diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index 04a8fddc72f..ed258ebf6d6 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
@@ -154,6 +154,9 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
 analysis = dependency_track_finding.get("analysis")
 is_false_positive = bool(analysis is not None and analysis.get("state") == "FALSE_POSITIVE")
 
+ if analysis is not None and analysis.get("detail"):
+ vulnerability_description = f"Audit Detail: {analysis['detail']}\n\n{vulnerability_description}"
+
 # Get the EPSS details
 epss_percentile = dependency_track_finding["vulnerability"].get("epssPercentile", None)
 
diff --git a/unittests/scans/dependency_track/one_finding_with_analysis_detail.json b/unittests/scans/dependency_track/one_finding_with_analysis_detail.json
new file mode 100644
index 00000000000..1367b45ac88
--- /dev/null
+++ b/unittests/scans/dependency_track/one_finding_with_analysis_detail.json
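Review bot: The new `if` at the top of the hunk reads `analysis.get("detail")` to test presence and then `analysis['detail']` again inside the f-string; binding it once avoids the double lookup and the single-quoted key the f-string forces, e.g. `detail = analysis.get("detail")` / `if detail:` / `vulnerability_description = f"Audit Detail: {detail}\n\n{vulnerability_description}"`. The detail is analyst free text from the Dependency-Track audit trail, so it is worth stripping before prepending; otherwise trailing whitespace or newlines in the detail produce stray blank lines ahead of the existing description. Whether `vulnerability_description` is always a `str` at this point is not visible in the hunk; if it can be `None`, the f-string would embed the literal text `None`. `_convert_dependency_track_finding_to_dojo_finding` starts and ends outside the hunk.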
@@ -0,0 +1,42 @@
+ {
+ "meta": {
+ "application": "Dependency-Track",
+ "version": "4.14.0",
+ "timestamp": "2026-01-01T00:00:00Z"
+ },
+ "findings": [
+ {
+ "component": {
+ "name": "log4j-core",
+ "project": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4",
+ "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+ "uuid": "c8a65fcd-dbf4-41eb-b1ec-55e67c91b22b",
+ "version": "2.14.1"
+ },
+ "attribution": {
+ "analyzerIdentity": "INTERNAL_ANALYZER",
+ "attributedOn": "2026-01-01 00:00:00.000"
+ },
+ "vulnerability": {
+ "uuid": "f8469ce4-019a-4482-8510-624dcf65f005",
+ "source": "NVD",
+ "vulnId": "CVE-2021-44228",
+ "severity": "CRITICAL",
+ "description": "Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP.",
+ "aliases": []
+ },
+ "analysis": {
+ "state": "IN_TRIAGE",
+ "isSuppressed": false,
+ "detail": "Reviewed and confirmed vulnerable. Upgrade scheduled for next sprint."
+ },
+ "matrix": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4:c8a65fcd-dbf4-41eb-b1ec-55e67c91b22b:f8469ce4-019a-4482-8510-624dcf65f005"
+ }
+ ],
+ "project": {
+ "name": "test-app",
+ "uuid": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4",
+ "version": "1.0.0"
+ },
+ "version": "1.3"
+ }
diff --git a/unittests/tools/test_dependency_track_parser.py b/unittests/tools/test_dependency_track_parser.py
index 1fdbfb73427..661e949bb69 100644
--- a/unittests/tools/test_dependency_track_parser.py
+++ b/unittests/tools/test_dependency_track_parser.py
@@ -168,3 +168,10 @@ def test_dependency_track_parser_findings_with_epss_score(self):
 self.assertEqual(0.07756, findings[0].epss_percentile)
 self.assertEqual(4.2, findings[0].cvssv3_score)
 self.assertIn("CVE-2023-45803", findings[0].unsaved_vulnerability_ids)
+
+ def test_dependency_track_parser_finding_with_analysis_detail(self):
+ with (get_unit_tests_scans_path("dependency_track") / "one_finding_with_analysis_detail.json").open(encoding="utf-8") as testfile:
+ parser = DependencyTrackParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(1, len(findings))
+ self.assertIn("Audit Detail: Reviewed and confirmed vulnerable. Upgrade scheduled for next sprint.", findings[0].description)
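Review bot: The new test's last assertion only checks that the audit-detail text appears somewhere in `findings[0].description`, so it would still pass if the detail were appended instead of prepended, or if the original description were dropped. Pinning the placement is cheap: `self.assertTrue(findings[0].description.startswith("Audit Detail: Reviewed and confirmed vulnerable."))`, and, if the parser carries the fixture's vulnerability description into the finding description, an `assertIn` on a phrase from it would confirm nothing was lost. A companion case whose `analysis` block has no `detail` (the new fixture's `state` is `IN_TRIAGE`; the existing fixtures are not visible here) should assert that `"Audit Detail:"` is absent, guarding against the prefix being added unconditionally.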