Include analysis.detail from Dependency Track FPF in finding description #14931
webdevred wants to merge 3 commits into
| is_false_positive = bool(analysis is not None and analysis.get("state") == "FALSE_POSITIVE") | ||
|
|
||
| if analysis is not None and analysis.get("detail"): | ||
| vulnerability_description = f"Audit Detail: {analysis['detail']}\n\n{vulnerability_description}" |
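Review bot: the `analysis is not None` guard is evaluated twice, once in `is_false_positive` and again in the new `if analysis is not None and analysis.get("detail"):`; normalising once with `analysis = analysis or {}` ahead of both uses would let the new condition read `if analysis.get("detail"):` and keep the two lines consistent. Also, `analysis['detail']` is free text typed by an analyst and taken straight from the uploaded FPF document, and the f-string embeds it unmodified; wrapping it as `str(analysis['detail']).strip()` would keep the `Audit Detail:` label and the note on one line when the note ends with a newline and avoid surprises if the value is not a string. The ordering question raised in this thread (note before or after the upstream description) is worth settling before merge, since the f-string here fixes it as "note first".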
Wouldn't it make more sense to put the audit detail after the description? Or maybe even in the impact field?
Good point, happy to discuss. My reasoning for putting it first: the audit detail is analyst-added context specific to this finding in your environment, whereas the vulnerability description is generic upstream text. When triaging, the analyst note is usually the more immediately relevant piece. Open to changing it if you feel strongly though.
On the impact field: that field has a specific semantic meaning (consequence of exploitation), so putting analyst workflow notes there felt wrong.
Also, I'll rebase against bugfix as requested.
valentijnscholten
left a comment
Can you rebase against the bugfix branch?
When Dependency Track sends findings via the Finding Packaging Format, the analysis.detail field is now forwarded alongside analysis.state. This appends the audit detail text to the finding description under an "Audit Detail:" label, making analyst notes visible without switching back to Dependency Track.
06fbd18 to c3494e1
ff3a351 to c3494e1
Show Dependency Track audit detail in finding description
When Dependency Track pushes findings via the Finding Packaging Format, analysts can attach free-text notes to each finding through the analysis.detail field. This field was already parsed and available in the FPF document but was silently ignored, so auditors working in DefectDojo had no way to see those notes without going back to Dependency Track.

This appends the audit detail to the finding description under an "Audit Detail:" label when present. Findings without audit detail are unaffected. The change requires Dependency Track 4.14.0 or later, which is when analysis.detail was added to the FPF output (see companion PR in the Dependency Track repo).

Related to DependencyTrack/dependency-track#6181
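Added example, not DefectDojo's parser or Dependency Track's own code: a small stand-alone function that builds a description from one FPF finding the way the PR description and commit message describe it (analysis.state drives the false-positive flag, analysis.detail is prepended under an "Audit Detail:" label, findings without a note are untouched). The key names findings[].vulnerability.description, findings[].analysis.state and findings[].analysis.detail are taken from the PR text; the function names, the AUDIT_LABEL constant and the sample document are assumptions constructed for illustration, and the sample is not real Dependency Track output.

```python
"""Added example (not DefectDojo's or Dependency Track's code): derive a
finding description and false-positive flag from a Dependency Track FPF
finding, forwarding analysis.state and analysis.detail as the PR describes."""
from __future__ import annotations

import json

# Label used in the PR; the constant name is an assumption for this example.
AUDIT_LABEL = "Audit Detail:"


def describe_finding(finding: dict) -> tuple[str, bool]:
    """Return (description, is_false_positive) for one FPF finding dict.

    Behaviour mirrors the PR: the analyst note (analysis.detail) goes in front
    of the upstream vulnerability description under an "Audit Detail:" label;
    findings with no analysis block, or with an empty note, are unchanged.
    """
    vuln = finding.get("vulnerability") or {}
    description = vuln.get("description") or ""
    # One normalisation covers both uses, so no repeated "is not None" checks.
    analysis = finding.get("analysis") or {}

    is_false_positive = analysis.get("state") == "FALSE_POSITIVE"

    # detail is free text typed by an analyst in Dependency Track; coerce to
    # str and strip so a trailing newline (or a non-string value) cannot break
    # the label line that precedes the upstream description.
    detail = str(analysis.get("detail") or "").strip()
    if detail:
        description = f"{AUDIT_LABEL} {detail}\n\n{description}"
    return description, is_false_positive


def describe_all(fpf_json: str) -> list[tuple[str, bool]]:
    """Parse an FPF document given as JSON text and describe every finding in order."""
    doc = json.loads(fpf_json)
    return [describe_finding(f) for f in doc.get("findings", [])]


# Constructed sample: a minimal FPF-like document built for this example only.
SAMPLE_FPF = json.dumps({
    "findings": [
        {   # analyst marked it a false positive and left a note ending in a newline
            "vulnerability": {"description": "Upstream text."},
            "analysis": {"state": "FALSE_POSITIVE",
                         "detail": "Not reachable: feature disabled.\n"},
        },
        {   # no analysis block at all: description must pass through untouched
            "vulnerability": {"description": "Another upstream text."},
        },
        {   # analysis present but the note is empty: no label is added
            "vulnerability": {"description": "Third."},
            "analysis": {"state": "NOT_AFFECTED", "detail": ""},
        },
    ]
})

if __name__ == "__main__":
    for desc, fp in describe_all(SAMPLE_FPF):
        print(f"false_positive={fp}\n{desc}\n---")
```

Running the block prints the three descriptions; only the first carries the "Audit Detail:" prefix and only the first is flagged as a false positive, which is the "findings without audit detail are unaffected" case from the commit message.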