From 6e5e1f916ceab8e3bf33f42292b054c4fb97225f Mon Sep 17 00:00:00 2001
From: samiat4911
Date: Tue, 24 Feb 2026 14:42:57 +0100
Subject: [PATCH 1/2] Set unique_id_from_tool from matrix field in Dependency Track parser

---
 dojo/tools/dependency_track/parser.py | 1 +
 unittests/tools/test_dependency_track_parser.py | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index 097db3883e2..11456c0c44d 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
@@ -230,6 +230,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
 component_version=component_version,
 file_path=file_path,
 vuln_id_from_tool=vuln_id_from_tool,
+ unique_id_from_tool=dependency_track_finding.get("matrix"),
 static_finding=True,
 dynamic_finding=False)
 
diff --git a/unittests/tools/test_dependency_track_parser.py b/unittests/tools/test_dependency_track_parser.py
index c5deeec73c5..fcb02f5cd22 100644
--- a/unittests/tools/test_dependency_track_parser.py
+++ b/unittests/tools/test_dependency_track_parser.py
@@ -54,6 +54,10 @@ def test_dependency_track_parser_has_one_finding(self):
 parser = DependencyTrackParser()
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(1, len(findings))
+ self.assertEqual(
+ "ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46",
+ findings[0].unique_id_from_tool,
+ )
 
 def test_dependency_track_parser_v3_8_0(self):
 with (
@@ -64,6 +68,7 @@ def test_dependency_track_parser_v3_8_0(self):
 self.assertEqual(9, len(findings))
 self.assertTrue(all(item.file_path is not None for item in findings))
 self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+ self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
 
 def test_dependency_track_parser_findings_with_alias(self):
 with (
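Review bot: The added `self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))` in test_dependency_track_parser_v3_8_0 only proves the field is populated; it would still pass if every finding in the fixture carried the same matrix string, which is exactly the failure mode a field meant to be unique per finding should be guarded against. Asserting uniqueness across the fixture is just as cheap and strictly stronger: `self.assertEqual(len(findings), len({item.unique_id_from_tool for item in findings}))`. The same applies to the identical assertions added to test_dependency_track_parser_findings_with_alias and test_dependency_track_parser_findings_with_cvssV3_score in the following hunks; if a fixture deliberately contains duplicate rows the expected count would need adjusting accordingly. Each of these test methods starts outside its hunk.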
@@ -75,6 +80,7 @@ def test_dependency_track_parser_findings_with_alias(self):
 self.assertEqual(12, len(findings))
 self.assertTrue(all(item.file_path is not None for item in findings))
 self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+ self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
 self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
 
 def test_dependency_track_parser_findings_with_empty_alias(self):
@@ -94,6 +100,7 @@ def test_dependency_track_parser_findings_with_cvssV3_score(self):
 self.assertEqual(12, len(findings))
 self.assertTrue(all(item.file_path is not None for item in findings))
 self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))
+ self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
 self.assertIn("CVE-2022-42004", findings[0].unsaved_vulnerability_ids)
 self.assertEqual(8.3, findings[0].cvssv3_score)
 

From e8ed27eaea897acf88b6afab12b6e2dcab506d4a Mon Sep 17 00:00:00 2001
From: Valentijn Scholten
Date: Thu, 26 Feb 2026 21:27:17 +0100
Subject: [PATCH 2/2] fix(dependency-track): store matrix as unique_id_from_tool, uuid as vuln_id_from_tool

- Initialize unique_id_from_tool from the top-level matrix field (backward compat)
- Override with vulnerability.matrix if present (newer DT export formats)
- Initialize vuln_id_from_tool to None before conditional assignment
- Remove duplicate unique_id_from_tool kwarg that caused a syntax error
- Update test assertion to expect the full composite matrix string
---
 dojo/tools/dependency_track/parser.py | 6 ++++--
 unittests/tools/test_dependency_track_parser.py | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index c86949e57fc..ab6844fe518 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
@@ -196,9 +196,12 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
 vulnerability_description += "\nVulnerability Subtitle: {subtitle}".format(subtitle=dependency_track_finding["vulnerability"]["subtitle"])
 if "description" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["description"] is not None:
 vulnerability_description += "\nVulnerability Description: {description}".format(description=dependency_track_finding["vulnerability"]["description"])
+ vuln_id_from_tool = None
+ unique_id_from_tool = dependency_track_finding.get("matrix")
 if "uuid" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["uuid"] is not None:
- unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
 vuln_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
+ if "matrix" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["matrix"] is not None:
+ unique_id_from_tool = dependency_track_finding["vulnerability"]["matrix"]
 
 # Get severity according to Dependency Track and convert it to a severity DefectDojo understands
 dependency_track_severity = dependency_track_finding["vulnerability"]["severity"]
@@ -232,7 +235,6 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
 file_path=file_path,
 unique_id_from_tool=unique_id_from_tool,
 vuln_id_from_tool=vuln_id_from_tool,
- unique_id_from_tool=dependency_track_finding.get("matrix"),
 static_finding=True,
 dynamic_finding=False)
 
diff --git a/unittests/tools/test_dependency_track_parser.py b/unittests/tools/test_dependency_track_parser.py
index 8bfd3ac801e..b4fb2156af5 100644
--- a/unittests/tools/test_dependency_track_parser.py
+++ b/unittests/tools/test_dependency_track_parser.py
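Review bot: The rewritten block loses the uuid fallback, so a finding whose export carries neither a top-level `matrix` nor `vulnerability.matrix` now leaves `unique_id_from_tool` as `None` even when `vulnerability.uuid` is present, where the removed line previously stored the uuid; if deduplication for this parser keys on `unique_id_from_tool`, those findings would silently lose their dedupe key on older exports. Unless every supported export format is known to include `matrix`, keep the uuid as a last resort after the override: `if unique_id_from_tool is None: unique_id_from_tool = vuln_id_from_tool`. The override condition could also be written `if dependency_track_finding["vulnerability"].get("matrix") is not None:` to match the `.get("matrix")` used two lines earlier, and a short comment such as `# matrix is a colon-joined composite of three UUIDs (the last being the vulnerability uuid); vulnerability.matrix takes precedence over the top-level field` would document the precedence for the next reader. _convert_dependency_track_finding_to_dojo_finding starts before and continues past this hunk.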
@@ -41,7 +41,7 @@ def test_dependency_track_parser_has_many_findings(self):
 self.assertIsNone(findings[1].unsaved_vulnerability_ids)
 self.assertEqual(1, len(findings[2].unsaved_vulnerability_ids))
 self.assertEqual("CVE-2016-2097", findings[2].unsaved_vulnerability_ids[0])
- self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
+ self.assertEqual("8d7f5fcd-210b-491d-a29e-904c2e01b281:3e52f829-3317-48c3-bde1-342c610bd223:900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
 self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].vuln_id_from_tool)
 self.assertTrue(findings[2].false_p)
 self.assertTrue(findings[2].is_mitigated)
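Review bot: The updated assertion pins the composite value for findings[2] only, so the test cannot tell whether the value came from the top-level `matrix` field or from the `vulnerability.matrix` override the parser now prefers, and no case in this hunk covers a finding that has neither. Unless another fixture already does so, a small export in which `vulnerability.matrix` differs from the top-level `matrix` (asserting the former wins) and one with no matrix at all (pinning what `unique_id_from_tool` becomes) would lock down the precedence logic introduced in the parser change. It would also be worth asserting that `findings[2].vuln_id_from_tool` differs from `findings[2].unique_id_from_tool`, since the point of the change is that the two fields now carry different identifiers. test_dependency_track_parser_has_many_findings starts outside the hunk.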