How can we avoid having a CVE multiple times ?

[TheTricky65]

Description

I am trying to use Trivy into our pipelines and one one issue we face is that we have a built-in security gate that prevents the pipeline to continue if the scan result has let's say more than 5 medium for example.
But in some cases we have 4 times the same CVE ID and another one , so the result of the 2 unique CVEs should pass the gate whereas here it doesn't.
What would be the best way to tackle this issue according to you ?

Target

Container Image

Scanner

Vulnerability

[DmitriyLewen]

Hello @TheTricky65

Trivy doesn't have options to aggregate multiple vulnerabilities with same CVE.
This is required to show all vulnerable packages/files.

I have some thought about your case:

• you can use other utilities (e.g. jq) for report in json format
• you can create plugin for your case or create PR with new flag for trivy-plugin-count