Dependency track and Defectdojo integration: inactive status on re-import

[gulsezim11]

Current Behavior

I have configured the integration between DepTrack and DefectDojo. And currently, every 60 minutes there is a synchronization between two systems. But, when reimporting the same findings, the status of findings in DefectDojo becomes Inactive, Mitigated. I have tried to work with close_old_findings, deduplication, active parameters, it is not working. Also, I have heard that the test_title must be different each, it helps with status issues. In this case, I am not quite sure how can I configure properties of projects so that the value of test_title would be different each sync.

Steps to Reproduce

1. Configure integration as in the instruction https://docs.dependencytrack.org/integrations/defectdojo/

Expected Behavior

Every time in each sync I want the import not to change the status of findings. For ex, first import 23 active findings, second import the same 23 active findings should leave active status in defectdojo.

Dependency-Track Version

4.4.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Apple Safari

Checklist

• [X] I have read and understand the contributing guidelines
• [X] I have checked the existing issues for whether this defect was already reported

[valentijnscholten]

I have tried to work with close_old_findings, deduplication, active parameters, it is not working

Do you mean your tried manual imports into DD with these parameters? These parameters are not supported by DT, so they won't have any effect. close_old_findings, active and verified are always set to True.

It might be DD closing your findings as it uses an algorithm for matching existing findings which is sometimes flaky, or can be easily broken if someone changes the hashcode algorithm. What happens if you upload the FPF export from DT manually, and reimport it?