Github SAST Scan duplicate findings due to hashcode issue

[Logicmn]

Bug description
Github SAST Scan uses line as field its hashcode. These alerts in GitHub change lines often, causing duplicate findings to be created for the same alert when re-uploading a scan.

"Github SAST Scan": ["vuln_id_from_tool", "severity", "file_path", "line"]

Link to code.

Steps to reproduce
Steps to reproduce the behavior:

1. Import a test with findings using Github SAST Scan scan type
2. Change the line number on one of the findings
3. Re-upload the test/scan
4. Observe duplicate finding

Expected behavior
The line field should not factor into the hash code, and the alert should only be uploaded once.

[Logicmn]

I was trying to brainstorm a better determination of uniqueness for these findings, but I have been struggling because there is no unique alert ID provided from GitHub. If we simply remove line from the hashcode, I am not sure it will be unique enough. For example, in the case of two alerts in the same file, of the same severity, and the same vuln_id (e.g. codeql/js/ssrf), these would be merged into one finding in DefectDojo, if line was removed. But perhaps that would be OK? I'm curious what others think...

[manuel-sommer]

The same issue occurs within all kinds of sast scanners, e.g. bandit or rusty hog.

[Logicmn]

Makes sense, it's a tough problem to tackle. I can't speak for other scanners, but I have proposed a solution for Github SAST in the following draft PR: #13683

If we can solve this duplication issue, it would remove the headache of manually cleaning up dupes, and increase integrity of Github SAST Scan findings in DefectDojo.

[manuel-sommer]

What you can do is: closing the old findings (there is a setting in the api call when you import / reimport the file).

[Logicmn]

We already set close_old_findings to true, this does not solve the problem. When we create a Jira, it is linked to the original finding. When re-importing, the original finding with the linked Jira will be closed, and a new finding will be created. This causes confusion, and manually rectifying this can take time and effort.