Hello,
This is a general issue which also happens in some images, but mostly on VMs or EC2 machines.
I've noticed that I am getting the same x CVEs for different packages, which makes grype results huge.
Mostly, it comes from the kernel-modules cataloger, and it happens due to the way the CVEs are matched against the upstream (linux*).
It happens in multiple Linux distributions (Debian, Ubuntu, amzn).
In general you see something like this:
package a - kernel (x CVEs)
package b - kernel-module (x CVEs - duplicates of a)
package c - kernel-module (x CVEs - duplicates of a)
package d - kernel-module (x CVEs - duplicates of a)
etc.
Correct me if I am wrong, but once a user upgrades the kernel, he should expect all of the CVEs to be resolved (in case this is the remediation). So in this case, what is the point of the duplication? Why report on both packages and not merge them? (like merging Python binaries with the Python cataloger)
This is only 1 case, but when I checked the results, I saw some more issues with duplication of CVEs.
Let me know what you think.
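As an added example (not code from this issue or the grype project), a post-processing filter over grype JSON output that collapses kernel-module matches whose CVE the kernel package already carries, while keeping module-only findings. The syft type names `linux-kernel` and `linux-kernel-module`, the JSON field paths and the sample report are assumptions constructed for the example.

```python
"""Collapse duplicate kernel CVE matches in a grype JSON report (constructed
example, not grype project code). Assumes grype's matches[].vulnerability.id and
matches[].artifact.{name,type}, and the syft type names below (assumptions)."""
import json
from collections import defaultdict

KERNEL_TYPE = "linux-kernel"          # assumed syft type of the kernel package
MODULE_TYPE = "linux-kernel-module"   # assumed syft type of kernel-module packages

# Constructed sample report; CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001"},
     "artifact": {"name": "linux-image-example", "type": KERNEL_TYPE}},
    {"vulnerability": {"id": "CVE-0000-0002"},
     "artifact": {"name": "linux-image-example", "type": KERNEL_TYPE}},
    # module carrying the same two CVEs as the kernel (pure duplicates)
    {"vulnerability": {"id": "CVE-0000-0001"},
     "artifact": {"name": "example-module-a", "type": MODULE_TYPE}},
    {"vulnerability": {"id": "CVE-0000-0002"},
     "artifact": {"name": "example-module-a", "type": MODULE_TYPE}},
    # module with one duplicate and one CVE not reported on the kernel
    {"vulnerability": {"id": "CVE-0000-0001"},
     "artifact": {"name": "example-module-b", "type": MODULE_TYPE}},
    {"vulnerability": {"id": "CVE-0000-0003"},
     "artifact": {"name": "example-module-b", "type": MODULE_TYPE}},
]})


def collapse_kernel_duplicates(report_json):
    """Drop kernel-module matches whose CVE is already reported on the kernel.
    Returns (kept, dropped); dropped maps each collapsed CVE id to the sorted
    module names it was removed from, so the audit trail survives."""
    matches = json.loads(report_json)["matches"]
    kernel_cves = {m["vulnerability"]["id"] for m in matches
                   if m["artifact"]["type"] == KERNEL_TYPE}
    kept, dropped = [], defaultdict(set)
    for m in matches:
        cve, art = m["vulnerability"]["id"], m["artifact"]
        if art["type"] == MODULE_TYPE and cve in kernel_cves:
            dropped[cve].add(art["name"])  # same remediation: upgrade the kernel
        else:
            kept.append(m)  # kernel finding, or a module-only CVE worth keeping
    return kept, {c: sorted(n) for c, n in dropped.items()}


if __name__ == "__main__":
    kept, dropped = collapse_kernel_duplicates(SAMPLE_REPORT)
    print(f"kept {len(kept)} matches, collapsed {sum(map(len, dropped.values()))}")
```

Running it on the constructed report keeps the two kernel findings plus the one module-only CVE and records which modules the three collapsed matches came from.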