fix(sbom): exclude duplicate vulnerabilities

pkg/sbom/io/encode.go

@@ -173,8 +173,15 @@ func (e *Encoder) encodePackages(parent *core.Component, result types.Result) {
 	// Group vulnerabilities by package ID
 	vulns := make(map[string][]core.Vulnerability)
 	for _, vuln := range result.Vulnerabilities {
-		v := e.vulnerability(vuln)
-		vulns[v.PkgID] = append(vulns[v.PkgID], v)
+		// There are cases when `Result` contains the same vulnerabilities for the same packages but with different file paths
+		// We don't need to include duplicates.
+		vv := vulns[vuln.PkgID]
+		if _, ok := lo.Find(vv, func(v core.Vulnerability) bool {
+			return vuln.VulnerabilityID == v.ID
+		}); !ok {
+			v := e.vulnerability(vuln)
+			vulns[v.PkgID] = append(vulns[v.PkgID], v)
+		}
 	}
 
 	// Convert packages into components and add them to the BOM

pkg/sbom/io/encode_test.go

@@ -97,20 +97,58 @@ func TestEncoder_Encode(t *testing.T) {
 						Class:  types.ClassLangPkg,
 						Packages: []ftypes.Package{
 							{
-								ID:       "org.apache.xmlgraphics/batik-anim:1.9.1",
-								Name:     "org.apache.xmlgraphics/batik-anim",
-								Version:  "1.9.1",
-								FilePath: "/app/batik-anim-1.9.1.jar",
+								ID:       "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+								Name:     "com.fasterxml.jackson.core:jackson-databind",
+								Version:  "2.13.4",
+								FilePath: "/foo/jackson-databind-2.13.4.jar",
 								Identifier: ftypes.PkgIdentifier{
 									PURL: &packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
-										Namespace: "org.apache.xmlgraphics",
-										Name:      "batik-anim",
-										Version:   "1.9.1",
+										Namespace: "com.fasterxml.jackson.core",
+										Name:      "jackson-databind",
+										Version:   "2.13.4",
+									},
+								},
+							},
+							{
+								ID:       "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+								Name:     "com.fasterxml.jackson.core:jackson-databind",
+								Version:  "2.13.4",
+								FilePath: "/bar/jackson-databind-2.13.4.jar",
+								Identifier: ftypes.PkgIdentifier{
+									PURL: &packageurl.PackageURL{
+										Type:      packageurl.TypeMaven,
+										Namespace: "com.fasterxml.jackson.core",
+										Name:      "jackson-databind",
+										Version:   "2.13.4",
 									},
 								},
 							},
 						},
+						Vulnerabilities: []types.DetectedVulnerability{
+							{
+								PkgName:          "com.fasterxml.jackson.core:jackson-databind",
+								PkgID:            "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+								VulnerabilityID:  "CVE-2022-42003",
+								InstalledVersion: "2.13.4",
+								FixedVersion:     "2.12.7.1, 2.13.4.2",
+								PkgPath:          "/foo/jackson-databind-2.13.4.jar",
+								Vulnerability: dtypes.Vulnerability{
+									Severity: "HIGH",
+								},
+							},
+							{
+								PkgName:          "com.fasterxml.jackson.core:jackson-databind",
+								PkgID:            "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+								VulnerabilityID:  "CVE-2022-42003",
+								InstalledVersion: "2.13.4",
+								FixedVersion:     "2.12.7.1, 2.13.4.2",
+								PkgPath:          "/bar/jackson-databind-2.13.4.jar",
+								Vulnerability: dtypes.Vulnerability{
+									Severity: "HIGH",
+								},
+							},
+						},
 					},
 				},
 			},
@@ -218,22 +256,56 @@ func TestEncoder_Encode(t *testing.T) {
 				},
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000005"): {
 					Type:    core.TypeLibrary,
-					Group:   "org.apache.xmlgraphics",
-					Name:    "batik-anim",
-					Version: "1.9.1",
+					Group:   "com.fasterxml.jackson.core",
+					Name:    "jackson-databind",
+					Version: "2.13.4",
+					Files: []core.File{
+						{
