Bug description
The fix_available tag in the report is not being updated correctly when re-importing scans (tested with Anchore Engine scan reports).
When a new scan report is re-imported and contains fixes for previously detected vulnerabilities, the mitigation field is not being updated accordingly.
Steps to reproduce
- Import an initial Anchore Engine scan report into an engagement with the following settings: (Used many_vulns.json)
  - Active: True
  - Verified: True
  - Scan Type: Anchore Engine Scan
  - Apply Tags to Findings: Checked
  - Apply Tags to Endpoints: Checked
  - Group By: Component Name
  - Create finding groups for all findings: Checked
- Modify the initial scan report by adding fixes for a few vulnerabilities (for example, changing entries from fix: None to include an actual fix version).
- Re-import the modified scan report with the following settings:
  - Active: True
  - Verified: True
  - Close old findings: Checked
  - Apply Tags to Endpoints: Checked
  - Group By: Component Name
  - Create finding groups for all findings: Checked
- Observe that:
  - The mitigation field remains unchanged.
  - The fix_available tag is not updated and still reflects the old status.
Expected behavior
During re-import, if the new scan includes fixes for existing findings, both the mitigation field and the fix_available tag should update accordingly.
Deployment method (select with an X)
Environment information
- Operating System: Linux
- Docker Compose : v2.40.2
- DefectDojo version: 2.50.0+
Logs
No explicit errors observed in logs — re-import completes successfully but the mitigation and fix_available fields, as well as the Fixable count in test view, remain unchanged.
Screenshots
Initial upload result

Re-imported test result

Additional context
When the same scan is uploaded as a new test in the engagement (instead of re-importing), both the fix_available tag and Fixable count update correctly.
This indicates that the re-import logic might not be updating the mitigation, fix status, or fixable statistics fields.
I also tested this issue on the DefectDojo demo instance and observed the same results.
Question:
Is there a configuration variable or flag controlling whether the mitigation and fix-related fields update during re-import?
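
To check independently of DefectDojo which findings the re-import in the steps above is expected to change, the initial and modified report files can be compared directly. This is an added example, not part of the original issue or DefectDojo's code; the report layout (a `vulnerabilities` list with `vuln`, `package` and `fix` fields) is an assumption, and the sample entries are constructed placeholders.

```python
import json

# Constructed sample reports. The layout (a "vulnerabilities" list whose
# entries carry "vuln", "package" and "fix") is an assumption about the
# Anchore Engine JSON; the CVE ids and versions are placeholders.
INITIAL = json.loads("""{"vulnerabilities": [
 {"vuln": "CVE-0000-0001", "package": "libexample-1.0", "fix": "None"},
 {"vuln": "CVE-0000-0002", "package": "libsample-2.3", "fix": "None"},
 {"vuln": "CVE-0000-0003", "package": "libdemo-0.9", "fix": "0.9.1"}]}""")
MODIFIED = json.loads("""{"vulnerabilities": [
 {"vuln": "CVE-0000-0001", "package": "libexample-1.0", "fix": "1.0.1"},
 {"vuln": "CVE-0000-0002", "package": "libsample-2.3", "fix": "None"},
 {"vuln": "CVE-0000-0003", "package": "libdemo-0.9", "fix": "0.9.2"},
 {"vuln": "CVE-0000-0004", "package": "libnew-4.0", "fix": "4.0.1"}]}""")


def fix_of(entry):
    """Return the fix version, or None when the report lists no fix."""
    fix = str(entry.get("fix") or "").strip()
    return None if fix.lower() in ("", "none") else fix


def index(report):
    """Map (vuln id, package) to the fix version for each report entry."""
    return {(v["vuln"], v["package"]): fix_of(v)
            for v in report.get("vulnerabilities", [])}


def fix_transitions(old_report, new_report):
    """Entries present in both reports whose fix value differs."""
    old, new = index(old_report), index(new_report)
    return [{"vuln": k[0], "package": k[1], "old_fix": old[k], "new_fix": new[k]}
            for k in sorted(old.keys() & new.keys()) if old[k] != new[k]]


def newly_fixable(old_report, new_report):
    """Subset that went from no fix to a fix (expected to gain fix_available)."""
    return [c for c in fix_transitions(old_report, new_report)
            if c["old_fix"] is None and c["new_fix"] is not None]


if __name__ == "__main__":
    for change in fix_transitions(INITIAL, MODIFIED):
        print(change)
```

Entries that appear only in the modified report are new findings rather than fix transitions, so they are left out of the comparison.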