You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add a Fingerprint field to vulnerability results to provide a consistent and unique identifier for each vulnerability. This enables external systems (security management platforms, issue trackers, databases, etc.) to reliably deduplicate and track vulnerabilities across multiple scans.
Background
When integrating Trivy with external security management systems, there's a need for a stable identifier to:
Deduplicate the same vulnerability across multiple scan runs
Maintain persistent dismissals/suppressions across scans
Link vulnerabilities to external ticketing systems
Build historical trend analysis
Currently, external systems must generate their own identifiers by combining various fields, which leads to inconsistency across different tools and platforms.
Requirements
The fingerprint should provide the following characteristics:
Same Artifact + Same Target + Same Package → Same Fingerprint
If a vulnerability is detected in the same artifact, same target (file path), and same package, it should produce the same fingerprint
Different Artifacts → Different Fingerprints
Example: alpine:3.20 and alpine:3.21 both detect CVE-2025-0001 in the same package, but their fingerprints must differ
Different Targets (file paths) → Different Fingerprints
Example: app1/package-lock.json and app2/package-lock.json both contain the same vulnerable package with the same CVE, but their fingerprints must differ
This allows proper tracking of vulnerabilities in monorepos or multi-project containers
Different Packages → Different Fingerprints
Example: package-a and package-b both affected by CVE-2025-0001 must have different fingerprints
Different Package Versions → Different Fingerprints
Example: Within the same project, if package-a@v1.0.0 and package-a@v2.0.0 are both affected by CVE-2025-0001, their fingerprints should be different
Proposed Implementation
Add a Fingerprint field to the DetectedVulnerability struct (in pkg/types/result.go):
Description
Add a
Fingerprintfield to vulnerability results to provide a consistent and unique identifier for each vulnerability. This enables external systems (security management platforms, issue trackers, databases, etc.) to reliably deduplicate and track vulnerabilities across multiple scans.Background
When integrating Trivy with external security management systems, there's a need for a stable identifier to:
Currently, external systems must generate their own identifiers by combining various fields, which leads to inconsistency across different tools and platforms.
Requirements
The fingerprint should provide the following characteristics:
Same Artifact + Same Target + Same Package → Same Fingerprint
Different Artifacts → Different Fingerprints
alpine:3.20andalpine:3.21both detectCVE-2025-0001in the same package, but their fingerprints must differDifferent Targets (file paths) → Different Fingerprints
app1/package-lock.jsonandapp2/package-lock.jsonboth contain the same vulnerable package with the same CVE, but their fingerprints must differDifferent Packages → Different Fingerprints
package-aandpackage-bboth affected byCVE-2025-0001must have different fingerprintsDifferent Package Versions → Different Fingerprints
package-a@v1.0.0andpackage-a@v2.0.0are both affected byCVE-2025-0001, their fingerprints should be differentProposed Implementation
Add a
Fingerprintfield to theDetectedVulnerabilitystruct (inpkg/types/result.go):The fingerprint should be generated from a combination of:
ArtifactID(from Report, introduced in feat: add ArtifactID field to uniquely identify scan targets #9663) - uniquely identifies the scan target/artifactTarget(from Result) - identifies the file/path within the artifact (e.g.,app1/package-lock.json,app2/package-lock.json)PkgID- package identifier (includes name, version, and other package-specific identifiers)VulnerabilityID- CVE/vulnerability identifierExample fingerprint generation:
Benefits
Related Work
ArtifactIDfield to uniquely identify scan targets, which is a key component for fingerprint generationArtifactIDcalculation to include registry and repository information for container images