- Task
- Resolution: Done
- Normal
- None
Red Hat reports vulnerabilities together with the repos they affect, and the OVAL feeds currently list every repo for every vulnerability (this also causes DB bloat, as we view these as distinct vulnerabilities). As most images will, by default, have the appstream and baseos repos enabled, Clair will report 2 vulnerabilities from distinct repos.
As the Quay UI doesn't show any repo context, these vulnerabilities look like duplicates. This task is to de-duplicate all vulnerabilities using the package_name, package_version and vulnerability name, so that users see a more succinct report.
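A sketch of the de-duplication described above, as an added example that is not code from Quay or Clair. The flat record layout, the `repo` field, the function name `dedupe_findings` and all sample values are assumptions made for illustration; repo context is merged into the surviving entry so it is not lost.

```python
# Constructed sample findings (not real Clair output). The same advisory is
# listed once per enabled repo, as the task describes. CVE ids, package names
# and versions are placeholders.
FINDINGS = [
    {"package_name": "examplepkg", "package_version": "1.0-1.el8",
     "vulnerability": "CVE-0000-0001", "repo": "baseos"},
    {"package_name": "examplepkg", "package_version": "1.0-1.el8",
     "vulnerability": "CVE-0000-0001", "repo": "appstream"},
    {"package_name": "examplepkg", "package_version": "1.0-1.el8",
     "vulnerability": "CVE-0000-0002", "repo": "baseos"},
    {"package_name": "otherpkg", "package_version": "2.3-4.el8",
     "vulnerability": "CVE-0000-0001", "repo": "appstream"},
    # Exact repeat of the first record: must not add a second "baseos".
    {"package_name": "examplepkg", "package_version": "1.0-1.el8",
     "vulnerability": "CVE-0000-0001", "repo": "baseos"},
]


def dedupe_findings(findings):
    """Collapse findings that differ only by repo.

    The key is (package_name, package_version, vulnerability name), the three
    fields named in the task. A different package or version with the same
    vulnerability name stays a separate entry.
    """
    merged = {}  # dicts keep insertion order, so the report order is stable
    for finding in findings:
        key = (finding["package_name"],
               finding["package_version"],
               finding["vulnerability"])
        entry = merged.setdefault(key, {
            "package_name": key[0],
            "package_version": key[1],
            "vulnerability": key[2],
            "repos": [],
        })
        repo = finding.get("repo")  # tolerate records without repo context
        if repo and repo not in entry["repos"]:
            entry["repos"].append(repo)
    return list(merged.values())


if __name__ == "__main__":
    for row in dedupe_findings(FINDINGS):
        print(row)
```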
- is related to: PROJQUAY-4596 Duplicate reports of the same CVE in the security report (Closed)