fix(vulnfeeds): Deduplicate references with ReferenceType priority (#4934)

Ly-Joey · web-flow · commit eb1c92979c64 · 2026-03-04T12:02:16.000+11:00
Updated logic to deduplicate references by their URL. 
A priority map is defined to make sure we keep the most useful reference
type.

The priority:
FIX
INTRODUCED
DETECTION
REPORT
PACKAGE 
EVIDENCE
ADVISORY 
ARTICLE 
DISCUSSION 
WEB 
GIT
diff --git a/vulnfeeds/cvelist2osv/__snapshots__/converter_test.snap b/vulnfeeds/cvelist2osv/__snapshots__/converter_test.snap
@@ -74,14 +74,6 @@
       "type": "REPORT",
       "url": "https://hackerone.com/reports/2972576"
     },
-    {
-      "type": "ARTICLE",
-      "url": "https://hackerone.com/reports/2972576"
-    },
-    {
-      "type": "EVIDENCE",
-      "url": "https://hackerone.com/reports/2972576"
-    },
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1110"
diff --git a/vulnfeeds/cvelist2osv/converter_test.go b/vulnfeeds/cvelist2osv/converter_test.go
@@ -238,8 +238,6 @@ func TestFromCVE5(t *testing.T) {
 						},
 					},
 					References: []*osvschema.Reference{
-						{Type: osvschema.Reference_ARTICLE, Url: "https://hackerone.com/reports/2972576"},
-						{Type: osvschema.Reference_EVIDENCE, Url: "https://hackerone.com/reports/2972576"},
 						{Type: osvschema.Reference_REPORT, Url: "https://hackerone.com/reports/2972576"},
 						{Type: osvschema.Reference_REPORT, Url: "https://gitlab.com/gitlab-org/gitlab/-/issues/517693"},
 					},
diff --git a/vulnfeeds/cves/testdata/TestReposFromReferences_A_CVE_with_a_repo_that_redirects_(docker_docker_-__moby_moby).yaml b/vulnfeeds/cves/testdata/TestReposFromReferences_A_CVE_with_a_repo_that_redirects_(docker_docker_-__moby_moby).yaml
diff --git a/vulnfeeds/vulns/vulns.go b/vulnfeeds/vulns/vulns.go
@@ -82,6 +82,24 @@ const (
 	Filler                             // Has been determined to be a filler word
 )
 
+// refTypePriority is a read-only map ReferenceType to priority.
+// When multiple references are associated with the same URL, we deduplicate and only keep the type with the highest priority.
+// Priority (highest to lowest):
+// FIX > INTRODUCED > DETECTION > REPORT > PACKAGE > EVIDENCE > ADVISORY > ARTICLE > DISCUSSION > WEB > GIT
+var refTypePriority = map[osvschema.Reference_Type]int{
+	osvschema.Reference_FIX:        11,
+	osvschema.Reference_INTRODUCED: 10,
+	osvschema.Reference_DETECTION:  9,
+	osvschema.Reference_REPORT:     8,
+	osvschema.Reference_PACKAGE:    7,
+	osvschema.Reference_EVIDENCE:   6,
+	osvschema.Reference_ADVISORY:   5,
+	osvschema.Reference_ARTICLE:    4,
+	osvschema.Reference_DISCUSSION: 3,
+	osvschema.Reference_WEB:        2,
+	osvschema.Reference_GIT:        1,
+}
+
 // AttachExtractedVersionInfo converts the models.VersionInfo struct to OSV GIT and ECOSYSTEM AffectedRanges and AffectedPackage.
 func AttachExtractedVersionInfo(v *Vulnerability, version models.VersionInfo) {
 	// commit holds a commit hash of one of the supported commit types.
@@ -662,37 +680,36 @@ func Unique[T comparable](s []T) []T {
 }
 
 // ClassifyReferences annotates reference links based on their tags or their shape.
+// References with the same URL are deduplicated, and only keep the RefType of the highest priority (see refTypePriority).
 func ClassifyReferences(refs []models.Reference) []*osvschema.Reference {
-	var references []*osvschema.Reference
-	refMap := make(map[string]map[osvschema.Reference_Type]bool)
-
-	for _, reference := range refs {
-		if _, ok := refMap[reference.URL]; !ok {
-			refMap[reference.URL] = make(map[osvschema.Reference_Type]bool)
-		}
-
-		if len(reference.Tags) > 0 {
-			for _, tag := range reference.Tags {
-				refType := ClassifyReferenceLink(reference.URL, tag)
-				if !refMap[reference.URL][refType] {
-					references = append(references, &osvschema.Reference{
-						Type: refType,
-						Url:  reference.URL,
-					})
-					refMap[reference.URL][refType] = true
+	references := make([]*osvschema.Reference, 0, len(refs))
+	bestTypes := make(map[string]osvschema.Reference_Type)
+
+	for _, ref := range refs {
+		if len(ref.Tags) > 0 {
+			for _, tag := range ref.Tags {
+				refType := ClassifyReferenceLink(ref.URL, tag)
+				bestType, ok := bestTypes[ref.URL]
+				if !ok || refTypePriority[refType] > refTypePriority[bestType] {
+					bestTypes[ref.URL] = refType
 				}
 			}
 		} else {
-			refType := ClassifyReferenceLink(reference.URL, "")
-			if !refMap[reference.URL][refType] {
-				references = append(references, &osvschema.Reference{
-					Type: refType,
-					Url:  reference.URL,
-				})
-				refMap[reference.URL][refType] = true
+			refType := ClassifyReferenceLink(ref.URL, "")
+			bestType, ok := bestTypes[ref.URL]
+			if !ok || refTypePriority[refType] > refTypePriority[bestType] {
+				bestTypes[ref.URL] = refType
 			}
 		}
 	}
+
+	for refURL, refType := range bestTypes {
+		references = append(references, &osvschema.Reference{
+			Type: refType,
+			Url:  refURL,
+		})
+	}
+
 	sort.SliceStable(references, func(i, j int) bool {
 		return references[i].GetType() < references[j].GetType()
 	})
diff --git a/vulnfeeds/vulns/vulns_test.go b/vulnfeeds/vulns/vulns_test.go
@@ -106,8 +106,6 @@ func TestClassifyReferences(t *testing.T) {
 				},
 			},
 			references: []*osvschema.Reference{
-				{Url: "https://github.com/curl/curl/issues/9271", Type: osvschema.Reference_ADVISORY},
-				{Url: "https://github.com/curl/curl/issues/9271", Type: osvschema.Reference_EVIDENCE},
 				{Url: "https://github.com/curl/curl/issues/9271", Type: osvschema.Reference_REPORT},
 			},
 		},
