Deduplicate CVS vulnerabilities for container scanning
Description
During container scanning, duplicate vulnerabilities and SBOM occurrences are generated when the same image is scanned multiple times. Incorrect vulnerability locations may also be displayed when an image is updated.
For instance, if an image tagged as `latest` is scanned for each software release, vulnerabilities identified in the old version might be reported for the new image carrying the `latest` tag.
Example:
Proposal
1. Add the image 'Manifest Digest' to the 'SBOM' source.
2. Display 'Manifest Digest' on the vulnerabilities page and vulnerability report page.
3. Avoid generating the vulnerability if the 'Manifest Digest' changes. This can be achieved by selecting the latest `Sbom::Occurrences` of the same manifest digest.
Rationale:
- Points 1 and 2: Help segregate vulnerabilities found in different images.
- Point 3: Prevents reporting vulnerabilities on overridden images.
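The selection rule behind point 3, worked through as an added example (this is not GitLab's code, and `SbomOccurrence` is a stand-in Struct for `Sbom::Occurrence` with assumed field names). For each image tag it keeps only the occurrences recorded against the manifest digest of the most recent scan, then collapses repeated scans of that same digest so one finding is reported once, with the digest attached as points 1 and 2 propose. The sample scans, digests and vulnerability ids are constructed placeholders.

```ruby
# Added example (not GitLab's code): models the dedup rule from the proposal.
# SbomOccurrence stands in for GitLab's Sbom::Occurrence; its field names are assumed.
SbomOccurrence = Struct.new(
  :image, :tag, :manifest_digest, :scanned_at,
  :component, :version, :vulnerability,
  keyword_init: true
)

# For each (image, tag), take the manifest digest of the most recent scan and
# keep only occurrences recorded against that digest. Occurrences of an earlier
# digest the tag used to point at are treated as overridden.
def latest_occurrences_by_digest(occurrences)
  occurrences.group_by { |o| [o.image, o.tag] }.flat_map do |_image_tag, group|
    current_digest = group.max_by(&:scanned_at).manifest_digest
    group.select { |o| o.manifest_digest == current_digest }
  end
end

# Re-scanning the same digest must not create a second copy of the same finding:
# collapse occurrences that agree on tag, digest, component, version and vulnerability.
def deduplicate_occurrences(occurrences)
  occurrences.uniq do |o|
    [o.image, o.tag, o.manifest_digest, o.component, o.version, o.vulnerability]
  end
end

# Vulnerabilities that should be displayed, each carrying the digest it was
# found in (points 1 and 2 of the proposal).
def current_vulnerabilities(occurrences)
  deduplicate_occurrences(latest_occurrences_by_digest(occurrences)).map do |o|
    { image: o.image, tag: o.tag, manifest_digest: o.manifest_digest,
      component: o.component, version: o.version, vulnerability: o.vulnerability }
  end
end

# Occurrences dropped because their digest was overridden (point 3); useful for
# auditing what the deduplication removed. Struct compares by value, so Array#-
# removes exactly the kept occurrences.
def overridden_occurrences(occurrences)
  occurrences - latest_occurrences_by_digest(occurrences)
end

# Constructed sample scans; image name, digests and vulnerability ids are placeholders.
IMAGE = 'registry.example/app'
SAMPLE_SCANS = [
  # Release 1: 'latest' points at sha256:aaaa and is scanned twice
  SbomOccurrence.new(image: IMAGE, tag: 'latest', manifest_digest: 'sha256:aaaa',
                     scanned_at: Time.utc(2024, 1, 1, 10), component: 'openssl',
                     version: '1.1.1', vulnerability: 'EXAMPLE-VULN-A'),
  SbomOccurrence.new(image: IMAGE, tag: 'latest', manifest_digest: 'sha256:aaaa',
                     scanned_at: Time.utc(2024, 1, 1, 11), component: 'openssl',
                     version: '1.1.1', vulnerability: 'EXAMPLE-VULN-A'),
  SbomOccurrence.new(image: IMAGE, tag: 'latest', manifest_digest: 'sha256:aaaa',
                     scanned_at: Time.utc(2024, 1, 1, 11), component: 'zlib',
                     version: '1.2.11', vulnerability: 'EXAMPLE-VULN-B'),
  # Tag v1.0 still points at sha256:aaaa, so its finding must survive
  SbomOccurrence.new(image: IMAGE, tag: 'v1.0', manifest_digest: 'sha256:aaaa',
                     scanned_at: Time.utc(2024, 1, 1, 11), component: 'openssl',
                     version: '1.1.1', vulnerability: 'EXAMPLE-VULN-A'),
  # Release 2: 'latest' re-tagged to sha256:bbbb; zlib finding gone, openssl upgraded
  SbomOccurrence.new(image: IMAGE, tag: 'latest', manifest_digest: 'sha256:bbbb',
                     scanned_at: Time.utc(2024, 1, 2, 9), component: 'openssl',
                     version: '3.0.0', vulnerability: 'EXAMPLE-VULN-C')
]

if __FILE__ == $PROGRAM_NAME
  current_vulnerabilities(SAMPLE_SCANS).each { |v| puts v.inspect }
  puts "overridden occurrences: #{overridden_occurrences(SAMPLE_SCANS).size}"
end
```

Run against the sample, the `latest` tag reports only the `sha256:bbbb` finding, the three `sha256:aaaa` occurrences it previously carried are dropped, and the `v1.0` tag that still points at `sha256:aaaa` keeps its finding. Including the tag in the dedup key is a deliberate choice: two tags pointing at the same digest are still listed separately so the location shown for each vulnerability stays correct.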
Edited by Aditya Tiwari
