Hello. I'm using DependencyTrack with DD and have configured the integration to import findings into DD. Sometimes during a reimport a finding gets closed and the same finding is created. As you can see, the Vuln ID from tool is the same. In the new finding I can see an EPSS Score. The rest is equal. I expect an update on the existing finding instead of a new finding. Is this a known issue?
In settings.dist.py you can see for each parser how the findings between imports are matched/deduplicated. For Dependency Track this config is "Dependency Track Finding Packaging Format (FPF) Export": ["component_name", "component_version", "vulnerability_ids"], and "Dependency Track Finding Packaging Format (FPF) Export": DEDUPE_ALGO_HASH_CODE, which means these findings are interpreted as different because of the difference in vulnerability. I guess it could make sense to update the parser to set the unique_id_from_tool field with the uuid from dependency track and switch to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE. Could you try that? And could you raise a GitHub issue about this and post your results/thoughts there? https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/settings.dist.py
I have checked the internal DT uuid. It is already the "Vuln ID from tool" in the finding. So we only need to set the DEDUPE_ALGO_HASH_CODE. We use DD in K8s with Helm. I'm not sure. Would it be enough to add this in my helm configuration?
extraConfigs:
  DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Dependency Track Finding Packaging Format (FPF) Export": "DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE"}'

Just realized you cannot test my suggestion without modifying the parser. The field needed for DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE is unique_id_from_tool, not vuln_id_from_tool.
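To make the two deduplication behaviours discussed above concrete (hash code over component_name/component_version/vulnerability_ids versus matching on unique_id_from_tool first), here is an added, simplified model written for this thread. It is not DefectDojo's own deduplication code: the Finding dataclass, the compute_hash_code function and the sample findings are constructed assumptions, and the hashing is deliberately minimal. It shows why a reimport that only adds an EPSS score already hashes identically, why a changed vulnerability id does not, and how a populated unique_id_from_tool (the DT uuid) lets the UNIQUE_ID_FROM_TOOL_OR_HASH_CODE style of matching still recognise the finding.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical, trimmed-down finding model: only the fields relevant to dedup.
# vuln_id_from_tool is a display id and is NOT consulted by either algorithm;
# unique_id_from_tool is the field the UNIQUE_ID_FROM_TOOL* algorithms compare.
@dataclass
class Finding:
    title: str
    component_name: str
    component_version: str
    vulnerability_ids: Tuple[str, ...]
    vuln_id_from_tool: Optional[str] = None
    unique_id_from_tool: Optional[str] = None
    epss_score: Optional[float] = None  # not part of the hash-code fields

# Field list mirroring the settings.dist.py entry quoted in the thread.
HASHCODE_FIELDS = ("component_name", "component_version", "vulnerability_ids")


def compute_hash_code(finding: Finding, fields=HASHCODE_FIELDS) -> str:
    """Hash the configured fields; list-valued fields are sorted so order does not matter."""
    parts = []
    for name in fields:
        value = getattr(finding, name)
        if isinstance(value, (tuple, list)):
            value = "|".join(sorted(value))
        parts.append(f"{name}={value}")
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def is_duplicate_hash_code(new: Finding, existing: Finding) -> bool:
    """DEDUPE_ALGO_HASH_CODE style: equal only if the hashed fields are equal."""
    return compute_hash_code(new) == compute_hash_code(existing)


def is_duplicate_unique_id_or_hash(new: Finding, existing: Finding) -> bool:
    """UNIQUE_ID_FROM_TOOL_OR_HASH_CODE style (simplified): a matching tool uuid is
    enough; otherwise fall back to the hash-code comparison."""
    if new.unique_id_from_tool and existing.unique_id_from_tool:
        if new.unique_id_from_tool == existing.unique_id_from_tool:
            return True
    return is_duplicate_hash_code(new, existing)


# Constructed sample findings (placeholder uuid and ids, not real data).
EXISTING = Finding(
    title="Vulnerable dependency", component_name="example-lib",
    component_version="1.2.3", vulnerability_ids=("CVE-0000-0001",),
    vuln_id_from_tool="00000000-0000-4000-8000-000000000001",
    unique_id_from_tool="00000000-0000-4000-8000-000000000001",
)
# Reimport that only adds an EPSS score: hashed fields unchanged.
REIMPORT_EPSS_ONLY = Finding(
    title="Vulnerable dependency", component_name="example-lib",
    component_version="1.2.3", vulnerability_ids=("CVE-0000-0001",),
    vuln_id_from_tool="00000000-0000-4000-8000-000000000001",
    unique_id_from_tool="00000000-0000-4000-8000-000000000001",
    epss_score=0.42,
)
# Reimport where the tool now reports an extra alias id: hash changes, uuid does not.
REIMPORT_EXTRA_VULN_ID = Finding(
    title="Vulnerable dependency", component_name="example-lib",
    component_version="1.2.3", vulnerability_ids=("CVE-0000-0001", "GHSA-xxxx-xxxx-xxxx"),
    vuln_id_from_tool="00000000-0000-4000-8000-000000000001",
    unique_id_from_tool="00000000-0000-4000-8000-000000000001",
)


def run_examples() -> dict:
    """Return the dedup decisions for the constructed cases."""
    return {
        "epss_only_hash": is_duplicate_hash_code(REIMPORT_EPSS_ONLY, EXISTING),
        "extra_vuln_id_hash": is_duplicate_hash_code(REIMPORT_EXTRA_VULN_ID, EXISTING),
        "extra_vuln_id_unique_or_hash": is_duplicate_unique_id_or_hash(REIMPORT_EXTRA_VULN_ID, EXISTING),
    }


if __name__ == "__main__":
    for case, verdict in run_examples().items():
        print(f"{case}: duplicate={verdict}")
```

The point to take from it is the distinction the thread arrives at: whichever id is displayed as "Vuln ID from tool" does not feed the hash, so only populating unique_id_from_tool in the parser and switching the per-parser algorithm changes the match outcome for the second case.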
Can I see in DD if unique_id_from_tool is set on a finding?
I have looked into a finding imported by DT and the parser. I think the DT parser needs some fixes. Before I go further, can you give me some details? The finding model has the fields cve and vuln_id_from_tool. What is the difference? Are there any recommendations on how to use them? Is there a specific parser which can be used as a best practice example?
I raised an issue for this problem https://github.com/DefectDojo/django-DefectDojo/issues/14345 and provided a PR https://github.com/DefectDojo/django-DefectDojo/pull/14346
Thanks, looks good at first sight.

