Add DefectDojo auto create context

[mjwrona]

Description

Adds usage of DefectDojos auto_create_context import api flag so that users don't have to build their own glue code to use this integration at scale.

Global Configuration
Introduces 4 new global settings

Property Name	Default Value	Description
defectdojo.autocreate.enabled	false	Enable/disable auto context creation
defectdojo.autocreate.engagementName	dependencytrack	Default engagement name for all projects
defectdojo.autocreate.productTypeName	Dependency Track	Default product type name for all projects
defectdojo.autocreate.deduplicationOnEngagement	false	Enable deduplication at engagement level instead of product level

Project Properties
Introduces 4 new project properties that allow to override product name, the global deduplicationOnEngagement, engagement and product type name

Attribute	Value
Group Name	integrations
Property Name	defectdojo.autocreate.productName
Property Value	Custom product name (defaults to project name if not set)
Property Type	STRING

Attribute	Value
Group Name	integrations
Property Name	defectdojo.autocreate.engagementName
Property Value	Custom engagement name (defaults to global config if not set)
Property Type	STRING

Attribute	Value
Group Name	integrations
Property Name	defectdojo.autocreate.productTypeName
Property Value	Custom product type name (defaults to global config if not set)
Property Type	STRING

Attribute	Value
Group Name	integrations
Property Name	defectdojo.autocreate.deduplicationOnEngagement
Property Value	true or false (defaults to global config if not set)
Property Type	BOOLEAN

UI Change:

Addressed Issue

Closes #1323

Additional Details

See https://docs.defectdojo.com/automation/api/api-v2-docs/#import

Checklist

• I have read and understand the contributing guidelines
  - [ ] This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
  - [ ] This PR introduces changes to the database model, and I have added corresponding update logic
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

[owasp-dt-bot]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mjwrona]

Frontend PR: DependencyTrack/frontend#1480

[valentijnscholten]

Great to see this added as it makes the Defect Dojo integration easier and better. There are some more parameters that can be provided with auto_create_context. The following two might be interesting to add:

• test_title
• deduplication_on_engagement

Do you think this PR would a good opportunity to add these two?

[mjwrona]

Sure I just need a bit more context about those settings.
Would you expect that as global config, project property or both?
What should be the default for those settings to not introduce a breaking change?

[valentijnscholten]

The test_title should be optional and not sent by default. In that case Defect Dojo will use the name of the parser as title for the test which is "Dependency Track Finding Packaging Format (FPF) Export". By providing a test_title value you can choose a more useful value that provides some context, for example the name + version of the project in Depdendency Track. That might even be a good new default, but would break for users using the reimport option.

The deduplication_on_engagement value should be empty/left out by default. The default value is False in Defect Dojo. By providing True from Dependency Track it will instruct Defect Dojo to use a narrow deduplication scope. It goes too far to explain all the intricacies around that here. But allowing users to set it to True if needed is helpful.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -0.04% (target: -1.00%)	✅ 76.84% (target: 70.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (41380dd)	24772	20110	81.18%
Head commit (d5f427c)	24851 (+79)	20165 (+55)	81.14% (-0.04%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#5971)	95	73	76.84%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[mjwrona]

@valentijnscholten I added the deduplication_on_engagement flag to global and project config.
For test_title - this is already configurable on project level using defectdojo.testTitle. The switch to a dynamic value like name + version does not only target auto create context but the full integration so i wouldn't implement that in this PR.

@nscuro what are your thoughts on that?

[AndreVirtimo]

Thank you for this PR. This has been on my wishlist for a long time.

I propose using only the reimport-scan API. There is no need to use the import-scan API. As far as I know**,** the reimport-scan API is the best option for tool integration and CI/CD pipelines.

This would reduce the complexity of the DD integration.

The reimport-scan API offers additional options. Maybe a more generic mapping between project properties and API options would provide more flexibility. All properties with the prefix defectdojo.reimport. could be mapped. So defectdojo.autocreate.productName would be defectdojo.reimport.product_name. Then I could also use options like defectdojo.reimport.push_to_jira.