Upgrading to DefectDojo Version 3.0.100

Xygeni parser: repeated SAST/Secrets occurrences are now distinct findings

The Xygeni parser previously deduplicated away legitimate findings when the same secret value or code pattern appeared more than once in a single file, so only the first occurrence survived an import.

Xygeni reuses one uniqueHash across every occurrence of the same value in a file (it hashes the value, not the location) while giving each occurrence a distinct issueId that encodes the file path and line. The SAST and Secrets scan types deduplicate on unique_id_from_tool, which was set to uniqueHash, so occurrences after the first were treated as duplicates and hidden.

Starting in 3.0.100, for SAST and Secrets findings the parser keys unique_id_from_tool on the per-occurrence issueId (falling back to uniqueHash when issueId is absent) and keeps uniqueHash as vuln_id_from_tool. Each occurrence is now its own finding, and vuln_id_from_tool still groups occurrences of the same value. SCA findings are unchanged: there uniqueHash is unique per finding while issueId collides across packages, so uniqueHash remains the correct dedup key.

Required actions

  • No action required for new imports. Repeated occurrences that were previously collapsed now appear as separate findings.
  • Reimport behavior: on the first reimport of an existing Xygeni SAST or Secrets test after upgrading, the previously-imported findings carry the old uniqueHash-based unique_id_from_tool and will not match the new issueId-based ids. Those findings are closed as no longer present and a fresh set is created with the corrected ids. This is a one-time effect; subsequent reimports match normally. SCA tests are not affected.
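The key change described above and its one-time reimport effect, as an added illustration (constructed sample data, not the DefectDojo parser's own code; the record layout and the `type` field are assumed, only the `uniqueHash` and `issueId` field names come from the notes):

```python
"""Illustrates the Xygeni dedup-key change in DefectDojo 3.0.100 (constructed example)."""

# Constructed sample: the same secret value found twice in one file (shared
# uniqueHash, distinct issueId), one SAST hit, and one SCA finding. The "type"
# field and the issueId format are assumptions for this illustration.
SAMPLE_OCCURRENCES = [
    {"type": "secrets", "uniqueHash": "h-aaa", "issueId": "src/config.py:12"},
    {"type": "secrets", "uniqueHash": "h-aaa", "issueId": "src/config.py:40"},
    {"type": "sast", "uniqueHash": "h-bbb", "issueId": "src/app.py:7"},
    {"type": "sca", "uniqueHash": "h-ccc", "issueId": "ISSUE-ID-PLACEHOLDER"},
]


def dedup_keys(occ: dict, new_behavior: bool) -> tuple[str, str]:
    """Return (unique_id_from_tool, vuln_id_from_tool) for one occurrence.

    Old behaviour: unique_id_from_tool = uniqueHash for every scan type.
    3.0.100 behaviour: SAST/Secrets use the per-occurrence issueId (falling
    back to uniqueHash when it is absent); SCA keeps uniqueHash.
    """
    unique_hash = occ["uniqueHash"]
    if new_behavior and occ["type"] in ("sast", "secrets"):
        return occ.get("issueId") or unique_hash, unique_hash
    return unique_hash, unique_hash


def surviving_findings(occurrences: list[dict], new_behavior: bool) -> list[tuple[str, str]]:
    """Collapse occurrences on unique_id_from_tool as the importer's dedup would,
    keeping the first occurrence per key; returns the surviving (uid, vid) pairs."""
    seen: dict[str, tuple[str, str]] = {}
    for occ in occurrences:
        uid, vid = dedup_keys(occ, new_behavior)
        seen.setdefault(uid, (uid, vid))
    return list(seen.values())


def reimport_diff(old_ids: set[str], new_ids: set[str]) -> tuple[set[str], set[str]]:
    """Ids closed as no longer present and ids newly created on the first reimport."""
    return old_ids - new_ids, new_ids - old_ids


if __name__ == "__main__":
    before = surviving_findings(SAMPLE_OCCURRENCES, new_behavior=False)
    after = surviving_findings(SAMPLE_OCCURRENCES, new_behavior=True)
    print(f"old key: {len(before)} findings survive; new key: {len(after)} survive")
    closed, created = reimport_diff({u for u, _ in before}, {u for u, _ in after})
    print(f"first reimport after upgrade closes {sorted(closed)}, creates {sorted(created)}")
```

Running it shows the second occurrence of `h-aaa` surviving only under the new key, both Secrets findings still sharing `vuln_id_from_tool`, and the SCA id `h-ccc` untouched by the reimport.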

For more information, check the Release Notes.