add warnings

shino · shino · commit 9cf6fbd65d32 · 2026-03-26T18:39:33.000+09:00
diff --git a/contrib/trivy/pkg/converter.go b/contrib/trivy/pkg/converter.go
@@ -3,6 +3,7 @@ package pkg
 import (
 	"cmp"
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
 	"slices"
@@ -41,6 +42,7 @@ func Convert(results types.Results, artifactType ftypes.ArtifactType, artifactNa
 	pkgs := models.Packages{}
 	srcPkgs := models.SrcPackages{}
 	vulnInfos := models.VulnInfos{}
+	dupPkgs := map[string][]string{} // name -> list of versions seen (for duplicate detection)
 	libraryScannerPaths := map[string]models.LibraryScanner{}
 	for _, trivyResult := range results {
 		for _, vuln := range trivyResult.Vulnerabilities {
@@ -196,7 +198,21 @@ func Convert(results types.Results, artifactType ftypes.ArtifactType, artifactNa
 					pv = fmt.Sprintf("%d:%s", p.Epoch, pv)
 				}
 
-				if existing, ok := pkgs[p.Name]; !ok || compareVersions(trivyResult.Type, pv, existing.Version) >= 0 {
+				if existing, ok := pkgs[p.Name]; ok {
+					if existing.Version != pv {
+						if _, seen := dupPkgs[p.Name]; !seen {
+							dupPkgs[p.Name] = []string{existing.Version}
+						}
+						dupPkgs[p.Name] = append(dupPkgs[p.Name], pv)
+					}
+					if compareVersions(trivyResult.Type, pv, existing.Version) >= 0 {
+						pkgs[p.Name] = models.Package{
+							Name:    p.Name,
+							Version: pv,
+							Arch:    p.Arch,
+						}
+					}
+				} else {
 					pkgs[p.Name] = models.Package{
 						Name:    p.Name,
 						Version: pv,
@@ -281,6 +297,15 @@ func Convert(results types.Results, artifactType ftypes.ArtifactType, artifactNa
 	scanResult.Packages = pkgs
 	scanResult.SrcPackages = srcPkgs
 	scanResult.LibraryScanners = libraryScanners
+
+	for _, name := range slices.Sorted(maps.Keys(dupPkgs)) {
+		slices.Sort(dupPkgs[name])
+		scanResult.Warnings = append(scanResult.Warnings, fmt.Sprintf(
+			"Duplicate OS package detected: %s (%s). The newest version is kept, but false-positive CVEs may remain.",
+			name, strings.Join(dupPkgs[name], ", "),
+		))
+	}
+
 	return scanResult, nil
 }
 
diff --git a/contrib/trivy/pkg/converter_test.go b/contrib/trivy/pkg/converter_test.go
@@ -590,6 +590,9 @@ func TestConvert(t *testing.T) {
 				JSONVersion:     models.JSONVersion,
 				ScannedCves:     models.VulnInfos{},
 				LibraryScanners: models.LibraryScanners{},
+				Warnings: []string{
+					"Duplicate OS package detected: libssl3t64 (3.5.4-1~deb13u1, 3.5.5-1~deb13u1). The newest version is kept, but false-positive CVEs may remain.",
+				},
 				Packages: models.Packages{
 					"libssl3t64": {
 						Name:    "libssl3t64",
@@ -644,6 +647,9 @@ func TestConvert(t *testing.T) {
 				JSONVersion:     models.JSONVersion,
 				ScannedCves:     models.VulnInfos{},
 				LibraryScanners: models.LibraryScanners{},
+				Warnings: []string{
+					"Duplicate OS package detected: libssl3t64 (3.5.4-1~deb13u1, 3.5.5-1~deb13u1). The newest version is kept, but false-positive CVEs may remain.",
+				},
 				Packages: models.Packages{
 					"libssl3t64": {
 						Name:    "libssl3t64",
@@ -716,6 +722,10 @@ func TestConvert(t *testing.T) {
 				JSONVersion:     models.JSONVersion,
 				ScannedCves:     models.VulnInfos{},
 				LibraryScanners: models.LibraryScanners{},
+				Warnings: []string{
+					"Duplicate OS package detected: libssl3t64 (3.5.4-1~deb13u1, 3.5.5-1~deb13u1). The newest version is kept, but false-positive CVEs may remain.",
+					"Duplicate OS package detected: openssl-provider-legacy (3.5.4-1~deb13u1, 3.5.5-1~deb13u1). The newest version is kept, but false-positive CVEs may remain.",
+				},
 				Packages: models.Packages{
 					"libssl3t64": {
 						Name:    "libssl3t64",
@@ -775,6 +785,9 @@ func TestConvert(t *testing.T) {
 				JSONVersion:     models.JSONVersion,
 				ScannedCves:     models.VulnInfos{},
 				LibraryScanners: models.LibraryScanners{},
+				Warnings: []string{
+					"Duplicate OS package detected: openssl (3.5.4-r0, 3.5.5-r0). The newest version is kept, but false-positive CVEs may remain.",
+				},
 				Packages: models.Packages{
 					"openssl": {
 						Name:    "openssl",
