It is observed that we are getting duplicate vulnerabilities based on a change in line number. For example, let's assume we have file.java and the SAST analyzer found an issue at line 10. In the next execution, suppose the code at line 10 moved to line 20. In this case, the SAST tool will create the same vulnerability based on line 20, and the old one will be updated as remediated. To conclude, we will be getting the same issue twice, where one is updated as remediated. Due to this behavior, the analysis of the issues is getting time-consuming; is there any solution to avoid such situations?
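To make the failure mode above concrete, here is a small added illustration (not GitLab's or any analyzer's actual tracking code) of why keying a finding on its line number produces a new finding plus a spurious "remediated" one whenever code shifts, and how a fingerprint built from the normalized flagged code instead of its position stays stable. The Java snippet, the file path and the rule id are constructed for the example.

```python
import hashlib
import re

# Constructed sample: a Java source file containing one flagged statement.
ORIGINAL = """\
package demo;
public class File {
    public void run(String input) {
        Runtime.getRuntime().exec(input);
    }
}
"""

# Simulate a later commit that inserts ten lines above the flagged statement,
# pushing it from line 4 to line 14 without changing it.
SHIFTED = "// added header comment\n" * 10 + ORIGINAL

RULE_ID = "example.cmd-injection"  # hypothetical rule id, not a real analyzer rule
PATH = "src/main/java/demo/File.java"  # constructed path


def find_line(source, needle):
    """Return the 1-based line number of the first line containing needle."""
    for number, line in enumerate(source.splitlines(), start=1):
        if needle in line:
            return number
    raise ValueError("needle not found")


def line_based_key(path, rule_id, line_no):
    """Naive identity: path + rule + line number. Changes whenever the code moves."""
    return hashlib.sha256(f"{path}:{rule_id}:{line_no}".encode()).hexdigest()


def normalize(line):
    """Collapse whitespace so re-indentation does not alter the fingerprint."""
    return re.sub(r"\s+", " ", line).strip()


def content_based_key(path, rule_id, source, line_no, context=1):
    """Identity from the normalized flagged line plus its neighbours, independent of position."""
    lines = source.splitlines()
    start = max(0, line_no - 1 - context)
    end = min(len(lines), line_no + context)
    snippet = "\n".join(normalize(l) for l in lines[start:end])
    return hashlib.sha256(f"{path}:{rule_id}:{snippet}".encode()).hexdigest()


def compare():
    """Run both keying strategies across the two versions and report what stayed stable."""
    needle = "Runtime.getRuntime().exec"
    before = find_line(ORIGINAL, needle)
    after = find_line(SHIFTED, needle)
    return {
        "line_before": before,
        "line_after": after,
        # True would mean the tracker recognises the finding as the same one.
        "line_key_stable": line_based_key(PATH, RULE_ID, before)
        == line_based_key(PATH, RULE_ID, after),
        "content_key_stable": content_based_key(PATH, RULE_ID, ORIGINAL, before)
        == content_based_key(PATH, RULE_ID, SHIFTED, after),
    }


if __name__ == "__main__":
    print(compare())
```

The line-based key differs between the two runs, which is exactly what produces the "new finding + old finding marked remediated" pair described in the question. The content-based key matches. The caveat a practitioner should keep in mind: a content fingerprint is only as stable as the snippet it hashes, so editing the flagged line itself, or having two identical snippets in one file, still needs extra disambiguation (for example the enclosing function or class) before it can be used as a reliable identity.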
Hi, @krisvin.
In GitLab 14.2 we improved vulnerability tracking for GoSec, Semgrep, and Brakeman analyzers (feature epic).
What SAST analyzer are you using? Your example mentioned Java, so I assume SpotBugs. If that's the case, this is a known issue.
There’s some required work that we need to undertake until we can transition other analyzers to Semgrep. We’re hoping this happens in the first half of 2022, but this estimate is not certain.
For reference, you can track the semgrep work here: Semgrep analyzers for SAST (&5245) · Epics · GitLab.org · GitLab.
cc: @tmccaslin
Thank you for the quick response.
So far I have observed this issue in phpcs-security-audit v2, Find Security Bugs and ESLint.