+							Path: "/foo/jackson-databind-2.13.4.jar",
+						},
+					},
+					Properties: []core.Property{
+						{
+							Name:  core.PropertyFilePath,
+							Value: "/foo/jackson-databind-2.13.4.jar",
+						},
+						{
+							Name:  core.PropertyPkgID,
+							Value: "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+						},
+						{
+							Name:  core.PropertyPkgType,
+							Value: "jar",
+						},
+					},
+					PkgIdentifier: ftypes.PkgIdentifier{
+						PURL: &packageurl.PackageURL{
+							Type:      packageurl.TypeMaven,
+							Namespace: "com.fasterxml.jackson.core",
+							Name:      "jackson-databind",
+							Version:   "2.13.4",
+						},
+						BOMRef: "3ff14136-e09f-4df9-80ea-000000000005",
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000006"): {
+					Type:    core.TypeLibrary,
+					Group:   "com.fasterxml.jackson.core",
+					Name:    "jackson-databind",
+					Version: "2.13.4",
 					Files: []core.File{
 						{
-							Path: "/app/batik-anim-1.9.1.jar",
+							Path: "/bar/jackson-databind-2.13.4.jar",
 						},
 					},
 					Properties: []core.Property{
 						{
 							Name:  core.PropertyFilePath,
-							Value: "/app/batik-anim-1.9.1.jar",
+							Value: "/bar/jackson-databind-2.13.4.jar",
 						},
 						{
 							Name:  core.PropertyPkgID,
-							Value: "org.apache.xmlgraphics/batik-anim:1.9.1",
+							Value: "com.fasterxml.jackson.core:jackson-databind:2.13.4",
 						},
 						{
 							Name:  core.PropertyPkgType,
@@ -243,11 +315,11 @@ func TestEncoder_Encode(t *testing.T) {
 					PkgIdentifier: ftypes.PkgIdentifier{
 						PURL: &packageurl.PackageURL{
 							Type:      packageurl.TypeMaven,
-							Namespace: "org.apache.xmlgraphics",
-							Name:      "batik-anim",
-							Version:   "1.9.1",
+							Namespace: "com.fasterxml.jackson.core",
+							Name:      "jackson-databind",
+							Version:   "2.13.4",
 						},
-						BOMRef: "pkg:maven/org.apache.xmlgraphics/[email protected]",
+						BOMRef: "3ff14136-e09f-4df9-80ea-000000000006",
 					},
 				},
 			},
@@ -261,6 +333,10 @@ func TestEncoder_Encode(t *testing.T) {
 						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000005"),
 						Type:       core.RelationshipContains,
 					},
+					{
+						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000006"),
+						Type:       core.RelationshipContains,
+					},
 				},
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): {
 					{
@@ -280,6 +356,7 @@ func TestEncoder_Encode(t *testing.T) {
 					},
 				},
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000005"): nil,
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000006"): nil,
 			},
 			wantVulns: map[uuid.UUID][]core.Vulnerability{
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000004"): {
@@ -294,6 +371,30 @@ func TestEncoder_Encode(t *testing.T) {
 						},
 					},
 				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000005"): {
+					{
+						ID:               "CVE-2022-42003",
+						PkgID:            "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+						PkgName:          "com.fasterxml.jackson.core:jackson-databind",
+						InstalledVersion: "2.13.4",
+						FixedVersion:     "2.12.7.1, 2.13.4.2",
+						Vulnerability: dtypes.Vulnerability{
+							Severity: "HIGH",
+						},
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000006"): {
+					{
+						ID:               "CVE-2022-42003",
+						PkgID:            "com.fasterxml.jackson.core:jackson-databind:2.13.4",
+						PkgName:          "com.fasterxml.jackson.core:jackson-databind",
+						InstalledVersion: "2.13.4",
+						FixedVersion:     "2.12.7.1, 2.13.4.2",
+						Vulnerability: dtypes.Vulnerability{
+							Severity: "HIGH",
+						},
+					},
+				},
 			},
 		},
 		{