Sort DS analysers according to scanner id
What does this MR do?
Common library merges reports from different analysers and removes duplicate vulnerabilities by looking common identifiers. So if bundler-audit reported some vulnerability with identifier x,y and gemnasium reported vulnerability with identifier z,y it will remove the vulnerability that gemnasium reported because it is considered as duplicate.
Now that we are abandoning DIND merging and removing functionality is up to rails backend and its done by Security::MergeReportsService . Security::MergeReportsService
removes duplicates by looking location_fingerprint
and identifier
.
With Dind we ran analysers in certain order so order of DS_DEFAULT_ANALYZERS is important because if we ran gemnasium before bundler audit since our deduplication logic removes vulnerabilities with common identifiers vulnerabilities that are reported by bundler audit will be considered as duplicates and they will be removed. Let me provide you an example to clarify why order is important,
So depending on which analyzer is ran, other one will be considered duplicate and not reported (same behaviour with both DIND and NO-DIND). Problem is, depending on which vulnerability we pick primary_identifier
changes. primary_identifier
is used to compare occurrences in mr widget and security dashboard so behaviour of those will change. Thats why in DIND mode if we change order of analysers in DS_DEFAULT_ANALYZERS users will see "different" vulnerabilities being reported.
We were able to preserve order that analysers ran in DIND mode with DS_DEFAULT_ANALYZERS but once we switch NO-DIND mode we won't have control over which analyser finishes first.
This MR makes sure we process DS reports in same order as orchestrator layer that we are going to deprecate. This is not ideal solution. We are discussion ideal solutions here