Description
Bug description
The flow of reimporting is as follows; however, the processing of findings takes place asynchronously, whereas the sending out of notifications takes place synchronously, resulting in the scan_added webhook containing incorrect information about the new, mitigated, reactivated and untouched findings.
From:
The full step process of taking a scan report, and converting it to
findings in the database. This entails the following actions:
- Verify the API scan configuration (if supplied)
- Parse the findings
- Process the findings
- Update the timestamps on the test
- Update/Create import history objects
- Send out notifications
- Update the test progress
Steps to reproduce
Set up a webhook and import the same (large) vulnerability report twice; observe that the scan_added webhook contains incorrect information.
curl -X POST "http://defectdojo.dev.rootline.com/api/v2/reimport-scan/" \
-H "Authorization: Token ..." \
-F "file=@<scan-report-file>" \
-F "scan_type=Trivy Operator Scan" \
-F "product_type_name=Test Product Type" \
-F "product_name=Test Product" \
-F "engagement_name=Test Engagement" \
-F "test_title=Test Test" \
-F "auto_create_context=true" \
-F "close_old_findings=true"
Expected behavior
The scan_added webhook should be sent after deduplication has taken place.
Deployment method (select with an X)
- Docker Compose
- Kubernetes
- GoDojo
Environment information
- Helm version 1.7
- DefectDojo version 2.51.2
Additional context (optional)
Slack thread https://owasp.slack.com/archives/C2P5BA8MN/p1764075409115599
Already working on a pull request to schedule the webhook asynchronously.
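The ordering problem described in this issue, reproduced in miniature as an added example (this is not DefectDojo code; the counter names, the `gate` hook and the sample finding hashes are constructed for illustration). Finding processing runs in a worker thread while the scan_added payload is built from the request path in `reimport_sync_notify`, so the webhook reports zeros; `reimport_async_notify` schedules the notification as a continuation of the processing task and reads the counters only once they are final:

```python
"""Reimport race: notification built before asynchronous processing finishes.

Added example, not DefectDojo's own code. The history counters, the `gate`
event and the sample data are constructed to make the race deterministic.
"""
import threading
from dataclasses import dataclass


@dataclass
class ImportHistory:
    """Counters the scan_added webhook reports (field names are illustrative)."""
    new: int = 0
    mitigated: int = 0
    reactivated: int = 0
    untouched: int = 0


def process_findings(history, incoming, existing, gate):
    """Background worker: dedupe the incoming report against stored findings.

    `existing` maps a finding hash to whether that finding is currently active;
    `incoming` is the set of hashes in the new report. `gate` is a constructed
    hook so the caller controls when processing completes, making the race
    reproducible instead of timing dependent.
    """
    gate.wait()
    active = {h for h, is_active in existing.items() if is_active}
    inactive = set(existing) - active
    history.new = len(incoming - set(existing))
    history.mitigated = len(active - incoming)
    history.reactivated = len(inactive & incoming)
    history.untouched = len(active & incoming)


def build_scan_added_payload(history):
    """The counters the webhook body carries, read from the history object."""
    return {
        "new": history.new,
        "mitigated": history.mitigated,
        "reactivated": history.reactivated,
        "untouched": history.untouched,
    }


def reimport_sync_notify(incoming, existing):
    """Current behaviour: processing is dispatched to a worker, but the webhook
    payload is built synchronously on the request path before the worker is done."""
    history = ImportHistory()
    gate = threading.Event()
    worker = threading.Thread(
        target=process_findings, args=(history, incoming, existing, gate)
    )
    worker.start()
    payload = build_scan_added_payload(history)  # sent now: counters still zero
    gate.set()
    worker.join()
    return payload


def reimport_async_notify(incoming, existing):
    """Fixed ordering: the webhook is scheduled as a continuation of the
    processing task, so it reads the counters only after they are final."""
    history = ImportHistory()
    gate = threading.Event()
    sent = {}

    def task():
        process_findings(history, incoming, existing, gate)
        sent.update(build_scan_added_payload(history))  # runs after processing

    worker = threading.Thread(target=task)
    worker.start()
    gate.set()
    worker.join()
    return sent


# Constructed sample: four stored findings (one already mitigated) and a new
# report that drops two, keeps one, brings back the mitigated one, adds two.
EXISTING = {"a": True, "b": True, "c": False, "d": True}
INCOMING = {"a", "c", "e", "f"}

if __name__ == "__main__":
    print("sync notify :", reimport_sync_notify(INCOMING, EXISTING))
    print("async notify:", reimport_async_notify(INCOMING, EXISTING))
```

Running it shows the synchronous path reporting all zeros while the asynchronous path reports 2 new, 2 mitigated, 1 reactivated and 1 untouched for the same input; the only difference is where the payload is built relative to the worker finishing.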