
docs: Pro set-based deduplication hash code fields (WIP) #15154

Draft
valentijnscholten wants to merge 1 commit into feat/cwe-vuln-id-consolidation from feat/dedupe-set-match-docs
valentijnscholten commented Jul 4, 2026

🔗 PR stack — CWE / vulnerability-ID consolidation (OSS)

dev
└─ #15145  feat: autodetected vulnerability-ID type + uniqueness constraint
   └─ #15143  feat: multiple CWEs per finding
      ├─ #15154  docs: Pro set-based dedup hash-code fields
      └─ #15155  feat: pluggable false-positive-history candidate filter

Merge bottom-up: #15145 → #15143 → (#15154, #15155). 👉 This PR: #15154


Stacked docs PR — do not merge before its base.

Documentation for the DefectDojo Pro set-match deduplication fields (Pro Tuner). Adds a "Set-based Hash Code Fields" section to the Pro deduplication tuning page covering the vulnerability-ID and CWE set matchers (vulnerability_ids exact, vulnerability_ids_partial/_subset, cwes_partial/_subset), their empty-set behavior, and the configuration rules.

Stack (merge bottom-up)

  1. feat(finding): copy finding fix + autodetected vulnerability id type + uniqueness constraint #15145 feat/vulnerability-id-type (autodetected vulnerability ID type + uniqueness) → dev
  2. feat(finding): multiple CWEs per finding #15143 feat/cwe-vuln-id-consolidation (multiple CWEs per finding) → stacked on feat(finding): copy finding fix + autodetected vulnerability id type + uniqueness constraint #15145
  3. this PR — docs → stacked on feat(finding): multiple CWEs per finding #15143 (base: feat/cwe-vuln-id-consolidation)

The CWE matchers documented here rely on the Finding_CWE model from #15143, so this PR is based on that branch. It accompanies the DefectDojo Pro feat/dedupe-set-match-tokens PR (dojo-pro #1749), which implements the fields.

…+ CWE matchers)

Document the Pro Tuner set-match hash-code fields: vulnerability_ids (exact),
vulnerability_ids_partial/_subset, and cwes_partial/_subset — what each matches, how
_partial/_subset are compared per pair rather than hashed, the empty-set behavior
(abstain when another hashed field gates the pair; no match when the matcher is the
sole field), and the config rules (a vulnerability IDs field may stand alone; CWE
fields may not be the only criteria).
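
The empty-set behavior and configuration rules described in the PR description and commit message above, modeled in Python as an added example; this is not code from DefectDojo or DefectDojo Pro. The function names, the finding dictionaries, the `title` stand-in for a hashed field, and the reading of `_partial` as set overlap and `_subset` as one set containing the other are assumptions, and the sample IDs are constructed.

```python
VULN_FIELDS = {"vulnerability_ids_partial", "vulnerability_ids_subset"}
CWE_FIELDS = {"cwes_partial", "cwes_subset"}
PAIRWISE = VULN_FIELDS | CWE_FIELDS  # compared per pair, not hashed


def validate_fields(fields):
    """Config rule from the PR text: CWE fields may not be the only criteria."""
    if not fields:
        raise ValueError("no hash code fields configured")
    if all(f in CWE_FIELDS for f in fields):
        raise ValueError("CWE fields may not be the only criteria")


def compare_sets(field, new, existing, gated):
    """True = match, False = no match, None = abstain."""
    if not new or not existing:
        # Empty set: abstain when a hashed field gates the pair, else no match.
        return None if gated else False
    if field.endswith("_partial"):
        return bool(new & existing)  # assumption: any shared element
    return new <= existing or existing <= new  # assumption: one contains the other


def is_duplicate(fields, new, existing, hashed_fields_equal=True):
    """hashed_fields_equal stands in for the ordinary hash code comparison."""
    validate_fields(fields)
    pairwise = [f for f in fields if f in PAIRWISE]
    gated = len(pairwise) < len(fields)  # at least one hashed field is configured
    if gated and not hashed_fields_equal:
        return False
    for field in pairwise:
        key = "cwes" if field in CWE_FIELDS else "vulnerability_ids"
        if compare_sets(field, set(new[key]), set(existing[key]), gated) is False:
            return False
    return True


# Constructed sample findings; the IDs are placeholders, not real advisories.
A = {"vulnerability_ids": {"CVE-0000-0001", "CVE-0000-0002"}, "cwes": {79, 89}}
B = {"vulnerability_ids": {"CVE-0000-0002"}, "cwes": {79}}
EMPTY = {"vulnerability_ids": set(), "cwes": set()}

if __name__ == "__main__":
    print(is_duplicate(["title", "vulnerability_ids_partial"], A, B))      # overlap
    print(is_duplicate(["title", "vulnerability_ids_partial"], A, EMPTY))  # abstain
    print(is_duplicate(["vulnerability_ids_partial"], A, EMPTY))           # sole field
```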