
Semgrep-based SAST report does not report all findings

Summary

When using GitLab SAST, in some cases not all findings are reported.

Steps to reproduce

Add the sample below as a file named test.cpp to a GitLab project with SAST enabled.

#include <iostream>
#include <cstring>

int test() {
    char x[20];
    char y[20];
    int i = 10;

    // test
    memcpy(x, y, i); // detected
    memcpy(y, "2100{", 2); // detected
    //memcpy(x, "2100{", 2);
    //memcpy(y, "2100{", 2);
    memcpy(x, "2100{", 2); // not detected
    memcpy(y, "2100{", 2); // not detected
    memcpy(y, "2100{", 2); // detected
    if (true) {
        memcpy(y, "2100{", 2); // detected
    }
    memcpy(y, "2100{", 2); // not detected
    memcpy(y, "2100{", 2); // detected
    return 0;
}

In the file above, the status of each finding, as displayed in the vulnerability report and the pipeline security tab, is indicated in the comments. All instances of memcpy should be displayed.


However, when downloading the gl-sast-report.json from the security tab, it actually includes all the findings:

$ jq ".vulnerabilities[].location" gl-sast-report.json
{
  "file": "test.cpp",
  "start_line": 10
}
{
  "file": "test.cpp",
  "start_line": 11
}
{
  "file": "test.cpp",
  "start_line": 14
}
{
  "file": "test.cpp",
  "start_line": 15
}
{
  "file": "test.cpp",
  "start_line": 16
}
{
  "file": "test.cpp",
  "start_line": 18
}
{
  "file": "test.cpp",
  "start_line": 20
}
{
  "file": "test.cpp",
  "start_line": 21
}

Issue 1: Hash clash for different lines in the scope_offset_compressed algorithm

tracking-calculator: #470168 (closed)

Issue 2: Potentially comparing hashes produced by different algorithms

backend report ingestion: #470170 (closed)
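The two issues above can be checked for directly against a downloaded gl-sast-report.json, before filing anything: findings that share one tracking signature under the same algorithm are the ones a signature-based deduplication collapses (issue 1), and a signature value that shows up under two different algorithms is only safe if every consumer compares (algorithm, value) pairs rather than bare values (issue 2). The script below is an added example, not GitLab's code. It assumes the report layout vulnerabilities[].tracking.items[].signatures[] with "algorithm" and "value" keys, as written by the tracking-calculator; the embedded report is constructed (its line numbers mirror the jq output above, but the hash values are invented and are not the signatures GitLab produced for test.cpp).

```python
"""Added example (not GitLab code): look for tracking-signature collisions in a
gl-sast-report.json. Assumes the tracking.items[].signatures[] layout; the
embedded report is constructed and its hash values are invented."""
import json
import sys
from collections import defaultdict


def _finding(line, compressed_sig, full_sig):
    """Build one constructed finding at test.cpp:<line> with two signatures."""
    return {
        "name": "Insecure use of memcpy",
        "location": {"file": "test.cpp", "start_line": line},
        "tracking": {
            "type": "source",
            "items": [{
                "file": "test.cpp", "line_start": line, "line_end": line,
                "signatures": [
                    {"algorithm": "scope_offset_compressed", "value": compressed_sig},
                    {"algorithm": "scope_offset", "value": full_sig},
                ],
            }],
        },
    }


# Constructed report. Lines 11, 15 and 20 deliberately share one
# scope_offset_compressed value (issue 1), and line 18's scope_offset value
# coincides with line 14's scope_offset_compressed value (issue 2).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        _finding(10, "a1", "s10"), _finding(11, "b2", "s11"),
        _finding(14, "c3", "s14"), _finding(15, "b2", "s15"),
        _finding(16, "d4", "s16"), _finding(18, "e5", "c3"),
        _finding(20, "b2", "s20"), _finding(21, "f6", "s21"),
    ],
})


def iter_signatures(report_json):
    """Yield (algorithm, value, file, line) for every tracking signature."""
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        loc = vuln.get("location", {})
        for item in vuln.get("tracking", {}).get("items", []):
            file = item.get("file", loc.get("file"))
            line = item.get("line_start", loc.get("start_line"))
            for sig in item.get("signatures", []):
                yield sig["algorithm"], sig["value"], file, line


def same_algorithm_collisions(report_json):
    """(algorithm, value) -> locations sharing it; only keys with more than one.
    A consumer deduplicating on the signature keeps one finding per key, so
    every extra location listed here is a finding that disappears."""
    by_key = defaultdict(set)
    for algo, value, file, line in iter_signatures(report_json):
        by_key[(algo, value)].add((file, line))
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def cross_algorithm_overlaps(report_json):
    """value -> algorithms it appears under, for values seen under several.
    Harmless only if consumers compare (algorithm, value), not the bare value."""
    algos = defaultdict(set)
    for algo, value, _, _ in iter_signatures(report_json):
        algos[value].add(algo)
    return {v: sorted(a) for v, a in algos.items() if len(a) > 1}


def count_findings(report_json, algorithm="scope_offset_compressed"):
    """Return (findings in the report, distinct signature values under algorithm).
    A gap between the two is the number of findings at risk of being merged."""
    total = len(json.loads(report_json).get("vulnerabilities", []))
    distinct = {v for a, v, _, _ in iter_signatures(report_json) if a == algorithm}
    return total, len(distinct)


def main(argv):
    """Usage: python check_sast_tracking.py [gl-sast-report.json]"""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    total, distinct = count_findings(report_json)
    print(f"{total} findings, {distinct} distinct scope_offset_compressed signatures")
    for (algo, value), locs in same_algorithm_collisions(report_json).items():
        print(f"collision under {algo} ({value}): " + ", ".join(f"{f}:{l}" for f, l in locs))
    for value, algos in cross_algorithm_overlaps(report_json).items():
        print(f"value {value} appears under several algorithms: {', '.join(algos)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real report with `python check_sast_tracking.py gl-sast-report.json`; on the constructed input it reports 8 findings against 6 distinct signatures, one three-way collision (lines 11, 15, 20) and one value shared across algorithms. Under the same layout assumption, the first number can also be checked with plain jq: `jq '[.vulnerabilities[].tracking.items[].signatures[] | select(.algorithm == "scope_offset_compressed").value] | unique | length' gl-sast-report.json`, compared with `jq '.vulnerabilities | length'`.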
