Skip the primary identifier when sorting the identifiers
What does this MR do?
In Sort vulnerability links and identifiers (!116 - merged) we introduced sorting of the identifiers so we can provide deterministic report output. The problem is that identifiers are also used for vulnerability deduplication (see this thread). The primary_identifier is important for vulnerability deduplication as it's one of the keys used to compare reported vulnerabilities.
The primary_identifier is set to be the first identifier in the identifiers list, so by sorting the identifiers, we are breaking the ability of the analyzers to set the primary identifier based on their order. This leads to kind-of-duplicate findings (old findings are resolved and new, identical ones are reported).
To fix this issue, I changed the sorting snippet so it will just skip the first identifier, so that we keep the primary identifier while sorting the others, and provide deterministic report output.
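As an added illustration (not code from this MR or the analyzer project), the two sorting behaviours side by side in Go: sorting the whole slice moves whichever identifier sorts first into the primary position, while sorting only `ids[1:]` keeps the analyzer's primary identifier and therefore a stable deduplication key. The `Identifier` fields, the sort key (type, then value) and the key format are assumptions for the example.

```go
package main

import "sort"

// Identifier mirrors the shape of a report identifier (type, name, value).
// Field names are an assumption for this example, not the project's own type.
type Identifier struct {
	Type  string
	Name  string
	Value string
}

// identifierLess orders by Type, then Value. The exact key is an assumption;
// what matters for the bug is which part of the slice gets sorted.
func identifierLess(a, b Identifier) bool {
	if a.Type != b.Type {
		return a.Type < b.Type
	}
	return a.Value < b.Value
}

// sortAllIdentifiers is the previous behaviour: every identifier is sorted,
// so whichever sorts first silently becomes the primary identifier.
func sortAllIdentifiers(ids []Identifier) {
	sort.SliceStable(ids, func(i, j int) bool { return identifierLess(ids[i], ids[j]) })
}

// sortSecondaryIdentifiers is the fix: index 0 (the analyzer's primary
// identifier) is left alone and only ids[1:] is sorted, in place.
func sortSecondaryIdentifiers(ids []Identifier) {
	if len(ids) < 2 {
		return
	}
	rest := ids[1:]
	sort.SliceStable(rest, func(i, j int) bool { return identifierLess(rest[i], rest[j]) })
}

// primaryIdentifierKey is the part of a deduplication key that depends on the
// primary identifier; if it changes between runs, the finding looks new.
func primaryIdentifierKey(ids []Identifier) string {
	if len(ids) == 0 {
		return ""
	}
	return ids[0].Type + ":" + ids[0].Value
}
```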
What are the relevant issue numbers?
- GitLab Semgrep and Spotbugs analyzers are causi... (gitlab-org/gitlab#573266 - closed) • Adam Cohen • 18.5
- https://gitlab.com/gitlab-com/request-for-help/-/issues/3457+s
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Ensure the report version matches the equivalent schema version
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer