Skip to content

Include analysis.detail from Dependency Track FPF in finding description #14931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
webdevred wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Include analysis.detail from Dependency Track FPF in finding description #14931

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9cbff68
Update versions in application files
May 26, 2026
ae0ea54
Merge pull request #14915 from DefectDojo/master-into-bugfix/2.58.4-2…
rossops May 26, 2026
f4e0606
Include analysis.detail from Dependency Track FPF in finding description
webdevred May 28, 2026
c3494e1
Move audit detail to top of finding description
webdevred May 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion components/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "defectdojo",
"version": "2.58.4",
"version": "2.59.0-dev",
"license" : "BSD-3-Clause",
"private": true,
"dependencies": {
Expand Down
3 changes: 3 additions & 0 deletions dojo/tools/dependency_track/parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,9 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
analysis = dependency_track_finding.get("analysis")
is_false_positive = bool(analysis is not None and analysis.get("state") == "FALSE_POSITIVE")

if analysis is not None and analysis.get("detail"):
vulnerability_description = f"Audit Detail: {analysis['detail']}\n\n{vulnerability_description}"
Copy link
Copy Markdown
Member

@valentijnscholten valentijnscholten May 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it make more sense to put the audit detail after the description? Or maybe even in the impact field?

Copy link
Copy Markdown
Author

@webdevred webdevred May 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, happy to discuss. My reasoning for putting it first: the audit detail is analyst-added context specific to this finding in your environment, whereas the vulnerability description is generic upstream text. When triaging, the analyst note is usually the more immediately relevant piece. Open to changing it if you feel strongly though.

On the impact field: that field has a specific semantic meaning (consequence of exploitation), so putting analyst workflow notes there felt wrong.

Also, I'll rebase against bugfix as requested.


# Get the EPSS details
epss_percentile = dependency_track_finding["vulnerability"].get("epssPercentile", None)

Expand Down
8 changes: 4 additions & 4 deletions helm/defectdojo/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
apiVersion: v2
appVersion: "2.58.4"
appVersion: "2.59.0-dev"
description: A Helm chart for Kubernetes to install DefectDojo
name: defectdojo
version: 1.9.29
version: 1.9.30-dev
icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
maintainers:
- name: madchap
Expand Down Expand Up @@ -33,5 +33,5 @@ dependencies:
# - kind: security
# description: Critical bug
annotations:
artifacthub.io/prerelease: "false"
artifacthub.io/changes: "- kind: changed\n description: Bump DefectDojo to 2.58.4\n"
artifacthub.io/prerelease: "true"
artifacthub.io/changes: ""
2 changes: 1 addition & 1 deletion helm/defectdojo/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -511,7 +511,7 @@ The HELM schema will be generated for you.
# General information about chart values
![Version: 1.9.29](https://img.shields.io/badge/Version-1.9.29-informational?style=flat-square) ![AppVersion: 2.58.4](https://img.shields.io/badge/AppVersion-2.58.4-informational?style=flat-square)
![Version: 1.9.30-dev](https://img.shields.io/badge/Version-1.9.30--dev-informational?style=flat-square) ![AppVersion: 2.59.0-dev](https://img.shields.io/badge/AppVersion-2.59.0--dev-informational?style=flat-square)
A Helm chart for Kubernetes to install DefectDojo
Expand Down
42 changes: 42 additions & 0 deletions unittests/scans/dependency_track/one_finding_with_analysis_detail.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
{
"meta": {
"application": "Dependency-Track",
"version": "4.14.0",
"timestamp": "2026-01-01T00:00:00Z"
},
"findings": [
{
"component": {
"name": "log4j-core",
"project": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"uuid": "c8a65fcd-dbf4-41eb-b1ec-55e67c91b22b",
"version": "2.14.1"
},
"attribution": {
"analyzerIdentity": "INTERNAL_ANALYZER",
"attributedOn": "2026-01-01 00:00:00.000"
},
"vulnerability": {
"uuid": "f8469ce4-019a-4482-8510-624dcf65f005",
"source": "NVD",
"vulnId": "CVE-2021-44228",
"severity": "CRITICAL",
"description": "Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP.",
"aliases": []
},
"analysis": {
"state": "IN_TRIAGE",
"isSuppressed": false,
"detail": "Reviewed and confirmed vulnerable. Upgrade scheduled for next sprint."
},
"matrix": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4:c8a65fcd-dbf4-41eb-b1ec-55e67c91b22b:f8469ce4-019a-4482-8510-624dcf65f005"
}
],
"project": {
"name": "test-app",
"uuid": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4",
"version": "1.0.0"
},
"version": "1.3"
}
7 changes: 7 additions & 0 deletions unittests/tools/test_dependency_track_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,3 +168,10 @@ def test_dependency_track_parser_findings_with_epss_score(self):
self.assertEqual(0.07756, findings[0].epss_percentile)
self.assertEqual(4.2, findings[0].cvssv3_score)
self.assertIn("CVE-2023-45803", findings[0].unsaved_vulnerability_ids)

def test_dependency_track_parser_finding_with_analysis_detail(self):
with (get_unit_tests_scans_path("dependency_track") / "one_finding_with_analysis_detail.json").open(encoding="utf-8") as testfile:
parser = DependencyTrackParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(1, len(findings))
self.assertIn("Audit Detail: Reviewed and confirmed vulnerable. Upgrade scheduled for next sprint.", findings[0].description)
Loading