Send groupby to defect dojo #6130

Open: webdevred wants to merge 5 commits into DependencyTrack:master from webdevred:send-groupby-to-defect-dojo

webdevred commented May 12, 2026

Description

DefectDojo's import-scan and reimport-scan endpoints accept a group_by parameter that clusters findings into Finding Groups on import, but Dependency-Track never forwarded it. This adds a new per-project property defectdojo.groupBy that, when set, is sent as group_by in the multipart form for both import and reimport requests.

Also removes a pre-existing dead .build() call at the end of the reimportDependencyTrackFindings fluent chain whose return value was discarded before request.setEntity() was called.

I have verified that the finding groups are created in Defect Dojo afterwards, in my own local test environment.

Addressed Issue

Closes #6061

Additional Details

The implementation follows the same pattern as defectdojo.testTitle (#4796): a per-project ProjectProperty is read in DefectDojoUploader and forwarded as a multipart form field in DefectDojoClient. No new abstraction was introduced.

The fix to reimportDependencyTrackFindings (removing the dangling .build() call at the end of the fluent MultipartEntityBuilder chain) is included here because it was discovered while adding group_by support to that method. It was pre-existing dead code: the return value was discarded and the actual entity was set correctly via a later builder.build() call, so it had no runtime effect.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
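
The conditional forwarding described in the PR description above, as an added example that is not the PR's own code. It assumes Apache HttpClient 4.x `httpmime` on the classpath; the class name, the `file` part, the sample payload and the allowlist of grouping keys are assumptions, and the allowlist check is an addition the PR does not describe.

```java
import org.apache.http.HttpEntity;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.mime.MultipartEntityBuilder;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class GroupByFormExample {

    // Assumption: grouping keys accepted by the target DefectDojo; check its API schema.
    static final Set<String> ALLOWED_GROUP_BY = Set.of(
            "component_name", "component_name+component_version", "file_path", "finding_title");

    // Builds the upload form. group_by is added only when the project property is set,
    // so projects without the property send exactly the same request as before.
    static HttpEntity buildForm(byte[] findingsJson, String groupBy) {
        MultipartEntityBuilder builder = MultipartEntityBuilder.create()
                .addBinaryBody("file", findingsJson, ContentType.APPLICATION_JSON, "findings.json");
        if (groupBy != null && !groupBy.isBlank()) {
            String value = groupBy.trim();
            // The property is editable per project, so reject anything outside the
            // allowlist instead of forwarding it to the remote API.
            if (!ALLOWED_GROUP_BY.contains(value)) {
                throw new IllegalArgumentException("unsupported defectdojo.groupBy value");
            }
            builder.addTextBody("group_by", value);
        }
        // Single build() whose result is used; a build() with a discarded result is dead code.
        return builder.build();
    }

    // Serializes the entity so the presence of a form field can be inspected.
    static String render(HttpEntity entity) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        entity.writeTo(out);
        return out.toString(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        byte[] sample = "{\"findings\":[]}".getBytes(StandardCharsets.UTF_8); // constructed sample
        String unset = render(buildForm(sample, null));
        String set = render(buildForm(sample, " component_name "));
        System.out.println("group_by sent when unset: " + unset.contains("name=\"group_by\""));
        System.out.println("group_by sent when set:   " + set.contains("name=\"group_by\""));
    }
}
```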

owasp-dt-bot commented May 12, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

codacy-production Bot commented May 12, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

🟢 Metrics 0 complexity · -50 duplication

| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | -50 |


webdevred force-pushed the send-groupby-to-defect-dojo branch from b32ecb7 to a39e973 on May 12, 2026 19:59
webdevred added 3 commits May 12, 2026 21:59
…erty

Signed-off-by: webdevred <148627186+webdevred@users.noreply.github.com>
When set, forwards the value as group_by in the DefectDojo import-scan
and reimport-scan multipart form requests, allowing findings to be
grouped into Finding Groups on import.

When not set, behavior is unchanged (backwards compatible).

Closes DependencyTrack#6061

Signed-off-by: webdevred <148627186+webdevred@users.noreply.github.com>
…TrackFindings

Signed-off-by: webdevred <148627186+webdevred@users.noreply.github.com>
webdevred force-pushed the send-groupby-to-defect-dojo branch from a39e973 to 5025266 on May 12, 2026 20:01
Signed-off-by: webdevred <148627186+webdevred@users.noreply.github.com>
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds support for forwarding DefectDojo’s group_by import option from a per-project Dependency-Track property, enabling DefectDojo finding grouping during import and reimport.

Changes:

  • Adds defectdojo.groupBy lookup in the DefectDojo uploader.
  • Sends group_by multipart form field for both import and reimport requests when configured.
  • Adds unit/integration-style tests and documentation for the new project property.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoUploader.java | Reads the new per-project group-by property and passes it to the client. |
| src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java | Adds group_by to DefectDojo import/reimport multipart requests. |
| src/test/java/org/dependencytrack/integrations/defectdojo/DefectDojoUploaderTest.java | Tests configured and unconfigured groupBy property lookup. |
| src/test/java/org/dependencytrack/tasks/DefectDojoUploadTaskTest.java | Verifies group_by is sent for import and reimport flows. |
| docs/_docs/integrations/defectdojo.md | Documents the new defectdojo.groupBy project property. |

Comment thread docs/_docs/integrations/defectdojo.md Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: August Johansson <148627186+webdevred@users.noreply.github.com>
webdevred (Author) commented

> Pull request overview
>
> This PR adds support for forwarding DefectDojo’s group_by import option from a per-project Dependency-Track property, enabling DefectDojo finding grouping during import and reimport.
>
> Changes:
>
> * Adds `defectdojo.groupBy` lookup in the DefectDojo uploader.
> * Sends `group_by` multipart form field for both import and reimport requests when configured.
> * Adds unit/integration-style tests and documentation for the new project property.
>
> Reviewed changes
>
> Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Applied, thanks

nscuro (Member) commented May 29, 2026

Hi @webdevred, please re-target your PR at either 4.14.x (for v4) or main (for v5) as per https://github.com/DependencyTrack/dependency-track/blob/main/V5_MIGRATION.md#contributors-and-pr-authors.

Development

Successfully merging this pull request may close these issues.

Add defectdojo.groupBy per-project property to control finding grouping on import

4 participants