Dismissing one vulnerability detected by semgrep-sast dismisses all Semgrep-detected vulnerabilities

Summary

For vulnerabilities detected via semgrep-sast, dismissing one Semgrep-detected vulnerability in the UI dismisses all vulnerabilities with a "Scanner provider" of Semgrep.

Steps to reproduce & example project

  1. Import https://gitlab.com/greg/sast to a new project
  2. Trigger a pipeline
  3. View Pipeline > Security tab
  4. Dismiss one vulnerability detected by "Scanner provider" Semgrep (e.g. Deserialization of Untrusted Data (Critical severity))
  5. Refresh the page, toggle "Hide dismissed" off
  6. Verify that all vulnerabilities detected by Semgrep were dismissed after dismissing one

What is the current bug behavior?

Dismissing one Semgrep-detected vulnerability dismisses all Semgrep-detected vulnerabilities.

Initially reported and discovered via Ultimate SaaS Customer support ticket (internal)

What is the expected correct behavior?

Dismissing one vulnerability detected by Semgrep in the UI only dismisses that specific vulnerability, not all the Semgrep-detected vulnerabilities.

Relevant logs and/or screenshots

reproduction

Output of checks/GitLab environment info

This bug happens on GitLab.com

Possible fixes

It seems likely this is caused by the gl-sast-report.json generated by semgrep-sast not populating the cve field for any detected vulnerability, so every Semgrep finding carries the same empty value and a dismissal matched on that value catches all of them. (gl-sast-report.json)

For scanners that do set cve for detected vulnerabilities, this bug does not seem to occur.
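The check below is an added example for this issue, not GitLab's own code, and it models the hypothesis in the two paragraphs above: when every Semgrep finding in gl-sast-report.json has an empty cve, a dismissal matched on cve alone collapses onto all of them, while findings from a scanner that populates cve stay distinct. The embedded report is constructed for the example (it is not the real report from the linked project), the second scanner "other-sast" and all finding ids, rule names and file paths are hypothetical, and the cve-only and scanner+identifier+location keys are illustrative, not GitLab's actual matching logic. Pointing the script at a real gl-sast-report.json prints which findings share a key.

```python
"""Check whether a GitLab SAST report's findings can be told apart by `cve`.

Added example for this issue, not GitLab's code. The sample report is
constructed; the scanner "other-sast", the finding ids, rule names and
paths are hypothetical, and the two key functions illustrate the suspected
mechanism rather than GitLab's real vulnerability-matching code.
"""
import hashlib
import json
import sys


def _finding(fid, scanner, name, cve, rule, path, line):
    """Build one minimal finding in the gl-sast-report.json shape (constructed)."""
    return {
        "id": fid,
        "category": "sast",
        "name": name,
        "severity": "Critical",
        "cve": cve,
        "scanner": {"id": scanner, "name": scanner.capitalize()},
        "location": {"file": path, "start_line": line, "end_line": line},
        "identifiers": [{"type": f"{scanner}_id", "name": rule, "value": rule}],
    }


SAMPLE_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        # Semgrep findings with the `cve` field left empty, as the issue suspects.
        _finding("1", "semgrep", "Deserialization of Untrusted Data", "",
                 "hypothetical.rule.a", "app/a.py", 10),
        _finding("2", "semgrep", "Hypothetical finding B", "",
                 "hypothetical.rule.b", "app/b.py", 22),
        _finding("3", "semgrep", "Hypothetical finding C", "",
                 "hypothetical.rule.c", "app/c.py", 5),
        # Findings from a hypothetical scanner that does populate `cve`.
        _finding("4", "other-sast", "Hypothetical finding D", "app/d.py:44:RULE-D",
                 "RULE-D", "app/d.py", 44),
        _finding("5", "other-sast", "Hypothetical finding E", "app/e.py:7:RULE-E",
                 "RULE-E", "app/e.py", 7),
    ],
})


def load_findings(report_text):
    """Return the vulnerabilities array of a gl-sast-report.json document."""
    return json.loads(report_text)["vulnerabilities"]


def cve_key(finding):
    """Key using only the legacy `cve` field; empty values all collide."""
    return finding.get("cve") or ""


def robust_key(finding):
    """Key from scanner id, first identifier and location (hypothetical scheme)."""
    ident = finding["identifiers"][0]
    loc = finding["location"]
    raw = "|".join([finding["scanner"]["id"], ident["type"], ident["value"],
                    loc["file"], str(loc.get("start_line", ""))])
    return hashlib.sha256(raw.encode()).hexdigest()


def collisions(findings, keyfn):
    """Map each key shared by more than one finding to the ids that share it."""
    groups = {}
    for f in findings:
        groups.setdefault(keyfn(f), []).append(f["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def dismiss(findings, keyfn, finding_id):
    """Simulate a dismissal matched on keyfn; return every id that would be dismissed."""
    target = next(f for f in findings if f["id"] == finding_id)
    key = keyfn(target)
    return sorted(f["id"] for f in findings if keyfn(f) == key)


if __name__ == "__main__":
    # Pass a path to check a real report; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = load_findings(text)
    for label, keyfn in (("cve", cve_key), ("scanner+identifier+location", robust_key)):
        clash = collisions(findings, keyfn)
        print(f"{label}: {len(clash)} colliding key(s)")
        for key, ids in clash.items():
            print(f"  key {key!r} shared by findings {ids}")
    first = findings[0]["id"]
    print(f"dismissing finding {first} by cve would dismiss:", dismiss(findings, cve_key, first))
```

On the constructed sample, dismissing finding 1 by cve also dismisses findings 2 and 3 (all three share the empty cve), while finding 4 from the cve-populating scanner is dismissed alone; the scanner+identifier+location key keeps all five apart. Running the script against the gl-sast-report.json attached to this issue would show directly whether its Semgrep findings share an empty cve, which is the property the hypothesis depends on.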

FYI @thiagocsf and @twoodham as this issue seems like a combination of Static Analysis (reports) and Threat Insights (vulnerability management UI)

Edited by Greg Myers