How to add multiple findings to a Risk Acceptance in the Open Source version? #12499
-
Dear all, we are using the open source version of DefectDojo. In our workflow we should be able to risk-accept findings; however, Simple Risk Acceptances are not an option for us. For a group of findings, we should be able to create a Risk Acceptance, with documentation about that acceptance and one expiration date. How can I bulk select a group of findings and add all of them to a certain risk acceptance? Via the Bulk Edit button, I can only use Simple Risk Acceptances. The instructions found in the documentation only seem applicable to the PRO version. How can I achieve the same with the open source version?
-
If you risk-accept one finding, there is a multiselect box where all findings in the same engagement are shown. Multiple findings can be selected to add to the same Risk Acceptance.
-
So accepting a risk across multiple products via a Risk Acceptance is still not supported, since risk acceptances are scoped to engagements. At least in our company this is a common use case. For example, if a CVE affects Tomcat and we don't use Tomcat anywhere, we would rather risk-accept that finding across all products. I wonder if others have similar use cases and if they have implemented workarounds.
-
The Risk Acceptance is currently scoped to an engagement.