Add ability to merge matches

cmd/root_test.go

@@ -3,6 +3,8 @@ package cmd
 import (
 	"testing"
 
+	"github.com/google/uuid"
+
 	"github.com/anchore/grype/grype/db"
 	grypeDB "github.com/anchore/grype/grype/db/v3"
 	"github.com/anchore/grype/grype/match"
@@ -37,19 +39,24 @@ func (d *mockMetadataStore) GetVulnerabilityMetadata(id, recordSource string) (*
 
 func TestAboveAllowableSeverity(t *testing.T) {
 	thePkg := pkg.Package{
+		ID:      pkg.ID(uuid.NewString()),
 		Name:    "the-package",
 		Version: "v0.1",
 		Type:    syftPkg.RpmPkg,
 	}
 
 	matches := match.NewMatches()
-	matches.Add(thePkg, match.Match{
-		Type: match.ExactDirectMatch,
+	matches.Add(match.Match{
 		Vulnerability: vulnerability.Vulnerability{
 			ID:        "CVE-2014-fake-1",
 			Namespace: "source-1",
 		},
 		Package: thePkg,
+		Details: match.Details{
+			{
+				Type: match.ExactDirectMatch,
+			},
+		},
 	})
 
 	tests := []struct {

go.mod

@@ -10,7 +10,6 @@ require (
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
 	github.com/anchore/stereoscope v0.0.0-20220110181730-c91cf94a3718
 	github.com/anchore/syft v0.36.0
-	github.com/aws/aws-sdk-go v1.31.6 // indirect
 	github.com/bmatcuk/doublestar/v2 v2.0.4
 	github.com/docker/docker v20.10.11+incompatible
 	github.com/dustin/go-humanize v1.0.0
@@ -20,7 +19,6 @@ require (
 	github.com/google/go-cmp v0.5.6
 	github.com/google/uuid v1.2.0
 	github.com/gookit/color v1.4.2
-	github.com/gopherjs/gopherjs v0.0.0-20190910122728-9d188e94fb99 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-getter v1.5.9
 	github.com/hashicorp/go-multierror v1.1.0
@@ -29,15 +27,13 @@ require (
 	github.com/jinzhu/gorm v1.9.14
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
-	github.com/lib/pq v1.2.0 // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
+	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/olekukonko/tablewriter v0.0.4
 	github.com/pkg/profile v1.6.0
 	github.com/scylladb/go-set v1.0.2
 	github.com/sergi/go-diff v1.1.0
 	github.com/sirupsen/logrus v1.8.1
-	github.com/smartystreets/assertions v1.0.0 // indirect
 	github.com/spf13/afero v1.6.0
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -132,9 +132,8 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
+github.com/aws/aws-sdk-go v1.15.78 h1:LaXy6lWR0YK7LKyuU0QWy2ws/LWTPfYV/UgfiBu4tvY=
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
-github.com/aws/aws-sdk-go v1.31.6 h1:nKjQbpXhdImctBh1e0iLg9iQW/X297LPPuY/9f92R2k=
-github.com/aws/aws-sdk-go v1.31.6/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -498,9 +497,8 @@ github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1K
 github.com/gookit/color v1.2.7/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg=
 github.com/gookit/color v1.4.2 h1:tXy44JFSFkKnELV6WaMo/lLfu/meqITX3iAV52do7lk=
 github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gopherjs/gopherjs v0.0.0-20190910122728-9d188e94fb99 h1:twflg0XRTjwKpxb/jFExr4HGq6on2dEOmnL6FV+fgPw=
-github.com/gopherjs/gopherjs v0.0.0-20190910122728-9d188e94fb99/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
@@ -571,9 +569,8 @@ github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkr
 github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M=
 github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7 h1:SMvOWPJCES2GdFracYbBQh93GXac8fq7HeN6JnpduB8=
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
-github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -617,9 +614,8 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lib/pq v1.1.1 h1:sJZmqHoEaY7f+NPP8pgLB/WxulyR3fewgCM2qaSlBb4=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.2.0 h1:LXpIM/LZ5xGFhOpXAQUIMM1HdyqzVYM13zNdjCEEcA0=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381 h1:bqDmpDG49ZRnB5PcgP0RXtQvnMSgIF14M7CBd2shtXs=
 github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -629,14 +625,12 @@ github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho=
+github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.6 h1:SrwhHcpV4nWrMGdNcC2kXpMfcBVYGDuTArqyhocJgvA=
 github.com/mattn/go-isatty v0.0.6/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.7 h1:Ei8KR0497xHyKJPAv59M1dkC+rOZCMBJ+t3fZ+twI54=
@@ -810,9 +804,8 @@ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrf
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/assertions v1.0.0 h1:UVQPSSmc3qtTi+zPPkCXvZX9VvW/xT/NsRvKfwY81a8=
-github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
@@ -1122,7 +1115,6 @@ golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

