Include analysis.detail from Dependency Track FPF in finding description#14931
Open
webdevred wants to merge 2 commits into
When Dependency Track sends findings via the Finding Packaging Format, the analysis.detail field is now forwarded alongside analysis.state. This appends the audit detail text to the finding description under an "Audit Detail:" label, making analyst notes visible without switching back to Dependency Track.
Show Dependency Track audit detail in finding description
When Dependency Track pushes findings via the Finding Packaging Format, analysts can attach free-text notes to each finding through the analysis.detail field. This field was already parsed and available in the FPF document but was silently ignored, so auditors working in DefectDojo had no way to see those notes without going back to Dependency Track.

This appends the audit detail to the finding description under an "Audit Detail:" label when present. Findings without audit detail are unaffected. The change requires Dependency Track 4.14.0 or later, which is when analysis.detail was added to the FPF output (see companion PR in the Dependency Track repo).

Related to DependencyTrack/dependency-track#6181
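The behaviour described in the PR description and commit message above, as an added stand-alone example (not DefectDojo's parser and not code from this PR): it reads a constructed FPF document, appends `analysis.detail` under an "Audit Detail:" label only when it is non-empty, leaves findings without detail untouched, and checks `meta.version` against 4.14.0, since older exports never carry the field. The FPF key layout (`findings[].component/vulnerability/analysis`, `meta.version`) and the "Analysis State:" label are assumptions.

```python
import json
from typing import Any

# Constructed sample FPF document, not real Dependency Track output.
# Key layout follows the Finding Packaging Format as assumed here.
SAMPLE_FPF = json.dumps({
    "version": "1.2",
    "meta": {"application": "Dependency-Track", "version": "4.14.0"},
    "findings": [
        {
            "component": {"name": "example-lib", "version": "1.0.0"},
            "vulnerability": {"vulnId": "EXAMPLE-0001",
                              "description": "Constructed finding."},
            "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True,
                         "detail": "Vulnerable code path is never reached."},
        },
        {
            "component": {"name": "other-lib", "version": "2.3.4"},
            "vulnerability": {"vulnId": "EXAMPLE-0002",
                              "description": "Another constructed finding."},
            "analysis": {"state": "IN_TRIAGE", "isSuppressed": False},
        },
    ],
})


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.14.0' (or '4.14.0-SNAPSHOT') into a comparable tuple."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def supports_audit_detail(doc: dict[str, Any]) -> bool:
    """analysis.detail only appears in exports from Dependency Track >= 4.14.0."""
    version = doc.get("meta", {}).get("version", "0")
    return parse_version(version) >= (4, 14, 0)


def build_description(finding: dict[str, Any]) -> str:
    """Compose the description, appending the analyst note only when present."""
    vuln = finding.get("vulnerability", {})
    analysis = finding.get("analysis") or {}
    parts = [vuln.get("description", "").strip()]
    state = analysis.get("state")
    if state:
        parts.append(f"Analysis State: {state}")  # label is an assumption
    # Detail is free text typed by an analyst; whitespace-only counts as absent.
    detail = (analysis.get("detail") or "").strip()
    if detail:
        parts.append(f"Audit Detail: {detail}")
    return "\n\n".join(p for p in parts if p)


def descriptions_from_fpf(raw: str) -> dict[str, str]:
    """Map each vulnId to the description an importer would store."""
    doc = json.loads(raw)
    return {f["vulnerability"]["vulnId"]: build_description(f)
            for f in doc.get("findings", [])}
```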