Set unique_id_from_tool from matrix field in Dependency Track parser#14380

Merged
Maffooch merged 4 commits into DefectDojo:dev from samiat4911:fix/dependency-track-unique-id-from-tool
Feb 27, 2026

Conversation

@samiat4911
Contributor

@samiat4911 samiat4911 commented Feb 24, 2026

Description
The Dependency Track parser currently sets vuln_id_from_tool but never sets unique_id_from_tool. Users who configure the unique_id_from_tool_or_hash_code deduplication algorithm experience duplicate findings on reimport because the field is empty.

Approach: This PR maps the Dependency Track FPF finding's matrix field (a stable composite of project_uuid:component_uuid:vulnerability_uuid) to the unique_id_from_tool field on the Finding model. The default deduplication algorithm (hash_code) is unchanged, ensuring existing deployments are not negatively affected.

Impact: Enables accurate cross-scan deduplication for Dependency Track imports, improving data integrity and scalability for organisations managing large vulnerability datasets.

Test results

  • Extended tests/unittests/tools/test_dependency_track_parser.py with unique_id_from_tool assertions across 4 existing test cases (test_has_one_finding, test_v3_8_0, test_findings_with_alias, test_findings_with_cvssV3_score).
  • Validated that all existing fixture files contain the matrix field and pass the new assertions.
  • Ruff linting passes cleanly across modified files.

Visual Evidence (Parser Changes):

# dojo/tools/dependency_track/parser.py 
# (Showing lines 230-236)
            component_version=component_version,
            file_path=file_path,
            vuln_id_from_tool=vuln_id_from_tool,
            unique_id_from_tool=dependency_track_finding.get("matrix"), # <- ADDED THIS LINE
            static_finding=True,
            dynamic_finding=False)

Visual Evidence (Test Changes):

# unittests/tools/test_dependency_track_parser.py
# (Showing lines 54-61)
            parser = DependencyTrackParser()
            findings = parser.get_findings(testfile, Test())
            self.assertEqual(1, len(findings))
            self.assertEqual( # <- ADDED THIS LINE AND BELOW
                "ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46",
                findings[0].unique_id_from_tool,
            )

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.13 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

@Maffooch
Contributor

This appears to be a different approach to #14346

@github-actions
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@valentijnscholten
Member

@samiat4911 Didn't realize the matrix field was a / the stable identifier. In practice using the uuid will achieve the same unless someone changes the internal ids of database records in DT. But if matrix is created as a special unique id we might better use that to align with the intentions of DT?

…uln_id_from_tool

- Initialize unique_id_from_tool from the top-level matrix field (backward compat)
- Override with vulnerability.matrix if present (newer DT export formats)
- Initialize vuln_id_from_tool to None before conditional assignment
- Remove duplicate unique_id_from_tool kwarg that caused a syntax error
- Update test assertion to expect the full composite matrix string

@valentijnscholten
Member

I did some checking in my instance of Dependency Track and turns out the uuid used in #14346 is not unique across components. So must use the matrix field. Since #14346 is going to be in 2.56.0 we must get this PR in 2.56.0 as well.
That's why I took the liberty to resolve conflicts and update the code to what I think should be merged in 2.56.0.
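
The dedup logic discussed above, as an added example that is not DefectDojo's or Dependency-Track's code: it derives unique_id_from_tool the way the commit message describes (top-level matrix, overridden by vulnerability.matrix when present) and shows, on a constructed export with invented UUIDs, why the bare vulnerability uuid collides across components while matrix does not.

```python
"""Added example (not DefectDojo code): stable dedup key for Dependency-Track
FPF findings. All UUID-like values below are constructed, not real."""
from collections import Counter

# Constructed FPF-style export: the same vulnerability uuid appears in two
# components; only the "matrix" value distinguishes the two findings.
SAMPLE_EXPORT = {
    "findings": [
        {
            "matrix": "proj-1:comp-a:vuln-x",          # older export shape
            "component": {"uuid": "comp-a", "name": "lib-a"},
            "vulnerability": {"uuid": "vuln-x"},
        },
        {
            "component": {"uuid": "comp-b", "name": "lib-b"},
            # Newer export shape: matrix nested under the vulnerability.
            "vulnerability": {"uuid": "vuln-x", "matrix": "proj-1:comp-b:vuln-x"},
        },
    ]
}


def unique_id_from_tool(finding):
    """Top-level matrix first, overridden by vulnerability.matrix if present.
    Returns None when neither exists, so hash_code dedup applies instead."""
    uid = finding.get("matrix")
    vuln = finding.get("vulnerability") or {}
    if vuln.get("matrix"):
        uid = vuln["matrix"]
    return uid


def vuln_uuid_key(finding):
    """The weaker key: vulnerability uuid alone (not unique per component)."""
    return finding["vulnerability"]["uuid"]


def collisions(export, key_fn):
    """Keys shared by more than one finding; these would be merged by the
    unique_id_from_tool_or_hash_code algorithm, hiding a distinct finding."""
    counts = Counter(key_fn(f) for f in export["findings"])
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("vuln uuid collisions:", collisions(SAMPLE_EXPORT, vuln_uuid_key))
    print("matrix collisions:   ", collisions(SAMPLE_EXPORT, unique_id_from_tool))
```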

@github-actions
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@valentijnscholten
Member

FYI @AndreVirtimo

Contributor

@mtesauro mtesauro left a comment


Approved

@samiat4911
Contributor Author

Thanks for the quick review and for taking care of those merge conflicts, @valentijnscholten. Glad the matrix field ended up doing the trick. Appreciate you getting this into 2.56.0! :)

@Maffooch Maffooch merged commit 22bf8a8 into DefectDojo:dev Feb 27, 2026
12 checks passed
5 participants