Spotbugs java analyzer compareKey is not unique
Summary
The compareKey (cve) we use within our spotbugs analyzer is not unique enough, as it is built from a combination of the hash produced by the underlying spotbugs tool plus the vulnerability category. There are several cases where this is not unique enough and can result in non-duplicate vulnerabilities being deduplicated as if they were the same finding.
This can occur for multi-module java projects or any spotbugs projects with matching vulnerabilities in different locations.
Steps to reproduce
- Create a multi-module java project with 2 instances of the same vulnerability in sub-modules
- Run the spotbugs analyzer
- The report only includes 1 instance, as the report was deduped due to the matching CompareKey.
Example Project
See failure gitlab-org/security-products/tests/sast!14 (comment 156760112)
What is the expected correct behavior?
A report should contain 2 occurrences of a vulnerability if they have 2 different locations within the codebase.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Update the spotbugs analyzer to include the location path within CompareKey creation.
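As an added illustration (not code from the spotbugs analyzer itself), the following Python mimics report deduplication with the current hash-plus-category key and with a key that also folds in the location path. The findings, hash values and key layouts are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One SpotBugs finding as the analyzer sees it (constructed sample data)."""
    spotbugs_hash: str  # instance hash emitted by the SpotBugs tool
    category: str       # vulnerability category, e.g. SECURITY
    path: str           # file the finding was reported in
    line: int


def compare_key_old(f: Finding) -> str:
    """Current key: SpotBugs hash plus category only (the behaviour this issue reports)."""
    return f"{f.spotbugs_hash}:{f.category}"


def compare_key_new(f: Finding) -> str:
    """Proposed key: also include the location path so identical code in two modules stays distinct.
    The exact layout is an assumption for this example."""
    return f"{f.path}:{f.spotbugs_hash}:{f.category}"


def dedupe(findings, key_fn):
    """Keep the first finding per key, in input order, mimicking report deduplication."""
    seen = {}
    for f in findings:
        seen.setdefault(key_fn(f), f)
    return list(seen.values())


# Constructed sample: the same vulnerable code copied into two sub-modules.
# As the issue describes, SpotBugs produces a matching hash for both copies
# because the hash does not take the module into account.
SAMPLE = [
    Finding("8a0f6b3c", "SECURITY", "module-a/src/main/java/com/example/Db.java", 42),
    Finding("8a0f6b3c", "SECURITY", "module-b/src/main/java/com/example/Db.java", 42),
    Finding("1c77d2e9", "SECURITY", "module-a/src/main/java/com/example/Db.java", 57),
]


def paths_kept(key_fn):
    """Return the paths that survive deduplication under the given key function."""
    return [f.path for f in dedupe(SAMPLE, key_fn)]


if __name__ == "__main__":
    print("old key keeps:", paths_kept(compare_key_old))  # module-b copy is dropped
    print("new key keeps:", paths_kept(compare_key_new))  # all three findings survive
```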
Edited by Tanya Pazitny