diff --git a/core/build.gradle.kts b/core/build.gradle.kts
index 513ac9f2..16288b90 100644
--- a/core/build.gradle.kts
+++ b/core/build.gradle.kts
@@ -72,6 +72,10 @@ tasks.withType {
 }
 }
 
+tasks.withType {
+ sourceCompatibility = JavaVersion.VERSION_17.toString()
+}
+
 val projectAnalyzerJar = tasks.register("projectAnalyzerJar") {
 jarWithDependencies("opentaint-project-analyzer", "org.opentaint.jvm.sast.runner.ProjectAnalyzerRunner")
 }
diff --git a/core/src/main/kotlin/org/opentaint/jvm/sast/sarif/SarifGenerator.kt b/core/src/main/kotlin/org/opentaint/jvm/sast/sarif/SarifGenerator.kt
index 33f98fdc..d4dd365b 100644
--- a/core/src/main/kotlin/org/opentaint/jvm/sast/sarif/SarifGenerator.kt
+++ b/core/src/main/kotlin/org/opentaint/jvm/sast/sarif/SarifGenerator.kt
@@ -33,6 +33,7 @@ import org.opentaint.semgrep.pattern.RuleMetadata
 import java.io.OutputStream
 import java.nio.file.Path
 import java.security.MessageDigest
+import java.util.Arrays
 import kotlin.io.encoding.Base64
 import kotlin.io.encoding.ExperimentalEncodingApi
 import kotlin.io.path.absolutePathString
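Review bot: `sourceCompatibility = JavaVersion.VERSION_17.toString()` only pins the language level; when the build runs on a newer JDK the compiler still resolves symbols against that JDK's class library, so code can compile against post-17 APIs and then fail at runtime on a 17 JVM. Prefer `options.release.set(17)` on the compile task (or a `java { toolchain { ... } }` block), which enforces both the language level and the API surface. The type selector on `tasks.withType` appears to have been lost in rendering, so I am assuming this targets the JavaCompile tasks.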
@@ -169,21 +170,30 @@ class SarifGenerator(
 val digest = MessageDigest.getInstance("SHA-256")
 digest.update(ruleId.toByteArray())
 digest.addLocationFingerprint(vulnerabilityLocation)
- traces?.forEach { trace ->
- when (kind) {
- FingerprintKind.FULL_TRACE -> {
- trace.forEach { digest.addLocationFingerprint(it) }
- }
-
- FingerprintKind.SOURCE_SINK -> {
- trace.firstOrNull()?.let { digest.addLocationFingerprint(it) }
- }
- }
- }
+
+ traces
+ ?.map { computeTraceFingerprint(it, kind) }
+ ?.sortedWith(Arrays::compare)
+ ?.forEach(digest::update)
+
 val digestData = digest.digest()
 return Base64.encode(digestData)
 }
 
+ private fun computeTraceFingerprint(
+ trace: List,
+ kind: FingerprintKind,
+ ): ByteArray {
+ val digest = MessageDigest.getInstance("SHA-256")
+
+ when (kind) {
+ FingerprintKind.SOURCE_SINK -> trace.firstOrNull()?.let { digest.addLocationFingerprint(it) }
+ FingerprintKind.FULL_TRACE -> trace.forEach { digest.addLocationFingerprint(it) }
+ }
+
+ return digest.digest()
+ }
+
 private fun MessageDigest.addLocationFingerprint(loc: IntermediateLocation) {
 val instLoc = loc.inst.location as? JIRInstLocation ?: return
 update(instLoc.method.enclosingClass.name.toByteArray())
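Review bot: The `?.sortedWith(Arrays::compare)` step is what makes the fingerprint independent of the order in which traces are enumerated, and nothing in the hunk records that intent, so a later reader may drop it as a no-op; add a comment such as `// per-trace digests are sorted so the fingerprint is stable across trace enumeration order` and a KDoc on `computeTraceFingerprint` stating that it returns a fixed-length SHA-256 over the locations selected by `kind` (first location for SOURCE_SINK, every location for FULL_TRACE) and that locations whose `inst.location` is not a `JIRInstLocation` contribute nothing, so traces differing only in such entries hash identically. Since this change already alters every emitted fingerprint, it is also the right moment to delimit the concatenated fields: the `ruleId` bytes are fed into the digest immediately before the class-name bytes written by `addLocationFingerprint`, with no separator or length prefix, so distinct (ruleId, class) pairs can yield the same byte stream; length-prefixing each variable-length field (the per-trace digests are already fixed-size) removes that ambiguity. Whether duplicate traces should be collapsed with `distinct()` before sorting is worth a deliberate decision, as two identical traces currently shift the fingerprint relative to one. The enclosing function's signature lies above the hunk and `addLocationFingerprint` continues below it.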