From 43c730f927f8f24c254428764fddbcba758df672 Mon Sep 17 00:00:00 2001
From: rafi
Date: Thu, 26 Feb 2026 17:29:22 +0100
Subject: [PATCH] Deduplicate CVE and component PURL combinations in GetComponentRisk method
Signed-off-by: rafi
---
 services/statistics_service.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/services/statistics_service.go b/services/statistics_service.go
index b8d8eeddf..6a1c8cb06 100644
--- a/services/statistics_service.go
+++ b/services/statistics_service.go
@@ -35,11 +35,19 @@ func (s *statisticsService) GetComponentRisk(artifactName *string, assetVersionN
 distributionPerComponent := make(map[string]models.Distribution)
+ uniqueCombinations := make(map[string]struct{})
 for _, dependencyVuln := range dependencyVulns {
 componentName := dependencyVuln.ComponentPurl
 if _, exists := distributionPerComponent[componentName]; !exists {
 distributionPerComponent[componentName] = models.Distribution{}
 }
+
+ combinationKey := fmt.Sprintf("%s|%s", dependencyVuln.CVEID, dependencyVuln.ComponentPurl)
+
+ if _, exists := uniqueCombinations[combinationKey]; exists {
+ continue // already counted this CVE+PURL combination
+ }
+
 distribution := distributionPerComponent[componentName]
 risk := utils.OrDefault(dependencyVuln.RawRiskAssessment, 0)
@@ -68,6 +76,8 @@ func (s *statisticsService) GetComponentRisk(artifactName *string, assetVersionN
 }
 distributionPerComponent[componentName] = distribution
+
+ uniqueCombinations[combinationKey] = struct{}{}
 }
 return distributionPerComponent, nil
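Review bot: The `continue` on a repeated CVE+PURL key keeps whichever record happens to come first in `dependencyVulns`, so when duplicates carry different `RawRiskAssessment` values the bucket a component is counted in depends on input order, and a higher-risk duplicate can be left out of the distribution. If duplicates can differ (the hunk does not show where they come from), resolve each key to its highest risk before bucketing or iterate in a deterministic order, and state the rule in the comment, e.g. `// each CVE+PURL pair is counted once, using the first record seen`. Also confirm that `dependencyVuln.CVEID` is a plain string: if it is a `*string`, `%s` formats the pointer rather than the ID and the keys would compare by address, so the deduplication would not take effect; a struct key such as `struct{ cve, purl string }` avoids both the formatting and the `|` delimiter. The loop body continues between this hunk and the next one, outside the visible lines.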