How to handle different versions/environments of a product #9358
Unanswered
GeofoxCoding asked this question in Q&A
Replies: 0 comments
Hello,
I've been reading a lot of documentation and best-practice articles about how to use DefectDojo in a common DevSecOps scenario.
But most of the blog entries and videos don't cover the real-world requirements of modern software development life cycles.
To be more precise, I haven't found a good way to manage different versions of the same product in different stages.
I have a continuous CI/CD engagement for my product (which may consist of multiple services).
Inside the engagement I create tests for security scanner A, security scanner B, and so on.
From my pipeline I regularly push new results from each scanner as a re-import to the specific test.
Good so far!
But in a running project I often have a setup like the following:
In production I have version 1.2.1-someBuildId
In test/pre-prod I have version 1.3.0-someBuildId
In development I have version 1.3.1-someBuildId
From test/pre-prod I want to risk-accept findings, and they should be risk-accepted in prod and dev as well.
In my testing, risk acceptance doesn't respect the same findings even in different tests of one engagement, not to mention different engagements.
But also, if I update the status of a finding to mitigated, for example in development version 1.3.1, it might not automatically be mitigated for the test and prod environments, which are running lower versions.
In general what are your experiences in handling different stages of the devops life-cycle of one product in DefectDojo?
Once we have found a good solution, we would also like to share it as an example workflow in the documentation.
Kind regards
Richard
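As an added illustration of the pipeline re-import step described in the post (this is example code, not code from the poster or from the DefectDojo project), the following Python CI helper calls DefectDojo's /api/v2/reimport-scan/ endpoint and keeps each stage's results apart inside one engagement: one test per scanner and stage, with the build that produced the report recorded in the version, build_id and branch_tag fields so that a finding on 1.2.1 in production and the same finding on 1.3.1 in development can be told apart. The product name "shop-api", the engagement name "CI/CD", the "release/<semver>" branch naming and the build ids are assumptions; the three version numbers are the ones from the post. It does not make risk acceptances propagate across tests, which is the open question above.

```python
"""
CI step: re-import one scanner's report into DefectDojo, labelled with the
stage it came from.  Added example, not DefectDojo project code.  Assumes a
DefectDojo v2 API token in DD_TOKEN and the base URL in DD_URL; only the
standard library is used so it runs in a minimal CI image.
"""
import json
import os
import urllib.request
import uuid

# Field names are those of DefectDojo's /api/v2/reimport-scan/ multipart form
# (product_name, engagement_name, test_title, scan_type, version, build_id,
# branch_tag, commit_hash, auto_create_context, close_old_findings, ...).
REIMPORT_PATH = "/api/v2/reimport-scan/"

# Constructed sample input: the three stages from the question, each running
# its own "<semver>-<buildId>" version.  Build ids are made up.
STAGES = {
    "production": "1.2.1-b4711",
    "test": "1.3.0-b4802",
    "development": "1.3.1-b4815",
}


def split_version(version):
    """'1.3.1-b4815' -> ('1.3.1', 'b4815'); a bare '1.3.1' yields ('1.3.1', '')."""
    semver, _, build_id = version.partition("-")
    return semver, build_id


def build_reimport_fields(product, scanner, stage, version, commit_hash=""):
    """Form fields for one re-import: one engagement per product, one test per
    scanner *and* stage, build identity carried in version/build_id/branch_tag."""
    semver, build_id = split_version(version)
    return {
        "product_name": product,
        "engagement_name": "CI/CD",                 # assumed single CI engagement
        "test_title": f"{scanner} ({stage})",       # e.g. "Trivy Scan (test)"
        "scan_type": scanner,
        "auto_create_context": "true",              # create engagement/test if missing
        "version": semver,
        "build_id": build_id,
        "branch_tag": f"release/{semver}",          # assumed branch naming scheme
        "commit_hash": commit_hash,
        "close_old_findings": "true",               # findings absent from this report are closed
        "active": "true",
        "verified": "false",
    }


def encode_multipart(fields, file_field, file_name, file_bytes):
    """Hand-rolled multipart/form-data body (avoids a dependency on requests)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; '
              f'filename="{file_name}"'.encode(),
              b"Content-Type: application/octet-stream", b"", file_bytes]
    parts += [f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def reimport(base_url, token, fields, report_path):
    """POST the report; returns the decoded JSON response from DefectDojo."""
    with open(report_path, "rb") as fh:
        report = fh.read()
    content_type, body = encode_multipart(fields, "file",
                                          os.path.basename(report_path), report)
    req = urllib.request.Request(base_url.rstrip("/") + REIMPORT_PATH,
                                 data=body, method="POST")
    req.add_header("Authorization", f"Token {token}")   # DefectDojo API-key header
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # In a real pipeline the stage and version come from CI variables; here we
    # just show what each stage would send.
    for stage, version in STAGES.items():
        print(json.dumps(build_reimport_fields("shop-api", "Trivy Scan", stage, version)))
    if os.environ.get("DD_URL") and os.environ.get("DD_TOKEN"):
        fields = build_reimport_fields("shop-api", "Trivy Scan", "test", STAGES["test"])
        print(reimport(os.environ["DD_URL"], os.environ["DD_TOKEN"], fields, "trivy.json"))
```

Because test_title differs per stage, DefectDojo deduplicates and closes findings only within that stage's test, so closing a finding on the 1.3.1 report does not touch the 1.2.1 production test; whether that isolation or shared status across stages is wanted is exactly the trade-off the post asks about.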