Skip to content

Bugfix: make jfrog xray impact paths deterministic#15094

Open
paulOsinski wants to merge 2 commits into
DefectDojo:devfrom
paulOsinski:bugfix-jfrog-xray-impact-paths-deterministic
Open

Bugfix: make jfrog xray impact paths deterministic#15094
paulOsinski wants to merge 2 commits into
DefectDojo:devfrom
paulOsinski:bugfix-jfrog-xray-impact-paths-deterministic

Conversation

@paulOsinski

@paulOsinski paulOsinski commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

[sc-13285]

The OSS parser at dojo/tools/jfrog_xray_api_summary_artifact/parser.py picks impact_paths[0] from an unordered list returned by JFrog:

impact_paths = vulnerability.get("impact_path", [])
if len(impact_paths) > 0:
    impact_path = decode_impact_path(impact_paths[0])
...
file_path=impact_paths[0],
description=impact_path.name + ":" + impact_path.version + " -> " + vulnerability["description"],

When JFrog returns the same vulnerability's impact_path list in a different order, file_path and description shift between imports.

This can cause unexpected issues with deduplication because of drifting, unpredictable issue descriptions. This list should be ordered deterministically for consistency.

Fix
Sort impact_paths in the OSS parser so file_path and description are deterministic. Optionally list all paths in the description so developers see every location, not just one.

Change:
impact_paths = sorted(vulnerability.get("impact_path", [])) — every downstream use of impact_paths[0] (file_path, the decoded impact_path feeding unique_id, and the V3 LocationData) is now deterministic.
When more than one impact_path exists, description appends a Impact paths: list so developers see every location, not just one (which is a data model limitation)

@paulOsinski paulOsinski force-pushed the bugfix-jfrog-xray-impact-paths-deterministic branch from df67647 to 2de1751 Compare June 26, 2026 18:19
@github-actions github-actions Bot removed the docs label Jun 26, 2026
@valentijnscholten

Copy link
Copy Markdown
Member

Sounds like a good plan. It does mean that it might change the hash_code for many existsing findings occurring in reimports/imports leading to a one-time close/create frenzy.

@Maffooch Maffooch left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like a good plan. It does mean that it might change the hash_code for many existsing findings occurring in reimports/imports leading to a one-time close/create frenzy.

Agreed with Val - description is a default hash code setting for this perser. @paulOsinski can you pleas rebase to the dev branch and add some release notes letting folks know how to rerun their hash calculations?

@Maffooch Maffooch added this to the 3.1.0 milestone Jun 26, 2026
@valentijnscholten

Copy link
Copy Markdown
Member

recalculating the hash won't help as the descripton is not retroactively changed.

@paulOsinski paulOsinski changed the base branch from bugfix to dev June 29, 2026 14:09
@github-actions

Copy link
Copy Markdown
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions Bot added New Migration Adding a new migration file. Take care when merging. docs unittests integration_tests ui and removed conflicts-detected labels Jun 29, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions

Copy link
Copy Markdown
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@paulOsinski

Copy link
Copy Markdown
Contributor Author

@Maffooch did you see Val's comment? He's right, the description will change along with the hash code so it's not like recalculating will do anything. This will still create "net new" Findings but those are being created anyway by this parser.

@Maffooch

Copy link
Copy Markdown
Contributor

Okay, so I think that leaves us with two options

  1. Change this parser, and findings will have go through the closed/open loop
  2. Make a v2 of this parser
    It seems like findings are already doing the closed/open loop today, so option 1 may not be that bad

@valentijnscholten would you agree?

@valentijnscholten

Copy link
Copy Markdown
Member

I think this time we'll have to accept option 1.

@Maffooch Maffooch force-pushed the bugfix-jfrog-xray-impact-paths-deterministic branch from d3270af to 1bcd057 Compare July 2, 2026 16:08
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions Bot added conflicts-detected and removed New Migration Adding a new migration file. Take care when merging. docs unittests integration_tests ui labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

The JFrog Xray API Summary Artifact parser now sorts impact paths before
selecting the first one, so file_path, description, and unique_id_from_tool
(the deduplication key) stay stable across re-imports. Previously JFrog's
arbitrary impact_path ordering could change the dedup key between scans and
cause a single CVE to be re-imported as multiple separate findings. Document
the behavior change and cleanup guidance in the 3.1 upgrade notes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the docs label Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants