DefectDojo risk acceptance sync to DependencyTrack
Current Behavior:
DependencyTrack syncs the findings to DefectDojo. In DefectDojo there is the possibility to accept a risk for a finding, e.g. if a finding does not apply. These accepted risks are not synced back to DependencyTrack. Thus, the number of vulnerabilities between DefectDojo and DependencyTrack might be different.
Proposed Behavior:
DependencyTrack syncs the findings to DefectDojo. In DefectDojo there is the possibility to accept a risk for a finding, e.g. if a finding does not apply. It would be nice if DefectDojo and DependencyTrack were always on the same page, e.g. if a finding was risk accepted in DefectDojo, it will be closed in DependencyTrack as "suppressed" with "false positive" and an automatic comment "risk accepted in DefectDojo".
I really like the idea of this feature and this might be something that we could use at my company as well!
However this seems like more a feature that should be built in Defectdojo than in Dependencytrack, i.e. Defectdojo should get API token access to Dependencytrack and send suppressions for the issues back to DependencyTrack. Alternatively Dependency-track could poll the findings inside Defectdojo (given enough permissions).
However for either solution Defectdojo should store some unique identifier for that particular finding (of that specific DepTrack project) in its findings. The "Unique ID from tool" field that defectdojo has could serve this purpose.
Would love some feedback from the dependency-track team on their thoughts on how such a feature could work.
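To make the "push suppressions back" variant concrete, here is an added sketch (not code from the thread, DefectDojo or Dependency-Track) that maps DefectDojo triage flags to a Dependency-Track analysis request. It assumes a hypothetical convention where "Unique ID from tool" holds the Dependency-Track project, component and vulnerability UUIDs joined by colons, and that Dependency-Track's `PUT /api/v1/analysis` accepts `analysisState`, `isSuppressed` and `comment` with an `X-Api-Key` header; verify both against the tools' OpenAPI before relying on them.

```python
import json
import urllib.request

# ASSUMPTION: a DefectDojo finding's unique_id_from_tool encodes the
# Dependency-Track "<projectUuid>:<componentUuid>:<vulnUuid>" triple.
# ASSUMPTION: Dependency-Track accepts PUT /api/v1/analysis with the fields below.

# DefectDojo triage flag -> Dependency-Track analysis state + comment.
# First matching flag wins if several are set. Risk acceptance is mapped to
# FALSE_POSITIVE with the comment proposed in the issue above.
STATUS_MAP = [
    ("false_p", "FALSE_POSITIVE", "marked false positive in DefectDojo"),
    ("out_of_scope", "NOT_AFFECTED", "marked out of scope in DefectDojo"),
    ("risk_accepted", "FALSE_POSITIVE", "risk accepted in DefectDojo"),
]

# Constructed sample findings in the shape of DefectDojo's findings API.
SAMPLE_FINDINGS = [
    {"id": 1, "unique_id_from_tool": "proj-1:comp-1:vuln-1", "risk_accepted": True},
    {"id": 2, "unique_id_from_tool": "proj-1:comp-2:vuln-2", "active": True},
    {"id": 3, "unique_id_from_tool": "proj-1:comp-3:vuln-3", "false_p": True},
    {"id": 4, "unique_id_from_tool": None, "out_of_scope": True},  # no cross-ref
]


def to_analysis_request(finding):
    """Return the Dependency-Track analysis payload for one DefectDojo finding,
    or None when nothing needs syncing or the finding cannot be addressed."""
    for flag, state, comment in STATUS_MAP:
        if finding.get(flag):
            break
    else:
        return None  # still active in DefectDojo: leave Dependency-Track alone
    try:
        project, component, vuln = finding["unique_id_from_tool"].split(":")
    except (KeyError, AttributeError, ValueError):
        return None  # missing or malformed cross-reference: skip, do not guess
    return {"project": project, "component": component, "vulnerability": vuln,
            "analysisState": state, "isSuppressed": True, "comment": comment}


def sync_batch(findings):
    """Translate a page of DefectDojo findings into the requests to send."""
    return [r for r in map(to_analysis_request, findings) if r is not None]


def push_analysis(dt_url, api_key, payload):
    """Send one analysis to Dependency-Track (network call, not exercised here)."""
    req = urllib.request.Request(f"{dt_url.rstrip('/')}/api/v1/analysis",
                                 data=json.dumps(payload).encode(), method="PUT",
                                 headers={"Content-Type": "application/json",
                                          "X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```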
I would need this as well.
Ideal solution would be if DefectDojo supported generic WebHooks. I don't find such a feature in their docs unfortunately, only a specific webhook for e.g. JIRA is present as it seems? Either DefectDojo should provide a general webhook functionality, or a Dtrack plugin is necessary there I guess.
edit: Found a draft PR in the works that would implement webhooks in DD: https://github.com/DefectDojo/django-DefectDojo/pull/7311. This would be the base we need.
In Defect Dojo findings can be marked as false positive, out of scope and possibly other statuses. Might be best to sync the status in general and not only risk acceptance.
Yes all information should be synced back
This would be a great feature, whether implemented here or in Dojo. It would greatly increase the usefulness of the integration.
We have pipeline fails based on Dependency Track info currently. If I triage something in Dojo but my pipeline still fails because DT doesn't know about it, I have an issue.