First call to reimport closes findings outside test

[valentijnscholten]

As per: https://defectdojocommunity.slack.com/archives/C0A4DBKANDS/p1771564613056809

We have a lot of tests which are based on Dependency Check reports. All imports are done by Jenkins pipelines. Yesterday we set up a new pipeline and the first import of an empty DC report closed a bunch of findings a test which was not addressed by the import. The second run closed again some findings but this time it was a test which was not affected by the first import.
I can't see the import in the history of the wrong test, but I can see them in the reimport history on the affected findings within the tests.

This was the initial reimport call (the report has no findings).

curl --fail --location --request POST https://.../api/v2/reimport-scan/ --header Authorization: Token **** --form 
minimum_severity="Info" --form active="true" --form verified="true" --form scan_type="Dependency Check Scan" --form 
test_title="be-collaboration - Dependency Check Scan" --form product_type_name="Portal" --form product_name="BPC" --form engagement_name="support/4.2.x" --form auto_create_context="true" --form skip_duplicates="true" --form 
deduplication_on_engagement="true" --form close_old_findings="true" --form branch_tag="support/4.2.x" --form 
commit_hash="d2bcb5c8d3385df8ca5b3c3f6d652d07bd7c1489" --form build_id="1" --form 
group_by="component_name+component_version" --form file=@".../workspace/target/dependency-check-report.xml"

This issue sounds like #14353 but that's about an explicity initial Import which is expected behaviour.

[valentijnscholten]

Reimports do not affected other tests. The initial reimport on a non-existing test will become an Import behind the scenes.  I haven't had this report before but my first though would be that this is something to think about. Maybe in this scenario DD should not close any old findings. We could leave this a responsibility of the client/user, but that would mean the client would have to know whether this is a first time import or a reimport which kinda defeats the purpose of having the "one api call to rule them all" approach.

[valentijnscholten]

@Maffooch @paulOsinski I'm having a split brain on this. At first I thought it would make sense to update our codebase to NOT close_old_findings on the first call to reimport with auto_create_context=True. The reasoning is that auto create context is typically used in (CI) environments where it is not known if a Test already exists or what the ID of the existing Test is. When the request has close_old_findings=True I think the general intention is for the old findings inside the (new) Test to be closed. Not all findings outside the Test.

On the other hand maybe there people actually expecting/using the behaviour described above?

One way to solve this is by removing ambiguity and add a close_old_findings_test_scope parameter.

[AndreVirtimo]

One way to solve this is by removing ambiguity and add a close_old_findings_test_scope parameter.

No. I don't think this is a solution. My understanding is, that close_old_findings closes all findings within the test and their duplicates.
An empty/new test can not have any duplicates.

This issue sounds like #14353 but that's about an explicity initial Import which is expected behaviour.

Why should an initial import close all findings (with the same type) within the deduplication scope? There is no data to match the empty list to findings outside the test, when the test itself is empty. You. need a findings within the test which is a duplicate of another to close them.

[valentijnscholten]

This issue sounds like #14353 but that's about an explicity initial Import which is expected behaviour.

Why should an initial import close all findings (with the same type) within the deduplication scope? There is no data to match the empty list to findings outside the test, when the test itself is empty. You. need a findings within the test which is a duplicate of another to close them.

Please continue in the other issue so we don't mix things together.

[valentijnscholten]

Reimport close_old_findings behaviour fixed in 2.56.0