grype/db/v3/namespace_test.go

@@ -7,6 +7,7 @@ import (
 	"github.com/anchore/grype/grype/distro"
 	"github.com/anchore/grype/grype/pkg"
 	syftPkg "github.com/anchore/syft/syft/pkg"
+	"github.com/google/uuid"
 	"github.com/scylladb/go-set/strset"
 	"github.com/stretchr/testify/assert"
 )
@@ -214,6 +215,7 @@ func Test_NamespacesForLanguage(t *testing.T) {
 		{
 			language: syftPkg.Rust,
 			namerInput: &pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 			},
 			expectedNamespaces: []string{
@@ -226,6 +228,7 @@ func Test_NamespacesForLanguage(t *testing.T) {
 		{
 			language: syftPkg.Go,
 			namerInput: &pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 			},
 			expectedNamespaces: []string{
@@ -239,6 +242,7 @@ func Test_NamespacesForLanguage(t *testing.T) {
 		{
 			language: syftPkg.Ruby,
 			namerInput: &pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 			},
 			expectedNamespaces: []string{
@@ -251,6 +255,7 @@ func Test_NamespacesForLanguage(t *testing.T) {
 		{
 			language: syftPkg.JavaScript,
 			namerInput: &pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 			},
 			expectedNamespaces: []string{
@@ -263,6 +268,7 @@ func Test_NamespacesForLanguage(t *testing.T) {
 		{
 			language: syftPkg.Python,
 			namerInput: &pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 			},
 			expectedNamespaces: []string{
@@ -275,6 +281,7 @@ func Test_NamespacesForLanguage(t *testing.T) {
 		{
 			language: syftPkg.Java,
 			namerInput: &pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 				Metadata: pkg.JavaMetadata{
 					VirtualPath:   "v-path",
@@ -329,6 +336,7 @@ func Test_githubJavaPackageNamer(t *testing.T) {
 		{
 			name: "both artifact and manifest",
 			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 				Metadata: pkg.JavaMetadata{
 					VirtualPath:   "v-path",
@@ -345,6 +353,7 @@ func Test_githubJavaPackageNamer(t *testing.T) {
 		{
 			name: "no group id",
 			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 				Metadata: pkg.JavaMetadata{
 					VirtualPath:   "v-path",
@@ -357,6 +366,7 @@ func Test_githubJavaPackageNamer(t *testing.T) {
 		{
 			name: "only manifest",
 			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 				Metadata: pkg.JavaMetadata{
 					VirtualPath:  "v-path",
@@ -371,6 +381,7 @@ func Test_githubJavaPackageNamer(t *testing.T) {
 		{
 			name: "only artifact",
 			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 				Metadata: pkg.JavaMetadata{
 					VirtualPath:   "v-path",
@@ -385,6 +396,7 @@ func Test_githubJavaPackageNamer(t *testing.T) {
 		{
 			name: "no artifact or manifest",
 			namerInput: pkg.Package{
+				ID:   pkg.ID(uuid.NewString()),
 				Name: "a-name",
 				Metadata: pkg.JavaMetadata{
 					VirtualPath: "v-path",

grype/db/vulnerability_provider_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/google/uuid"
 
 	"github.com/stretchr/testify/assert"
 
