Make secondary identifier matching if there is no signatures match and no uuid match
The following quotation has been extracted from #322384 (comment 582225105)
We need to make this change for the following reason. Suppose there is a semgrep finding in a project's master branch pipeline, and we then change the primary identifier of the semgrep finding to the bandit identifier. After triggering a pipeline in a new MR, we notice that the same semgrep finding has been attributed as both "fixed" and "added". In order to resolve this issue, we need to use secondary identifier matching.
We need to perform the matching in StoreReportService in order to do the actual remapping while persisting the different findings. The following is an excerpt from that comment:

"Most of the solution seems focused on VulnerabilityReportsComparer, but that service is only used for displaying the diff within the UI, not for the actual remapping that must be done within StoreReportService. We should be sure to update that worker in order to persist different findings rather than only show the diff within the UI."
Summary
We need to find a solution using secondary matching in StoreReportService rather than VulnerabilityReportsComparer. This will also relieve the UI diff display of the burden of matching. Performance issues were raised in that comment as well; during implementation, we need to monitor how this change affects performance.
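As an added illustration for this issue (not GitLab's own code from StoreReportService or VulnerabilityReportsComparer), the snippet below runs the three-tier match described above (signatures, then UUID, then secondary identifiers) over constructed findings, so the "fixed + added" symptom and its resolution can both be seen. The Finding struct, the identifier hashes, the compare_reports helper and all sample UUIDs, signatures and identifier values are assumptions made for this example.

```ruby
# Added illustration for this issue, not GitLab's own code. Finding, the
# identifier hashes, compare_reports and the sample data are assumptions.

Finding = Struct.new(:uuid, :signatures, :identifiers, keyword_init: true)

# identifiers is an ordered array of { type:, value: } hashes; the first
# entry is the primary identifier and the rest are secondary.
def secondary_identifiers(finding)
  finding.identifiers.drop(1)
end

def matched_by_signature?(stored, incoming)
  (stored.signatures & incoming.signatures).any?
end

def matched_by_uuid?(stored, incoming)
  !stored.uuid.nil? && stored.uuid == incoming.uuid
end

# Secondary identifier matching: the two findings share an identifier that is
# secondary on at least one side. Assumption for this example: the UUID tracks
# the primary identifier, so swapping the primary identifier leaves no UUID
# match and this tier is what recovers the correspondence.
def matched_by_secondary_identifier?(stored, incoming)
  shared = stored.identifiers & incoming.identifiers
  shared.any? do |id|
    secondary_identifiers(stored).include?(id) ||
      secondary_identifiers(incoming).include?(id)
  end
end

# Returns the stored finding that corresponds to +incoming+, trying the most
# specific keys first, or nil when nothing matches.
def find_match(stored_findings, incoming, use_secondary:)
  stored_findings.find { |s| matched_by_signature?(s, incoming) } ||
    stored_findings.find { |s| matched_by_uuid?(s, incoming) } ||
    (use_secondary ? stored_findings.find { |s| matched_by_secondary_identifier?(s, incoming) } : nil)
end

# Classifies a new report against the stored findings the way a persisting
# service would: matched pairs keep their record (and can be remapped to the
# new identifiers), unmatched incoming findings are "added", and stored
# findings nothing matched are "fixed". Results are reported by UUID.
def compare_reports(stored_findings, incoming_findings, use_secondary: true)
  remaining = stored_findings.dup
  result = { matched: [], added: [], fixed: [] }
  incoming_findings.each do |incoming|
    stored = find_match(remaining, incoming, use_secondary: use_secondary)
    if stored
      remaining.delete(stored)
      result[:matched] << [stored.uuid, incoming.uuid]
    else
      result[:added] << incoming.uuid
    end
  end
  result[:fixed] = remaining.map(&:uuid)
  result
end

# Constructed sample data: every UUID, signature and identifier value is made up.
SEMGREP_1 = { type: "semgrep_id", value: "rule-1" }.freeze
SEMGREP_2 = { type: "semgrep_id", value: "rule-2" }.freeze
SEMGREP_4 = { type: "semgrep_id", value: "rule-4" }.freeze
CWE_78    = { type: "cwe", value: "CWE-78" }.freeze
BANDIT_1  = { type: "bandit_test_id", value: "B1" }.freeze
BANDIT_2  = { type: "bandit_test_id", value: "B2" }.freeze
BANDIT_3  = { type: "bandit_test_id", value: "B3" }.freeze

# Findings already persisted from the master branch (primary id = semgrep).
STORED = [
  Finding.new(uuid: "uuid-a", signatures: ["sig-a"], identifiers: [SEMGREP_1, CWE_78]),
  Finding.new(uuid: "uuid-b", signatures: [],        identifiers: [SEMGREP_2]),
  Finding.new(uuid: "uuid-d", signatures: [],        identifiers: [SEMGREP_4]),
].freeze

# The MR pipeline report after the primary identifier was switched to bandit:
# the UUIDs change and the old semgrep identifier survives only as a secondary
# one. uuid-c is a genuinely new finding; uuid-d was genuinely fixed.
INCOMING = [
  Finding.new(uuid: "uuid-a2", signatures: ["sig-a"], identifiers: [BANDIT_1, SEMGREP_1, CWE_78]),
  Finding.new(uuid: "uuid-b2", signatures: [],        identifiers: [BANDIT_2, SEMGREP_2]),
  Finding.new(uuid: "uuid-c",  signatures: [],        identifiers: [BANDIT_3]),
].freeze

if __FILE__ == $PROGRAM_NAME
  # uuid-b shows the symptom from the issue: with only signature and UUID
  # matching it is reported as both fixed and added; with secondary matching
  # it is matched to uuid-b2 and kept.
  p compare_reports(STORED, INCOMING, use_secondary: false)
  p compare_reports(STORED, INCOMING, use_secondary: true)
end
```

The secondary tier is the expensive one: it compares every identifier of every unmatched stored finding against every incoming finding, which is the kind of cost the performance remark in the comment is about. A practical implementation would build a lookup keyed by identifier (type, value) for the stored findings once per report instead of scanning them per incoming finding.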