Trivy image scan reports and counts the same CVE for the same package multiple times

[LesSyner]

Description

Trivy sometimes reports the same CVE for te same package multiple times (in single scan) resulting in incorrect number of CVEs for image.

Desired Behavior

trivy should report the same CVE for the same package only once

Actual Behavior

trivy reports multiple CVEs when in fact it's single occurance. Here is an example:

{
  "id": "CVE-2023-44981",
  "source": {
    "name": "ghsa",
    "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "ratings": [
    {
      "source": {
        "name": "bitnami"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    },
    {
      "source": {
        "name": "ghsa"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    },
    {
      "source": {
        "name": "redhat"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    }
  ],
  "cwes": [
    639
  ],
  "description": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like '[email protected]', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.\n\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\n\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\n\nSee the documentation for more details on correct cluster administration.\n",
  "recommendation": "Upgrade org.apache.zookeeper:zookeeper to version 3.7.2, 3.8.3, 3.9.1",
  "advisories": [
    {
      "url": "https://avd.aquasec.com/nvd/cve-2023-44981"
    },
    {
      "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4"
    },
    {
      "url": "https://access.redhat.com/security/cve/CVE-2023-44981"
    },
    {
      "url": "https://github.com/apache/zookeeper"
    },
    {
      "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b"
    },
    {
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html"
    },
    {
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
    },
    {
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
    },
    {
      "url": "https://www.debian.org/security/2023/dsa-5544"
    }
  ],
  "published": "2023-10-11T12:15:00+00:00",
  "updated": "2023-11-01T07:15:00+00:00",
  "affects": [
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    }
  ]
},

Reproduction Steps

1. trivy image --ignore-unfixed confluentinc/cp-schema-registry:7.5.2 --scanners vuln --severity CRITICAL -f cyclonedx

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2023-12-15T10:36:47.504+0100	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-12-15T10:36:47.505+0100	DEBUG	Severities: ["CRITICAL"]
2023-12-15T10:36:47.506+0100	DEBUG	Ignore statuses	{"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-12-15T10:36:47.523+0100	DEBUG	cache dir:  /Users/test/Library/Caches/trivy
2023-12-15T10:36:47.523+0100	DEBUG	DB update was skipped because the local DB is the latest
2023-12-15T10:36:47.523+0100	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-15 06:10:50.163004975 +0000 UTC, NextUpdate: 2023-12-15 12:10:50.163004594 +0000 UTC, DownloadedAt: 2023-12-15 09:18:37.448303 +0000 UTC
2023-12-15T10:36:47.524+0100	INFO	Vulnerability scanning is enabled
2023-12-15T10:36:47.524+0100	DEBUG	Vulnerability type:  [os library]
2023-12-15T10:36:47.524+0100	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-15T10:36:49.274+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-12-15T10:36:49.454+0100	DEBUG	Image ID: sha256:9c75bce947731d3ed3fba8e9f3d4646b2d15c3036f6d9062c5c4dd275a5045cc
2023-12-15T10:36:49.454+0100	DEBUG	Diff IDs: [sha256:1053d00b8e292c8a36bef630a0f4977b29da4e2fd60ac9425e0fcd1f7c1108d5 sha256:2784298e924345d0daf7eed5793662efbeb830bd3f83bc1bdf58dacf7a266477 sha256:e6074c53f57ac4a6c1163951950677943cf3608a3e79b400961eac20e44631d3 sha256:cf101d0177010a1169bd2c88481fa1086ee4eaf8f2433ccb431c657c3aa645e9 sha256:04394050f85b15adb4e989d29cbeaa2823aeec2928e1f17619a7fe83880ffcb7 sha256:f2f1f826c954809927a3684e569272533a951c885163b65efa2d021fb0d60759 sha256:9ab333f76a764635010e0f6872a40a21ce4f678a189689f2d6ec197d0880482f sha256:905c75c815e0a8cda612ef911e8a58eb3b34ed202f743cf847ced2850cd9bee7 sha256:d43f08d70ed9b8566f13578e2ab55a2697b7292dd1fccf107b28b007e877ca5a sha256:2b5c9ac251e65f3863a1c284b0b33bfc09deaf038f7d2a52997149b17daaf16e sha256:55d28c8a35a4f7d553aed857bba92f60f53bd38271d486166e6eb57e068e1871]
2023-12-15T10:36:49.454+0100	DEBUG	Base Layers: []
2023-12-15T10:36:49.575+0100	INFO	Detected OS: redhat
2023-12-15T10:36:49.575+0100	INFO	Detecting RHEL/CentOS vulnerabilities...
2023-12-15T10:36:49.575+0100	DEBUG	Red Hat: os version: 8
2023-12-15T10:36:49.575+0100	DEBUG	Red Hat: the number of packages: 188
2023-12-15T10:36:49.632+0100	INFO	Number of language-specific files: 2
2023-12-15T10:36:49.632+0100	INFO	Detecting python-pkg vulnerabilities...
2023-12-15T10:36:49.632+0100	DEBUG	Detecting library vulnerabilities, type: python-pkg, path: 
2023-12-15T10:36:49.635+0100	INFO	Detecting jar vulnerabilities...
2023-12-15T10:36:49.635+0100	DEBUG	Detecting library vulnerabilities, type: jar, path: 
2023-12-15T10:36:49.691+0100	DEBUG	Found an ignore file: .trivyignore

Operating System

macOS Sonoma 14.2

Version

Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-15 06:10:50.163004975 +0000 UTC
  NextUpdate: 2023-12-15 12:10:50.163004594 +0000 UTC
  DownloadedAt: 2023-12-15 09:18:37.448303 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-12-15 00:45:03.307690097 +0000 UTC
  NextUpdate: 2023-12-18 00:45:03.307689947 +0000 UTC
  DownloadedAt: 2023-12-15 09:19:43.769488 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

created #5796 for this task