fix: deduplicate SARIF rules by problem ID in UFM output

Author: danskmt

internal/presenters/funcs.go

@@ -386,10 +386,27 @@ func getDefaultTemplateFuncMap(config configuration.Configuration, ri runtimeinf
 	defaultMap["getTargetId"] = func(path string) (string, error) {
 		return target.GetTargetId(path, target.AutoDetectedTargetId, target.WithConfiguredRepository(config))
 	}
+	defaultMap["deduplicateIssuesByProblemID"] = deduplicateIssuesByProblemID
 
 	return defaultMap
 }
 
+func deduplicateIssuesByProblemID(issues []testapi.Issue) []testapi.Issue {
+	seen := make(map[string]bool)
+	result := make([]testapi.Issue, 0, len(issues))
+	for _, issue := range issues {
+		id := issue.GetProblemID()
+		if id == "" {
+			id = issue.GetID()
+		}
+		if !seen[id] {
+			seen[id] = true
+			result = append(result, issue)
+		}
+	}
+	return result
+}
+
 func convertTypeToIssueName(findingType testapi.FindingType) string {
 	// Map backend finding types to human-friendly issue group names
 	switch findingType {

internal/presenters/presenter_ufm_test.go

@@ -131,7 +131,8 @@ func sortByID(arr []interface{}) {
 	})
 }
 
-// sortByRuleID sorts an array of results by their "ruleId" field
+// sortByRuleID sorts an array of results by their "ruleId" field,
+// with artifact URI as a tiebreaker for stable ordering.
 func sortByRuleID(arr []interface{}) {
 	sort.Slice(arr, func(i, j int) bool {
 		iMap, iOk := arr[i].(map[string]interface{})
@@ -141,10 +142,39 @@ func sortByRuleID(arr []interface{}) {
 		}
 		iID, _ := iMap["ruleId"].(string) //nolint:errcheck // test helper, ok to ignore
 		jID, _ := jMap["ruleId"].(string) //nolint:errcheck // test helper, ok to ignore
-		return iID < jID
+		if iID != jID {
+			return iID < jID
+		}
+		// Multiple results can share the same ruleId (e.g. duplicate secrets findings),
+		// so we use artifact URI as a tiebreaker to avoid flaky ordering from Go map iteration.
+		return extractArtifactURI(iMap) < extractArtifactURI(jMap)
 	})
 }
 
+func extractArtifactURI(result map[string]interface{}) string {
+	locations, ok := result["locations"].([]interface{})
+	if !ok || len(locations) == 0 {
+		return ""
+	}
+	loc, ok := locations[0].(map[string]interface{})
+	if !ok {
+		return ""
+	}
+	physLoc, ok := loc["physicalLocation"].(map[string]interface{})
+	if !ok {
+		return ""
+	}
+	artLoc, ok := physLoc["artifactLocation"].(map[string]interface{})
+	if !ok {
+		return ""
+	}
+	uri, ok := artLoc["uri"].(string)
+	if !ok {
+		return ""
+	}
+	return uri
+}
+
 // normalizeHelpContent removes help.markdown content to avoid comparing test data descriptions
 func normalizeHelpContent(run map[string]interface{}) {
 	normalizeRuleHelp(run)

internal/presenters/templates/ufm.sarif.tmpl

@@ -17,7 +17,9 @@
 						"version" : "{{- getRuntimeInfo "version" }}",
 						"informationUri" : "https://docs.snyk.io/",
 						"rules" : [
-							{{- range $index, $issue := $issues }}
+							{{- $uniqueRules := deduplicateIssuesByProblemID $issues }}
+							{{- $rulesSize := sub (len $uniqueRules) 1 }}
+							{{- range $index, $issue := $uniqueRules }}
 							{{- $tags := buildRuleTags $issue }}
 							{{- $cvssScore := getRuleCVSSScore $issue }}
 							{{- $problemID := $issue.GetProblemID }}
@@ -46,7 +48,7 @@
 									"cvssv3_baseScore": {{ $cvssScore }},
 									"security-severity": {{ getQuotedString (printf "%.1f" $cvssScore) }}{{end}}
 								}
-							}{{if lt $index $issuesSize}},{{end}}
+							}{{if lt $index $rulesSize}},{{end}}
 							{{- end }}
 						]
 						{{- $dependencyCount := index $metadata "dependency-count" }}

internal/presenters/testdata/ufm/secrets.human.readable

@@ -1,12 +1,17 @@
 Testing  () ...
 
-Open Secrets issues: 2
+Open Secrets issues: 3
 
  ✗ [HIGH] Generic API Key
    Finding ID: 99999999-8888-7777-6665-000000000000
    Info: Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.
    Path: config.env, line 3 to 44
 
+ ✗ [HIGH] Generic API Key
+   Finding ID: dddddddd-8888-7777-6665-000000000000
+   Info: Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.
+   Path: credentials.yml, line 7 to 7
+
  ! [PENDING IGNORE...] [CRITICAL] Generic Secret
    Finding ID: bbbbbbbb-bbbb-cccc-dddd-eeeeeeeeeeee
    Info: Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.
@@ -35,8 +40,8 @@
 │   Test type:         Secret Detection                   │
 │   Project path:                                         │
 │                                                         │
-│   Total secrets issues: 3                               │
+│   Total secrets issues: 4                               │
 │   Ignored: 1 [ 0 CRITICAL  1 HIGH  0 MEDIUM  0 LOW ]    │
-│   Open   : 2 [ 1 CRITICAL  1 HIGH  0 MEDIUM  0 LOW ]    │
+│   Open   : 3 [ 1 CRITICAL  2 HIGH  0 MEDIUM  0 LOW ]    │
 ╰─────────────────────────────────────────────────────────╯
 

internal/presenters/testdata/ufm/secrets.sarif.json

@@ -144,6 +144,28 @@
 							"kind": "external"
 						}
 					]
+				},
+				{
+					"ruleId": "generic-api-key",
+					"level": "error",
+					"message": {
+						"text": "This file contains a high severity Generic API Key vulnerability."
+					},
+					"locations": [
+						{
+							"physicalLocation": {
+								"artifactLocation": {
+									"uri": "credentials.yml"
+								},
+								"region": {
+									"startLine": 7,
+									"startColumn": 10,
+									"endLine": 7,
+									"endColumn": 52
+								}
+							}
+						}
+					]
 				}
 			],"automationDetails": {
 					"id": "Snyk/Secrets/0/2026-02-03T11:03:16Z"

internal/presenters/testdata/ufm/secrets.testresult.json

@@ -104,7 +104,8 @@
     "_problemRefs": {
       "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": ["generic-api-key", "CWE-798"],
       "aaaaaaab-bbbb-cccc-dddd-eeeeeeeeeeee": ["generic-api-key-2", "CWE-798"],
-      "399f629d-d638-441c-82a0-379e327dc941": ["generic-secret", "CWE-798"]
+      "399f629d-d638-441c-82a0-379e327dc941": ["generic-secret", "CWE-798"],
+      "cccccccc-bbbb-cccc-dddd-eeeeeeeeeeee": ["generic-api-key", "CWE-798"]
     },
     "findings": [
       {
@@ -254,6 +255,36 @@
           }
         },
         "type": "findings"
+      },
+      {
+        "attributes": {
+          "cause_of_failure": false,
+          "description": "Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.",
+          "evidence": [],
+          "finding_type": "secret",
+          "key": "dddddddd-8888-7777-6665-000000000000",
+          "locations": [
+            {
+              "file_path": "credentials.yml",
+              "from_column": 10,
+              "from_line": 7,
+              "to_column": 52,
+              "to_line": 7,
+              "type": "source"
+            }
+          ],
+          "policy_modifications": [],
+          "problems": null,
+          "rating": {
+            "severity": "high"
+          },
+          "risk": {},
+          "title": "Generic API Key"
+        },
+        "id": "cccccccc-bbbb-cccc-dddd-eeeeeeeeeeee",
+        "links": {},
+        "relationships": {},
+        "type": "findings"
       }
     ]
   }