Dependency Track parser: Store DT uuid into unique_id_from_tool instead of vuln_id_from_tool

[AndreVirtimo]

Store DT uuid into unique_id_from_tool instead of vuln_id_from_tool
change default deduplication algorithm to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE

Fixing #14345

[Maffooch]

This is a good change, but I think we should also maintain the value of vuln_id_from_tool to accommodate folks who have customized the dedupe settings in their local_settings.py files. If the vuln_id_from_tool field is suddenly empty, any existing DT findings would not be matched again

[Maffooch]

Suggested change

	unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
	unique_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]
	vuln_id_from_tool = dependency_track_finding["vulnerability"]["uuid"]

[Maffooch]

Suggested change

	unique_id_from_tool=unique_id_from_tool,
	unique_id_from_tool=unique_id_from_tool,
	vuln_id_from_tool=vuln_id_from_tool,

[Maffooch]

Suggested change

	self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
	self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].unique_id_from_tool)
	self.assertEqual("900991f6-335a-49cb-9bf6-87b545f960ce", findings[2].vuln_id_from_tool)

[Maffooch]

Suggested change

	self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
	self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
	self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))

[Maffooch]

Suggested change

	self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
	self.assertTrue(all(item.unique_id_from_tool is not None for item in findings))
	self.assertTrue(all(item.vuln_id_from_tool is not None for item in findings))

[AndreVirtimo]

This is a good change, but I think we should also maintain the value of vuln_id_from_tool to accommodate folks who have customized the dedupe settings in their local_settings.py files. If the vuln_id_from_tool field is suddenly empty, any existing DT findings would not be matched again

I don't agree. There is not deduplication algorithm which uses vuln_id_from_tool. The field description for vuln_id_from_tool is "Non-unique technical id from the source tool associated with the vulnerability type." which does not fit to the uuid from DT.

[valentijnscholten]

I don't agree. There is not deduplication algorithm which uses vuln_id_from_tool. The field description for vuln_id_from_tool is "Non-unique technical id from the source tool associated with the vulnerability type." which does not fit to the uuid from DT.

Users can customize the deduplication behaviour via the settings in settings.dist.py. If users have chosen vuln_id_from_tool in there, their hash_code calculations will change which might break their dedupe for newly imported reports.

In general I don't like vuln_id_from_tool AND unique_id_from_tool being populated with the same unique id, but maybe in this case it's better to do it to avoid a painful upgrade for users using vuln_id_from_tool. Alternatively we can do a "v2 style" approach as we did with for example OpenVAS: https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/openvas/parser.py

[valentijnscholten]

@AndreVirtimo Do you have aliases enabled in your DT instance? The example vulnerabilities you provided on Slack seem to be aliases of eachother. Usually DT exports this in the report that is being sent to Dojo and Dojo will import all aliases as vulnerability_ids. This way both vulnerabilities should result in the same hash_code and become duplicates and work OK in reimports.