
Merge branch 'dev' into feature/dry-run-reimport

617afa6
Closed

feat: Add dry_run support for reimport-scan operations #13563

DryRunSecurity / General Security Analyzer succeeded Nov 5, 2025 in 4s

DryRun Security


General Security Analyzer Findings: 1 detected

⚠️ Information Disclosure in Dry Run Mode (dojo/importers/default_reimporter.py)

Type: Information Disclosure in Dry Run Mode

Description: The dry_run mode in the re-importer serializes detailed finding information, including title, severity, description, cwe, cve, cvssv3, component_name, component_version, file_path, and line. This serialized data is returned in the API response. The reimport_scan API endpoint, which handles this functionality, only checks for Product_Type_Member or Product_Member permissions. These permissions are broad and do not granularly restrict access to specific finding details. Therefore, a user with these permissions could potentially trigger a dry run and view sensitive vulnerability details (e.g., detailed descriptions, file paths, CVEs) for findings they might not be authorized to see through the standard UI, or for findings that are otherwise mitigated or suppressed.

Filename: dojo/importers/default_reimporter.py

Code:
```python
# Excerpt from dojo/importers/default_reimporter.py. BaseImporter and
# DefaultReImporterOptions are defined elsewhere in the DefectDojo importers
# package and are not included in this excerpt.
class DefaultReImporter(BaseImporter, DefaultReImporterOptions):
    """
    The classic reimporter process used by DefectDojo
    This importer is intended to be used when mitigation of
    vulnerabilities is the ultimate tool for getting a current
    point-in-time view of the security of a given product

    Dry Run Mode:
    -------------
    When dry_run=True, the importer performs a simulation of the reimport process
    without making any database changes. This allows users to preview what would
    happen during a real reimport.

    The dry_run mode uses in-memory tracking to accurately simulate deduplication,
    including matches between findings within the same scan report. This means that
    if finding 100 and 101 in the report have the same hash_code, finding 101 will
    correctly be identified as a duplicate of finding 100, just as in a real import.

    Known Limitations in Dry Run Mode:
    - Endpoint updates are not simulated
    - Finding groups are not processed
    - JIRA integration is skipped
    - No notifications are sent
    - Test/engagement timestamps are not updated
    """

    def __init__(self, *args, **kwargs):
        ...  # constructor body is not shown in this excerpt
```
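The in-memory deduplication the docstring describes, and the "return only what the caller needs" shape that addresses the finding above, as an added illustration that is not DefectDojo's code: `simulate_reimport`, the sample findings and the field names other than `hash_code` and `title` are constructed here, and the output deliberately carries no description, file_path or CVE fields.

```python
# Constructed sample data (not from a real scan). `hash_code` stands in for the
# parser-computed dedup hash; `description` and `file_path` are the kind of
# detail the dry-run preview should not echo back.
EXISTING_FINDINGS = [
    {"id": 1, "hash_code": "aaa", "title": "SQLi in login", "active": True,
     "description": "internal detail", "file_path": "src/auth.py"},
    {"id": 2, "hash_code": "bbb", "title": "XSS in search", "active": True,
     "description": "internal detail", "file_path": "src/search.py"},
]
REPORT_FINDINGS = [
    {"hash_code": "aaa", "title": "SQLi in login", "description": "d", "file_path": "p"},  # matches id 1
    {"hash_code": "ccc", "title": "Open redirect", "description": "d", "file_path": "p"},  # new
    {"hash_code": "ccc", "title": "Open redirect", "description": "d", "file_path": "p"},  # dup of index 1
]


def simulate_reimport(existing, report):
    """Classify report findings as a real reimport would, without any writes.

    Within-report duplicates are tracked in memory (seen_in_report), so the
    second finding with a given hash_code is reported as a duplicate of the
    first one, even if neither exists in the store yet.
    """
    by_hash = {f["hash_code"]: f for f in existing}
    seen_in_report = {}           # hash_code -> index of first occurrence in report
    matched_ids = set()
    result = {"matched": [], "new": [], "duplicates": [], "closed": []}
    for idx, f in enumerate(report):
        h = f["hash_code"]
        summary = {"index": idx, "hash_code": h, "title": f["title"]}  # minimal fields only
        if h in seen_in_report:
            summary["duplicate_of_index"] = seen_in_report[h]
            result["duplicates"].append(summary)
            continue
        seen_in_report[h] = idx
        if h in by_hash:
            summary["existing_id"] = by_hash[h]["id"]
            matched_ids.add(by_hash[h]["id"])
            result["matched"].append(summary)
        else:
            result["new"].append(summary)
    # Active findings absent from the report would be closed by a real reimport.
    for f in existing:
        if f["active"] and f["id"] not in matched_ids:
            result["closed"].append({"existing_id": f["id"], "hash_code": f["hash_code"], "title": f["title"]})
    return result
```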