Snyk SCA vulnerability across several repos flagged as duplicate

[AlBellom]

We are running snyk test out of a pipeline against few repos. Snyk identifies a specific vulnerability in few repos. DefectDojo thinks they are duplicates and flags them all as such, except for one, as I have Deduplicate findings checked. If I uncheck Deduplicate findings, when I run the pipeline again and Snyk finds the same vulnerability, then DefectDojo creates a duplicate, which is highly undesirable.

It is normal to have the same SCA vulnerabilities across repos and we need to let developers know all repos affected. Hopefully I am missing something about the way DefectDojo works. Regardless, any help or pointers are greatly appreciated. Thanks.

[mtesauro]

Are you importing or using re-import? details here

If using re-import, is the scope of what your scanning the same? Or are you scanning repo 1 and importing, then scanning repo 2 and re-importing, then scanning repo 3 and re-importing? For re-imports, it's important that from scan to scan the thing being scanned (aka the scope) is the same.

Are you dedup'ing at the product or engagement level? details here

Have you adjusted the hash algorithm used for dedup'ing Snyk SCA scans? The default is this. Details on how the algorithm works is here

[AlBellom]

First off, I do all the imports using the DD APIs, not manually. To answer your questions:

1. I use the re-import API.
2. The scope is the same.
3. I tried dedup'ing both at the product and engagement level, same result.
4. I didn't adjust the hash algo.

I got it to work somehow by deleting the test it was giving me issues and rerun it. I don't know why that fixed it but it did. I'll keep in mind your suggestions and watch out for this issue to reoccur. Thank you.