Initial Import closes findings in other tests

[AndreVirtimo]

The initial import to a new test closes findings in other tests.

I have an engagement with multiple tests based on Dependency Check reports. Deduplication is on engagement scope.

See the slack discussion for more information: https://defectdojocommunity.slack.com/archives/C0A4DBKANDS/p1771564613056809

Steps to reproduce
Steps to reproduce the behavior:

1. Go to engagement
2. Click on Tests menu -> Import Scan Results
3. Select type "Dependency Check Scan" and upload an empty Dependency Check report.
4. Activate "Close old findings"
5. Press "Import"
6. You can now see the notification "No findings were added/updated/closed/reactivated as the report is empty or the findings in Defect Dojo are identical to those in the uploaded report."
7. In the Import History you can the import with x closed findings (should be all other active findings with the same test Type)
   Expected behavior
   This should not close any finding outside the target test.

Deployment method (select with an X)

• Docker Compose
• Kubernetes
• GoDojo

Additional context (optional)
This also happens when you create the new test via the reimport API.

[valentijnscholten]

On Slack you mention this is about Reimport via the API which I think I understand and maybe needs a change/fix (see #14363)

Above you're mentioning Import via the UI which shows expected behaviour. If you upload an empty scan this means there are NO findings anymore and close_old_fidnings will close all existing active findings. If you want to close findings only inside the same test you should use reimport. But first import with close_old_findings=False.

[AndreVirtimo]

I have tried to reproduce the issue with the reimport API in the GUI. Never the less I also see the described behavior as unexpected.

I have done another test. I added a new test and then used the "Re-Upload Scan" in the test. In this case no other findings in other tests get closed. This is the expected behavior for me and should also apply in the "create test with initial import" and "reimport scan via API with automatically test creation" case.

[valentijnscholten]

So are you or are you not seeing the problem when using ReUpload in the UI? It sounds like it's working as expected?

[AndreVirtimo]

I try to summarize.

Expected behavior: An upload of an empty scan into an empty test dosen't affect any existing findings in others tests.

• Create an empty test and use "Re-Upload Scan" in the GUI -> ✅
• Create a new test with "Import Scan Results" -> ❌
• Create a new test with reimport API -> ❌

An import into an empty test should never close any finding.

[valentijnscholten]

When using import and you do not want it to close old findings you should disable that flag on the UI form (or API request). The scope for closing old findings on imports is always either product or engagement. Here's the link posted earlier on Slack: https://docs.defectdojo.com/open_source/archived_docs/usage/features/#deduplication

The third bullet (Create a new test with reimport AP) is a valid concern, for which #14363 was raised.

[AndreVirtimo]

Why should an initial empty import close all findings (with the same type) within the deduplication scope? There is no data to match the empty list to findings outside the test, when the test itself is empty. You. need a findings within the test which is a duplicate of another to close them.

When I have test a and test b with findings and I import an empty scan into a, then the findings only in a and their duplicates gets closed not all other findings with the same type in b.

I see the point that I can switch off the "close old findings" behavior, but this only covers up this unexpected behavior.

Why is this case different?

• Create an empty test
• "Re-Upload Scan" in the GUI with close old findings
• -> no other findings were closed

[valentijnscholten]

The docs describe how deduplication and close_old_findings work. If you have suggestions on how to make the docs more clear, please raise a PR.

In short:

• Import closes findings that are no longer present in the uploaded report. This is in product or engagement scope.
• Reimport closes findings that are no longer present in the uploaded report in Test scope.
  Both are unrelated to the number of duplicates any finding has.

Please try out our suggestions and let us know. Until now the described behaviour is per design.