Add deduplicationOnEngagement

Signed-off-by: Martin Wrona <martin.wrona@digitecgalaxus.ch>

Author: mjwrona

docs/_docs/integrations/defectdojo.md

@@ -119,6 +119,10 @@ Enable auto-create by setting the following configuration property:
 | `defectdojo.autocreate.enabled` | `false` | Enable/disable auto context creation |
 | `defectdojo.autocreate.engagementName` | `dependencytrack` | Default engagement name for all projects |
 | `defectdojo.autocreate.productTypeName` | `Dependency Track` | Default product type name for all projects |
+| `defectdojo.autocreate.deduplicationOnEngagement` | `false` | Enable deduplication at engagement level instead of product level |
+
+**About Deduplication:**
+By default, DefectDojo deduplicates findings at the **Product level**, meaning duplicate findings are identified across all engagements within a product. Setting `deduplicationOnEngagement` to `true` changes this to deduplicate at the **Engagement level** instead, isolating duplicate detection within each engagement.
 
 #### Per-project Property Overrides (Optional)
 
@@ -145,6 +149,13 @@ You can override the default names on a per-project basis:
 | Property Value | Custom product type name (defaults to global config if not set) |
 | Property Type  | `STRING`                          |
 
+| Attribute      | Value                             |
+| ---------------| --------------------------------- |
+| Group Name     | `integrations`                    |
+| Property Name  | `defectdojo.autocreate.deduplicationOnEngagement`     |
+| Property Value | `true` or `false` (defaults to global config if not set) |
+| Property Type  | `BOOLEAN`                         |
+
 #### Configuration Priority
 
 The configuration follows this priority order:

src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java

@@ -56,11 +56,11 @@ public DefectDojoClient(final DefectDojoUploader uploader, final URL baseURL) {
     }
 
     public void uploadDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final Boolean verifyFindings, final String testTitle) {
-        uploadDependencyTrackFindings(token, engagementId, findingsJson, verifyFindings, testTitle, null, null, null, false);
+        uploadDependencyTrackFindings(token, engagementId, findingsJson, verifyFindings, testTitle, null, null, null, false, false);
     }
 
     public void uploadDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final Boolean verifyFindings, final String testTitle,
-                                               final String productTypeName, final String productName, final String engagementName, final boolean autoCreateContext) {
+                                               final String productTypeName, final String productName, final String engagementName, final boolean autoCreateContext, final boolean deduplicationOnEngagement) {
         LOGGER.debug("Uploading Dependency-Track findings to DefectDojo");
         HttpPost request = new HttpPost(baseURL + "/api/v2/import-scan/");
         InputStreamBody inputStreamBody = new InputStreamBody(findingsJson, ContentType.APPLICATION_OCTET_STREAM, "findings.json");
@@ -80,6 +80,7 @@ public void uploadDependencyTrackFindings(final String token, final String engag
         if (autoCreateContext) {
             // Use auto_create_context with product and engagement names
             builder.addPart("auto_create_context", new StringBody("true", ContentType.MULTIPART_FORM_DATA));
+            builder.addPart("deduplication_on_engagement", new StringBody(Boolean.toString(deduplicationOnEngagement), ContentType.MULTIPART_FORM_DATA));
             if (productTypeName != null) {
                 builder.addPart("product_type_name", new StringBody(productTypeName, ContentType.MULTIPART_FORM_DATA));
             }
@@ -183,15 +184,15 @@ public ArrayList<String> jsonToList(final JSONArray jsonArray) {
     }
 
     public void reimportDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final String testId, final Boolean doNotReactivate, final Boolean verifyFindings, final String testTitle) {
-        reimportDependencyTrackFindings(token, engagementId, findingsJson, testId, doNotReactivate, verifyFindings, testTitle, null, null, null, false);
+        reimportDependencyTrackFindings(token, engagementId, findingsJson, testId, doNotReactivate, verifyFindings, testTitle, null, null, null, false, false);
     }
 
     /*
      * A Reimport will reuse (overwrite) the existing test, instead of create a new test.
      * The Successfully reimport will also  increase the reimport counter by 1.
      */
     public void reimportDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final String testId, final Boolean doNotReactivate, final Boolean verifyFindings, final String testTitle,
-                                                 final String productTypeName, final String productName, final String engagementName, final boolean autoCreateContext) {
+                                                 final String productTypeName, final String productName, final String engagementName, final boolean autoCreateContext, final boolean deduplicationOnEngagement) {
         LOGGER.debug("Reimporting Dependency-Track findings to DefectDojo");
         HttpPost request = new HttpPost(baseURL + "/api/v2/reimport-scan/");
         InputStreamBody inputStreamBody = new InputStreamBody(findingsJson, ContentType.APPLICATION_OCTET_STREAM, "findings.json");
@@ -212,6 +213,7 @@ public void reimportDependencyTrackFindings(final String token, final String eng
         if (autoCreateContext) {
             // Use auto_create_context with product and engagement names
             builder.addPart("auto_create_context", new StringBody("true", ContentType.MULTIPART_FORM_DATA));
+            builder.addPart("deduplication_on_engagement", new StringBody(Boolean.toString(deduplicationOnEngagement), ContentType.MULTIPART_FORM_DATA));
             if (productTypeName != null) {
                 builder.addPart("product_type_name", new StringBody(productTypeName, ContentType.MULTIPART_FORM_DATA));
             }

src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoUploader.java

@@ -41,6 +41,7 @@
 import static org.dependencytrack.model.ConfigPropertyConstants.DEFECTDOJO_AUTOCREATE_ENABLED;
 import static org.dependencytrack.model.ConfigPropertyConstants.DEFECTDOJO_AUTOCREATE_ENGAGEMENT_NAME;
 import static org.dependencytrack.model.ConfigPropertyConstants.DEFECTDOJO_AUTOCREATE_PRODUCT_TYPE_NAME;
+import static org.dependencytrack.model.ConfigPropertyConstants.DEFECTDOJO_AUTOCREATE_DEDUPLICATION_ON_ENGAGEMENT;
 
 public class DefectDojoUploader extends AbstractIntegrationPoint implements ProjectFindingUploader {
 
