Tags missing during import of certain parsers including Trivy Operator Scan #14105

@baczus

Bug description
Tags are not applied to vulnerabilities when using the Import Scan Results option from the Engagement view for the "Trivy Operator Scan" type.

Interestingly, tags are added successfully if I first create an empty test and then use the Re-upload Scan option from the test details view.

This feature worked as expected in version 2.52.0.

Steps to reproduce
Steps to reproduce the behavior:

  1. Go to an Engagement.
  2. Click on Import Scan Results.
  3. Select Trivy Operator Scan as the scan type.
  4. Verify the imported vulnerabilities.
  5. Observe that the vulnerabilities do not have tags.

Expected behavior
Vulnerabilities should have tags applied automatically: os-pkgs (from the class field) and test (from the namespace field).

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • DefectDojo version: 2.54.1

Sample scan files
test.json

Screenshots
Import Scan results -> No tags
Image

Reupload scan -> Tags exist
Image

Additional context
I also reproduced this issue on a vanilla DefectDojo instance (2.54.1) using Docker Compose.
