Bug Description
Currently the govulncheck parser in DefectDojo does not properly parse the NDJSON output of govulncheck. I checked everywhere: govulncheck outputs Newline-Delimited JSON (NDJSON) — a stream of independent JSON objects, each on its own line, separated by newlines. The objects come in this sequence:
```text
{ "config": ... }    ← scanner metadata, one per run
{ "SBOM": ... }      ← all modules in go.mod with versions
{ "progress": ... }  ← status messages (can appear multiple times)
{ "osv": ... }       ← one per vulnerability CHECKED (entire vuln DB scan)
{ "osv": ... }       ← ...repeated for every CVE govulncheck evaluated
{ "osv": ... }
{ "progress": ... }
{ "finding": ... }   ← ONE per actual vulnerability found in YOUR code
{ "finding": ... }   ← (can have multiple findings per OSV if multiple call sites)
```
But DefectDojo requires a single regular JSON document, which is why it fails to import the govulncheck report.
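To illustrate the difference, here is an added example (not DefectDojo's parser and not part of this issue) that reads the stream object-by-object instead of calling `json.load()` on the whole file, keeps the `osv` records as a lookup table, and groups the `finding` records by OSV id so several call sites of one vulnerability collapse into one result. The sample input is constructed; the ids, module paths and the `fixed_version`/`trace` sub-fields of a finding are assumptions about the govulncheck format, not taken from this issue.

```python
import json
from collections import defaultdict

# Constructed sample of govulncheck -json output (NDJSON), in the order the issue
# describes. Ids, module paths and finding sub-fields are made up / assumed.
SAMPLE_NDJSON = """\
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"SBOM": {"modules": [{"path": "example.com/app", "version": "v0.1.0"}]}}
{"progress": {"message": "Scanning your code and 12 packages across 3 dependent modules..."}}
{"osv": {"id": "GO-0000-0001", "summary": "Example vuln in pkg a", "aliases": ["CVE-0000-0001"]}}
{"osv": {"id": "GO-0000-0002", "summary": "Example vuln in pkg b", "aliases": []}}
{"progress": {"message": "Found 1 vulnerability in packages you import"}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/a", "version": "v1.2.0", "package": "example.com/a", "function": "Parse"}, {"module": "example.com/app", "package": "example.com/app", "function": "main"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/a", "version": "v1.2.0", "package": "example.com/a", "function": "Encode"}]}}
"""


def fails_as_single_document(text):
    """Reproduce the failure from the traceback: json.loads() on NDJSON raises 'Extra data'."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return True
    return False


def iter_ndjson(text):
    """Yield one decoded object per non-empty line, reporting the offending line on bad input."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not a JSON object: {exc}") from exc


def parse_govulncheck(text):
    """Return one result per vulnerability that actually affects the scanned code.

    'osv' records describe every vulnerability govulncheck evaluated; only the
    'finding' records mean the code reaches a vulnerable symbol, so results are
    driven by findings and enriched from the osv table.
    """
    osv_by_id = {}
    findings_by_osv = defaultdict(list)
    for obj in iter_ndjson(text):
        if "osv" in obj:
            osv_by_id[obj["osv"]["id"]] = obj["osv"]
        elif "finding" in obj:
            findings_by_osv[obj["finding"]["osv"]].append(obj["finding"])
        # "config", "SBOM" and "progress" carry no findings and are skipped here.

    results = []
    for osv_id, findings in findings_by_osv.items():
        entry = osv_by_id.get(osv_id, {})
        results.append({
            "id": osv_id,
            "summary": entry.get("summary", ""),
            "aliases": entry.get("aliases", []),
            "fixed_version": findings[0].get("fixed_version"),
            # Assumption: the first trace entry names the vulnerable symbol reached.
            "call_sites": [f["trace"][0].get("function") for f in findings if f.get("trace")],
        })
    return results


if __name__ == "__main__":
    print("json.loads on whole stream fails:", fails_as_single_document(SAMPLE_NDJSON))
    for result in parse_govulncheck(SAMPLE_NDJSON):
        print(result)
```

Run as a script it first shows the `Extra data` failure mode from the traceback, then prints a single grouped result for GO-0000-0001 with both call sites; GO-0000-0002 was checked but has no `finding`, so it yields nothing.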
Logs captured:

```text
[01/Apr/2026 10:02:35] WARNING [dojo.importers.base_importer:179] Invalid JSON format
[01/Apr/2026 10:02:35] ERROR [dojo.engagement.views:984] An exception error occurred during the report import
Traceback (most recent call last):
  File "/app/dojo/tools/govulncheck/parser.py", line 74, in get_findings
    data = json.load(scan_file)
  File "/usr/local/lib/python3.13/json/__init__.py", line 298, in load
    return loads(fp.read(),
        cls=cls, object_hook=object_hook,
        parse_float=parse_float, parse_int=parse_int,
        parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "/usr/local/lib/python3.13/json/__init__.py", line 352, in loads
    return _default_decoder.decode(s)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/local/lib/python3.13/json/decoder.py", line 348, in decode
    raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 13 column 1 (char 289)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/dojo/importers/base_importer.py", line 177, in parse_findings_static_test_type
    return parser.get_findings(scan, self.test)
           ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/app/dojo/tools/govulncheck/parser.py", line 77, in get_findings
    raise ValueError(msg)
ValueError: Invalid JSON format

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/dojo/engagement/views.py", line 975, in import_findings
    context["test"], _, finding_count, closed_finding_count, _, _, _ = importer_client.process_scan(
                                                                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        context.pop("scan", None),
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/app/dojo/importers/default_importer.py", line 113, in process_scan
    parsed_findings = self.parse_findings(scan, parser) or []
                      ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
  File "/app/dojo/importers/base_importer.py", line 282, in parse_findings
    parsed_findings = self.parse_findings_static_test_type(scan, parser)
  File "/app/dojo/importers/default_importer.py", line 417, in parse_findings_static_test_type
    return super().parse_findings_static_test_type(scan, parser)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
  File "/app/dojo/importers/base_importer.py", line 180, in parse_findings_static_test_type
    raise ValidationError(e)
django.core.exceptions.ValidationError: ['Invalid JSON format']
```
I am not allowed to share the JSON output from govulncheck as it is confidential, so I have not attached any JSON results to this issue.
But here are the commands used (any of them produces the same NDJSON report):

```shell
govulncheck -format json . > dependency-report.json
govulncheck -format json ./... > dependency-report.json
govulncheck -json . > dependency-report.json
govulncheck -json ./... > dependency-report.json
```
Once the report is generated, steps to reproduce:
- Go to the engagement
- Import scan results
- Select the type as Govulncheck Scanner
- Attach the dependency-report.json
- Click on Import
- Check the logs or alert for errors.
DefectDojo version used: 2.55.2
Expected behavior
Users should be able to just scan and upload the output of the Govulncheck scanner.
Deployment method (select with an X)