@@ -53,6 +54,7 @@ public class DefectDojoUploader extends AbstractIntegrationPoint implements Proj
     private static final String AUTOCREATE_PRODUCT_NAME_PROPERTY = "defectdojo.autocreate.productName";
     private static final String AUTOCREATE_ENGAGEMENT_NAME_PROPERTY = "defectdojo.autocreate.engagementName";
     private static final String AUTOCREATE_PRODUCT_TYPE_NAME_PROPERTY = "defectdojo.autocreate.productTypeName";
+    private static final String AUTOCREATE_DEDUPLICATION_ON_ENGAGEMENT_PROPERTY = "defectdojo.autocreate.deduplicationOnEngagement";
 
     public boolean isReimportConfigured(final Project project) {
         final ProjectProperty reimport = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), REIMPORT_PROPERTY);
@@ -127,6 +129,18 @@ public String getProductTypeName(final Project project) {
         return "Dependency Track";
     }
 
+    public boolean isDeduplicationOnEngagementEnabled(final Project project) {
+        final ProjectProperty deduplicationOnEngagement = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), AUTOCREATE_DEDUPLICATION_ON_ENGAGEMENT_PROPERTY);
+        if (deduplicationOnEngagement != null) {
+            return Boolean.parseBoolean(deduplicationOnEngagement.getPropertyValue());
+        }
+        final ConfigProperty globalDeduplicationOnEngagement = qm.getConfigProperty(DEFECTDOJO_AUTOCREATE_DEDUPLICATION_ON_ENGAGEMENT.getGroupName(), DEFECTDOJO_AUTOCREATE_DEDUPLICATION_ON_ENGAGEMENT.getPropertyName());
+        if (globalDeduplicationOnEngagement != null) {
+            return Boolean.parseBoolean(globalDeduplicationOnEngagement.getPropertyValue());
+        }
+        return false;
+    }
+
     @Override
     public String name() {
         return "DefectDojo";
@@ -166,6 +180,7 @@ public void upload(final Project project, final InputStream payload) {
         final boolean globalReimportEnabled = qm.isEnabled(DEFECTDOJO_REIMPORT_ENABLED);
         final ProjectProperty engagementId = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), ENGAGEMENTID_PROPERTY);
         final boolean verifyFindings = isVerifiedConfigured(project);
+        final boolean deduplicationOnEngagement = isDeduplicationOnEngagementEnabled(project);
 
         try {
             final DefectDojoClient client = new DefectDojoClient(this, URI.create(defectDojoUrl.getPropertyValue()).toURL());
@@ -207,7 +222,8 @@ public void upload(final Project project, final InputStream payload) {
                             productTypeName,
                             productName,
                             engagementName,
-                            true // Enable auto-create context
+                            true, // Enable auto-create context
+                            deduplicationOnEngagement
                         );
                     } else {
                         // Use import-scan for first-time creation
@@ -221,7 +237,8 @@ public void upload(final Project project, final InputStream payload) {
                             productTypeName,
                             productName,
                             engagementName,
-                            true // Enable auto-create context
+                            true, // Enable auto-create context
+                            deduplicationOnEngagement
                         );
                     }
                     LOGGER.info("Successfully uploaded findings to DefectDojo with auto-created context");

src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java

@@ -102,6 +102,7 @@ public enum ConfigPropertyConstants {
     DEFECTDOJO_AUTOCREATE_ENABLED("integrations", "defectdojo.autocreate.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable DefectDojo auto context creation"),
     DEFECTDOJO_AUTOCREATE_ENGAGEMENT_NAME("integrations", "defectdojo.autocreate.engagementName", "dependencytrack", PropertyType.STRING, "Default engagement name for DefectDojo auto context creation"),
     DEFECTDOJO_AUTOCREATE_PRODUCT_TYPE_NAME("integrations", "defectdojo.autocreate.productTypeName", "Dependency Track", PropertyType.STRING, "Default product type name for DefectDojo auto context creation"),
+    DEFECTDOJO_AUTOCREATE_DEDUPLICATION_ON_ENGAGEMENT("integrations", "defectdojo.autocreate.deduplicationOnEngagement", "false", PropertyType.BOOLEAN, "Flag to enable deduplication on engagement level instead of product level"),
     KENNA_ENABLED("integrations", "kenna.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable Kenna Security integration"),
     KENNA_API_URL("integrations", "kenna.api.url", "https://api.kennasecurity.com", PropertyType.STRING, "Kenna Security API URL"),
     KENNA_SYNC_CADENCE("integrations", "kenna.sync.cadence", "60", PropertyType.INTEGER, "The cadence (in minutes) to upload to Kenna Security"),