False positive quality/security checks due to old reports in the base commit
In the MR widget, we compare the HEAD and the base for the specific branch. This can create weird results, since the report for the base commit is not kept up to date, and so the diff depends on both code and time checks were run on the base.
- a commit is done, security report created (SR1)
- a new branch and related MR are created
- a new vuln is discovered (not related to code changed in the MR) and tools are updated to spot it
- a new commit is done in the MR, security report created (SR2)
At this point, SR1 and SR2 differs because of the new vulnerability, even if it is present also in code related to SR1. Since the SR1 is not kept updated, the MR widget shows the new vulnerability as related to the MR.
This is true for all the checks that are run with this flow, so Code Quality, SAST, Dependency Scanning, Container Scanning, and DAST.