Per Appendix B (normative) of SARIF 2.1.0, "Use of fingerprints by result management systems", absolute line numbers SHOULD NOT be used for fingerprinting. The `codeclimate` command does exactly this, which can lead to a lot of fix+new finding false positives in the GitLab UI. Please use data for fingerprinting that doesn’t change as a consequence of unrelated changes to the extent possible. For example, you could use `logicalLocations` if available, which should be stable (although that would mask multiple findings within the same method). Or you could use the content of the line if available (this needs access to the files themselves, though, as SARIF doesn’t include the file content).
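An added example (not from the issue or the project it addresses) of the approach the comment suggests: a fingerprint built from rule id, artifact URI, `logicalLocations` and the content of the reported line, next to one that bakes in the absolute line number. The SARIF fragments, rule id, file path and source text are constructed for the demonstration.

```python
import hashlib

# Constructed SARIF results (not from the page): the same eval() finding in
# src/app.py, reported before and after three unrelated lines are inserted
# above it, so only startLine differs between the two.
def _result(start_line):
    return {
        "ruleId": "py/eval-injection",  # hypothetical rule id
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": start_line},
            },
            "logicalLocations": [{"fullyQualifiedName": "app.Handler.run"}],
        }],
    }

RESULT_BEFORE = _result(3)
RESULT_AFTER = _result(6)

# Constructed checked-out sources keyed by artifact URI. As the comment notes,
# using line content needs the files themselves; SARIF does not carry them.
_BODY = "class Handler:\n    def run(self, user_input):\n        return eval(user_input)\n"
SOURCES_BEFORE = {"src/app.py": _BODY}
SOURCES_AFTER = {"src/app.py": "import os\nimport sys\n\n" + _BODY}

def _line_text(sources, uri, line_no):
    lines = sources.get(uri, "").splitlines()
    # Whitespace-insensitive so re-indentation does not churn fingerprints.
    return "".join(lines[line_no - 1].split()) if 0 < line_no <= len(lines) else ""

def line_number_fingerprint(result):
    """What the comment criticises: the absolute line number is part of the key."""
    loc = result["locations"][0]["physicalLocation"]
    key = f'{result["ruleId"]}:{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
    return hashlib.sha256(key.encode()).hexdigest()

def stable_fingerprint(result, sources):
    """Rule id + artifact + logical location + line content; no line numbers."""
    loc = result["locations"][0]
    phys = loc["physicalLocation"]
    uri = phys["artifactLocation"]["uri"]
    logical = "|".join(l.get("fullyQualifiedName", "") for l in loc.get("logicalLocations", []))
    text = _line_text(sources, uri, phys["region"]["startLine"])
    return hashlib.sha256("\x00".join([result["ruleId"], uri, logical, text]).encode()).hexdigest()
```

Including the line content alongside the logical location is what keeps two distinct findings inside the same method from collapsing into one fingerprint.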