fix(github_sast): set unique_id_from_tool for dedup by samiat4911 · Pull Request #14591 · DefectDojo/django-DefectDojo

Description

Fixes #13681.
The Github SAST Scan parser was previously missing a unique_id_from_tool mapping and its deduplication algorithm fallback (DEDUPE_ALGO_HASH_CODE) included the line field. Because GitHub alerts frequently change lines during natural development, this caused duplicate findings to be created for the same alert on reimport.

This PR fixes the issue by:

  1. Extracting the stable alert number field from the GitHub JSON and mapping it to unique_id_from_tool in the GithubSASTParser.
  2. Setting the deduplication configuration for Github SAST Scan to use DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL in settings.dist.py.
# dojo/tools/github_sast/parser.py
finding = Finding(
    ...
    vuln_id_from_tool=rule_id,
    unique_id_from_tool=str(vuln.get("number")),
)

Test results

Extended the test suite in unittests/tools/test_github_sast_parser.py to ensure the new mapping is successfully parsed.

# unittests/tools/test_github_sast_parser.py
self.assertEqual("35", finding.unique_id_from_tool)
  • Ran local pytest manually for unittests.tools.test_github_sast_parser. All tests passed.
  • Verified parser extraction logic via a standalone script across multiple fixtures (github_sast_one_vul.json, github_sast_many_vul.json).

Documentation

No documentation updates are necessary for this bug fix as it aligns the parser with expected DefectDojo deduplication behavior without changing user-facing configurations.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is Ruff compliant (see ruff.toml).
  • Your code is python 3.13 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.
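To illustrate the deduplication behaviour the description above refers to, here is a self-contained example (added here; not code from this PR or from DefectDojo). It uses a constructed pair of GitHub code-scanning alert snapshots for the same alert `number` whose reported line has moved between scans, a minimal `Finding` stand-in, a simplified hash-code key that includes `line` (standing in for the old `DEDUPE_ALGO_HASH_CODE` fallback; DefectDojo's real hashing is more involved), and a unique-id key. The field names `most_recent_instance`, `location`, `start_line` and `rule` follow the GitHub code-scanning alert JSON shape; the `Finding` class, `hash_code_key` and `reimport_duplicates` are assumptions made for this example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the same GitHub alert (number 35) captured twice.
# Between the two scans the file shifted, so the reported line moved from 12 to 18.
ALERT_SNAPSHOT_1 = json.dumps([{
    "number": 35,
    "rule": {"id": "js/xss", "severity": "error",
             "description": "Reflected cross-site scripting"},
    "most_recent_instance": {
        "location": {"path": "src/app.js", "start_line": 12},
        "message": {"text": "User-provided value flows into HTML output."},
    },
}])
ALERT_SNAPSHOT_2 = json.dumps([{
    "number": 35,
    "rule": {"id": "js/xss", "severity": "error",
             "description": "Reflected cross-site scripting"},
    "most_recent_instance": {
        "location": {"path": "src/app.js", "start_line": 18},
        "message": {"text": "User-provided value flows into HTML output."},
    },
}])


@dataclass
class Finding:
    """Minimal stand-in for the fields relevant to deduplication (hypothetical)."""
    title: str
    file_path: str
    line: int
    vuln_id_from_tool: str
    unique_id_from_tool: Optional[str]


def parse_alerts(raw_json: str) -> List[Finding]:
    """Parse GitHub code-scanning alerts, mapping the stable alert number to unique_id_from_tool."""
    findings = []
    for vuln in json.loads(raw_json):
        rule = vuln.get("rule", {})
        location = vuln.get("most_recent_instance", {}).get("location", {})
        number = vuln.get("number")
        findings.append(Finding(
            title=rule.get("description") or rule.get("id", ""),
            file_path=location.get("path", ""),
            line=int(location.get("start_line", 0)),
            vuln_id_from_tool=rule.get("id", ""),
            # Guard against a missing number so "None" never becomes a shared id.
            unique_id_from_tool=str(number) if number is not None else None,
        ))
    return findings


def hash_code_key(finding: Finding) -> str:
    """Simplified hash-code style key that includes `line`, so it changes when code shifts."""
    material = "|".join([finding.title, finding.file_path, str(finding.line)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def unique_id_key(finding: Finding) -> Optional[str]:
    """Key based solely on the tool's own stable identifier."""
    return finding.unique_id_from_tool


def dedupe(existing: List[Finding], incoming: List[Finding],
           key_fn: Callable[[Finding], Optional[str]]) -> List[Finding]:
    """Return the incoming findings that do not match an existing one under key_fn."""
    seen = {key_fn(f) for f in existing}
    return [f for f in incoming if key_fn(f) not in seen]


def reimport_duplicates(key_fn: Callable[[Finding], Optional[str]]) -> int:
    """How many findings from snapshot 2 would be created as new after importing snapshot 1."""
    first = parse_alerts(ALERT_SNAPSHOT_1)
    second = parse_alerts(ALERT_SNAPSHOT_2)
    return len(dedupe(first, second, key_fn))


if __name__ == "__main__":
    print("new findings with line-based hash key:", reimport_duplicates(hash_code_key))
    print("new findings with unique_id_from_tool:", reimport_duplicates(unique_id_key))
```

Running the script shows the line-based key treating the shifted alert as a new finding, while keying on `unique_id_from_tool` recognises it as the same alert and creates nothing on reimport.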