I am running the trivy operator on Kubernetes deployed via Helm. I expose metrics towards Prometheus and encountered the error "metric was collected before with the same name and label values"; full error message below:
* collected metric "trivy_vulnerability_id" { label:{name:"class" value:""} label:{name:"container_name" value:"zmsadmin"} label:{name:"fixed_version" value:"6.4.4"} label:{name:"image_digest" value:"sha256:1873efc130ad1141faf39299ce0c1a490ed1f77f28a1eb6580b91157340b60d2"} label:{name:"image_registry" value:"crzms.azurecr.io"} label:{name:"image_repository" value:"zmsadmin"} label:{name:"image_tag" value:"fc26b0a2"} label:{name:"installed_version" value:"6.4.3"} label:{name:"last_modified_date" value:"2025-03-24T18:15:22Z"} label:{name:"name" value:"replicaset-zmsadmin-cd99ccdf5-zmsadmin"} label:{name:"namespace" value:"team-frs-zms-zmsadmin"} label:{name:"package_type" value:""} label:{name:"pkg_path" value:""} label:{name:"published_date" value:"2025-03-24T18:15:22Z"} label:{name:"resource" value:"org.springframework.security:spring-security-core"} label:{name:"resource_kind" value:"ReplicaSet"} label:{name:"resource_name" value:"zmsadmin-cd99ccdf5"} label:{name:"severity" value:"Medium"} label:{name:"target" value:""} label:{name:"vuln_id" value:"CVE-2025-22223"} label:{name:"vuln_score" value:"5.3"} label:{name:"vuln_title" value:"spring-security: authorization bypass via incorrectly locating method security annotations on parameterized types or methods"} gauge:{value:1}} was collected before with the same name and label values
I then reviewed the mentioned vulnerabilityReport and found the issue. Two very similar vulnerabilities are being found by trivy which only differ in the packagePURL.
But Trivy does not expose the packagePURL label, so it looks to Prometheus as if those are the same and an error is thrown.
I would expect that those two vulnerabilities are reduced into one, as it seems to me like they describe the same vulnerability in the same package.
metricsVulnIdEnabled: true is set, and I saw similar issues: #1402, #1578
But those were fixed by updates, and I am already running on the latest version.
Environment:
Trivy-Operator version: 0.25.0, Helm version 0.27.0
Kubernetes version: v1.31.4
OS: Ubuntu 22.04.2
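An added illustration of the collision reported above (not trivy-operator code and not part of the original report): two report entries that differ only in a field that is not exported as a label collapse to the same label key, and de-duplicating on that key before emitting metrics leaves one series. The type, the function names, the PURL strings and the third entry are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Vuln is one report entry; PURL is in the report but is not a metric label.
type Vuln struct {
	VulnID, Resource, Installed, Fixed, Severity, PURL string
}

// labelKey joins only the values that become labels. Entries with equal
// keys yield the same series name and label values.
func labelKey(v Vuln) string {
	return strings.Join([]string{v.VulnID, v.Resource, v.Installed, v.Fixed, v.Severity}, "\x00")
}

// Dedupe keeps the first entry per label key and returns the rest as
// dropped, so collisions can be logged rather than lost silently.
func Dedupe(vs []Vuln) (kept, dropped []Vuln) {
	seen := make(map[string]bool, len(vs))
	for _, v := range vs {
		k := labelKey(v)
		if seen[k] {
			dropped = append(dropped, v)
			continue
		}
		seen[k] = true
		kept = append(kept, v)
	}
	return kept, dropped
}

// Sample is constructed: label values come from the error message above,
// the PURLs and the third entry are placeholders.
func Sample() []Vuln {
	const res = "org.springframework.security:spring-security-core"
	return []Vuln{
		{"CVE-2025-22223", res, "6.4.3", "6.4.4", "Medium", "pkg:example/purl-a"},
		{"CVE-2025-22223", res, "6.4.3", "6.4.4", "Medium", "pkg:example/purl-b"},
		{"PLACEHOLDER-0001", "example:other-package", "1.0.0", "1.0.1", "Low", "pkg:example/purl-c"},
	}
}

func main() {
	kept, dropped := Dedupe(Sample())
	fmt.Printf("series kept: %d, colliding entries dropped: %d\n", len(kept), len(dropped))
}
```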