fix(ci): dedupe vulnerability findings by id within each scanner

brendan-kellam · claude · brendan-kellam · commit a685d01227d7 · 2026-06-17T16:16:36.000-07:00
Trivy can report the same CVE multiple times (across lockfiles/targets or
when a CVE affects several packages). The previous build mapped over every
Trivy entry, so duplicate ids produced duplicate findings and therefore
duplicate Linear issues. Group Trivy and Dependabot by id so each unique id
yields exactly one finding, collecting all affected packages into it.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/vulnerability-triage.yml b/.github/workflows/vulnerability-triage.yml
@@ -433,9 +433,11 @@ jobs:
         run: |
           set -euo pipefail
           # Deterministically build the findings list from the three normalized scan
-          # files. Dedup by the pre-computed `id` field: a CVE/GHSA id present in both
-          # Trivy and Dependabot is merged into one entry; CodeQL alerts are grouped by
-          # rule id. Titles and descriptions are templated from the scan fields — no LLM.
+          # files. Dedup by the pre-computed `id` field so each unique id yields exactly
+          # one finding: duplicate ids within a single scanner are collapsed, a CVE/GHSA
+          # id present in both Trivy and Dependabot is merged into one entry, and CodeQL
+          # alerts are grouped by rule id. Titles and descriptions are templated from the
+          # scan fields — no LLM.
           for f in trivy-alerts.json dependabot-alerts.json codeql-alerts.json; do
             [ -f "$f" ] || echo "[]" > "$f"
           done
@@ -451,20 +453,24 @@ jobs:
             ($codeql[0] // []) as $codeql_raw |
             ($trivy_raw | map(.id)) as $trivy_ids |
 
-            # --- Trivy findings (merged with Dependabot when ids collide) ---
-            ($trivy_raw | map(
-              . as $t |
+            # --- Trivy findings (deduped by id, merged with Dependabot when ids collide) ---
+            # Trivy can report the same CVE multiple times (across lockfiles/targets or
+            # affecting several packages), so group by id and collect every package.
+            ($trivy_raw | group_by(.id) | map(
+              . as $group |
+              ($group[0]) as $t |
+              ($group | map(.pkg_name) | unique) as $pkgs |
               ($dep_raw | map(select(.id == $t.id)) | .[0]) as $match |
               {
                 cveId: $t.id,
                 severity: ($t.severity | sev),
                 source: (if $match then "trivy+dependabot" else "trivy" end),
-                title: (if (($t.title // "") != "") then $t.title else (($t.severity | sev) + " vulnerability in " + $t.pkg_name) end),
-                affectedPackage: $t.pkg_name,
+                title: (if (($t.title // "") != "") then $t.title else (($t.severity | sev) + " vulnerability in " + ($pkgs | join(", "))) end),
+                affectedPackage: ($pkgs | join(", ")),
                 description: (
                   "**Source:** Trivy container scan" + (if $match then " + Dependabot" else "" end) + "\n\n"
-                  + "**Package:** `" + $t.pkg_name + "` (installed `" + $t.installed_version + "`"
-                  + (if (($t.fixed_version // "") != "") then ", fixed in `" + $t.fixed_version + "`" else ", no fix available" end) + ")\n\n"
+                  + "**Affected package(s):**\n"
+                  + ($group | map("- `" + .pkg_name + "` (installed `" + .installed_version + "`" + (if ((.fixed_version // "") != "") then ", fixed in `" + .fixed_version + "`" else ", no fix available" end) + ")") | unique | join("\n")) + "\n\n"
                   + "**Severity:** " + ($t.severity | sev) + "\n\n"
                   + (if (($t.title // "") != "") then "**" + $t.title + "**\n\n" else "" end)
                   + (if (($t.description // "") != "") then $t.description + "\n\n" else "" end)
@@ -475,18 +481,20 @@ jobs:
               }
             )) as $trivy_findings |
 
-            # --- Dependabot-only findings (ids not already covered by Trivy) ---
-            ($dep_raw | map(select(.id as $id | ($trivy_ids | index($id)) | not)) | map(
-              . as $d |
+            # --- Dependabot-only findings (deduped by id, ids not already covered by Trivy) ---
+            ($dep_raw | group_by(.id) | map(select((.[0].id) as $id | ($trivy_ids | index($id)) | not)) | map(
+              . as $group |
+              ($group[0]) as $d |
+              ($group | map(.package_name) | unique) as $pkgs |
               {
                 cveId: $d.id,
                 severity: ($d.severity | sev),
                 source: "dependabot",
-                title: (if (($d.summary // "") != "") then $d.summary else (($d.severity | sev) + " vulnerability in " + $d.package_name) end),
-                affectedPackage: $d.package_name,
+                title: (if (($d.summary // "") != "") then $d.summary else (($d.severity | sev) + " vulnerability in " + ($pkgs | join(", "))) end),
+                affectedPackage: ($pkgs | join(", ")),
                 description: (
                   "**Source:** Dependabot\n\n"
-                  + "**Package:** `" + $d.package_name + "` (" + $d.package_ecosystem + ")"
+                  + "**Package:** `" + ($pkgs | join("`, `")) + "` (" + $d.package_ecosystem + ")"
                   + (if (($d.first_patched_version // "") != "") then " — patched in `" + $d.first_patched_version + "`" else " — no patched version available" end) + "\n\n"
                   + (if (($d.manifest_path // "") != "") then "**Manifest:** `" + $d.manifest_path + "`\n\n" else "" end)
                   + "**Severity:** " + ($d.severity | sev) + "\n\n"
