Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter out rejected findings to not sync with DefectDojo #1915

Closed
manuel-sommer opened this issue Aug 25, 2022 · 2 comments
Closed

Filter out rejected findings to not sync with DefectDojo #1915

manuel-sommer opened this issue Aug 25, 2022 · 2 comments
Labels
enhancement New feature or request integration/defectdojo Related to the Defect Dojo integration

Comments

@manuel-sommer
Copy link
Contributor

manuel-sommer commented Aug 25, 2022
edited
Loading

Current Behavior:

Findings are synced from DependencyTrack to DefectDojo. Then, findings can be rejected. DependencyTrack does not update or close rejected findings in DefectDojo. (e.g. CVE-2021-20095 or CVE-2018-1000643)
To outline the exact problem:

  1. A CVE is synced from DependencyTrack to DefectDojo (e.g. severity High)
  2. This CVE is rejected and DependencyTrack notes the severity for the finding as "unassigned"
  3. This CVE is synced again from DependencyTrack to DefectDojo. Now the finding is not closed / patched to be an "info" finding as the upload to Defectdojo does not consider a new severity. Thus, DependencyTrack has to patch the finding if the severity changes.

Proposed Behavior:

Rejected vulnerabilities should be automatically closed in DefectDojo.
@manuel-sommer manuel-sommer added the enhancement New feature or request label Aug 25, 2022
@manuel-sommer manuel-sommer changed the title Filter out rejected findings Filter out rejected findings to not sync with DefectDojo Aug 31, 2022
@nscuro nscuro added the integration/defectdojo Related to the Defect Dojo integration label Jul 19, 2023
@manuel-sommer manuel-sommer mentioned this issue Dec 5, 2023
Merged
@kepten
Copy link
Contributor

kepten commented Jan 10, 2024

I think a better solution would be if rejected vulnerabilities would not be sent to DefectDojo at all. That should close them in DD if close_old_findings is set to True during import which is how the current DD integration works.

@kepten kepten mentioned this issue Jan 11, 2024
Closed
3 tasks
@github-actions GitHub Actions
Copy link
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request integration/defectdojo Related to the Defect Dojo integration
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kepten @nscuro @manuel-sommer