Depenency Track Parser doesn't set unique_id_from_tool

Findings from Dependency Track import will be recreated (old is closed, new one is created) when new vulnerability_ids are added by DT. This can not be fixed by setting deduplication algorithm to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE because the parser sets the DT uuid to vuln_id_from_tool. But it has to be unique_id_from_tool.

See also discussion on Slack https://defectdojocommunity.slack.com/archives/C0A4DBKANDS/p1771402183329359

**Steps to reproduce**
Steps to reproduce the behavior:
1. Import Dependency Track finding with only a CVE vuln id
2. Reimport the same finding with an additional alias with a GHSA id

**Expected behavior**
The existing finding should get an update and stay open.

**Deployment method** *(select with an `X`)*
- [ ] Docker Compose
- [x] Kubernetes
- [ ] GoDojo

**Environment information**
 - DefectDojo version v. 2.55.1 

**Screenshots**

E-Mail:

<img width="661" height="480" alt="Image" src="https://github.com/user-attachments/assets/17b69353-d341-4bc2-bfb9-6894145e5533" />

New and old finding:

<img width="2430" height="994" alt="Image" src="https://github.com/user-attachments/assets/fe57e968-ea7f-4fd9-b220-04851fca8227" />


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Depenency Track Parser doesn't set unique_id_from_tool #14345

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Depenency Track Parser doesn't set unique_id_from_tool #14345

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions