Duplicate findings when NVD and Google OSV Datasource are enabled #5785
Unanswered
cachescrubber asked this question in Q&A
Replies: 0 comments
Our installation relied on NVD (Datasource) + Internal (analyzer) + Sonatype OSS Index (analyzer).
In the last 6-9 months I noticed an ever increasing rate of Findings with Unassigned severity. This observation matches what, for example, Sonatype has reported in their 2026 SSCR. See CVE-2026-24400 in the attached image.
To get more up to date and accurate data we enabled Google OSV (Datasource) as an additional data source. Alias mapping is enabled where possible and seems to work well.
GHSA-rqfh-9r24-8c9r (GITHUB): Published: 26 Jan 2026 Aliases: CVE-2026-24400
CVE-2026-24400 (NVD): Published: 27 Jan 2026 Aliases: GHSA-rqfh-9r24-8c9r
Unfortunately this caused duplicate findings all over the place. Findings are now created by CVE and GHSA. Is there anything to avoid this and effectively merge the findings into one? Or do we need to decide between NVD or OSV/Github?
Any recommendations / best practices are welcome.
Technically this is probably a duplicate of this earlier question: #2225
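The duplication described in the question comes from the same vulnerability being recorded once under its CVE id and once under its GHSA id, even though each record lists the other as an alias. The following is an added example, not code from the question or from Dependency-Track, of how an alias-aware merge can collapse such findings per component: it builds alias groups with a union-find over the vulnerability ids, keys findings by (component, alias group), picks a canonical id (CVE preferred), and keeps the highest non-Unassigned severity seen across sources. The input records are constructed for the example (the GHSA/CVE pair is the one from the question; `CVE-0000-0000` is a placeholder for an unrelated, un-aliased finding), and the severity-preference rule is this example's own choice, not documented Dependency-Track behaviour.

```python
from typing import Dict, List

# Constructed sample findings, modelled on the CVE/GHSA pair in the question.
# "CVE-0000-0000" is a placeholder id for an unrelated finding with no aliases.
FINDINGS: List[Dict] = [
    {"component": "pkg:maven/example/lib@1.2.3", "vulnId": "CVE-2026-24400",
     "source": "NVD", "aliases": ["GHSA-rqfh-9r24-8c9r"], "severity": "UNASSIGNED"},
    {"component": "pkg:maven/example/lib@1.2.3", "vulnId": "GHSA-rqfh-9r24-8c9r",
     "source": "GITHUB", "aliases": ["CVE-2026-24400"], "severity": "HIGH"},
    {"component": "pkg:maven/example/lib@1.2.3", "vulnId": "CVE-0000-0000",
     "source": "NVD", "aliases": [], "severity": "MEDIUM"},
    {"component": "pkg:maven/example/other@2.0.0", "vulnId": "GHSA-rqfh-9r24-8c9r",
     "source": "OSV", "aliases": ["CVE-2026-24400"], "severity": "HIGH"},
]

# Severity ordering used when two sources disagree; UNASSIGNED always loses.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1, "UNASSIGNED": 0}


class AliasGroups:
    """Union-find over vulnerability ids: ids linked by an alias share one root."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, vuln_id: str) -> str:
        self.parent.setdefault(vuln_id, vuln_id)
        while self.parent[vuln_id] != vuln_id:
            # Path halving keeps later lookups cheap.
            self.parent[vuln_id] = self.parent[self.parent[vuln_id]]
            vuln_id = self.parent[vuln_id]
        return vuln_id

    def union(self, a: str, b: str) -> None:
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def canonical_id(ids: List[str]) -> str:
    """Prefer a CVE id as the merged finding's name, else the smallest id."""
    cves = sorted(i for i in ids if i.startswith("CVE-"))
    return cves[0] if cves else sorted(ids)[0]


def merge_findings(findings: List[Dict]) -> List[Dict]:
    """Collapse findings that refer to aliased vulnerabilities on the same component."""
    groups = AliasGroups()
    for f in findings:
        groups.find(f["vulnId"])
        for alias in f["aliases"]:
            groups.union(f["vulnId"], alias)

    merged: Dict[tuple, Dict] = {}
    for f in findings:
        key = (f["component"], groups.find(f["vulnId"]))
        entry = merged.setdefault(key, {
            "component": f["component"], "ids": set(), "sources": set(),
            "severity": "UNASSIGNED",
        })
        entry["ids"].add(f["vulnId"])
        entry["ids"].update(f["aliases"])
        entry["sources"].add(f["source"])
        # Keep the most severe rating any source assigned to this alias group.
        if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]

    result = []
    for entry in merged.values():
        ids = sorted(entry["ids"])
        result.append({
            "component": entry["component"],
            "canonicalId": canonical_id(ids),
            "ids": ids,
            "sources": sorted(entry["sources"]),
            "severity": entry["severity"],
        })
    return sorted(result, key=lambda e: (e["component"], e["canonicalId"]))


if __name__ == "__main__":
    for m in merge_findings(FINDINGS):
        print(m["component"], m["canonicalId"], m["severity"], m["sources"])
```

Run as a script it prints three merged rows instead of the four input findings: the NVD and GitHub records for `CVE-2026-24400` on `lib@1.2.3` become one entry rated HIGH (the GitHub rating wins over NVD's Unassigned), the placeholder finding stays separate, and the OSV record on `other@2.0.0` is a distinct row because merging is per component.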