API": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
     "Crunch42 Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
-    "Dependency Track Finding Packaging Format (FPF) Export": DEDUPE_ALGO_HASH_CODE,
+    "Dependency Track Finding Packaging Format (FPF) Export": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
     "Horusec Scan": DEDUPE_ALGO_HASH_CODE,
     "Mobsfscan Scan": DEDUPE_ALGO_HASH_CODE,
     "SonarQube Scan detailed": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index 097db3883e2..3c21f30e5a8 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
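Review bot: Switching this parser's default to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE makes deduplication trust whatever the parser stores in `unique_id_from_tool`, so the safety of this one-line change rests on that value identifying one finding (one component affected by one vulnerability) rather than one vulnerability shared by several components; that should be confirmed against a Dependency-Track export before the default is flipped. Findings imported before this series have no `unique_id_from_tool` (earlier parser versions wrote the uuid to `vuln_id_from_tool`), so, as far as the OR_HASH_CODE name implies, the first reimport after upgrading dedupes by hash_code and only later runs track by uuid, which can merge or split findings relative to the previous behaviour. The diffstat lists no documentation change; the parser's documentation and the upgrade notes should state the new default and this transition.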
@@ -197,7 +197,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
         if "description" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["description"] is not None:
             vulnerability_description += "\nVulnerability Description: {description}".format(description=dependency_track_finding["vulnerability"]["description"])
         if "uuid" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["uuid"] is not None:
-            vuln_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
+            unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
 
         # Get severity according to Dependency Track and convert it to a severity DefectDojo understands
         dependency_track_severity = dependency_track_finding["vulnerability"]["severity"]
@@ -229,7 +229,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
             component_name=component_name,
             component_version=component_version,
             file_path=file_path,
-            vuln_id_from_tool=vuln_id_from_tool,
+            unique_id_from_tool=unique_id_from_tool,
             static_finding=True,
             dynamic_finding=False)
 
diff --git a/unittests/tools/test_dependency_track_parser.py b/unittests/tools/test_dependency_track_parser.py
index c5deeec73c5..c36eb1d4c19 100644
--- a/unittests/tools/test_dependency_track_parser.py
+++ b/unittests/tools/test_dependency_track_parser.py
@@ -41,6 +41,7 @@ def test_dependency_track_parser_has_many_findings(self):
             self.assertIsNone(findings[1].unsaved_vulnerability_ids)
             self.assertEqual(1, len(findings[2].unsaved_vulnerability_ids))
             self.assertEqual("CVE-2016-2097", findings[2].unsaved_vulnerability_ids[0])
+            self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
             self.assertTrue(findings[2].false_p)
             self.assertTrue(findings[2].is_mitigated)
             self.assertFalse(findings[2].active)
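Review bot: `unique_id_from_tool` is bound only inside the guarded branch on the `+` line of the -197 hunk, and neither this hunk nor the diffstat's two insertions for parser.py show an initialisation being renamed, so on a finding whose `vulnerability` carries no `uuid` (exactly the case the `if` allows for) the `Finding(...)` call in the -229 hunk raises UnboundLocalError unless a default for the new name already exists above line 197 outside the hunk. Initialise it next to the other defaults before the `if`, `unique_id_from_tool = None`. Separately, the value stored is the uuid of the `vulnerability` object; if Dependency-Track issues that uuid per vulnerability rather than per (component, vulnerability) pair, every component hit by the same CVE in one export receives the same `unique_id_from_tool` and, under the UNIQUE_ID_FROM_TOOL_OR_HASH_CODE default introduced in this patch, collapses into a single finding, so this should be checked against an export with a shared vulnerability and, if confirmed, the id combined with the component's identifier. The method `_convert_dependency_track_finding_to_dojo_finding` starts and ends outside both hunks.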
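Review bot: The new assertion in the -41 hunk pins one uuid, but no test in this series exercises the path the parser explicitly guards for, an export whose `vulnerability` has no `uuid`; that path now decides whether deduplication falls back to hash_code, so it deserves a fixture with the uuid omitted asserting `self.assertIsNone(findings[0].unique_id_from_tool)`. The many-findings test would also be the natural place to assert that the ids are distinct across findings, e.g. `self.assertEqual(len(findings), len({f.unique_id_from_tool for f in findings}))`, since a dedupe key that repeats within one import silently merges findings. The test method starts and ends outside the hunk.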
@@ -63,7 +64,7 @@ def test_dependency_track_parser_v3_8_0(self):
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(9, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
-            self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+            self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
 
     def test_dependency_track_parser_findings_with_alias(self):
         with (
@@ -74,8 +75,10 @@ def test_dependency_track_parser_findings_with_alias(self):
 
             self.assertEqual(12, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
-            self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+            self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
             self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
+            self.assertIn("DSA-5283-1", findings[0].unsaved_vulnerability_ids)
+            self.assertIn("GHSA-rgv9-q543-rqg4", findings[0].unsaved_vulnerability_ids)
 
     def test_dependency_track_parser_findings_with_empty_alias(self):
         with (
@@ -93,7 +96,7 @@ def test_dependency_track_parser_findings_with_cvssV3_score(self):
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(12, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
-            self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+            self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
             self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
             self.assertEqual(8.3, findings[0].cvssv3_score)
 
From 8fc618363e41acd69d019fff2edb0e635049a1c6 Mon Sep 17 00:00:00 2001
From: Andre Schlegel-Tylla
Date: Mon, 23 Feb 2026 06:09:48 +0100
Subject: [PATCH 2/2] Keep the DT uuid in `vuln_id_from_tool` for backward compatibility
---
 dojo/tools/dependency_track/parser.py | 2 ++
 unittests/tools/test_dependency_track_parser.py | 3 +++
 2 files changed, 5 insertions(+)
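Review bot: The renamed assertions in the -63, -74 and -93 hunks only check `is not None`, which still passes if every finding in the export received the same uuid, and after this patch that uuid is the deduplication key; add a distinctness check alongside each, `self.assertEqual(len(findings), len({item.unique_id_from_tool for item in findings}))`, and if it fails on the existing fixtures that is the signal that Dependency-Track's vulnerability uuid is shared across components and cannot serve as a per-finding id on its own. The two `assertIn` lines added in the -74 hunk for `DSA-5283-1` and `GHSA-rgv9-q543-rqg4` test alias handling rather than the id change and are not covered by the subject; either split them out or mention them in the commit message. Each test method starts outside its hunk.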
diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index 3c21f30e5a8..c08f368a592 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
@@ -198,6 +198,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
             vulnerability_description += "\nVulnerability Description: {description}".format(description=dependency_track_finding["vulnerability"]["description"])
         if "uuid" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["uuid"] is not None:
             unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
+            vuln_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
 
         # Get severity according to Dependency Track and convert it to a severity DefectDojo understands
         dependency_track_severity = dependency_track_finding["vulnerability"]["severity"]
@@ -230,6 +231,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
             component_version=component_version,
             file_path=file_path,
             unique_id_from_tool=unique_id_from_tool,
+            vuln_id_from_tool=vuln_id_from_tool,
             static_finding=True,
             dynamic_finding=False)
 
diff --git a/unittests/tools/test_dependency_track_parser.py b/unittests/tools/test_dependency_track_parser.py
index c36eb1d4c19..34c85f0849d 100644
--- a/unittests/tools/test_dependency_track_parser.py
+++ b/unittests/tools/test_dependency_track_parser.py
@@ -42,6 +42,7 @@ def test_dependency_track_parser_has_many_findings(self):
             self.assertEqual(1, len(findings[2].unsaved_vulnerability_ids))
             self.assertEqual("CVE-2016-2097", findings[2].unsaved_vulnerability_ids[0])
             self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
+            self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].vuln_id_from_tool)
             self.assertTrue(findings[2].false_p)
             self.assertTrue(findings[2].is_mitigated)
             self.assertFalse(findings[2].active)
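Review bot: The `+` line in the -198 hunk re-reads `dependency_track_finding["vulnerability"]["uuid"]` that the line directly above just stored, and nothing in the code says why the same value now lands in two fields, so the duplication will look like an oversight to the next reader and be "cleaned up"; write it as `vuln_id_from_tool = unique_id_from_tool  # kept for backward compatibility: earlier versions exposed the DT uuid here` so the intent survives. Since the CVE for a finding lives in `unsaved_vulnerability_ids` (asserted in the -42 test hunk) while `vuln_id_from_tool` now carries a Dependency-Track uuid, that split deserves a sentence in the parser's docstring or documentation, which this series does not touch. The method `_convert_dependency_track_finding_to_dojo_finding` starts and ends outside both hunks.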
@@ -76,6 +77,7 @@ def test_dependency_track_parser_findings_with_alias(self):
             self.assertEqual(12, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
             self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
+            self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
             self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
             self.assertIn("DSA-5283-1", findings[0].unsaved_vulnerability_ids)
             self.assertIn("GHSA-rgv9-q543-rqg4", findings[0].unsaved_vulnerability_ids)
@@ -97,6 +99,7 @@ def test_dependency_track_parser_findings_with_cvssV3_score(self):
             self.assertEqual(12, len(findings))
             self.assertTrue(all(item.file_path is not None for item in findings))
             self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
+            self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
             self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
             self.assertEqual(8.3, findings[0].cvssv3_score)
 