SCA Output Formats, Filtering High‑Severity Issues, and Retrieving DefectDojo IDs
Learn how to save SCA results as JSON, filter high‑severity findings in RetireJS, and locate key identifiers (project, engagement, and lead IDs) in the DefectDojo portal.
Introduction
Software Component Analysis (SCA) tools such as RetireJS are essential for identifying vulnerable open‑source libraries in modern applications. While these tools generate rich JSON reports, learners often wonder how to:
- Persist the JSON output to a file.
- Isolate high‑severity findings from a RetireJS report.
- Locate the project, engagement, and lead identifiers required for DefectDojo API calls or manual uploads.
This article walks you through each of these tasks step‑by‑step, providing command‑line examples, JSON‑query snippets, and navigation tips for the DefectDojo web UI. By the end of the guide you’ll be able to automate report handling, focus on the most critical vulnerabilities, and correctly reference DefectDojo IDs in your DevSecOps pipelines.
1. Identifying High‑Severity Issues in RetireJS Output
RetireJS produces a JSON structure where each component may contain multiple vulnerabilities, each with a severity field (low, medium, high). Filtering can be done with jq, a lightweight and powerful JSON processor.
1.1 Example RetireJS JSON (Simplified)
{
  "data": [
    {
      "results": [
        {
          "component": "jquery",
          "version": "3.3.1",
          "vulnerabilities": [
            { "severity": "high", "info": "CVE-2020-11022" },
            { "severity": "low", "info": "CVE-2019-5436" }
          ]
        }
      ]
    }
  ]
}
1.2 Command to List High‑Severity Findings
# select(any(...)) emits each result once; select(.vulnerabilities[].severity == "high")
# would emit the result once per high-severity entry and duplicate the output lines.
jq -r '
  .data[].results[]
  | select(any(.vulnerabilities[]; .severity == "high"))
  | "\(.component) \(.version) - \(.vulnerabilities[] | select(.severity == "high") | .info)"
' retire_output.json
Explanation
- `-r` outputs raw strings (no quotes).
- The `select` filter keeps only results where any vulnerability has `severity == "high"`.
- The final string concatenates the component name, version, and CVE identifier, producing one line per high‑severity vulnerability.
1.3 Command to List Low‑Severity Findings (For Comparison)
jq -r '
  .data[].results[]
  | select(any(.vulnerabilities[]; .severity == "low"))
  | "\(.component) \(.version) - \(.vulnerabilities[] | select(.severity == "low") | .info)"
' retire_output.json
You can replace "low" with "medium" or "high" to target a different severity level.
1.4 Saving the Filtered Results
# Save high‑severity list to a file
cat retire_output.json | jq -r '...' > high_severity_issues.txt
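The same filtering as a small Python script, added here as an example that is not part of the original guide or of RetireJS: it accepts a minimum severity rather than one exact level, emits each vulnerability exactly once (the duplicate-output trap of a naive jq `select`), and writes the same `component version - id` lines. The `demo-lib` component and its `EXAMPLE-*` identifiers in the sample report are constructed placeholders.

```python
import json
import sys

# Severity ranking so a threshold such as "medium" means "medium or worse".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the simplified RetireJS shape shown in section 1.1.
# "demo-lib" and the EXAMPLE-* identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "data": [{"results": [
        {"component": "jquery", "version": "3.3.1", "vulnerabilities": [
            {"severity": "high", "info": "CVE-2020-11022"},
            {"severity": "low", "info": "CVE-2019-5436"}]},
        {"component": "demo-lib", "version": "1.0.0", "vulnerabilities": [
            {"severity": "high", "info": "EXAMPLE-1"},
            {"severity": "high", "info": "EXAMPLE-2"},
            {"severity": "medium", "info": "EXAMPLE-3"}]},
    ]}]
}

def findings_at_or_above(report, min_severity):
    """Return (component, version, info) once per vulnerability whose severity
    is at least min_severity. Iterating per vulnerability is what guarantees
    'once': a jq select() over .vulnerabilities[] re-emits the parent result for
    every match, so demo-lib would otherwise appear four times instead of twice."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    found = []
    for entry in report.get("data", []):
        for result in entry.get("results", []):
            for vuln in result.get("vulnerabilities", []):
                sev = str(vuln.get("severity", "")).lower()
                # Unknown or missing severity ranks 0 and is skipped.
                if SEVERITY_RANK.get(sev, 0) >= threshold:
                    found.append((result["component"], result["version"], vuln.get("info", "")))
    return found

def format_lines(findings):
    """Same 'component version - id' layout as the jq one-liner above."""
    return [f"{component} {version} - {info}" for component, version, info in findings]

if __name__ == "__main__":
    # Usage: python retire_filter.py retire_output.json high > high_severity_issues.txt
    path = sys.argv[1]
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    with open(path, encoding="utf-8") as fh:
        print("\n".join(format_lines(findings_at_or_above(json.load(fh), level))))
```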
2. Finding Project, Engagement, and Lead IDs in DefectDojo
DefectDojo uses numeric IDs to uniquely identify Products (projects), Engagements, and Leads (users). These IDs are required when you import scan results via the API or when you need to reference a specific engagement in lab instructions.
2.1 Navigating the UI
- Log in to the DefectDojo portal.
- From the left navigation pane, select Products → View Products.
- Click the product you are working with. The Product ID appears in the browser’s address bar, e.g. https://defectdojo.example.com/product/42/ . Here, 42 is the product (project) ID.
- Inside the product view, click Engagements → View Engagements.
- Choose the desired engagement. Its URL will look like https://defectdojo.example.com/engagement/108/ , where 108 is the engagement ID.
- To locate the lead (user) ID, open People → Users and click the user’s name. The URL will contain /user/<id>/, e.g. https://defectdojo.example.com/user/7/ , where 7 is the lead’s ID.
2.2 Using the IDs in API Calls
# scan_type names the DefectDojo parser and is required by import-scan.
curl -X POST "https://defectdojo.example.com/api/v2/import-scan/" \
  -H "Authorization: Token <YOUR_API_TOKEN>" \
  -F "scan_type=Retire.js Scan" \
  -F "engagement=108" \
  -F "lead=7" \
  -F "file=@retire_report.json"
Replace the numeric values with the IDs you retrieved from the UI.
2.3 Common Pitfall: “Issues Not Marked as False Positive”
If you modify a JSON report (e.g., delete three issues) and re‑upload it, DefectDojo may still show the original findings because:
- The original findings are stored as separate objects; deleting them from the uploaded file does not automatically mark them as false positives.
- You must either re‑import the report as a reimport (which overwrites the existing findings) or manually mark the unwanted findings as False Positive in the UI.
Quick fix:
# A reimport goes to the reimport-scan endpoint rather than import-scan; scan_type
# still names the parser. Findings absent from the new file are closed, not kept open.
curl -X POST "https://defectdojo.example.com/api/v2/reimport-scan/" \
  -H "Authorization: Token <TOKEN>" \
  -F "scan_type=Retire.js Scan" \
  -F "engagement=108" \
  -F "lead=7" \
  -F "file=@modified_report.json"
Common Questions & Tips
| Question | Quick Answer |
|---|---|
| How do I filter both high and medium severity at once? | Use a regex or multiple conditions: `select(any(.vulnerabilities[]; .severity == "high" or .severity == "medium"))` |
| Where do I find the API token for DefectDojo? | In the UI: User → API Tokens → Generate New Token. Store it securely. |
| What if the URL does not show an ID? | Ensure you are on the detail page (e.g., “View Engagement”) rather than a list view. |
| Is there a way to automate ID retrieval? | Yes – use DefectDojo’s REST API: GET /api/v2/products/ returns product IDs in JSON. |
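Two small helpers for the ID lookups described in section 2.1 and in the last tip above, added here as an example that is not part of the original guide or of DefectDojo: one extracts the numeric ID from a detail‑page URL (and returns `None` for list views, which carry no ID), the other resolves a name to an ID in a paginated `/api/v2/products/` or `/api/v2/engagements/` response. The `SAMPLE_PRODUCTS` response and its product names are constructed.

```python
import re

# Detail pages carry the numeric ID right after the object type, e.g. /product/42/
# or /engagement/108/risk_acceptance; list views such as /engagement/all do not.
_ID_RE = re.compile(r"/(?P<kind>product|engagement|user)/(?P<id>\d+)(?:/|$|[?#])")

def id_from_url(url):
    """Return (kind, numeric id) from a DefectDojo detail URL, or None when the
    URL is a list view (the 'URL does not show an ID' case)."""
    match = _ID_RE.search(url)
    return (match.group("kind"), int(match.group("id"))) if match else None

def find_id_by_name(api_page, name):
    """Resolve an exact name to its ID in one page of a DefectDojo list endpoint.
    List endpoints return {"count", "next", "previous", "results": [...]}; callers
    must follow "next" themselves if the object is not on the first page."""
    for item in api_page.get("results", []):
        if item.get("name") == name:
            return item["id"]
    return None

# Constructed stand-in for a GET /api/v2/products/ response; 42 matches the walkthrough.
SAMPLE_PRODUCTS = {
    "count": 2, "next": None, "previous": None,
    "results": [{"id": 42, "name": "Web Store"}, {"id": 43, "name": "Mobile API"}],
}

if __name__ == "__main__":
    for url in ("https://defectdojo.example.com/product/42/",
                "https://defectdojo.example.com/engagement/108/",
                "https://defectdojo.example.com/engagement/all"):
        print(url, "->", id_from_url(url))
    print("Web Store ->", find_id_by_name(SAMPLE_PRODUCTS, "Web Store"))
```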
Conclusion
By mastering simple shell redirection, jq filtering, and DefectDojo navigation, you can streamline the entire SCA reporting workflow:
- Extract high‑severity vulnerabilities from RetireJS output for focused remediation.
- Identify the exact project, engagement, and lead IDs required for DefectDojo imports and API interactions.
These skills not only help you complete lab assignments efficiently but also lay the groundwork for automating SCA processes in real‑world DevSecOps pipelines. Happy scanning!