Discussing Default Branch Baseline Feature for DefectDojo to Improve Findings Management Across Branches | DefectDojo Community

DefectDojo Community Icon

Valentijn S.
·
·
I think I understand what you're running into, but what would/could be the/a solution? In the past I've been pondering about improving reimport to have something like a seen_in and not_seen_in field that contains a list of versions that could be queried similarly to your examples above. But at some point I realized it would be hard to implement, but can't remember why. Probably because we don't know which reimport is the latest version. And there can be multiple latest versions, probably one per branch.
Filipe P.
·
·
I think main problem with designing it is that Dojo is not strictly pinned to VCS projects (like sonarqube is), however I’d start by thinking along the same lines. sonar knows the branch by passing the branch to the scanner (that uploads it). It knows the default branch because it’s explicitly configured in sonarqube Dojo already takes branch on imports. But it complicates as it can have different tests scanning the same branch, not just different branches… However keeping it simple:
Product or Engagement configuration (as Repo is in engagement 🤷) to specify default branch - “baselining” behavior enabled only for these engagements
Reimport “branch” is attached to those findings in the test
Deduplication would only consider findings on this branch and default branch - same finding in other branch is not a duplicate (to avoid missing findings later on)
Whenever an import is done on default branch and finding is marked as duplicate of a non-default branch, it “takes over” that finding
The one in default branch is the active one, the one in non-default becomes duplicate
Some tweaking on how this can happen, to preserve old links and history from the non-default finding (as it’s the oldest)
Branch filter can then be used to see findings only on default branch or any specific branch / pull request / merge request
Andre S.
·
·
Interesting idea. How does deduplication decide which finding is the active (original) one? I could imagine some kind of priority could help. For example I can add a priority on my tests and engagement and the finding which is in the highest priority group become the original/active finding. For this case there needs to be a mechanism to switch the original/active finding in a cluster.
Filipe P.
·
·
which finding is the active (original) one
you mean now or in this setup? I believe now the “latest finding” (the one under analysis) is always the duplicate. In this scenario, I was suggesting that deduplication would consider the “default branch” when doing this. I think it still should keep the oldest as the main one (due to links as I mentioned including the clusters you mention), but it would have to “move it” to the default branch. I haven’t looked into technical details but maybe the original finding could be moved from the test import on the non-default branch to the new test import that is on default branch. And the latest finding the other way around, and marked as duplicate as it would normally be. Anything linked to finding_id would then still be linking to the original finding However this ignores details such as a finding having a date different than the import it belongs to (among other things), not sure if there are expectations on those details
Pedro F.
·
·
Hi all — new guy here, so apologies if I am stepping out of line 🙂 , just testing this out really. Wouldn’t adding a strong “branch” concept on top of the already flexible model of Products, Engagements and Tests mostly benefit SAST/SCA use cases? For other test types it feels less natural. DAST baselines are usually tied to a release, environment or deployed version rather than a branch, and infra scans are often even more disconnected from development branches. So maybe instead of a “default branch”, we could think about defining a baseline import set, and then compare other runs against that baseline. In this approach:
1.
a test import set is marked as baseline, regardless of test type
2.
findings in the baseline represent the current product state
3.
findings in other runs are treated as emerging issues
4.
fixes seen outside the baseline are tracked, but would not affect the product score until that (re)import (or set of imports) is promoted to baseline
We could still support automatic baseline selection rules using metadata like branch=main, release tags, environment, etc., but the core logic would not depend on VCS concepts. We could also move most of the version/context metadata from engagement closer to the test import itself, where it naturally belongs. Just a thought — curious if this makes sense, or if there is any specific issue with branch I am missing.
Filipe P.
·
·
IMO that sounds simpler indeed. And it also has the benefit of creating something new rather than using the existing import branch as I suggesting which comes with the issue of retro compatibility with anything using branch However, it’s a similar approach whether it’s branch field in import or a new field in import, it still requires defining how findings are handled when it’s first seen in non-baseline import and then it’s imported into the baseline Or are you suggesting not caring for that? Whenever a finding goes into the baseline import, the other one (and its history) becomes duplicate and maybe an automatic system note is added to the new finding (just to keep some link)? That could work and probably simplify things
Filipe P.
·
·
Could there be multiple “baseline tests” (to support multiple tools)? How do they interact with each other in terms of precedence?
Pedro F.
·
·
Hi, I guess I was suggesting that yes.. but....just "thinking while typing" now... so bear with me and my darkest thoughts 🙂 this is not trivial to map. There are implici ways on how you use defectDojo, how you govern your "produt/engagement" etc. that may change how it can work. one shot linear flow:
Development cycle - lots of branches, commits, PR validations etc. -> (eventually) branch main deployed to staging.

SAST was runned and test results imported (or pushed) to dojo.
SCA runs...
secrets...
...Dast
Someone finds a bug... the thing does not move on. Go back...
New dev cycle, more SAST, DAST, ... (new imports/pushes to dojo??)
AProved... goes to prd...
OK the "last" push means PRD. But...DAST was only in staging... out of step and infra hasn't change (in this case, bear metal or vm for instance) so the previous version aplies. Now, if it moves to production you could "automagically" promote those imports to baseline... So it seems it could sort out "this view for governance" on defectDojo, But, other cenario: Development cenario. Different scanners PMD, SemGrep, SOnar... all pushing to DefectDojo. PR could check status on DefectDojo. Risk Accepted in Dojo etc. then for this the governance on dojo is diferent. and in this "branch" view would be helpful/desirable... are those 2 different view "joinable"? sorry, not much help. But I will think about this and come back.
Filipe P.
·
·
I guess we won’t solve it in OSS after all - https://defectdojocommunity.slack.com/archives/C0A494XJ95G/p1772565341169759?thread_ts=1772565263.075929&cid=C0A494XJ95G 😞
Valentijn S.
·
·
Have you checked out the False Positive history feature that might provide some relief when (re)importing multiple branches: https://github.com/DefectDojo/django-DefectDojo/pull/8125
Filipe P.
·
·
looks interesting to check, thanks!