Vulnerability Report commit weirdness
There seems to be some odd behavior in how the vulnerability report handles commits.
Let's use this PR as an example: https://github.com/stacklok/trusty-sdk-go/pull/23
Squashed View of Changes (but not quite)
First, I pushed a change pulling in some dependencies, and minder commented:
So in that one, the message says it is looking at ccc73643. The dependencies are being introduced in the previous commit. This tells me minder is looking at the squashed view of my change. Which is OK-ish, I guess, but not ideal since it should be acting on the commit that introduced the change.
Then, as part of the review, I force pushed the last commit from ccc73643 to 4b3eded:
If minder was looking at the squashed view, I would have expected some reaction consistent with the squashed behavior that produced the previous message. In this case, it should have updated the commit in the message.
Now, since I didn't update go.mod with the push, it is probably OK not to trigger things again, but it makes it inconsistent with a squashed-view analysis since the HEAD commit was modified.
No, It's Not Squashed. What Is It?
Now, I noticed there was an update to one of the modules I was importing. So I force-pushed a change, this time introducing a different version of the new module:
At this point, Minder should be inspecting my change and giving me feedback. The end result is the same: no vulnerable dependencies, but I need to know that Minder looked at it. As this last push changed both the PR HEAD and the commit changing go.mod, the PR comment should have been updated.
How things need to work:
- Minder needs to decide if a) it is working on the squashed view from the HEAD of the PR or b) acting on the commit that is introducing a dependency change.
- Then, Minder needs to react to changes to the commit we are looking at. Minder needs to keep the commit hash up to date in the comment to let users know which revision Minder last looked at.
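The decision logic described above, as an added example in Go (minder's own language) that is not part of this issue or of minder's code base. It models a PR as an ordered list of commits, each with the go.mod contents at that commit, computes both views at once (the squashed diff of HEAD against the base branch, and the last commit whose go.mod differs from its parent), and then decides after each push whether the comment's reviewed SHA must be edited and whether the dependency scan must rerun. The three pushes replay the scenario in the issue; the commit SHAs a1b2c3d4, e5f6a7b8 and c9d0e1f2, the module names and the go.mod contents are constructed for the example, and the types and function names are hypothetical, not minder's.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Commit is a simplified view of one PR commit: its SHA and the full
// go.mod contents at that commit. Hypothetical model, not minder's types.
type Commit struct {
	SHA   string
	GoMod string
}

// Report is the state a PR comment should carry.
type Report struct {
	ReviewedSHA   string            // PR HEAD that was last inspected
	IntroducedSHA string            // last commit that changed dependencies; "" if none
	Changes       map[string]string // squashed view: module -> version added/changed vs base
}

// requires parses `require` directives (single-line and block form) into
// module -> version. Handles only the subset of go.mod syntax used here.
func requires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop comments
		}
		line = strings.TrimSpace(line)
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// depChanges returns modules whose version in newMod differs from oldMod,
// including newly added modules. Removals are ignored: they cannot
// introduce a vulnerable dependency.
func depChanges(oldMod, newMod string) map[string]string {
	o, n := requires(oldMod), requires(newMod)
	changes := map[string]string{}
	for m, v := range n {
		if o[m] != v {
			changes[m] = v
		}
	}
	return changes
}

// Evaluate walks the PR's commits in order. It records the last commit whose
// go.mod differs from its parent (option b in the issue) and the squashed
// diff of HEAD against the base branch (option a), so the comment can
// report both the inspected HEAD and the commit that introduced the change.
func Evaluate(baseGoMod string, commits []Commit) Report {
	r := Report{ReviewedSHA: commits[len(commits)-1].SHA}
	prev := baseGoMod
	for _, c := range commits {
		if len(depChanges(prev, c.GoMod)) > 0 {
			r.IntroducedSHA = c.SHA
		}
		prev = c.GoMod
	}
	r.Changes = depChanges(baseGoMod, prev)
	return r
}

// Decide compares the previously posted report with the one for the new
// push. The comment is edited whenever HEAD moved, so the user always sees
// which revision was inspected; the scan only reruns when the dependency
// change itself (or the commit introducing it) differs.
func Decide(posted, fresh Report) (editComment, rescan bool) {
	editComment = posted.ReviewedSHA != fresh.ReviewedSHA
	rescan = posted.IntroducedSHA != fresh.IntroducedSHA ||
		!reflect.DeepEqual(posted.Changes, fresh.Changes)
	return editComment, rescan
}

// Constructed go.mod contents: base branch, a PR adding one module, and the
// force-pushed rewrite bumping that module to a different version.
const (
	BaseGoMod = "module example.com/sdk\n\ngo 1.21\n"
	depV1     = "module example.com/sdk\n\ngo 1.21\n\nrequire (\n\tgithub.com/example/dep v1.0.0 // indirect\n)\n"
	depV2     = "module example.com/sdk\n\ngo 1.21\n\nrequire github.com/example/dep v1.1.0\n"
)

// The three pushes from the issue, with constructed SHAs for the commits
// the issue does not name.
var (
	Push1 = []Commit{{"a1b2c3d4", depV1}, {"ccc73643", depV1}} // deps added, then an unrelated commit
	Push2 = []Commit{{"a1b2c3d4", depV1}, {"4b3eded", depV1}}  // force-push: only HEAD rewritten
	Push3 = []Commit{{"e5f6a7b8", depV2}, {"c9d0e1f2", depV2}} // force-push: dep commit rewritten too
)

func main() {
	posted := Evaluate(BaseGoMod, Push1)
	fmt.Printf("push 1: reviewed %s, introduced in %s, changes %v\n",
		posted.ReviewedSHA, posted.IntroducedSHA, posted.Changes)
	for i, push := range [][]Commit{Push2, Push3} {
		fresh := Evaluate(BaseGoMod, push)
		edit, rescan := Decide(posted, fresh)
		fmt.Printf("push %d: reviewed %s, introduced in %s, edit comment=%t, rescan=%t\n",
			i+2, fresh.ReviewedSHA, fresh.IntroducedSHA, edit, rescan)
		posted = fresh
	}
}
```

With this split, the second push (HEAD rewritten, go.mod untouched) edits the comment's SHA without rescanning, and the third push (dependency commit rewritten) both rescans and edits, which is the behaviour the two bullets ask for.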