Upgrading to DefectDojo Version 3.0.200

Xygeni parser: deduplication keys corrected to uniqueHash

This corrects the Xygeni deduplication keys introduced in 3.0.100. That release keyed SAST and Secrets findings on Xygeni’s issueId, which encodes the file path and line but not the code. As a result two distinct findings on the same line (same detector, different code) collapsed into one, because they share an issueId even though their uniqueHash differs.

uniqueHash is Xygeni’s location-independent identity for a finding: for SAST it hashes the detector and the normalized code (the line is deliberately excluded), and for Secrets it hashes the secret value, type, detector, file and key. Keying on it keeps genuinely distinct findings apart and keeps a finding’s identity stable when code shifts to a different line.

The deduplication keys are now:

| Scan type | unique_id_from_tool (dedup key) | vuln_id_from_tool (grouping only) |
|---|---|---|
| SAST | uniqueHash | detector |
| SCA | uniqueHash | userId (CVE / GHSA / OSV) |
| Secrets | uniqueHash | detector |

All three scan types now use the unique_id_from_tool deduplication algorithm. SCA was switched from unique_id_from_tool_or_hash_code; its unique_id_from_tool value is unchanged, so SCA findings are not affected.

Repeated secrets in the same file

The same secret value can be leaked on several lines of one file. Because uniqueHash excludes the line, all those occurrences share one identity, so the parser now aggregates them into a single finding and lists every line where the secret appears in the description. This is more stable than emitting one finding per line, which would reopen findings whenever the lines shifted.
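As an added example (not DefectDojo's own Xygeni parser code), the key mapping in the table above and the per-file secret aggregation just described, run over constructed Xygeni-like findings; only issueId, uniqueHash, detector and userId are field names taken from this page, while "file" and "line" are assumed names.

```python
# Added example, not the DefectDojo Xygeni parser: derives the 3.0.200
# dedup/grouping keys from constructed Xygeni-like findings and merges
# repeated secrets that share a uniqueHash. Field names issueId, uniqueHash,
# detector and userId are from the page; "file" and "line" are assumed.

# Constructed sample. SAST: two findings on the same line with different code
# (same issueId, different uniqueHash). Secrets: one value leaked on three
# lines of one file plus a second secret elsewhere. SCA: placeholder advisory id.
SAMPLE = {
    "sast": [
        {"issueId": "src/db.py:88", "uniqueHash": "sast-111", "detector": "sql_injection", "file": "src/db.py", "line": 88},
        {"issueId": "src/db.py:88", "uniqueHash": "sast-222", "detector": "sql_injection", "file": "src/db.py", "line": 88},
    ],
    "secrets": [
        {"issueId": "app/config.py:12", "uniqueHash": "sec-aaa", "detector": "aws_key", "file": "app/config.py", "line": 12},
        {"issueId": "app/config.py:40", "uniqueHash": "sec-aaa", "detector": "aws_key", "file": "app/config.py", "line": 40},
        {"issueId": "app/config.py:77", "uniqueHash": "sec-aaa", "detector": "aws_key", "file": "app/config.py", "line": 77},
        {"issueId": "ci/deploy.sh:3", "uniqueHash": "sec-bbb", "detector": "generic_token", "file": "ci/deploy.sh", "line": 3},
    ],
    "sca": [
        {"issueId": "requirements.txt:5", "uniqueHash": "sca-333", "userId": "CVE-YYYY-NNNNN", "file": "requirements.txt", "line": 5},
    ],
}

# vuln_id_from_tool field per scan type (grouping only); unique_id_from_tool is always uniqueHash.
VULN_ID_FIELD = {"sast": "detector", "sca": "userId", "secrets": "detector"}

def distinct_ids(items, field):
    """How many identities survive when keying on `field` (issueId vs uniqueHash)."""
    return len({item[field] for item in items})

def dedup_keys(scan_type, item):
    """Return (unique_id_from_tool, vuln_id_from_tool) for one Xygeni item."""
    return item["uniqueHash"], item.get(VULN_ID_FIELD[scan_type])

def parse_findings(scan_type, items):
    """Secrets sharing a uniqueHash merge into one finding listing every line; SAST/SCA give one finding per item."""
    by_key = {}  # insertion-ordered (Python 3.7+), so output order follows input order
    for n, item in enumerate(items):
        uid, vid = dedup_keys(scan_type, item)
        key = uid if scan_type == "secrets" else n  # merge only secrets
        entry = by_key.setdefault(key, {
            "unique_id_from_tool": uid, "vuln_id_from_tool": vid,
            "file_path": item["file"], "line": item["line"], "lines": [],
        })
        entry["lines"].append(item["line"])  # first occurrence keeps its line; all lines go to the description
    for entry in by_key.values():
        lines = ", ".join(str(l) for l in sorted(set(entry.pop("lines"))))
        entry["description"] = "%s in %s, line(s): %s" % (entry["vuln_id_from_tool"], entry["file_path"], lines)
    return list(by_key.values())
```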

Required actions

  • No action required for new imports.
  • Reimport behavior: on the first reimport of an existing Xygeni SAST or Secrets test after upgrading, the previously imported findings carry the old issueId-based unique_id_from_tool and will not match the new uniqueHash-based ids. Those findings are closed as no longer present and a fresh set is created with the corrected ids. This is a one-time effect; subsequent reimports match normally. SCA tests are not affected.

This is intentionally a one-time hit rather than a versioned (V2) parser. The Xygeni unique_id_from_tool mapping is now considered final; any future change to finding identity will be delivered as a new parser version.

For more information, check the Release Notes.