Unstable vulnerability ordering on security reports

Summary

Our test projects within security-products/tests occasionally need their fixtures (qa/expect/gl-sast-report.json) updated to reflect changes in the reports, usually due to new advisories in external DBs. However, there are also some false negatives where report diffing fails purely because of ordering issues. While the SAST analyzer should consistently be sorting reports, there is an issue here to be investigated.

Previous occurrences of report changes:

Previous discussion on ordering:

Example Project

Broken pipeline due to report changes: https://gitlab.com/gitlab-org/security-products/tests/js-yarn/pipelines/43743205

What is the current bug behavior?

Test projects occasionally generate reports with a different vulnerability order than the fixtures, but with no change in the set of identified vulnerabilities.

What is the expected correct behavior?

  • Reports should have a consistent order of vulnerabilities.
  • Test projects should only fail on differences between vulnerabilities within reports, not differences in report order.

Possible fixes

Review the common lib sorting/deduping logic to ensure the order is consistent across reports.

If it's not possible to guarantee a consistent order, our pipeline diffing should sort the reports itself before comparing them, but this is not ideal.
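The following is an added example of the second option (order-insensitive diffing) and of the expected behaviour listed above; it is not code from the test projects or the analyzer. It canonicalises a report by sorting its `vulnerabilities` array on a key built from each entry's own fields, then compares two reports as multisets, so a pure reordering produces no diff while a real change in the identified vulnerabilities does. The field names used (`identifiers[].type`/`value`, `location.file`/`start_line`, `message`) follow the gl-sast-report.json shape and are assumptions; the sample reports are constructed, not real fixture content.

```python
"""Order-insensitive comparison of two gl-sast-report.json documents (added example)."""
import json
from collections import Counter
from typing import Any, Dict, List, Tuple

# Assumed field names, following the gl-sast-report.json shape:
# vulnerabilities[].identifiers[].{type,value}, location.{file,start_line}, message.
Key = Tuple[str, str, int, str]


def vuln_key(vuln: Dict[str, Any]) -> Key:
    """Stable sort/identity key for one vulnerability entry.

    Identifiers are sorted too, so their order inside an entry does not
    influence the key either.
    """
    idents = sorted(
        f"{i.get('type', '')}:{i.get('value', '')}"
        for i in vuln.get("identifiers", [])
    )
    loc = vuln.get("location", {})
    return (
        "|".join(idents),
        str(loc.get("file", "")),
        int(loc.get("start_line", 0) or 0),
        str(vuln.get("message", "")),
    )


def canonicalize(report: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the report with vulnerabilities in canonical order."""
    out = dict(report)
    out["vulnerabilities"] = sorted(report.get("vulnerabilities", []), key=vuln_key)
    return out


def diff_reports(expected: Dict[str, Any], actual: Dict[str, Any]) -> Tuple[List[Key], List[Key]]:
    """Compare the vulnerability sets of two reports, ignoring order.

    Returns (missing, unexpected): keys in `expected` but not in `actual`,
    and keys in `actual` but not in `expected`. Multisets are used so a
    duplicated finding still counts as a difference.
    """
    exp = Counter(vuln_key(v) for v in expected.get("vulnerabilities", []))
    act = Counter(vuln_key(v) for v in actual.get("vulnerabilities", []))
    missing = sorted((exp - act).elements())
    unexpected = sorted((act - exp).elements())
    return missing, unexpected


def reports_match(expected: Dict[str, Any], actual: Dict[str, Any]) -> bool:
    """True when both reports identify the same vulnerabilities, in any order."""
    missing, unexpected = diff_reports(expected, actual)
    return not missing and not unexpected


# Constructed sample fixture (not taken from any real test project).
FIXTURE = json.loads("""
{"version": "2.0", "vulnerabilities": [
  {"category": "sast", "message": "Use of eval", "severity": "High",
   "identifiers": [{"type": "eslint_rule_id", "name": "no-eval", "value": "no-eval"}],
   "location": {"file": "src/a.js", "start_line": 10}},
  {"category": "sast", "message": "Hard-coded secret", "severity": "Critical",
   "identifiers": [{"type": "gitleaks_rule_id", "name": "Generic API Key", "value": "generic-api-key"}],
   "location": {"file": "src/config.js", "start_line": 3}}
]}
""")

# Same findings, different order: must NOT be reported as a difference.
REORDERED = {"version": "2.0", "vulnerabilities": list(reversed(FIXTURE["vulnerabilities"]))}

# A real change (one finding moved to another line): MUST be reported.
CHANGED = json.loads(json.dumps(FIXTURE))
CHANGED["vulnerabilities"][0]["location"]["start_line"] = 42


if __name__ == "__main__":
    print("reordered matches fixture:", reports_match(FIXTURE, REORDERED))
    print("changed matches fixture:  ", reports_match(FIXTURE, CHANGED))
    print("diff for changed report:  ", diff_reports(FIXTURE, CHANGED))
```

In a pipeline this would run on the expected fixture and the freshly generated report; if `diff_reports` returns anything, print the two lists and fail the job, otherwise pass even when the analyzer's output order differs.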