
[WIP][IAST][JAVA] Vulnerability hashing and deduplication V0

Open jandro996 opened this issue 3 years ago • 0 comments

What Does This Do

  • Add a hash property to the vulnerability model; it is used to determine whether two vulnerabilities are equal
  • Implement a new DeduplicationController component that manages the reporting of duplicated vulnerabilities

Motivation

Because we discover vulnerabilities by analysing requests, and different requests can lead to vulnerabilities of the same type in the same file and line, we need a mechanism that stops us from repeatedly reporting vulnerabilities that reference the same code issue. To achieve this we need two things:

  • Be able to identify when two vulnerabilities are equal :arrow_right: Vulnerability.hash
  • A component that tells us whether a found vulnerability can be reported or not :arrow_right: DeduplicationController

Additional Notes

For this first version:

  • We are going to define that whenever two vulnerabilities have the same type and occur in the same file and line, they are considered equal regardless of the rest of the parameters. This is the reason for adding a hash field composed of type, file and line to the vulnerability model.

  • DeduplicationController will have two working modes:

    • ONE_TIME (Default): Vulnerabilities with the same hash can be reported once per runtime. This requires maintaining a cache of already-reported vulnerability hashes, which can cause performance issues if not limited; for this reason, once 1000 vulnerabilities have been reported the cache is reset.
    • NO_DEDUPLICATION: this working mode is demo-oriented and allows duplicate vulnerabilities to be reported
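The following is an added illustration of the design described above, not code from dd-trace-java: a hash over type, file and line, and a controller with the two working modes and the 1000-entry cache reset. All class, field and method names, and the sample vulnerability values, are constructed for the example.

```java
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public class DedupExample {

  // Minimal stand-in for the vulnerability model (constructed for this example): the three
  // fields that feed the hash, plus one unrelated field to show it does not affect deduplication.
  static final class Vulnerability {
    final String type, file, evidence;
    final int line;
    Vulnerability(String type, String file, int line, String evidence) {
      this.type = type; this.file = file; this.line = line; this.evidence = evidence;
    }
    // Same type, file and line => same issue, whatever the other parameters are.
    // Note: a 32-bit hash can collide, so two distinct issues could be deduplicated together;
    // a wider hash would reduce that risk.
    int hash() {
      return Objects.hash(type, file, line);
    }
  }

  enum Mode { ONE_TIME, NO_DEDUPLICATION }

  static final class DeduplicationController {
    static final int MAX_CACHED_HASHES = 1000; // cache bound from the description
    private final Mode mode;
    private final Set<Integer> reported = new HashSet<>();
    DeduplicationController(Mode mode) { this.mode = mode; }

    // Returns true when the vulnerability should be reported now.
    synchronized boolean shouldReport(Vulnerability v) {
      if (mode == Mode.NO_DEDUPLICATION) return true; // demo mode: report everything
      if (reported.size() >= MAX_CACHED_HASHES) {
        // Bounded memory: drop all remembered hashes. Consequence: an already-reported
        // vulnerability can be reported a second time after the reset.
        reported.clear();
      }
      return reported.add(v.hash()); // add() returns false if this hash was already reported
    }
  }

  public static void main(String[] args) {
    DeduplicationController ctl = new DeduplicationController(Mode.ONE_TIME);
    Vulnerability a = new Vulnerability("SQL_INJECTION", "UserDao.java", 42, "request 1");
    Vulnerability b = new Vulnerability("SQL_INJECTION", "UserDao.java", 42, "request 2");
    Vulnerability c = new Vulnerability("SQL_INJECTION", "UserDao.java", 43, "request 3");
    System.out.println(ctl.shouldReport(a)); // true: first sighting of this hash
    System.out.println(ctl.shouldReport(b)); // false: same type, file and line as a
    System.out.println(ctl.shouldReport(c)); // true: different line, different hash
  }
}
```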

jandro996, Aug 10 '22 14:08