GitHubPull Details section only shows a subset of vulnerabilities #80

Open
mark-strasser-nnl opened this issue Jul 3, 2024 · 0 comments

Comments

@mark-strasser-nnl
Contributor

Using the bug_tracker: GitHubPull option with SAST scanner, this action generates a PR comment with an incorrect number of details.

There is no filtering based on severity or category.

It appears that only the first vulnerability in each file for a given type is shown. For example, only the first CSRF vulnerability in adminlogin.jsp is shown.

Actual behavior

The PR comment shows the following:

Cx-SAST Summary

  • Total of 280 vulnerabilities
  • 108 High
  • 163 Medium
  • 9 Low
  • 0 Info

Cx-SAST Details

  • 45 rows High
  • 44 rows Medium
  • 7 rows Low

How to reproduce

  1. Fork https://github.com/CSPF-Founder/JavaVulnerableLab to a local repository.
  2. Configure your actions to call this action with bug_tracker: GitHubPull when triggered by a PR / branch change.
  3. Create a PR.
  4. Let the action run and generate a PR comment.
  5. Check the summary totals vs. the number in the details.

Expected behavior

The Cx-SAST Details section shows the same number of rows as there are vulnerabilities: 108 rows for High vulnerabilities, 163 rows for Medium, et cetera.

Workaround

No workaround found yet except to fix vulnerabilities.
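As an added illustration of the discrepancy reported in this issue (not the action's own code), the check below flags every severity whose summary total differs from the number of detail rows. The findings are constructed, and the (file, category) keying in `details_by_file_and_category` is only an assumption about how a second CSRF hit in the same file could be dropped.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    category: str   # e.g. "CSRF"
    severity: str   # "High" | "Medium" | "Low" | "Info"
    line: int


# Constructed sample findings, not real scan output. Two CSRF hits in the
# same file mirror the adminlogin.jsp case described in the report.
FINDINGS = [
    Finding("adminlogin.jsp", "CSRF", "High", 12),
    Finding("adminlogin.jsp", "CSRF", "High", 40),
    Finding("adminlogin.jsp", "XSS", "Medium", 55),
    Finding("search.jsp", "SQL_Injection", "High", 7),
    Finding("search.jsp", "SQL_Injection", "High", 9),
    Finding("util.jsp", "Information_Exposure", "Low", 3),
]


def summary(findings):
    """Per-severity totals, as the Cx-SAST Summary block reports them."""
    return Counter(f.severity for f in findings)


def details_by_file_and_category(findings):
    """Assumed faulty behaviour: one row per (file, category), so the
    second CSRF finding in adminlogin.jsp is silently dropped."""
    seen = {}
    for f in findings:
        seen.setdefault((f.file, f.category), f)
    return list(seen.values())


def details_per_finding(findings):
    """Expected behaviour: one row per distinct finding (line included)."""
    seen = {}
    for f in findings:
        seen.setdefault((f.file, f.category, f.line), f)
    return list(seen.values())


def check_consistency(findings, details):
    """Return {severity: (summary_total, detail_rows)} for each severity
    where the summary block and the details block disagree."""
    totals, rows = summary(findings), Counter(d.severity for d in details)
    return {s: (totals[s], rows[s]) for s in totals if totals[s] != rows[s]}


if __name__ == "__main__":
    print(check_consistency(FINDINGS, details_by_file_and_category(FINDINGS)))
    print(check_consistency(FINDINGS, details_per_finding(FINDINGS)))
```

Running it prints `{'High': (4, 2)}` for the per-(file, category) rendering and `{}` for the per-finding one; the same check can be pointed at a real summary/details pair to confirm whether a comment is complete.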
