Feat: Add Anchore Grype detailed scan type for per-file-path deduplication documentation

Kasyap7 · Kasyap7 · commit 4733c0f4a5cb · 2026-03-28T12:40:57.000+05:30
Reference: DefectDojo#14573
diff --git a/docs/content/supported_tools/parsers/file/anchore_grype.md b/docs/content/supported_tools/parsers/file/anchore_grype.md
@@ -203,3 +203,31 @@ By default, DefectDojo identifies duplicate Findings using these [hashcode field
 - severity
 - component name
 - component version
+
+### Anchore Grype Detailed
+
+Both scan types accept the same JSON report format. The difference is in how Findings are deduplicated:
+
+- **`Anchore Grype`** — Aggregates all matches for the same CVE, component name, and version into a single Finding, regardless of file path. Deduplication is based on hashcode fields (`title`, `severity`, `component_name`, `component_version`).
+- **`Anchore Grype detailed`** — Creates a separate Finding for each unique file path. Deduplication is based on `unique_id_from_tool`, composed as `{vuln_id}|{component_name}|{component_version}|{file_path}`.
+
+A typical case is a package installed at multiple paths in a container image (e.g., /usr/lib/x86_64-linux-gnu/libc.so.6 and /lib/x86_64-linux-gnu/libc.so.6) — the same CVE would produce one Finding in default mode and two in detailed mode.
+
+**Field mapping:**
+
+| Finding Field | Grype JSON Source |
+|---|---|
+| `title` | `{vulnerability.id} in {artifact.name}:{artifact.version}` |
+| `severity` | `vulnerability.severity` (mapped: `Unknown`/`Negligible` → `Info`) |
+| `description` | `vulnerability.namespace`, `vulnerability.description`, `matchDetails[].matcher`, `artifact.purl` |
+| `component_name` | `artifact.name` |
+| `component_version` | `artifact.version` |
+| `file_path` | `artifact.locations[0].path` |
+| `vuln_id_from_tool` | `vulnerability.id` |
+| `unique_id_from_tool` | `vuln_id\|component_name\|component_version\|file_path` (detailed mode only) |
+| `references` | `vulnerability.dataSource`, `vulnerability.urls`, `relatedVulnerabilities[0].dataSource`, `relatedVulnerabilities[0].urls` |
+| `mitigation` | `vulnerability.fix.versions` |
+| `fix_available` | `true` if `vulnerability.fix.versions` is non-empty |
+| `fix_version` | `vulnerability.fix.versions[0]` (or comma-joined if multiple) |
+| `cvssv3` | `vulnerability.cvss` or `relatedVulnerabilities[0].cvss` |
+| `epss_score` / `epss_percentile` | `vulnerability.epss` or `relatedVulnerabilities[0].epss` |
diff --git a/dojo/tools/anchore_grype/parser.py b/dojo/tools/anchore_grype/parser.py
@@ -225,7 +225,7 @@ def get_findings(self, file, test):
                 )
                 if self.mode == "detailed":
                     dupes[dupe_key].unique_id_from_tool = dupe_key
-                dupes[dupe_key].unsaved_vulnerability_ids = vulnerability_ids                
+                dupes[dupe_key].unsaved_vulnerability_ids = vulnerability_ids
                 if settings.V3_FEATURE_LOCATIONS and artifact_purl:
                     dupes[dupe_key].unsaved_locations.append(
                         LocationData.dependency(purl=artifact_purl, file_path=file_path),

Original file line number	Diff line number	Diff line change
`@@ -225,7 +225,7 @@ def get_findings(self, file, test):`
`225`	`225`	`)`
`226`	`226`	`if self.mode == "detailed":`
`227`	`227`	`dupes[dupe_key].unique_id_from_tool = dupe_key`
`228`		`- dupes[dupe_key].unsaved_vulnerability_ids = vulnerability_ids`
	`228`	`+ dupes[dupe_key].unsaved_vulnerability_ids = vulnerability_ids`
`229`	`229`	`if settings.V3_FEATURE_LOCATIONS and artifact_purl:`
`230`	`230`	`dupes[dupe_key].unsaved_locations.append(`
`231`	`231`	`LocationData.dependency(purl=artifact_purl, file_path=file_path),`