@@ -24,6 +25,7 @@ func TestGetByDistro(t *testing.T) {
 	}
 
 	p := pkg.Package{
+		ID:   pkg.ID(uuid.NewString()),
 		Name: "neutron",
 	}
 
@@ -62,6 +64,7 @@ func TestGetByDistro_nilDistro(t *testing.T) {
 	provider := NewVulnerabilityProvider(newMockStore())
 
 	p := pkg.Package{
+		ID:   pkg.ID(uuid.NewString()),
 		Name: "neutron",
 	}
 

grype/match/details.go

@@ -0,0 +1,54 @@
+package match
+
+import (
+	"fmt"
+
+	"github.com/mitchellh/hashstructure/v2"
+)
+
+type Details []Detail
+
+type Detail struct {
+	Type       Type        // The kind of match made (an exact match, fuzzy match, indirect vs direct, etc).
+	SearchedBy interface{} // The specific attributes that were used to search (other than package name and version) --this indicates "how" the match was made.
+	Found      interface{} // The specific attributes on the vulnerability object that were matched with --this indicates "what" was matched on / within.
+	Matcher    MatcherType // The matcher object that discovered the match.
+	Confidence float64     // The certainty of the match as a ratio (currently unused, reserved for future use).
+}
+
+// String is the string representation of select match fields.
+func (m Detail) String() string {
+	return fmt.Sprintf("Detail(searchedBy=%q found=%q matcher=%q)", m.SearchedBy, m.Found, m.Matcher)
+}
+
+func (m Details) Matchers() (tys []MatcherType) {
+	if len(m) == 0 {
+		return nil
+	}
+	for _, d := range m {
+		tys = append(tys, d.Matcher)
+	}
+	return tys
+}
+
+func (m Details) Types() (tys []Type) {
+	if len(m) == 0 {
+		return nil
+	}
+	for _, d := range m {
+		tys = append(tys, d.Type)
+	}
+	return tys
+}
+
+func (m Detail) ID() string {
+	f, err := hashstructure.Hash(&m, hashstructure.FormatV2, &hashstructure.HashOptions{
+		ZeroNil:      true,
+		SlicesAsSets: true,
+	})
+	if err != nil {
+		return ""
+	}
+
+	return fmt.Sprintf("%x", f)
+}

grype/match/explicit_ignores_test.go

@@ -63,22 +63,20 @@ func Test_ApplyExplicitIgnoreRules(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			matches := Matches{
-				byPackage: make(map[pkg.ID][]Match),
-			}
+			matches := NewMatches()
 
 			for _, cp := range test.matches {
-				matches.byPackage[pkg.ID(cp.pkg)] = []Match{
-					{
-						Package: pkg.Package{
-							Name: cp.pkg,
-							Type: test.typ,
-						},
-						Vulnerability: vulnerability.Vulnerability{
-							ID: cp.cve,
-						},
+				matches.Add(Match{
+
+					Package: pkg.Package{
+						ID:   pkg.ID(cp.pkg),
+						Name: cp.pkg,
+						Type: test.typ,
+					},
+					Vulnerability: vulnerability.Vulnerability{
+						ID: cp.cve,
 					},
-				}
+				})
 			}
 
 			filtered := ApplyExplicitIgnoreRules(matches)

grype/match/fingerprint.go

@@ -0,0 +1,31 @@
+package match
+
+import (
+	"fmt"
+
+	"github.com/anchore/grype/grype/pkg"
+	"github.com/mitchellh/hashstructure/v2"
+)
+
+type Fingerprint struct {
+	vulnerabilityID        string
+	vulnerabilityNamespace string
+	vulnerabilityFixes     string
+	packageID              pkg.ID // note: this encodes package name, version, type, location
+}
+
+func (m Fingerprint) String() string {
+	return fmt.Sprintf("Fingerprint(vuln=%q namespace=%q fixes=%q package=%q)", m.vulnerabilityID, m.vulnerabilityNamespace, m.vulnerabilityFixes, m.packageID)
+}
+
+func (m Fingerprint) ID() string {
+	f, err := hashstructure.Hash(&m, hashstructure.FormatV2, &hashstructure.HashOptions{
+		ZeroNil:      true,
+		SlicesAsSets: true,
+	})
+	if err != nil {
+		return ""
+	}
+
+	return fmt.Sprintf("%x", f)
+}