django-DefectDojo
Deduplication improvements between different development environments / branches
Is your feature request related to a problem? Please describe

We often run into some issues on how to handle deduplication when we run scans against multiple branches (or environments) of the same product, e.g. three branches: main, someFeatureA, securityFixB.
Scenario A: Let’s say we introduce a new finding in the someFeatureA branch, that we classify as false positive / add a risk acceptance to or add notes.
Scenario B: In securityFixB we fix a finding that still exists in someFeatureA and main.
For scenario A we could deduplicate between all those branches and wouldn’t have to do the risk acceptance / false positive marking / notes multiple times. But for scenario B this would give us trouble as securityFixB would close down the finding (as it no longer occurs (if we use the “close old findings” feature)), which would be correct, but another scan of the other branches would reopen that finding.
Describe the solution you'd like

Our goal would be to only do manual entries like notes / risk acceptances / etc. once. We thought about solutions like a "main" / "base" engagement that additional engagements are deduplicating against but not between each other, though to be honest, I am not sure if this is the right solution.