
Conversation

@knqyf263 (Collaborator)

Description

This PR implements fingerprint generation for detected vulnerabilities to enable external systems to uniquely identify and track vulnerabilities across multiple scans.

Each vulnerability is assigned a deterministic SHA256-based fingerprint composed of:

  • ArtifactID (unique identifier for the scanned artifact)
  • Target (scan target path)
  • PkgID (package identifier with version)
  • VulnerabilityID (CVE or vulnerability identifier)

The fingerprint format uses the "sha256:" prefix for consistency with Docker/OCI digest standards.

Related issues

Before and After

Before (without fingerprint)

```json
{
  "VulnerabilityID": "CVE-2023-42366",
  "PkgID": "busybox@1.35.0-r17",
  "PkgName": "busybox",
  "InstalledVersion": "1.35.0-r17",
  "FixedVersion": "1.35.0-r18",
  "Status": "fixed",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-42366",
  "Title": "busybox: A heap-buffer-overflow",
  "Severity": "MEDIUM"
}
```

After (with fingerprint)

```json
{
  "VulnerabilityID": "CVE-2023-42366",
  "PkgID": "busybox@1.35.0-r17",
  "PkgName": "busybox",
  "InstalledVersion": "1.35.0-r17",
  "FixedVersion": "1.35.0-r18",
  "Status": "fixed",
  "Fingerprint": "sha256:c2f054e07c516fabf395ddc7b362fbe43597bc2e1d80ac46d6043a0e67968efb",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-42366",
  "Title": "busybox: A heap-buffer-overflow",
  "Severity": "MEDIUM"
}
```

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

This change adds unique fingerprint generation for detected vulnerabilities
to enable external systems to track and deduplicate vulnerabilities across
multiple scans.

Key changes:
- Add Fingerprint field to DetectedVulnerability type
- Create pkg/fingerprint package with Fill() function
- Fingerprint is SHA256 hash of: artifactID:target:pkgID:vulnerabilityID
- Add CalcSHA256() function to pkg/digest for byte array hashing
- Rename CalcSHA256 to CalcSHA256FromReader for clarity
- Include comprehensive unit tests for fingerprint generation
- Update integration test golden files with fingerprint values

The fingerprint is deterministic, ensuring the same inputs always produce
the same hash. This enables reliable tracking of vulnerabilities across
scans even when other metadata may change.

Future work will extend fingerprint generation to misconfigurations,
secrets, and licenses using the same pattern.

Closes aquasecurity#9793

This commit adds the "sha256:" prefix to fingerprint values for
consistency with Docker/OCI digest standards. The fingerprint format
is now "sha256:<64-char-hex>" instead of just the hex string.

Changes:
- Updated pkg/fingerprint to use digest.String() instead of Encoded()
- Updated pkg/digest/digest.go to use hex.EncodeToString for better performance
- Added nolint directives for placeholder functions
- Updated all integration test golden files with new fingerprint format

@knqyf263 added the kind/feature and scan/vulnerability labels Nov 12, 2025
@knqyf263 knqyf263 self-assigned this Nov 12, 2025
@github-actions bot added the apidiff label (Go API changes relevant to library consumers) Nov 12, 2025


github-actions bot commented Nov 12, 2025

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/fingerprint
  Compatible changes:
  - Fill: added

github.com/aquasecurity/trivy/pkg/digest
  Incompatible changes:
  - CalcSHA256: changed from func(io.ReadSeeker) (Digest, error) to func([]byte) Digest
  Compatible changes:
  - CalcSHA256FromReader: added

github.com/aquasecurity/trivy/pkg/types
  Compatible changes:
  - DetectedVulnerability.Fingerprint: added

@aqua-bot requested a review from a team November 12, 2025 17:37

Update the fingerprint length validation from 64 to 71 characters to
account for the 'sha256:' prefix (7 characters) added to fingerprints.
Update spring4shell-jre8 and spring4shell-jre11 golden files to include
the Fingerprint field with sha256 prefix for vulnerability CVE-2022-22965.
Add overrideFingerprint to TestSBOMEquivalence and TestTarWithOverride
to clear fingerprints before comparison, as fingerprints vary between tests.
Signed-off-by: knqyf263 <[email protected]>
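The fingerprint described in the PR description and the commit messages above, worked through as an added example (written for this page, not Trivy's own pkg/fingerprint code): the four inputs are joined as artifactID:target:pkgID:vulnerabilityID, hashed with SHA-256, and emitted with the "sha256:" prefix, and the 71-character check from the last commit is applied to the result. The ArtifactID and Target values are constructed placeholders, so the output does not reproduce the hash shown in the "After" example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// VulnFingerprint holds the four inputs the PR description lists.
// Illustration written for this page, not Trivy's pkg/fingerprint code.
type VulnFingerprint struct {
	ArtifactID      string // unique identifier for the scanned artifact
	Target          string // scan target path
	PkgID           string // package identifier with version
	VulnerabilityID string // CVE or other vulnerability identifier
}

// Fingerprint hashes artifactID:target:pkgID:vulnerabilityID (the layout
// the first commit message names) and returns "sha256:<64-char-hex>".
func Fingerprint(v VulnFingerprint) string {
	input := strings.Join([]string{v.ArtifactID, v.Target, v.PkgID, v.VulnerabilityID}, ":")
	sum := sha256.Sum256([]byte(input))
	return "sha256:" + hex.EncodeToString(sum[:])
}

// IsValidFingerprint applies the 71-character rule from the third commit:
// 7 bytes of "sha256:" followed by 64 hex digits.
func IsValidFingerprint(fp string) bool {
	if len(fp) != 71 || !strings.HasPrefix(fp, "sha256:") {
		return false
	}
	_, err := hex.DecodeString(fp[len("sha256:"):])
	return err == nil
}

func main() {
	// Constructed sample values: the page does not give the ArtifactID and
	// Target behind its example hash, so this does not reproduce that value.
	v := VulnFingerprint{
		ArtifactID:      "artifact-0001",
		Target:          "alpine:3.17 (alpine 3.17.0)",
		PkgID:           "busybox@1.35.0-r17",
		VulnerabilityID: "CVE-2023-42366",
	}
	fp := Fingerprint(v)
	fmt.Println(fp, IsValidFingerprint(fp))
	// Same inputs, same output: deterministic across scans, so trackers can deduplicate.
	fmt.Println(Fingerprint(v) == fp)
}
```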

@knqyf263 added the autoready label (automatically mark PR as ready for review when all checks pass) Nov 13, 2025
@github-actions bot marked this pull request as ready for review November 13, 2025 06:00
@github-actions bot removed the autoready label Nov 13, 2025
@DmitriyLewen (Contributor) left a comment


LGTM

@knqyf263 knqyf263 added this pull request to the merge queue Nov 17, 2025
Merged via the queue into aquasecurity:main with commit cbad9ca Nov 17, 2025
14 checks passed
@knqyf263 knqyf263 deleted the feat/vulnerability-fingerprint branch November 17, 2025 07:43
Development

Successfully merging this pull request may close these issues.

feat: add Fingerprint field to vulnerability results for consistent identification