From 87baa1e809afa0f7c701b679283812d8adcaef4b Mon Sep 17 00:00:00 2001
From: webdevred <148627186+webdevred@users.noreply.github.com>
Date: Thu, 28 May 2026 22:35:34 +0200
Subject: [PATCH 1/2] Include analysis.detail from Dependency Track FPF in finding description

When Dependency Track sends findings via the Finding Packaging Format, the analysis.detail field is now forwarded alongside analysis.state. This appends the audit detail text to the finding description under an "Audit Detail:" label, making analyst notes visible without switching back to Dependency Track.
---
 dojo/tools/dependency_track/parser.py | 3 ++
 .../one_finding_with_analysis_detail.json | 42 +++++++++++++++++++
 .../tools/test_dependency_track_parser.py | 7 ++++
 3 files changed, 52 insertions(+)
 create mode 100644 unittests/scans/dependency_track/one_finding_with_analysis_detail.json

diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index 04a8fddc72f..3f0191ed1c0 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
@@ -154,6 +154,9 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
         analysis = dependency_track_finding.get("analysis")
         is_false_positive = bool(analysis is not None and analysis.get("state") == "FALSE_POSITIVE")
 
+        if analysis is not None and analysis.get("detail"):
+            vulnerability_description += f"\nAudit Detail: {analysis['detail']}"
+
         # Get the EPSS details
         epss_percentile = dependency_track_finding["vulnerability"].get("epssPercentile", None)
 
diff --git a/unittests/scans/dependency_track/one_finding_with_analysis_detail.json b/unittests/scans/dependency_track/one_finding_with_analysis_detail.json
new file mode 100644
index 00000000000..1367b45ac88
--- /dev/null
+++ b/unittests/scans/dependency_track/one_finding_with_analysis_detail.json
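Review bot: The `analysis['detail']` value spliced into `vulnerability_description` is analyst-authored free text taken from the imported FPF file, and the hunk passes it through without any length bound or newline handling, so it should be treated as untrusted input exactly like the vulnerability description it is joined to; whether it is rendered safely depends on how the description field is displayed elsewhere, which the hunk does not show. A short comment above the new `if` would make that explicit, e.g. `# "detail" is free text from the Dependency Track audit; treat it as untrusted like the description`. Separately, if the description participates in this parser's deduplication hash (configured outside this file), an analyst editing the audit note in Dependency Track would change the hash and break matching on reimport — worth confirming before merge. The same point applies to the PATCH 2/2 hunk, which only moves the text to the top of the description. `_convert_dependency_track_finding_to_dojo_finding` begins outside the hunk, so where `vulnerability_description` is first built is not visible here.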
@@ -0,0 +1,42 @@
+{
+  "meta": {
+    "application": "Dependency-Track",
+    "version": "4.14.0",
+    "timestamp": "2026-01-01T00:00:00Z"
+  },
+  "findings": [
+    {
+      "component": {
+        "name": "log4j-core",
+        "project": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4",
+        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+        "uuid": "c8a65fcd-dbf4-41eb-b1ec-55e67c91b22b",
+        "version": "2.14.1"
+      },
+      "attribution": {
+        "analyzerIdentity": "INTERNAL_ANALYZER",
+        "attributedOn": "2026-01-01 00:00:00.000"
+      },
+      "vulnerability": {
+        "uuid": "f8469ce4-019a-4482-8510-624dcf65f005",
+        "source": "NVD",
+        "vulnId": "CVE-2021-44228",
+        "severity": "CRITICAL",
+        "description": "Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP.",
+        "aliases": []
+      },
+      "analysis": {
+        "state": "IN_TRIAGE",
+        "isSuppressed": false,
+        "detail": "Reviewed and confirmed vulnerable. Upgrade scheduled for next sprint."
+      },
+      "matrix": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4:c8a65fcd-dbf4-41eb-b1ec-55e67c91b22b:f8469ce4-019a-4482-8510-624dcf65f005"
+    }
+  ],
+  "project": {
+    "name": "test-app",
+    "uuid": "d38ebf15-96cd-4a01-9bca-7b49b5b0e7c4",
+    "version": "1.0.0"
+  },
+  "version": "1.3"
+}
diff --git a/unittests/tools/test_dependency_track_parser.py b/unittests/tools/test_dependency_track_parser.py
index 1fdbfb73427..661e949bb69 100644
--- a/unittests/tools/test_dependency_track_parser.py
+++ b/unittests/tools/test_dependency_track_parser.py
@@ -168,3 +168,10 @@ def test_dependency_track_parser_findings_with_epss_score(self):
         self.assertEqual(0.07756, findings[0].epss_percentile)
         self.assertEqual(4.2, findings[0].cvssv3_score)
         self.assertIn("CVE-2023-45803", findings[0].unsaved_vulnerability_ids)
+
+    def test_dependency_track_parser_finding_with_analysis_detail(self):
+        with (get_unit_tests_scans_path("dependency_track") / "one_finding_with_analysis_detail.json").open(encoding="utf-8") as testfile:
+            parser = DependencyTrackParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))
+            self.assertIn("Audit Detail: Reviewed and confirmed vulnerable. Upgrade scheduled for next sprint.", findings[0].description)

From 06fbd18664f3fae9f885fbcab8a8fafd7f73ab4f Mon Sep 17 00:00:00 2001
From: webdevred <148627186+webdevred@users.noreply.github.com>
Date: Thu, 28 May 2026 23:32:45 +0200
Subject: [PATCH 2/2] Move audit detail to top of finding description

---
 dojo/tools/dependency_track/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/tools/dependency_track/parser.py b/dojo/tools/dependency_track/parser.py
index 3f0191ed1c0..ed258ebf6d6 100644
--- a/dojo/tools/dependency_track/parser.py
+++ b/dojo/tools/dependency_track/parser.py
@@ -155,7 +155,7 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
         is_false_positive = bool(analysis is not None and analysis.get("state") == "FALSE_POSITIVE")
 
         if analysis is not None and analysis.get("detail"):
-            vulnerability_description += f"\nAudit Detail: {analysis['detail']}"
+            vulnerability_description = f"Audit Detail: {analysis['detail']}\n\n{vulnerability_description}"
 
         # Get the EPSS details
         epss_percentile = dependency_track_finding["vulnerability"].get("epssPercentile", None)
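Review bot: The new test asserts only containment, so it pins neither the placement that PATCH 2/2 introduces nor that a finding whose `analysis` lacks `detail` (or carries an empty one) is left without the label; adding `self.assertTrue(findings[0].description.startswith("Audit Detail: "))` here and a sibling case on an existing fixture asserting `"Audit Detail:" not in findings[0].description` would lock both down. The fixture's state is `IN_TRIAGE`, so the interaction between a populated `detail` and the `FALSE_POSITIVE` branch computed just above the new `if` in the parser is not exercised by this series. The enclosing test class starts outside the hunk.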