We are using trivy-dojo-report-operator, which integrates with trivy-operator as a source of vulnerabilities and imports them into DefectDojo via the API. The issue occurs when the close_old_findings parameter is enabled.
According to the documentation: If service has been set, only the findings for this service will be closed.
However, in practice, instead of closing only findings that match the same service value, every new result closes all other findings, regardless of their service values.
Expected Behavior
When reimporting engagement results with the close_old_findings parameter enabled, only findings with the exact same service can be closed.
Deployment Method (select with an X):
Docker Compose
Kubernetes
GoDojo
Environment Information:
DefectDojo Version: 2.40.1
It’s clear that there were initially 48 vulnerabilities, but each reimport ended up closing all previous findings. The next reimport closed the last set, and so on. Do you see this as an issue?
The core problem lies in situations where we have a large number of distinct vulnerabilities within a single engagement or product. This behavior creates a broader issue, but the logic tied to the service value is supposed to address it. As a separate parameter, it should ensure that only findings for which no new results have been received (with the same service value) are closed.
This discrepancy is the root of the problem.
As a result, there are no vulnerabilities left at all because a test result was imported where no vulnerabilities were present. It seems that this process closed everything, likely without even considering the service names. This behavior significantly impacts the accuracy and reliability of vulnerability tracking within the engagement/product.
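To make the documented rule and the reported behaviour concrete, here is a small Python model of what close_old_findings should close during a reimport. This is an added example, not DefectDojo's or trivy-dojo-report-operator's code: the workload names, CVE ids and the 48-finding count are constructed to mirror the scenario above, `hash_code` is a simplified stand-in for DefectDojo's deduplication key, and reimport details such as severity thresholds and product-scope closing are deliberately not modelled.

```python
"""
Reference model of the documented close_old_findings + service rule versus the
behaviour reported in this issue. Added example; not DefectDojo's own code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Finding:
    hash_code: str          # stand-in for DefectDojo's dedup key (hash_code / unique_id_from_tool)
    service: Optional[str]  # the finding's `service` field, set from the (re)import's service value
    active: bool = True


def findings_to_close(existing: Iterable[Finding], new_hashes: Iterable[str],
                      service: Optional[str], respect_service: bool = True) -> List[str]:
    """
    Hash codes of active findings that a reimport with close_old_findings=True closes.

    respect_service=True  -> documented rule: when `service` is set, only findings
                             with that same service are candidates for closure.
    respect_service=False -> behaviour reported above: every active finding missing
                             from the new results is closed, whatever its service.
    """
    new_hashes = set(new_hashes)
    to_close = []
    for f in existing:
        if not f.active:
            continue
        if respect_service and service is not None and f.service != service:
            continue  # belongs to another service: out of scope for this reimport
        if f.hash_code in new_hashes:
            continue  # still present in the new results: stays open
        to_close.append(f.hash_code)
    return to_close


def reimport(engagement: List[Finding], service: Optional[str], new_hashes: Iterable[str],
             close_old_findings: bool = True, respect_service: bool = True) -> List[str]:
    """Apply one (re)import to the in-memory engagement; returns the hash codes it closed."""
    new_hashes = list(new_hashes)
    closed: List[str] = []
    if close_old_findings:
        closed = findings_to_close(engagement, new_hashes, service, respect_service)
        for f in engagement:
            if f.hash_code in closed:
                f.active = False
    known = {f.hash_code: f for f in engagement}
    for h in new_hashes:
        if h in known:
            known[h].active = True  # a finding that is back in the results is reopened
        else:
            engagement.append(Finding(h, service))
    return sorted(closed)


def active_by_service(engagement: Iterable[Finding]) -> Dict[Optional[str], int]:
    """Count active findings per service (services with no active findings are omitted)."""
    counts: Dict[Optional[str], int] = {}
    for f in engagement:
        if f.active:
            counts[f.service] = counts.get(f.service, 0) + 1
    return counts


def run_scenario(respect_service: bool) -> Dict[str, Dict[Optional[str], int]]:
    """
    Constructed scenario modelled on the issue: four trivy-operator workloads with
    12 findings each (48 total) are imported once without close_old_findings, then
    rescanned one by one with close_old_findings=True and service set, and finally
    one workload is reimported with an empty (clean) result.
    """
    workloads = ["ns-a/deploy-api", "ns-a/deploy-worker", "ns-b/deploy-web", "ns-b/deploy-db"]
    reports = {w: [f"{w}:CVE-2024-{n:04d}" for n in range(1, 13)] for w in workloads}  # constructed ids
    engagement: List[Finding] = []
    for w in workloads:
        reimport(engagement, w, reports[w], close_old_findings=False, respect_service=respect_service)
    snapshot = {"initial": active_by_service(engagement)}
    for w in workloads:
        reimport(engagement, w, reports[w], close_old_findings=True, respect_service=respect_service)
    snapshot["after_rescans"] = active_by_service(engagement)
    reimport(engagement, workloads[0], [], close_old_findings=True, respect_service=respect_service)
    snapshot["after_clean_scan"] = active_by_service(engagement)
    return snapshot


if __name__ == "__main__":
    for label, flag in (("documented rule", True), ("reported behaviour", False)):
        print(label)
        for stage, counts in run_scenario(flag).items():
            print(f"  {stage}: {sum(counts.values())} active -> {counts}")
```

Under the documented rule the 48 findings survive every per-service rescan and the clean scan closes only the 12 belonging to ns-a/deploy-api, leaving 36. With the service filter ignored, each rescan closes the other workloads' findings, so only the last set (12) is left after the rescans and the clean scan closes that too, leaving 0, which is the cascade described in this issue.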