fix_available tag and fixable count not updating on re-import scans #13627

@Kasyap7

Description

Bug description
The fix_available tag in report is not being updated correctly when re-importing the scans (tested with Anchore Engine scan reports).

When a new scan report is re-imported and contains fixes for previously detected vulnerabilities, the mitigation field is not being updated accordingly.

Steps to reproduce

  1. Import an initial Anchore Engine scan report into an engagement with the following settings: (Used many_vulns.json)
    Active: True
    Verified: True
    Scan Type: Anchore Engine Scan
    Apply Tags to Findings: Checked
    Apply Tags to Endpoints: Checked
    Group By: Component Name
    Create finding groups for all findings: Checked

  2. Modify the initial scan report by adding fixes for a few vulnerabilities (for example, changing entries from fix: None to include an actual fix version).

  3. Re-import the modified scan report with the following settings:
    Active: True
    Verified: True
    Close old findings: Checked
    Apply Tags to Endpoints: Checked
    Group By: Component Name
    Create finding groups for all findings: Checked

  4. Observe that:
    • The mitigation field remains unchanged.
    • The fix_available tag is not updated and still reflects the old status.

Expected behavior
During re-import, if the new scan includes fixes for existing findings, both the mitigation field and the fix_available tag should update accordingly.

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Operating System: Linux
  • Docker Compose : v2.40.2
  • DefectDojo version: 2.50.0+

Logs
No explicit errors observed in logs — re-import completes successfully but the mitigation and fix_available fields, as well as the Fixable count in test view, remain unchanged.

Screenshots
Initial upload result: [screenshot]

Re-imported test result: [screenshot]

Additional context
When the same scan is uploaded as a new test in the engagement (instead of re-importing), both the fix_available tag and Fixable count update correctly.

This indicates that the re-import logic might not be updating the mitigation, fix status, or fixable statistics fields.
I also tested this issue on the DefectDojo demo instance and observed the same results.

Question:
Is there a configuration variable or flag controlling whether the mitigation and fix-related fields update during re-import?
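Added example, not part of this issue or of DefectDojo's own code: a small script that compares the original Anchore Engine report with its modified revision and lists which findings gained a fix version, giving the set of findings whose mitigation and fix_available tag a re-import is expected to update and the Fixable count the test view should show afterwards. The report layout (a top-level "vulnerabilities" list with "vuln", "package" and "fix" keys), the no-fix marker values, and the sample reports are assumptions.

```python
import json

# Values the Anchore Engine "fix" field carries when no fix version is known
# (assumed; the issue shows entries changing from fix: None to a version).
NO_FIX_VALUES = {"", "none", "unknown"}


def has_fix(entry):
    """True when the entry's fix field names an actual fix version."""
    fix = entry.get("fix")
    return fix is not None and str(fix).strip().lower() not in NO_FIX_VALUES


def index_by_finding(report):
    """Map (vuln id, package) -> entry; that pair identifies a finding."""
    return {(v["vuln"], v["package"]): v for v in report.get("vulnerabilities", [])}


def fix_changes(original, reimported):
    """Return (newly_fixable, fixable_count): findings whose fix field went
    from no-fix to a version between the two reports, and how many findings
    in the re-imported report carry a fix at all (the expected Fixable count)."""
    before = index_by_finding(original)
    after = index_by_finding(reimported)
    newly_fixable = sorted(
        key for key, entry in after.items()
        if has_fix(entry) and key in before and not has_fix(before[key])
    )
    fixable_count = sum(1 for entry in after.values() if has_fix(entry))
    return newly_fixable, fixable_count


# Constructed sample reports (not real scan output): CVE ids and package
# names are placeholders laid out like an Anchore Engine report.
ORIGINAL_REPORT = json.loads("""{"vulnerabilities": [
  {"vuln": "CVE-0000-0001", "package": "pkga-1.0", "fix": "None", "severity": "High"},
  {"vuln": "CVE-0000-0002", "package": "pkgb-2.1", "fix": "None", "severity": "Medium"},
  {"vuln": "CVE-0000-0003", "package": "pkgc-0.9", "fix": "0.9-2", "severity": "Low"}]}""")

# Revision re-imported over the same test: CVE-0000-0001 gained a fix version.
REIMPORTED_REPORT = json.loads("""{"vulnerabilities": [
  {"vuln": "CVE-0000-0001", "package": "pkga-1.0", "fix": "1.0-3", "severity": "High"},
  {"vuln": "CVE-0000-0002", "package": "pkgb-2.1", "fix": "None", "severity": "Medium"},
  {"vuln": "CVE-0000-0003", "package": "pkgc-0.9", "fix": "0.9-2", "severity": "Low"}]}""")

if __name__ == "__main__":
    newly, count = fix_changes(ORIGINAL_REPORT, REIMPORTED_REPORT)
    print("findings that should now be tagged fix_available:", newly)
    print("expected Fixable count after re-import:", count)
```

Running it against the two real reports used in the reproduction gives the list of findings to check in the test view after re-import.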
