Spotbugs java analyzer compareKey is not unique

Summary

The compare key (the `cve` field of the SAST report) that our spotbugs analyzer emits is not unique enough: it is derived only from the hash produced by the underlying SpotBugs tool plus the vulnerability category. Two distinct findings that share both values therefore get the same key, and the report deduplication step drops one of them even though they are not duplicates.

This can occur in multi-module Java projects, or in any project scanned by the spotbugs analyzer in which two findings produce the same SpotBugs hash and category.

Steps to reproduce

  1. Create a multi-module Java project with two instances of the same vulnerability, one in each of two sub-modules.
  2. Run the spotbugs analyzer.
  3. The report includes only one instance; the other was dropped as a duplicate because both findings produced the same compare key.

Example Project

See failure gitlab-org/security-products/tests/sast!14 (comment 156760112)

What is the expected correct behavior?

The report should contain both findings, since they are at two different locations in the codebase.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Possible fixes

Update the spotbugs analyzer to include the location path (the file the finding is reported in) when building the compare key, so that findings that share a SpotBugs hash and category but live in different files stay distinct.
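The following is an added example, not code from the spotbugs analyzer, that models the collision described in the Summary and the fix proposed above. The `Finding` struct, the field names, the SHA-256 digest, the `:` separator and the sample findings are all assumptions made for this illustration; the analyzer's real key derivation is not reproduced here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Finding is a minimal stand-in for one SpotBugs bug instance as the
// analyzer sees it. The field names are assumptions for this example.
type Finding struct {
	InstanceHash string // hash emitted by SpotBugs for the bug instance
	Category     string // vulnerability category assigned by the analyzer
	Path         string // file path relative to the repository root
	Line         int
}

// KeyFunc builds the compare key that report deduplication groups on.
type KeyFunc func(Finding) string

// legacyCompareKey models the scheme the issue describes: only the SpotBugs
// instance hash and the category feed the key, so two bug instances that
// SpotBugs hashes identically (the same class in two modules) collide.
func legacyCompareKey(f Finding) string {
	return digest(f.InstanceHash, f.Category)
}

// locationCompareKey models the proposed fix: the location path is folded
// into the key, so equal findings in different files stay distinct.
func locationCompareKey(f Finding) string {
	return digest(f.InstanceHash, f.Category, f.Path)
}

// digest joins the parts with a separator before hashing so that the
// boundary between parts is part of the key ("ab"+"c" != "a"+"bc").
func digest(parts ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(parts, ":")))
	return hex.EncodeToString(sum[:])
}

// dedupe keeps the first finding seen for each compare key, in input order.
func dedupe(findings []Finding, key KeyFunc) []Finding {
	seen := make(map[string]bool)
	var out []Finding
	for _, f := range findings {
		k := key(f)
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, f)
	}
	return out
}

// sampleFindings is constructed input: the same SQL injection pattern in two
// sub-modules of one repository. Both instances carry the same (made-up)
// SpotBugs hash because class and method names match; only the path differs.
// A third, unrelated finding shows that distinct hashes are unaffected.
func sampleFindings() []Finding {
	return []Finding{
		{InstanceHash: "4c6d0a3f9e1b2c7d", Category: "sql_injection", Path: "module-a/src/main/java/com/example/Dao.java", Line: 42},
		{InstanceHash: "4c6d0a3f9e1b2c7d", Category: "sql_injection", Path: "module-b/src/main/java/com/example/Dao.java", Line: 42},
		{InstanceHash: "b7e2f9a1c0d35e68", Category: "xss", Path: "module-a/src/main/java/com/example/Servlet.java", Line: 17},
	}
}

func main() {
	fs := sampleFindings()
	fmt.Printf("legacy key:   %d of %d findings survive dedupe\n", len(dedupe(fs, legacyCompareKey)), len(fs))
	fmt.Printf("location key: %d of %d findings survive dedupe\n", len(dedupe(fs, locationCompareKey)), len(fs))
}
```

With the legacy key the two `Dao.java` findings collapse to one entry and the report shows two of three findings; with the path folded in all three survive. Note that any change to the key derivation changes the key of every existing finding, so previously reported vulnerabilities will be keyed differently after the fix is deployed.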

Edited by Tanya Pazitny