test(qualys): add unit test for same QID different ports deduplication fix

Tejas Saubhage · Tejas Saubhage · commit a4e56986e1ee · 2026-03-20T13:35:50.000-04:00
- Add test XML with same QID on ports 80, 443, 8080 - Add test verifying each port gets its own endpoint - Add 2.57.x release notes mentioning the fix Addresses review feedback from @Maffooch on PR #14528
diff --git a/docs/content/releases/os_upgrading/2.57.md b/docs/content/releases/os_upgrading/2.57.md
@@ -0,0 +1,16 @@
+---
+title: "Upgrading to DefectDojo Version 2.57.x"
+toc_hide: true
+weight: -20570
+description: No special instructions.
+---
+
+## Upgrading to DefectDojo Version 2.57.x
+
+There are no special upgrade instructions for this release.
+
+## Release Notes
+
+### Bug Fixes
+
+- **Qualys Parser**: Fixed an issue where findings with the same QID but different ports were being collapsed into a single finding. Each QID+port combination now correctly gets its own endpoint, preserving port-level granularity without affecting finding titles or deduplication. ([#13682](https://github.com/DefectDojo/django-DefectDojo/issues/13682))
diff --git a/unittests/scans/qualys/qualys_same_qid_different_ports.xml b/unittests/scans/qualys/qualys_same_qid_different_ports.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ASSET_DATA_REPORT>
+  <HEADER>
+    <COMPANY><![CDATA[Test Company]]></COMPANY>
+    <REPORT_FILTERS>
+      <COMBINED_IP_LIST>
+        <RANGE>
+          <START>192.168.1.1</START>
+          <END>192.168.1.1</END>
+        </RANGE>
+      </COMBINED_IP_LIST>
+    </REPORT_FILTERS>
+  </HEADER>
+  <GLOSSARY>
+    <VULN_DETAILS_LIST>
+      <VULN_DETAILS id="qid_12345">
+        <QID id="qid_12345">12345</QID>
+        <TITLE><![CDATA[Test Vulnerability]]></TITLE>
+        <SEVERITY>3</SEVERITY>
+        <CATEGORY><![CDATA[Test]]></CATEGORY>
+        <LAST_UPDATE>2024-01-01T00:00:00Z</LAST_UPDATE>
+        <DIAGNOSIS><![CDATA[Test diagnosis]]></DIAGNOSIS>
+        <SOLUTION><![CDATA[Test solution]]></SOLUTION>
+      </VULN_DETAILS>
+    </VULN_DETAILS_LIST>
+  </GLOSSARY>
+  <HOST_LIST>
+    <HOST>
+      <IP>192.168.1.1</IP>
+      <TRACKING_METHOD>IP</TRACKING_METHOD>
+      <DNS><![CDATA[testhost.example.com]]></DNS>
+      <OS><![CDATA[Linux]]></OS>
+      <LAST_SCAN_DATETIME>2024-01-01T00:00:00Z</LAST_SCAN_DATETIME>
+      <VULN_INFO_LIST>
+        <VULN_INFO>
+          <QID id="qid_12345">12345</QID>
+          <TYPE>Practice</TYPE>
+          <PORT>80</PORT>
+          <SSL>false</SSL>
+          <RESULT format="table"><![CDATA[Test result on port 80]]></RESULT>
+          <FIRST_FOUND>2024-01-01T00:00:00Z</FIRST_FOUND>
+          <LAST_FOUND>2024-01-01T00:00:00Z</LAST_FOUND>
+          <TIMES_FOUND>1</TIMES_FOUND>
+        </VULN_INFO>
+        <VULN_INFO>
+          <QID id="qid_12345">12345</QID>
+          <TYPE>Practice</TYPE>
+          <PORT>443</PORT>
+          <SSL>true</SSL>
+          <RESULT format="table"><![CDATA[Test result on port 443]]></RESULT>
+          <FIRST_FOUND>2024-01-01T00:00:00Z</FIRST_FOUND>
+          <LAST_FOUND>2024-01-01T00:00:00Z</LAST_FOUND>
+          <TIMES_FOUND>1</TIMES_FOUND>
+        </VULN_INFO>
+        <VULN_INFO>
+          <QID id="qid_12345">12345</QID>
+          <TYPE>Practice</TYPE>
+          <PORT>8080</PORT>
+          <SSL>false</SSL>
+          <RESULT format="table"><![CDATA[Test result on port 8080]]></RESULT>
+          <FIRST_FOUND>2024-01-01T00:00:00Z</FIRST_FOUND>
+          <LAST_FOUND>2024-01-01T00:00:00Z</LAST_FOUND>
+          <TIMES_FOUND>1</TIMES_FOUND>
+        </VULN_INFO>
+      </VULN_INFO_LIST>
+    </HOST>
+  </HOST_LIST>
+</ASSET_DATA_REPORT>
diff --git a/unittests/tools/test_qualys_parser.py b/unittests/tools/test_qualys_parser.py
@@ -239,3 +239,29 @@ def test_get_severity(self):
             }
 
             self.assertEqual(expected_counts, counts)
+
+    def test_parse_file_same_qid_different_ports_has_separate_endpoints(self):
+        """Test that findings with same QID but different ports get separate endpoints.
+        Regression test for https://github.com/DefectDojo/django-DefectDojo/issues/13682
+        """
+        with (
+            get_unit_tests_scans_path("qualys") / "qualys_same_qid_different_ports.xml").open(encoding="utf-8",
+        ) as testfile:
+            parser = QualysParser()
+            findings = parser.get_findings(testfile, Test())
+            self.validate_locations(findings)
+            # Same QID on 3 different ports should produce 3 separate findings
+            self.assertEqual(3, len(findings))
+            # All findings should have the same title (QID unchanged)
+            for finding in findings:
+                self.assertEqual(finding.title, "QID-12345 | Test Vulnerability")
+            # Each finding should have a different port on its endpoint
+            ports = set()
+            for finding in findings:
+                locations = self.get_unsaved_locations(finding)
+                self.assertEqual(1, len(locations))
+                self.assertEqual(locations[0].host, "testhost.example.com")
+                ports.add(locations[0].port)
+            # All 3 ports should be present
+            self.assertEqual({80, 443, 8080}, ports)
+
