feedback: Bot detects items found in rebases irrelevant to the MR

Problem

At the moment the bot is triggering for MRs that (apparently) need a rebase(?) onto a version of the master branch that includes a vulnerability-introducing change.

Context

The bot triggered on an MR with the following message:

The findings below have been detected based on the AppSec custom SAST rules. For more information about this bot and what to do with this comment head over to the README. The following lines of code possibly need attention:

  • app/assets/javascripts/vue_shared/components/source_viewer/plugins/wrap_child_nodes.js line 15: Verify if generateClassName(scope) (coming from parameter scope) is user-controlled and needs to be escaped before being used in a template string to avoid XSS.
  • app/assets/javascripts/vue_shared/components/source_viewer/plugins/wrap_child_nodes.js line 15: Verify if generateCloseTag(includeClose) (coming from parameter includeClose) is user-controlled and needs to be escaped before being used in a template string to avoid XSS.

The screenshot below shows a comparison between an MR based on an old branch and master.

  • The heuristic is valid in that wrap_child_nodes was indeed modified to include an unsafe change (nuance: it was always unsafe; someone just touched it, which caused the bot to trigger).

The thing is that this specific MR didn't touch that file.

[Screenshot: comparison of the MR branch against master]

Issue that included this flaw: gitlab-org/gitlab!122921 (comment 1422630996)
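One way to avoid this class of false positive is to intersect the bot's findings with the lines the MR itself adds relative to its merge base with master, so changes that only arrived via a rebase of master are ignored. The Python below is an added example and not the bot's own code; the diff text and the finding list are constructed (the wrap_child_nodes.js path and line 15 are taken from the bot comment above, the README.md change is hypothetical).

```python
import re

# Constructed sample: the MR's diff against its merge base with master.
# This MR touches only README.md; wrap_child_nodes.js is not in the diff.
MR_DIFF = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Project
+Added a line documenting the bot.
 More text
"""

# Constructed findings, mirroring the bot comment on this issue.
FINDINGS = [
    {"path": "app/assets/javascripts/vue_shared/components/source_viewer/plugins/wrap_child_nodes.js", "line": 15},
    {"path": "README.md", "line": 2},
]

# Hunk header "@@ -old,count +new,count @@": capture the new-side start line.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff_text):
    """Return {path: {new-side line numbers}} for lines the diff adds."""
    touched = {}
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:]
            path = name[2:] if name.startswith("b/") else name
            touched.setdefault(path, set())
        elif raw.startswith("@@"):
            new_line = int(HUNK_RE.match(raw).group(1))
        elif path is None or raw.startswith(("--- ", "diff ", "\\")):
            continue  # file headers and "\ No newline" markers
        elif raw.startswith("+"):
            touched[path].add(new_line)
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: has no new-side line number
        else:
            new_line += 1  # unchanged context line
    return touched

def filter_findings(findings, diff_text):
    """Keep only findings on lines the MR itself added relative to the merge base."""
    touched = added_lines(diff_text)
    return [f for f in findings if f["line"] in touched.get(f["path"], set())]
```

Run against the sample, only the README.md finding survives; the wrap_child_nodes.js finding is dropped because that file is not part of the MR's own diff.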

Edited by Greg Alfaro