MR widget for comparing security reports uses wrong location data

Summary

Container Scanning shows the same issues as new and fixed, but they are all exposed to the same CVE. This happens because the comparison of Occurrence#location in the active record model is using the full object instead of a subset of it depending on the report type.

image

Steps to reproduce

Enable CS (container scanning) and create MR you will see a comparison of vulnerabilities isn't correct.

https://gitlab.com/fjdiaz/simply-simple-notes/merge_requests/4

Example Project

https://gitlab.com/fjdiaz/simply-simple-notes/

What is the current bug behavior?

(check image above) We see the same vulnerabilities as new and fixed

What is the expected correct behavior?

(check image above) We shouldn't see the same vulnerabilities as new and fixed

Output of checks

This bug happens on GitLab.com

Possible fixes

Use location fingerprint instead of the full location object in occurrence model for comparison.

Edited by Olivier Gonzalez