Merge pull request DependencyTrack#2532 from lme-nca/bugfix/issue_2424_add_do_not_reactivate_flag

add DefectDojo "do not reactivate" flag, fixes issue 2424

Closes DependencyTrack#2424

Author: nscuro

docs/_docs/integrations/defectdojo.md

@@ -48,7 +48,7 @@ This feature is used to map projects in Dependency-Track to engagements in Defec
 | ---------------| --------------------------------- |
 | Group Name     | `integrations`                    |
 | Property Name  | `defectdojo.engagementId`         |
-| Property Value | The CI/CD engagement ID to upload findings to, noted in Step 3 |
+| Property Value | The CI/CD engagement ID to upload findings to, noted in Step 3 |s
 | Property Type  | `STRING`                          |
 
 #### Step 7: Add Per-project configuration for Reimport Enhancement (Optional)
@@ -64,7 +64,25 @@ The additional configuration property is defined as below:
 | Property Value | 'true'                            |
 | Property Type  | `BOOLEAN`                         |
 
-#### Step 8: Global configuration for Reimport Enhancement (Optional)
+#### Step 8: Add Per-project configuration for do_not_reactivate Enhancement (Optional)
+![Configure Project](/images/screenshots/defectdojo_do-not-reactivate.png)
+
+* Dependency-Track v4.8.0 or higher
+* Only work in combination with reimport
+* Enabling this flag will mean that DefectDojo is considered the source of truth and findings closed in DefectDojo are not re-opened.
+* WARNING! This comes with the downside that a potentially patched vulnerability that is re-introduced by, for example a library downgrade, is reactivated
+
+As mentioned in the DefectDojo documentation this feature 'Will keep existing findings closed, without reactivating them.' Usually DefectDojo considers the scanners report as the source of truth, this leads DefectDojo to re-open findings that might have been closed in DefectDojo if it shows up in a scan.
+
+
+| Attribute      | Value                             |
+| ---------------| --------------------------------- |
+| Group Name     | `integrations`                    |
+| Property Name  | `defectdojo.doNotReactivate`             |
+| Property Value | 'true'                            |
+| Property Type  | `BOOLEAN`                         |
+
+#### Step 9: Global configuration for Reimport Enhancement (Optional)
 * Dependency-Track v4.6.0 or higher
 ![Configure Project](/images/screenshots/defectdojo_global_reimport.png)
 Alternatively, you can turn on the above reimport feature for all projects in one click, by checking on 'Enable reimport' box as shown in the screenshot above.

docs/images/screenshots/defectdojo_do-not-reactivate.png

@@ -163,7 +163,7 @@ public ArrayList<String> jsonToList(final JSONArray jsonArray) {
      * A Reimport will reuse (overwrite) the existing test, instead of create a new test.
      * The Successfully reimport will also  increase the reimport counter by 1.
      */
-    public void reimportDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final String testId) {
+    public void reimportDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final String testId, final Boolean doNotReactivate) {
         LOGGER.debug("Re-reimport Dependency-Track findings to DefectDojo per Engagement");
         HttpPost request = new HttpPost(baseURL + "/api/v2/reimport-scan/");
         request.addHeader("accept", "application/json");
@@ -178,6 +178,7 @@ public void reimportDependencyTrackFindings(final String token, final String eng
                 .addPart("minimum_severity", new StringBody("Info", ContentType.MULTIPART_FORM_DATA))
                 .addPart("close_old_findings", new StringBody("true", ContentType.MULTIPART_FORM_DATA))
                 .addPart("push_to_jira", new StringBody("push_to_jira", ContentType.MULTIPART_FORM_DATA))
+                .addPart("do_not_reactivate", new StringBody(doNotReactivate.toString(), ContentType.MULTIPART_FORM_DATA))
                 .addPart("test", new StringBody(testId, ContentType.MULTIPART_FORM_DATA))
                 .addPart("scan_date", new StringBody(DATE_FORMAT.format(new Date()), ContentType.MULTIPART_FORM_DATA))
                 .build();

src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoClient.java

@@ -44,6 +44,8 @@ public class DefectDojoUploader extends AbstractIntegrationPoint implements Proj
     private static final Logger LOGGER = Logger.getLogger(DefectDojoUploader.class);
     private static final String ENGAGEMENTID_PROPERTY = "defectdojo.engagementId";
     private static final String REIMPORT_PROPERTY = "defectdojo.reimport";
+    private static final String DO_NOT_REACTIVATE_PROPERTY = "defectdojo.doNotReactivate";
+
 
     public boolean isReimportConfigured(final Project project) {
         final ProjectProperty reimport = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), REIMPORT_PROPERTY);
@@ -54,6 +56,15 @@ public boolean isReimportConfigured(final Project project) {
         }
     }
 
+    public boolean isDoNotReactivateConfigured(final Project project) {
+        final ProjectProperty reactivate = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), DO_NOT_REACTIVATE_PROPERTY);
+        if (reactivate != null) {
+            return Boolean.parseBoolean(reactivate.getPropertyValue());
+        } else {
+            return false;
+        }
+    }
+
     @Override
     public String name() {
         return "DefectDojo";
@@ -97,7 +108,7 @@ public void upload(final Project project, final InputStream payload) {
                 if (testId.equals("")) {
                     client.uploadDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload);
                 } else {
-                    client.reimportDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload, testId);
+                    client.reimportDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload, testId, isDoNotReactivateConfigured(project));
                 }
             } else {
                 client.uploadDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload);

src/main/java/org/dependencytrack/integrations/defectdojo/DefectDojoUploader.java

@@ -85,7 +85,7 @@ public void testReimportFindingsPositiveCase() throws Exception {
                         withBody(WireMock.equalTo(engagementId))).willReturn(WireMock.aResponse().withStatus(201).withHeader(HttpHeaders.CONTENT_TYPE, "application/json")));
         DefectDojoUploader uploader = new DefectDojoUploader();
         DefectDojoClient client = new DefectDojoClient(uploader, new URL(wireMockRule.baseUrl() + "/defectdojo"));
-        client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(0), testId);
+        client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(0), testId, false);
         WireMock.verify(WireMock.postRequestedFor(WireMock.urlPathEqualTo("/defectdojo/api/v2/reimport-scan/"))
                 .withAnyRequestBodyPart(WireMock.aMultipart().withName("engagement").
                         withBody(WireMock.equalTo(engagementId)
@@ -103,7 +103,7 @@ public void testReimportFindingsNegativeCase() throws Exception {
                         withBody(WireMock.equalTo(""))).willReturn(WireMock.aResponse().withStatus(400).withHeader(HttpHeaders.CONTENT_TYPE, "application/json")));
         DefectDojoUploader uploader = new DefectDojoUploader();
         DefectDojoClient client = new DefectDojoClient(uploader, new URL(wireMockRule.baseUrl() + "/defectdojo"));
-        client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(16), testId);
+        client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(16), testId, false);
         WireMock.verify(WireMock.postRequestedFor(WireMock.urlPathEqualTo("/defectdojo/api/v2/reimport-scan/"))
                 .withAnyRequestBodyPart(WireMock.aMultipart().withName("engagement").
                         withBody(WireMock.equalTo(engagementId)