Store fingerprint from bearer in unique_id_from_tool (#12346)

wolframite · valentijnscholten · web-flow · commit 24ac4379d0aa · 2025-05-22T21:42:21.000-05:00
* Store fingerprint from bearer in unique_id_from_tool

* Update dojo/tools/bearer_cli/parser.py

* Updated bearer unit test to assert on the fingerprint being set into unique_id_from_tool

---------

Co-authored-by: valentijnscholten &lt;valentijnscholten@gmail.com&gt;
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1584,6 +1584,7 @@ def saml2_attrib_map_format(din):
     "MobSF Scorecard Scan": DEDUPE_ALGO_HASH_CODE,
     "OSV Scan": DEDUPE_ALGO_HASH_CODE,
     "Nosey Parker Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
+    # The bearer fingerprint is not unique across multiple scans, so it shouldn't be used for deduplication (https://github.com/DefectDojo/django-DefectDojo/pull/12346#issuecomment-2841561634)
     "Bearer CLI": DEDUPE_ALGO_HASH_CODE,
     "Wiz Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
     "Deepfence Threatmapper Report": DEDUPE_ALGO_HASH_CODE,
diff --git a/dojo/tools/bearer_cli/parser.py b/dojo/tools/bearer_cli/parser.py
@@ -46,6 +46,8 @@ def get_findings(self, file, test):
                     sast_source_line=bearerfinding["source"]["start"],
                     sast_source_file_path=bearerfinding["filename"],
                     vuln_id_from_tool=bearerfinding["id"],
+                    # the fingerprint is not constant over time, but because it's not used for dedupe it's safe and useful to set it
+                    unique_id_from_tool=bearerfinding["fingerprint"],
                 )
 
                 items.append(finding)
diff --git a/unittests/tools/test_bearer_cli_parser.py b/unittests/tools/test_bearer_cli_parser.py
@@ -20,6 +20,7 @@ def test_bearer_parser_with_one_vuln_has_one_findings(self):
         self.assertEqual("https://docs.bearer.com/reference/rules/javascript_lang_dangerous_insert_html", findings[0].references)
         self.assertEqual("js/adminer/editing.js", findings[0].file_path)
         self.assertEqual(581, findings[0].line)
+        self.assertEqual("804174abc284c6bc747d886b3e9ba757_0", findings[0].unique_id_from_tool)
 
     def test_bearer_parser_with_many_vuln_has_many_findings(self):
         testfile = (get_unit_tests_scans_path("bearer_cli") / "bearer_cli_many_vul.json").open(encoding="utf-8")

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ def get_findings(self, file, test):`
`46`	`46`	`sast_source_line=bearerfinding["source"]["start"],`
`47`	`47`	`sast_source_file_path=bearerfinding["filename"],`
`48`	`48`	`vuln_id_from_tool=bearerfinding["id"],`
	`49`	`+ # the fingerprint is not constant over time, but because it's not used for dedupe it's safe and useful to set it`
	`50`	`+ unique_id_from_tool=bearerfinding["fingerprint"],`
`49`	`51`	`)`
`50`	`52`
`51`	`53`	`items.append(finding)`