fix(sbom): exclude duplicate vulnerabilities

[DmitriyLewen]

Description

We aggregated pip/gem/npm/jar/conda packages. Therefore, there are cases when Result contains the same vulnerabilities for the same packages but with different file paths. We show duplicates in vulnerabilities[].affects[] for these cases. But vulnerabilities[].affects[] should be uniq. To avoid this we don't need to include vulns with same CVE for same pkgID.

Example:

➜  tree

.
├── bar
│   └── jackson-databind-2.13.4.jar
├── foo
│   ├── bar
│   └── jackson-databind-2.13.4.jar

Before:

➜  trivy -q rootfs -f cyclonedx --scanners vuln . | jq '.vulnerabilities[0].affects'
[
  {
    "ref": "7d55fb4f-cd6d-426a-9103-9e3b0e784f16",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "7d55fb4f-cd6d-426a-9103-9e3b0e784f16",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "b8a8670f-c668-46cb-b8a4-2160040f77dd",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "b8a8670f-c668-46cb-b8a4-2160040f77dd",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  }
]

after:

➜  ./trivy -q rootfs -f cyclonedx --scanners vuln . | jq '.vulnerabilities[0].affects'
[
  {
    "ref": "5ced2014-adb3-4bae-a81d-64a767c5de81",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "6ca42da4-583f-42a3-b689-18a5b54dcfc3",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  }
]

Related issues

• Close #5796

Checklist

• [x] I've read the guidelines for contributing to this repository.
• [x] I've followed the conventions in the PR title.
• [x] I've added tests that prove my fix is effective or that my feature works.
• [ ] I've updated the documentation with the relevant information (if needed).
• [ ] I've added usage information (if the PR introduces new options)
• [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

@DmitriyLewen I had an idea to use UID but I was lazy and didn't implement it 😄 I've finally created https://github.com/aquasecurity/trivy/pull/7042, can you please see if this can fix the bug?

[DmitriyLewen]

can you please see if this can fix the bug?

I can confirm that your PR is fixing this bug :+1:

[DmitriyLewen]

Closed in favor of https://github.com/aquasecurity/trivy/pull/7042