Link Findings to source code
Certain tools (particularly SAST tools) include the file name and line number of the affected code in their vulnerability data. If the source code repository is set on the Engagement, DefectDojo renders the file path as a link, so the user can navigate directly to the location of the vulnerability.
Setting the repository in the Engagement and Test
Engagement
While editing the Engagement, users can set the URL of the specific SCM repository.
For an Interactive Engagement, it needs to be a URL that specifies the branch:
- for GitHub - like https://github.com/DefectDojo/django-DefectDojo/tree/dev
- for GitLab - like https://gitlab.com/gitlab-org/gitlab/-/tree/master
- for public BitBucket - (like git clone url)
- for standalone/on-premise BitBucket - like https://bb.example.com/scm/some-project/some-repo.git, or https://bb.example.com/scm/some-user-name/some-repo.git for a user's public repo (like git clone url)
For CI/CD Engagements, the commit hash, branch/tag and code line can vary between runs, so you only need to include the URL of the repository:
- for GitHub - like https://github.com/DefectDojo/django-DefectDojo
- for GitLab - like https://gitlab.com/gitlab-org/gitlab
- for public BitBucket, Gitea and Codeberg - like https://bitbucket.org/some-user/some-project.git (like git clone url)
- for standalone/on-premise BitBucket - like https://bb.example.com/scm/some-project.git, or https://bb.example.com/scm/some-user-name/some-repo.git for a user's public repo (like git clone url)
In a CI/CD Engagement, you can specify a commit hash or branch/tag in the Edit Engagement form, and DefectDojo appends it to every link it renders. If neither is set, the SCM URL itself must be a complete link that includes the code branch.
The SCM navigation URL is composed from the repository URL according to the SCM type. The SCM type can be set in the Product custom field “scm-type”. If no “scm-type” is set and the URL contains “https://github.com”, the “github” SCM type is assumed.
Product custom fields:
Product SCM type add:
Possible SCM types are ‘github’, ‘gitlab’, ‘bitbucket’, ‘bitbucket-standalone’, ‘gitea’ or ‘codeberg’; leaving the field empty defaults to ‘github’.
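The following is an added illustration of how a repository URL, SCM type, commit/branch and tool-reported file path combine into a browser link, covering both the Interactive (branch in the URL) and CI/CD (ref set separately) configurations described above. It is not DefectDojo's own implementation: the per-platform browse paths and line-anchor formats (`/blob/<ref>/...#L42`, `/-/blob/`, `/src/branch/` vs `/src/commit/`, `#lines-42`, `/projects/<key>/repos/<repo>/browse/...?at=<ref>#42`) are assumptions about how each hosting service renders file URLs, and the path normalisation is defensive handling added here because scanner output is untrusted input.

```python
import re
from urllib.parse import quote, urlsplit

# SCM types accepted in the Product custom field "scm-type" (from the page).
SCM_TYPES = ("github", "gitlab", "bitbucket", "bitbucket-standalone", "gitea", "codeberg")
_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")


def resolve_scm_type(repo_url, scm_type=None):
    """Explicit "scm-type" wins; a github.com URL falls back to 'github'.

    The page says the URL only has to *contain* https://github.com; this
    example tightens that to a prefix match so that a URL such as
    https://evil.example/https://github.com/... is not treated as GitHub.
    """
    if scm_type:
        if scm_type not in SCM_TYPES:
            raise ValueError(f"unknown scm-type {scm_type!r}")
        return scm_type
    if repo_url.startswith("https://github.com/"):
        return "github"
    raise ValueError("set the 'scm-type' custom field for non-GitHub repositories")


def clean_file_path(file_path):
    """Normalise the tool-reported path to a repo-relative, URL-safe path.

    Scanner output is untrusted: '..' segments, backslashes, a leading '/'
    or characters such as '?' and '#' must not be able to change which
    repository, query string or fragment the rendered link points at.
    """
    parts = [p for p in file_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"refusing path outside the repository: {file_path!r}")
    return "/".join(quote(p, safe="") for p in parts)


def _split_ref(base, marker):
    """'https://host/org/repo<marker>dev' -> ('https://host/org/repo', 'dev')."""
    head, sep, branch = base.partition(marker)
    if not sep or not branch:
        raise ValueError(f"interactive engagement URL must include the branch ({marker}...)")
    return head, branch


def source_link(repo_url, file_path, line=None, scm_type=None, ref=None):
    """Return the browser URL for file_path:line in the given repository.

    ref is the commit hash or branch/tag configured on a CI/CD engagement.
    For an interactive engagement leave ref=None and put the branch in the
    repo URL itself (.../tree/dev), as the page describes. line=None yields
    a link to the file without a line anchor (some tools report no line).
    """
    kind = resolve_scm_type(repo_url, scm_type)
    path = clean_file_path(file_path)
    base = repo_url.rstrip("/")
    if base.endswith(".git"):
        base = base[:-4]
    ref = quote(ref, safe="/") if ref else None

    if kind == "github":
        if ref is None:
            base, ref = _split_ref(base, "/tree/")
        return f"{base}/blob/{ref}/{path}" + (f"#L{line}" if line else "")
    if kind == "gitlab":
        if ref is None:
            base, ref = _split_ref(base, "/-/tree/")
        return f"{base}/-/blob/{ref}/{path}" + (f"#L{line}" if line else "")
    if kind in ("gitea", "codeberg"):
        if ref is None:
            base, ref = _split_ref(base, "/src/branch/")
        # Gitea-style hosts use src/commit/<sha> vs src/branch/<name>; the hex
        # check is a heuristic (a branch literally named 'cafebabe' misfires).
        sel = "commit" if _SHA_RE.match(ref) else "branch"
        return f"{base}/src/{sel}/{ref}/{path}" + (f"#L{line}" if line else "")
    if kind == "bitbucket":
        if ref is None:
            base, ref = _split_ref(base, "/src/")
        return f"{base}/src/{ref}/{path}" + (f"#lines-{line}" if line else "")
    if kind == "bitbucket-standalone":
        # Assumed mapping: clone URL https://host/scm/PROJ/repo.git -> browse UI
        # https://host/projects/PROJ/repos/repo/browse/<path>?at=<ref>#<line>;
        # ~user clone paths map to /users/<user>/repos/... instead.
        u = urlsplit(base)
        m = re.fullmatch(r"/scm/([^/]+)/([^/]+)", u.path)
        if not m:
            raise ValueError("expected a clone URL like https://host/scm/PROJ/repo.git")
        owner, repo = m.groups()
        space = f"users/{owner[1:]}" if owner.startswith("~") else f"projects/{owner}"
        at = f"?at={ref}" if ref else ""
        tail = f"#{line}" if line else ""
        return f"{u.scheme}://{u.netloc}/{space}/repos/{repo}/browse/{path}{at}{tail}"
    raise AssertionError(f"unhandled scm type {kind}")
```

The two checks worth keeping whatever the exact URL layout is: an explicit ‘scm-type’ must take precedence over any guess from the URL, and the file path coming from the scanner must be treated as data rather than pasted into the link, so that a report containing `../` or `#`/`?` characters cannot redirect the reviewer to a different repository, query or fragment.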
Source code Links in Findings
When viewing a finding, the location is presented as a link if the source code repository has been set on the Engagement:
Clicking the link opens a new browser tab with the source file of the vulnerability at the corresponding line number: