
Fix Contrast parser collapsing findings with the same rule name#14714

Merged
mtesauro merged 3 commits into DefectDojo:bugfix from Jino-T:contrast-parser-update on Apr 24, 2026

Conversation

@Jino-T Jino-T commented Apr 20, 2026

[sc-12973]

Summary

  • The dupe_key in the Contrast parser was hashed from vuln_id_from_tool (Rule Name), causing all findings of the same rule type (e.g. ldap-injection) to be collapsed into a single finding
  • Changed the dupe_key to hash unique_id_from_tool (Vulnerability ID) instead, since each Contrast Vulnerability ID uniquely identifies a distinct finding instance
  • The existing merge/aggregation block is retained as a safety net for the edge case of duplicate Vulnerability IDs in a report

Test plan

  • test_ldap_multiple_findings — verifies that 3 findings with the same Rule Name but different Vulnerability IDs are returned as 3 distinct findings (regression test for the bug)
  • test_duplicate_vuln_id_is_merged — verifies the merge safety net still works when a Vulnerability ID appears twice in a report
  • test_example_report and test_example2_report — existing tests updated to reflect correct post-fix finding counts
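To make the effect of the key change concrete, here is an added, self-contained example (not DefectDojo's parser code and not the PR author's) that feeds a constructed Contrast-style CSV through both dedup keys: the pre-fix key hashed from the Rule Name collapses three ldap-injection findings into one, while keying on the Vulnerability ID keeps them distinct and still merges a repeated ID through the same safety-net aggregation the PR keeps. The Finding class, the CSV rows and IDs, and the fallback key for a row whose ID is empty are assumptions of this example, not the project's code.

```python
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed sample report using the two columns the PR names ("Rule Name" and
# "Vulnerability ID"); IDs and titles are made up, and the last row deliberately
# repeats a Vulnerability ID so the merge safety net is exercised.
SAMPLE_CSV = """\
Vulnerability ID,Rule Name,Vulnerability Name,Severity
AAAA-1111,ldap-injection,LDAP Injection via filter parameter on /login,High
BBBB-2222,ldap-injection,LDAP Injection via q parameter on /search,High
CCCC-3333,ldap-injection,LDAP Injection via dn parameter on /admin,High
CCCC-3333,ldap-injection,LDAP Injection via dn parameter on /admin,High
"""


@dataclass
class Finding:
    """Minimal stand-in for the parser's finding object (assumed shape, not DefectDojo's model)."""
    title: str
    severity: str
    vuln_id_from_tool: str      # Contrast "Rule Name", e.g. ldap-injection
    unique_id_from_tool: str    # Contrast "Vulnerability ID"
    nb_occurences: int = 1      # bumped when a dupe_key repeats


def findings_from_csv(text: str):
    """Turn each row of a Contrast-style CSV export into a Finding."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Finding(
            title=row["Vulnerability Name"],
            severity=row["Severity"],
            vuln_id_from_tool=row["Rule Name"],
            unique_id_from_tool=row["Vulnerability ID"],
        )


def rule_name_key(finding: Finding) -> str:
    """Pre-fix behaviour: key derived from the Rule Name, so every finding of one rule collides."""
    return hashlib.sha256(f"{finding.vuln_id_from_tool}".encode()).hexdigest()


def vuln_id_key(finding: Finding) -> str:
    """Post-fix behaviour: the tool's own Vulnerability ID used directly, as the review suggested.

    Assumed fallback (not part of the PR): a row with an empty ID gets a key from its rule name
    and title, so rows lacking an ID do not all collapse onto one key.
    """
    if finding.unique_id_from_tool:
        return finding.unique_id_from_tool
    return hashlib.sha256(f"{finding.vuln_id_from_tool}|{finding.title}".encode()).hexdigest()


def aggregate(findings, key_func) -> list:
    """Collapse findings that share a dupe_key; a repeated key increments nb_occurences instead."""
    merged = {}
    for finding in findings:
        key = key_func(finding)
        if key in merged:
            merged[key].nb_occurences += 1   # the safety net the PR retains
        else:
            merged[key] = finding
    return list(merged.values())


if __name__ == "__main__":
    before = aggregate(findings_from_csv(SAMPLE_CSV), rule_name_key)
    after = aggregate(findings_from_csv(SAMPLE_CSV), vuln_id_key)
    print(f"keyed on Rule Name:        {len(before)} finding(s)")
    print(f"keyed on Vulnerability ID: {len(after)} finding(s)")
    for f in after:
        print(f"  {f.unique_id_from_tool}  x{f.nb_occurences}  {f.title}")
```

Running it shows the regression the PR fixes (one finding instead of three under the old key) alongside the retained merge behaviour (the duplicated CCCC-3333 row becomes a single finding with nb_occurences of 2).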

@Jino-T Jino-T force-pushed the contrast-parser-update branch from 015fd9d to 2ad265b on April 22, 2026 15:24
@Maffooch Maffooch added this to the 2.57.3 milestone Apr 22, 2026
Comment thread on dojo/tools/contrast/parser.py (Outdated)

dupe_key = hashlib.sha256(
f"{finding.vuln_id_from_tool}".encode(),
f"{finding.unique_id_from_tool}".encode(),
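Review bot: the replacement line still wraps the value in an f-string, so if unique_id_from_tool can be None or empty for a row, every such row would yield the same dupe_key (the literal text "None" or the empty string) and the retained aggregation block would merge them all into one finding, which is the same class of collapse this PR is fixing. Guard the missing-ID case before building the key (for example, fall back to a key built from the rule name and other row fields when the ID is absent), whether the ID is hashed or used directly.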
Member


We might as well just use unique_id_from_tool and not hash it?

Contributor Author


I agree, might as well save the extra work. Makes it easier to debug too.

No need to SHA256-hash a string that is already a usable dict key.
Aligns with the dominant pattern across parsers that use the tool's
native ID directly rather than computing a hash of it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit f5ece47 into DefectDojo:bugfix Apr 24, 2026
157 checks passed