Description
Describe the bug
After addressing vulnerabilities in a previous analysis' report, some vulnerability issues within SonarQube are having their descriptions updated with the descriptions of other vulnerabilities that are present in the report. In some cases, issues that had been manually marked with a resolution had the resolution removed, making them appear as if they had never been resolved. Comments, tags, and other features that are managed directly by SonarQube remain the same, only the description and severity are changed to that of another issue.
To Reproduce
- Perform an analysis on a project that results in vulnerabilities.
- Resolve at least one of these vulnerabilities in code.
- Perform a second analysis.
- Some issues will have had their descriptions swapped, and/or their resolved status changed.
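An automated version of the tracking the reporter did by hand with comments, as an added example that is not part of the original issue or of the plugin: export the project's issues from SonarQube before and after the second analysis (the `/api/issues/search` Web API returns `key`, `message`, `severity`, `resolution` and `status` per issue), then compare the two exports by issue key. The two snapshots below are constructed to mimic the bug described above and are not real plugin output; the CVE identifiers in them are placeholders.

```python
"""Compare two SonarQube issue exports and flag issues whose message
(description), severity or resolution changed between analyses, plus
pairs of issues whose messages were swapped with each other.

Added example; the snapshots are constructed, not real SonarQube data."""

import json

# Constructed export taken after the first analysis (placeholder CVE ids).
SNAPSHOT_BEFORE = json.dumps({"issues": [
    {"key": "AX1", "message": "CVE-0000-0001 (placeholder) in lib-a.jar",
     "severity": "CRITICAL", "status": "RESOLVED", "resolution": "WONTFIX"},
    {"key": "AX2", "message": "CVE-0000-0002 (placeholder) in lib-b.jar",
     "severity": "MAJOR", "status": "OPEN"},
    {"key": "AX3", "message": "CVE-0000-0003 (placeholder) in lib-c.jar",
     "severity": "MINOR", "status": "OPEN"},
]})

# Constructed export after the second analysis: AX1 and AX2 have exchanged
# message and severity, and AX1 lost its manual WONTFIX resolution.
SNAPSHOT_AFTER = json.dumps({"issues": [
    {"key": "AX1", "message": "CVE-0000-0002 (placeholder) in lib-b.jar",
     "severity": "MAJOR", "status": "OPEN"},
    {"key": "AX2", "message": "CVE-0000-0001 (placeholder) in lib-a.jar",
     "severity": "CRITICAL", "status": "OPEN"},
    {"key": "AX3", "message": "CVE-0000-0003 (placeholder) in lib-c.jar",
     "severity": "MINOR", "status": "OPEN"},
]})

WATCHED_FIELDS = ("message", "severity", "resolution")


def index_issues(snapshot_json):
    """Map issue key -> issue dict for one export."""
    return {issue["key"]: issue for issue in json.loads(snapshot_json)["issues"]}


def diff_issues(before_json, after_json):
    """Return (key, field, old, new) tuples for every watched field that
    differs on an issue present in both exports. Issue keys are stable in
    SonarQube, so a change here means the issue's content moved, not the
    issue itself."""
    before, after = index_issues(before_json), index_issues(after_json)
    changes = []
    for key in sorted(before.keys() & after.keys()):
        for field in WATCHED_FIELDS:
            old, new = before[key].get(field), after[key].get(field)
            if old != new:
                changes.append((key, field, old, new))
    return changes


def find_swaps(before_json, after_json):
    """Return (key1, key2) pairs whose messages were exchanged: after the
    second analysis each carries the message the other had before."""
    before, after = index_issues(before_json), index_issues(after_json)
    keys = sorted(before.keys() & after.keys())
    swaps = []
    for i, k1 in enumerate(keys):
        for k2 in keys[i + 1:]:
            if (before[k1]["message"] != before[k2]["message"]
                    and after[k1]["message"] == before[k2]["message"]
                    and after[k2]["message"] == before[k1]["message"]):
                swaps.append((k1, k2))
    return swaps


if __name__ == "__main__":
    for key, field, old, new in diff_issues(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{key}: {field} changed {old!r} -> {new!r}")
    for k1, k2 in find_swaps(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"messages swapped between {k1} and {k2}")
```

Run it against real exports by replacing the two constants with the JSON bodies of two `/api/issues/search` calls for the same project (paged results must be concatenated first). A dropped `resolution` on an issue that was manually marked is the most important line to watch for, since it silently reopens a triaged finding.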
Current behavior
SonarQube vulnerability issue descriptions and severities are being mixed up on subsequent analyses.
Expected behavior
Each issue's description and severity should remain the same once the issue has been created.
Screenshots
I used comments to track the issues, by commenting the CVE that the issue was for after the first analysis. After the second analysis, it had changed from the one in the comment to the one in the description.
Versions (please complete the following information):
- dependency-check: 6.5.1
- sonarqube: 9.5.0.56709
- dependency-check-sonar-plugin: 3.0.1
Additional context
This appears to be similar to #55.