fix(contrib/trivy): O(N²) library duplication in trivy-to-vuls ClassLangPkg handling (#2450)

* Initial plan

* fix: remove inner loop causing O(N²) library duplication in ClassLangPkg and add regression test

Co-authored-by: shino <10225+shino@users.noreply.github.com>

* refactor: rename test to nodePkgUniqueFilePaths to describe scenario, not absence of bug

Co-authored-by: shino <10225+shino@users.noreply.github.com>

* Update contrib/trivy/parser/v2/parser_test.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: shino <10225+shino@users.noreply.github.com>
Co-authored-by: Shunichi Shinohara <shino.shun@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

contrib/trivy/parser/v2/parser_test.go

@@ -39,6 +39,10 @@ func TestParse(t *testing.T) {
 			vulnJSON: includeDevDependenciesTrivy,
 			expected: includeDevDependenciesSR,
 		},
+		"nodePkgUniqueFilePaths": {
+			vulnJSON: nodePkgUniqueFilePathsTrivy,
+			expected: nodePkgUniqueFilePathsSR,
+		},
 	}
 
 	for testcase, v := range cases {
@@ -3005,6 +3009,116 @@ var includeDevDependenciesSR = &models.ScanResult{
 	Optional: nil,
 }
 
+// nodePkgUniqueFilePathsTrivy is a test input with node-pkg type where each
+// package has a unique FilePath (e.g. node_modules/<pkg>/package.json), resulting
+// in a separate LibraryScanner entry per package.
+var nodePkgUniqueFilePathsTrivy = []byte(`{
+  "SchemaVersion": 2,
+  "CreatedAt": "2026-03-10T00:00:00Z",
+  "ArtifactName": "myapp:latest",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "amd64",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "linux",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Node.js",
+      "Class": "lang-pkgs",
+      "Type": "node-pkg",
+      "Packages": [
+        {
+          "Name": "express",
+          "Identifier": {
+            "PURL": "pkg:npm/express@4.18.2"
+          },
+          "Version": "4.18.2",
+          "FilePath": "node_modules/express/package.json",
+          "Layer": {}
+        },
+        {
+          "Name": "lodash",
+          "Identifier": {
+            "PURL": "pkg:npm/lodash@4.17.21"
+          },
+          "Version": "4.17.21",
+          "FilePath": "node_modules/lodash/package.json",
+          "Layer": {}
+        },
+        {
+          "Name": "debug",
+          "Identifier": {
+            "PURL": "pkg:npm/debug@4.3.4"
+          },
+          "Version": "4.3.4",
+          "FilePath": "node_modules/debug/package.json",
+          "Layer": {}
+        }
+      ],
+      "Vulnerabilities": []
+    }
+  ]
+}
+`)
+
+var nodePkgUniqueFilePathsSR = &models.ScanResult{
+	JSONVersion: 4,
+	ServerName:  "myapp",
+	Family:      "pseudo",
+	ScannedBy:   "trivy",
+	ScannedVia:  "trivy",
+	ScannedCves: models.VulnInfos{},
+	Packages:    models.Packages{},
+	SrcPackages: models.SrcPackages{},
+	LibraryScanners: models.LibraryScanners{
+		{
+			Type:         "node-pkg",
+			LockfilePath: "/node_modules/debug/package.json",
+			Libs: []models.Library{
+				{
+					Name:     "debug",
+					Version:  "4.3.4",
+					PURL:     "pkg:npm/debug@4.3.4",
+					FilePath: "node_modules/debug/package.json",
+				},
+			},
+		},
+		{
+			Type:         "node-pkg",
+			LockfilePath: "/node_modules/express/package.json",
+			Libs: []models.Library{
+				{
+					Name:     "express",
+					Version:  "4.18.2",
+					PURL:     "pkg:npm/express@4.18.2",
+					FilePath: "node_modules/express/package.json",
+				},
+			},
+		},
+		{
+			Type:         "node-pkg",
+			LockfilePath: "/node_modules/lodash/package.json",
+			Libs: []models.Library{
+				{
+					Name:     "lodash",
+					Version:  "4.17.21",
+					PURL:     "pkg:npm/lodash@4.17.21",
+					FilePath: "node_modules/lodash/package.json",
+				},
+			},
+		},
+	},
+	Optional: map[string]any{"TRIVY_IMAGE_NAME": "myapp", "TRIVY_IMAGE_TAG": "latest"},
+}
+
 func TestParseError(t *testing.T) {
 	cases := map[string]struct {
 		vulnJSON []byte

contrib/trivy/pkg/converter.go

@@ -211,15 +211,13 @@ func Convert(results types.Results, artifactType ftypes.ArtifactType, artifactNa
 
 				libScanner := libraryScannerPaths[lockfilePath]
 				libScanner.Type = trivyResult.Type
-				for _, p := range trivyResult.Packages {
-					libScanner.Libs = append(libScanner.Libs, models.Library{
-						Name:     p.Name,
-						Version:  p.Version,
-						PURL:     getPURL(p),
-						FilePath: p.FilePath,
-						Dev:      p.Dev,
-					})
-				}
+				libScanner.Libs = append(libScanner.Libs, models.Library{
+					Name:     p.Name,
+					Version:  p.Version,
+					PURL:     getPURL(p),
+					FilePath: p.FilePath,
+					Dev:      p.Dev,
+				})
 				libraryScannerPaths[lockfilePath] = libScanner
 			}
 		default: