Because of how semgrep works, some of our rules (like obfuscation, shady-links, etc.) can match the same offending line multiple times.
This can cause the same location and code to be reported over and over again.
This PR aims to append a finding only if it has not already been reported.
From this:
shady-links: found 951 source code matches
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
...
To this:
shady-links: found 3 source code matches
* This package contains an URL to a domain with a suspicious extension at package/lib/index.cjs:1
"use strict";var Kc=Object.create;var vn=Object.defineProperty;var Jc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeOf,Zc=Object.prototype.hasOwnProperty;var ee=(t,e)=>{for(var r in e)vn(t,r,{ge...}`).join(`
* This package contains an URL to a domain with a suspicious extension at package/lib/index.global.js:14
`),r=!1,a=!1,i;n.on("response",s=>{let{headers:o}=s;r=o["transfer-encoding"]==="chunked"&&!o["content-length"]}),n.on("socket",s=>{let o=()=>{if(r&&!a){let p=new Error("Premature close");p.code="ERR_STREAM_PREMATURE_CLOSE",e(p)}},c=p=>{a=(v...d Message:
* This package contains an URL to a domain with a suspicious extension at package/lib/index.js:1
var Ys=Object.defineProperty;var oe=(t,e)=>{for(var r in e)Ys(t,r,{get:e[r],enumerable:!0})};import{BigNumber as pp}from"bignumber.js";var bi={};oe(bi,{chains:()=>qe,envs:()=>it,schemas:()=>Ga});var ai={"1":{chainId:"1",explorer:"https://et...}`).join(`
Because of how semgrep works, some of our rules (like obfuscation, shady-links, etc.) can match the same offending line multiple times. This can cause the same location and code to be reported over and over again. This PR aims to append a finding only if it has not already been reported.
From this:
To this: