Deduplication dedupe the oldest vulnerability #11948

Open
SeekNHack opened this issue Mar 5, 2025 · 5 comments
Comments

@SeekNHack

Be informative
I am running DefectDojo on Docker via Portainer. I set an env var to duplicate my test 'Pen Test' using Unique Id From Tool (which I calculate using a self-made Python library that uses the API). My Unique Id is calculated from: Endpoint (host, port, protocol), IP Address and Vulnerability Title.

Bug description
Duplication seems to work, but DefectDojo sets the oldest vulnerability (with a lower id and date) as "Duplicate" instead of the newest.

Expected behavior
The newest vulnerability is marked as "Duplicated".

Deployment method (select with an X)

  • [x] Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Operating System: Debian GNU/Linux 12 (bookworm)
  • Docker Compose version: 1
  • DefectDojo version (see footer): v. 2.43.3 ( release mode )

Screenshots
In this example, they have the same UNIQUE ID FROM TOOL but some differences in Severity, Date and description. They are in 2 different Engagements.

[screenshot]

How can I fix this?

@SeekNHack SeekNHack added the bug label Mar 5, 2025
@valentijnscholten
Member

Can you elaborate the exact steps that you take? Did you create your own parser which sets the unique_id_from_tool and then you see the behaviour? Or are you manipulating the unique_id_from_tool via the API and using an existing parser/scantype?

@SeekNHack
Author

SeekNHack commented Mar 6, 2025

Yes

Creation of Product, Engagement, Test and Finding via API

First of all, I created via API a product, an engagement, and a test (test type named Pen Test) and uploaded 2 findings via API.

Set up custom parser

Then, I set up in my env this variable:
DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Pen Test": "unique_id_from_tool"}' in uwsgi and both celerys.

Deduplication test

I created a new finding (it's the info one in the screenshot) in a different Engagement, with a test of type Pen Test in it, with the same Unique ID (inserted manually, not via API, to test the duplication). Then I ran this command in Docker:

docker exec -it defectdojo-uwsgi-1 ./manage.py dedupe --parser "Pen Test" --dedupe_only

After 5 minutes, I found the oldest vulnerability was checked as Duplicated, like in the screenshot.
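The ordering rule at the centre of this report, as an added Python example that is not DefectDojo's own code: one function builds a unique id from the fields the reporter lists (endpoint host, port, protocol, IP address and title), one deduplicates by that id while always keeping the oldest finding (earliest date, then lowest id) as the original, and one shows the naive "first processed wins" variant that produces the reported symptom when the newest finding happens to be processed first. The `Finding` class, the hash composition, the sample findings and the field names are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    """Minimal stand-in for a DefectDojo finding (constructed for this example)."""
    id: int
    title: str
    date: date
    engagement: str
    severity: str
    host: str
    port: int
    protocol: str
    ip: str
    unique_id_from_tool: str = ""
    duplicate: bool = False
    duplicate_finding_id: Optional[int] = None


def compute_unique_id(host: str, port: int, protocol: str, ip: str, title: str) -> str:
    """Hash the fields the reporter uses (endpoint, IP, title) into a stable id.

    Field order and normalisation are this example's choice, not DefectDojo's.
    """
    canonical = "|".join([host.lower(), str(port), protocol.lower(), ip, title.strip().lower()])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def dedupe_by_unique_id(findings: list[Finding]) -> list[Finding]:
    """Within each unique-id group keep the oldest finding (earliest date, then
    lowest id) as the original and flag every later one as its duplicate."""
    groups: dict[str, list[Finding]] = {}
    for f in findings:
        groups.setdefault(f.unique_id_from_tool, []).append(f)
    for group in groups.values():
        ordered = sorted(group, key=lambda f: (f.date, f.id))
        original = ordered[0]
        original.duplicate = False
        original.duplicate_finding_id = None
        for newer in ordered[1:]:
            newer.duplicate = True
            newer.duplicate_finding_id = original.id
    return findings


def dedupe_in_arrival_order(findings: list[Finding]) -> list[Finding]:
    """Naive variant: whichever finding is processed first becomes the original.

    If a background worker processes the newest finding before the older one,
    the older finding ends up flagged as the duplicate, which is the symptom
    described in this issue."""
    seen: dict[str, Finding] = {}
    for f in findings:
        first = seen.get(f.unique_id_from_tool)
        if first is None:
            seen[f.unique_id_from_tool] = f
            f.duplicate, f.duplicate_finding_id = False, None
        else:
            f.duplicate, f.duplicate_finding_id = True, first.id
    return findings


def build_sample() -> list[Finding]:
    """Two constructed findings in different engagements sharing one unique id."""
    uid = compute_unique_id("app.example.test", 443, "https", "198.51.100.10",
                            "Outdated TLS configuration")
    older = Finding(101, "Outdated TLS configuration", date(2025, 2, 20), "Engagement A",
                    "Medium", "app.example.test", 443, "https", "198.51.100.10", uid)
    newer = Finding(205, "Outdated TLS configuration", date(2025, 3, 5), "Engagement B",
                    "Info", "app.example.test", 443, "https", "198.51.100.10", uid)
    return [older, newer]


if __name__ == "__main__":
    print("date-ordered dedupe:")
    for f in dedupe_by_unique_id(build_sample()):
        print(f" {f.id} {f.date} {f.engagement}: {'duplicate' if f.duplicate else 'original'}")
    print("arrival-ordered dedupe, newest processed first:")
    for f in dedupe_in_arrival_order(list(reversed(build_sample()))):
        print(f" {f.id} {f.date} {f.engagement}: {'duplicate' if f.duplicate else 'original'}")
```

Running the script shows the two outcomes side by side: the date-ordered pass always flags finding 205 (the newer one) as a duplicate of 101, while the arrival-ordered pass flags 101 as soon as 205 is processed first, independent of which one is older.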

@valentijnscholten
Member

@SeekNHack Could you try again after applying the changes from https://github.com/DefectDojo/django-DefectDojo/pull/11964/files ?

@SeekNHack
Author

@valentijnscholten It works!

@valentijnscholten
Member

@SeekNHack Turns out that the ordering was already correct even without the PR. Could it be that you ran into a timing issue? Dedupe happens in the background, so even with the correct ordering there could be small timing differences, especially if you have multiple celery workers.
