django-DefectDojo
Mend Scan Findings API response vulnerability_ids[] list contains +1 repeated vulnerability_id entries for each Finding during reimport-scan
**I've raised an issue in Slack here - https://owasp.slack.com/archives/C2P5BA8MN/p1715638859962089**
**Bug description**

**Steps to reproduce**
Steps to reproduce the behavior:
- Make an API call to the Findings for a Mend Scan test type
- Observe the Findings API response containing the mentioned issue of 6x vulnerability_id repeat in vulnerability_ids list
**Expected behavior**
Expected behavior is this would not have a 6x repeated entry for each CVE in the list of vuln_ids and instead have the vulnerability_id = CVE or unique_id_from_tool or vuln_id_from_tool, but not a repeat of a single CVE 6x as the vulnerability_ids list of the Findings. (See Screenshots)
**Deployment method** (select with an X)
- [X] Docker Compose
- [ ] Kubernetes
- [ ] GoDojo
**Environment information**
- Operating System: [e.g. Ubuntu 18.04]
- DefectDojo version (see footer) or commit message: [use `git show -s --format="[%ci] %h: %s [%d]"`]
**Logs**
Use docker-compose logs (or similar, depending on your deployment method) to get the logs and add the relevant sections here showing the error occurring (if applicable).
Can see this error in the response when making API call to /findings/ in 2.34.1
**Sample scan files**
If applicable, add sample scan files to help reproduce your problem.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Additional context** (optional)
Add any other context about the problem here.
In Slack it was confirmed by another person (in direct messages) that they are seeing this duplicative behavior against all importers, not just Mend Scans and reimports where the vulnerability_ids are being processed/retrieved.
Our automation runs the reimport-scan each night, so I tested again today and saw that instead of 6x, it's now 7x. If tomorrow it is 8, then the below must be true...
I think there is a problem with the way the vulnerability_id at import gets appended to a vulnerability_ids list, instead of overwriting that dictionary/list.
I'm a potato at programming, so while I think I see some of the files changed for the parsers and how the 'vulnerability_ids' is being referenced - I have zero clue if this is even the issue that caused this.
To confirm - this was not an issue prior to 2.34.0 and our automation was not displaying this behavior. Only until after we upgraded from 2.33.7 to 2.34.1 (including 2.34.0) that we began to see the +1 for each reimport-scan adding to the vulnerability_ids of the same vulnerability_id on each reimport... It should probably be something like an overwrite vs an append style of a list/dictionary, but again - I am a potato at python programming and have no clue how to do this, or if I'm even in the ballpark.
@hblankenship you are a champion - much appreciated! I'll close this. For what it's worth, I ended up just making a modification in my script to solve the issue, so that it gathers the unique vulnerability_id from the vulnerability_ids list instead.
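The client-side workaround mentioned in the closing comment, written out as an added example (not the reporter's script and not DefectDojo code): it deduplicates the `vulnerability_ids` list of each finding and flags findings whose list holds the same id more than once, the symptom the issue reports. The response shape (`results[]` with `vulnerability_ids` as a list of `{"vulnerability_id": ...}` objects) is an assumption modelled on the `/api/v2/findings/` endpoint, and the JSON below is a constructed sample.

```python
"""Deduplicate vulnerability_ids in a DefectDojo Findings API response and
flag findings whose list repeats the same id (the reimport regression)."""
import json
from collections import Counter

# Constructed sample response (assumed shape of /api/v2/findings/): finding
# 101 shows a CVE repeated six times by successive reimports, 102 is clean.
SAMPLE_RESPONSE = json.dumps({
    "count": 2,
    "results": [
        {"id": 101, "title": "CVE-2023-0001 in example-lib",
         "vulnerability_ids": [{"vulnerability_id": "CVE-2023-0001"}] * 6},
        {"id": 102, "title": "CVE-2023-0002 in other-lib",
         "vulnerability_ids": [{"vulnerability_id": "CVE-2023-0002"},
                               {"vulnerability_id": "GHSA-xxxx-yyyy-zzzz"}]},
    ],
})


def sample_findings():
    """Parsed results[] of the constructed sample response."""
    return json.loads(SAMPLE_RESPONSE)["results"]


def _ids_of(finding):
    """Flatten vulnerability_ids to plain strings (dict entries or bare ids)."""
    return [e.get("vulnerability_id") if isinstance(e, dict) else e
            for e in finding.get("vulnerability_ids", [])]


def unique_vulnerability_ids(finding):
    """Distinct vulnerability_id values of one finding, first-seen order kept."""
    seen = []
    for vid in _ids_of(finding):
        if vid and vid not in seen:
            seen.append(vid)
    return seen


def duplicated_findings(response_text):
    """Map finding id -> highest repeat count, for findings with any repeats.
    Any value above 1 means the list was appended to instead of replaced."""
    data = json.loads(response_text)
    report = {}
    for finding in data.get("results", []):
        most = max(Counter(_ids_of(finding)).values(), default=0)
        if most > 1:
            report[finding["id"]] = most
    return report


if __name__ == "__main__":
    for f in sample_findings():
        print(f["id"], unique_vulnerability_ids(f))
    print("duplicated:", duplicated_findings(SAMPLE_RESPONSE))
```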