
Grype shows the same dependency with different ID even when they are related #1401

Closed
tomerse-sg opened this issue Jul 25, 2023 · 1 comment
Labels
duplicate This issue or pull request already exists

Comments

@tomerse-sg

What happened:
I have a question regarding Grype’s behavior:
I’ve created an image containing requests package.
I see 2 vulnerabilities that are related: CVE-2023-32681, GHSA-j8r2-6x86-q33q.
However, when I checked it more deeply, I saw it is the same dependency; moreover, in GHSA-j8r2-6x86-q33q we have a field relatedVulnerabilities which contains CVE-2023-32681.
I think presenting both vulnerabilities is wrong, since it is the same dependency.
Is this the expected behavior? Is it planned to filter these kinds of duplicates in the future?
What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Here is the Dockerfile to reproduce and the commands I've run:

```sh
docker build -t requests .
grype requests
```

```Dockerfile
FROM python:3.7-alpine
RUN pip install requests==2.20.0
WORKDIR /app
CMD ["python", "app.py"]
```

Anything else we need to know?:

Environment:

  • Output of grype version: 0.63.1
  • OS (e.g: cat /etc/os-release or similar): alpine:3.18.2
@tomerse-sg tomerse-sg added the bug Something isn't working label Jul 25, 2023
@willmurphyscode
Contributor

Hi @tomerse-sg, I think we talked on the community slack. Re-posting here what I said there:

I think passing --by-cve will make grype do what you're expecting. But note that --by-cve currently has some limitations: #1202

There's some discussion about whether this should be the default behavior. In general, if we matched the vulnerability using the GHSA's matching criteria, it will be included in the results.

Closing as duplicate of #973.

@willmurphyscode willmurphyscode added duplicate This issue or pull request already exists and removed bug Something isn't working labels Jul 31, 2023
@wagoodman wagoodman closed this as not planned Won't fix, can't repro, duplicate, stale Jul 31, 2023
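The thread above boils down to one mechanic: a GHSA match carries a `relatedVulnerabilities` list, and when that list names a CVE that grype also reported directly for the same artifact, the two rows describe one finding. The following is an added example (not grype's code and not the `--by-cve` implementation) that collapses `grype -o json` output along that alias link while keeping the GHSA id as a traceable alias, so the GitHub matching criterion the maintainer mentions is not silently lost. It assumes the JSON fields `matches[].vulnerability.id`, `matches[].relatedVulnerabilities[].id` and `matches[].artifact.name`/`.version` as emitted by grype; the sample document is constructed inline, and `GHSA-PLACEHOLDER` is a placeholder id, not a real advisory.

```python
import json
import sys
from collections import OrderedDict

# Constructed sample in the shape of `grype -o json` output. Only the fields the
# collapse logic reads are included (assumed field names, see lead-in). The first
# two matches mirror the issue: the CVE and the GHSA that aliases it, both on
# requests 2.20.0. The third is a placeholder GHSA with no related CVE, which
# must survive the collapse untouched.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2023-32681", "severity": "Medium"},
            "relatedVulnerabilities": [],
            "artifact": {"name": "requests", "version": "2.20.0", "type": "python"},
        },
        {
            "vulnerability": {"id": "GHSA-j8r2-6x86-q33q", "severity": "Medium"},
            "relatedVulnerabilities": [{"id": "CVE-2023-32681"}],
            "artifact": {"name": "requests", "version": "2.20.0", "type": "python"},
        },
        {
            "vulnerability": {"id": "GHSA-PLACEHOLDER", "severity": "Low"},  # placeholder id
            "relatedVulnerabilities": [],
            "artifact": {"name": "otherpkg", "version": "1.0", "type": "python"},
        },
    ]
})


def canonical_id(match):
    """Return the CVE id a match should be keyed on.

    A CVE keys on itself. A non-CVE id (e.g. GHSA-...) keys on the first CVE in
    its relatedVulnerabilities; if there is none, it keys on itself so it is never
    dropped merely for lacking a CVE alias.
    """
    vid = match["vulnerability"]["id"]
    if vid.startswith("CVE-"):
        return vid
    for rel in match.get("relatedVulnerabilities") or []:
        if rel.get("id", "").startswith("CVE-"):
            return rel["id"]
    return vid


def collapse_by_cve(grype_json_text):
    """Group matches by (artifact name, version, canonical CVE id).

    Returns one row per group in first-seen order. Each row records the canonical
    id plus every other id that was folded into it, so the GHSA that triggered
    the match stays visible in the report rather than vanishing.
    """
    doc = json.loads(grype_json_text)
    groups = OrderedDict()
    for m in doc.get("matches", []):
        art = m["artifact"]
        cid = canonical_id(m)
        key = (art["name"], art["version"], cid)
        row = groups.setdefault(key, {
            "artifact": f"{art['name']}@{art['version']}",
            "id": cid,
            "aliases": [],
        })
        vid = m["vulnerability"]["id"]
        if vid != cid and vid not in row["aliases"]:
            row["aliases"].append(vid)
    return list(groups.values())


def format_rows(rows):
    """Render collapsed rows as one line each: artifact, id, aliases."""
    lines = []
    for r in rows:
        alias = f" (also {', '.join(r['aliases'])})" if r["aliases"] else ""
        lines.append(f"{r['artifact']}: {r['id']}{alias}")
    return lines


if __name__ == "__main__":
    # Usage: grype <image> -o json | python collapse.py
    # With no stdin data, fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GRYPE_JSON
    for line in format_rows(collapse_by_cve(text or SAMPLE_GRYPE_JSON)):
        print(line)
```

Two caveats. The collapse only fires when the GHSA record itself lists the CVE under `relatedVulnerabilities`; a GHSA whose CVE mapping is missing from the database stays as its own row, which is the conservative outcome. And folding rows does not reconcile the affected-version ranges behind them: if the GHSA and the CVE matched on different version criteria, the alias list tells you that both sources fired, but you still have to look at the original match details to see why.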