
Filter out rejected findings to not sync with DefectDojo

Open manuel-sommer opened this issue 3 years ago • 0 comments

Current Behavior:

Findings are synced from DependencyTrack to DefectDojo. Then, findings can be rejected. DependencyTrack does not update or close rejected findings in DefectDojo (e.g. CVE-2021-20095 or CVE-2018-1000643). To outline the exact problem:

  1. A CVE is synced from DependencyTrack to DefectDojo (e.g. severity High)
  2. This CVE is rejected and DependencyTrack notes the severity for the finding as "unassigned"
  3. This CVE is synced again from DependencyTrack to DefectDojo. Now the finding is not closed / patched to be an "info" finding, as the upload to DefectDojo does not consider a new severity. Thus, DependencyTrack has to patch the finding if the severity changes.

Proposed Behavior:

Rejected vulnerabilities should be automatically closed in DefectDojo.

manuel-sommer, Aug 25 '22 09:08
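The sync step the issue asks for, as an added example that is not part of this issue nor of Dependency-Track's or DefectDojo's own code: a small reconciliation planner that emits a "close" action for the DefectDojo finding when the Dependency-Track finding was rejected, and a severity patch when the severity changed upstream, instead of re-uploading unchanged data. The field names, the analysis-state values treated as "rejected", the severity normalisation and the sample findings are assumptions and constructed data.

```python
# Added example (not Dependency-Track or DefectDojo code): plan what a DefectDojo sync
# must do given the current Dependency-Track findings. Dataclass fields, analysis-state
# values and sample data are assumptions modelled on Dependency-Track's audit workflow.
from dataclasses import dataclass

REJECTED_STATES = {"FALSE_POSITIVE", "NOT_AFFECTED", "RESOLVED"}  # assumed triage policy

@dataclass(frozen=True)
class DtFinding:                      # finding as reported by Dependency-Track (assumed)
    component: str
    vuln_id: str
    severity: str                     # "UNASSIGNED" once the finding has been rejected
    suppressed: bool = False
    analysis_state: str = "NOT_SET"

@dataclass
class DdFinding:                      # finding already stored in DefectDojo (assumed)
    component: str
    vuln_id: str
    severity: str                     # DefectDojo labels: "Critical" .. "Info"
    active: bool = True

def is_rejected(f: DtFinding) -> bool:
    return f.suppressed or f.analysis_state in REJECTED_STATES

def plan_sync(dt_findings, dd_findings) -> list:
    """Return (action, vuln_id, detail) tuples describing what the sync must do."""
    existing = {(f.component, f.vuln_id): f for f in dd_findings}
    actions, seen = [], set()
    for f in dt_findings:
        key = (f.component, f.vuln_id)
        seen.add(key)
        cur = existing.get(key)
        if is_rejected(f):            # step 2 of the issue: the rejection must propagate
            if cur is not None and cur.active:
                actions.append(("close", f.vuln_id, "rejected in Dependency-Track"))
            continue                  # never create a DefectDojo finding for a rejected vuln
        sev = f.severity.capitalize() # normalise "HIGH" -> "High" for DefectDojo
        if cur is None:
            actions.append(("create", f.vuln_id, sev))
        elif cur.severity != sev:     # severity changed upstream: patch, do not re-upload
            actions.append(("patch_severity", f.vuln_id, sev))
    for key, cur in existing.items():  # vanished upstream (e.g. component upgraded): close
        if key not in seen and cur.active:
            actions.append(("close", key[1], "no longer reported"))
    return actions

def demo() -> list:
    """Constructed run of the issue's steps: CVE-2021-20095 was rejected after sync 1."""
    comp = "pkg:maven/example/lib@1.0"                              # constructed purl
    dt = [DtFinding(comp, "CVE-2021-20095", "UNASSIGNED", True, "NOT_AFFECTED"),
          DtFinding(comp, "CVE-2018-1000643", "HIGH")]
    dd = [DdFinding(comp, "CVE-2021-20095", "High"), DdFinding(comp, "CVE-2018-1000643", "High")]
    return plan_sync(dt, dd)
```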