[BUG] test --diff classifies known findings as new #1525

@Dubhar

Description

Given we have a source branch (main) and a feature branch (feature-1), where feature-1 is based upon main.
On main there is a not-yet-remediated finding: dependencyA uses the unapproved license AGPL.

In that scenario, running fossa test --diff only fails when feature-1 introduces new findings.
However, an update of dependencyA on feature-1 also causes fossa test --diff to fail, despite it being the same dependency with the same license, just another version.

To Reproduce

  1. create a source branch
  2. create a license compliance violation
  3. run fossa analyze for the source branch
  4. create a new branch from the source branch
  5. update the dependency that causes the violation
  6. run fossa analyze for the new branch
  7. run fossa test --diff for the revisions of the two branches

Expected behavior
Even if the finding is not remediated on the source branch yet, a "diff" command should not find a difference if the source of non-compliance is the same for both diffed versions: same dependency, same license, same violation.

Additional context
I admit it's more of an edge case, as findings on main or production branches should always be remediated ASAP. But in our case the command broke the CI/CD pipeline, effectively preventing us from rolling out hotfix updates within the timeframe requested by a customer.
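To make the classification problem concrete, the following is an added illustration (not FOSSA's code, and not derived from how fossa test --diff is actually implemented): it models a finding as a (dependency, version, license) triple and contrasts a diff that keys on the full triple, which reports a version bump of an already-violating dependency as "new", with one that keys on (dependency, license) only, which does not. The sample findings and the Finding class are constructed for the example; the dependency names, versions and SPDX identifiers are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """A single license-policy violation, as a constructed stand-in for a scanner result."""
    dependency: str
    version: str
    license: str


# Constructed sample data (assumed, not real FOSSA output).
# Base branch (main): dependencyA is already flagged for AGPL and not yet remediated.
BASE_FINDINGS = {
    Finding("dependencyA", "1.0.0", "AGPL-3.0-only"),
}

# Feature branch: dependencyA is bumped to a new version (same license) and an
# unrelated new violation, dependencyB under GPL, is introduced.
HEAD_FINDINGS = {
    Finding("dependencyA", "1.1.0", "AGPL-3.0-only"),
    Finding("dependencyB", "2.0.0", "GPL-3.0-only"),
}

# Feature branch variant: the bumped dependencyA now ships under a different
# unapproved license, which genuinely is a new violation.
HEAD_LICENSE_CHANGED = {
    Finding("dependencyA", "1.1.0", "GPL-3.0-only"),
}


def new_findings_by_exact_match(base: set[Finding], head: set[Finding]) -> set[Finding]:
    """Treat a finding as known only if base has the identical dependency, version and
    license. A version bump of an already-failing dependency is therefore reported as
    new, which is the behaviour the issue describes."""
    return {f for f in head if f not in base}


def new_findings_by_violation(base: set[Finding], head: set[Finding]) -> set[Finding]:
    """Treat a finding as known if base already has the same dependency under the same
    license, regardless of version. Only a new dependency, or a changed license on an
    existing one, counts as a new violation."""
    known = {(f.dependency, f.license) for f in base}
    return {f for f in head if (f.dependency, f.license) not in known}


def should_fail(new: set[Finding]) -> bool:
    """A diff-mode gate fails the build only when there is at least one new finding."""
    return len(new) > 0


if __name__ == "__main__":
    exact = new_findings_by_exact_match(BASE_FINDINGS, HEAD_FINDINGS)
    by_violation = new_findings_by_violation(BASE_FINDINGS, HEAD_FINDINGS)
    print("exact match reports as new:", sorted(f.dependency for f in exact))
    print("violation match reports as new:", sorted(f.dependency for f in by_violation))
    print("license change is still new:",
          should_fail(new_findings_by_violation(BASE_FINDINGS, HEAD_LICENSE_CHANGED)))
```

With the violation-keyed comparison, the feature branch in the report's scenario (dependencyA bumped, nothing else changed) produces an empty diff and passes, while a new dependency or a license change on the bumped dependency still fails the gate.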
