Unable to use Manual Pipeline Mitigation file to mitigate flaws with 'UNKNOWN' source

[Daverism]

The pipeline scanner is detecting flaws in a dependent library and flagging them up in the Pipeline scanner results with file "UNKNOWN" and line 1.

example:

      "files": {
        "source_file": {
          "file": "UNKNOWN",
          "line": 1,
          "function_name": "[redacted]",
          "qualified_function_name": "[redacted],
          "function_prototype": "[redacted]",
          "scope": "[redacted]"
        }

When multiple instances of the same flaw are detected in different dependent packages with the same flaw ID and file (UNKNOWN) and line (1) only one instance of the flaw is removed via the manual mitigations file matching leaving unmitigated flaws that are causing the pipelines to fail.

[tjarrettveracode]

Thanks for flagging this, @Daverism . This occurs when performing a scan on bytecode that is missing debug symbols, which doesn't allow us to recover the source file information. We may be able to improve our matching algorithms to handle this situation better. I'll take a look at this with our engineering team.