jfrog · orto17 · Feb 22, 2026 · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026
diff --git a/utils/outputwriter/outputcontent.go b/utils/outputwriter/outputcontent.go
@@ -421,12 +421,60 @@ func getScaLicenseViolationDetails(violation formats.LicenseViolationRow, writer
 
 // Sca Vulnerabilities
 
+func vulnerabilitySummaryKey(v formats.VulnerabilityOrViolationRow) string {
+	ids := make([]string, 0, len(v.Cves)+1)
+	for _, cve := range v.Cves {
+		ids = append(ids, cve.Id)
+	}
+	sort.Strings(ids)
+	return v.IssueId + "|" + strings.Join(ids, ",")
+}
+
+func aggregateVulnerabilitiesByCve(vulnerabilities []formats.VulnerabilityOrViolationRow) []formats.VulnerabilityOrViolationRow {
+	if len(vulnerabilities) == 0 {
+		return vulnerabilities
+	}
+	byKey := make(map[string]*formats.VulnerabilityOrViolationRow)
+	for i := range vulnerabilities {
+		v := &vulnerabilities[i]
+		key := vulnerabilitySummaryKey(*v)
+		if existing, ok := byKey[key]; ok {
+			existing.ImpactPaths = append(existing.ImpactPaths, v.ImpactPaths...)
+			if len(v.FixedVersions) > 0 {
+				existing.FixedVersions = append(existing.FixedVersions, v.FixedVersions...)
+			}
+		} else {
+			agg := *v
+			agg.ImpactPaths = append([][]formats.ComponentRow(nil), v.ImpactPaths...)
+			agg.FixedVersions = append([]string(nil), v.FixedVersions...)
+			byKey[key] = &agg
+		}
+	}
+	result := make([]formats.VulnerabilityOrViolationRow, 0, len(byKey))
+	for _, v := range byKey {
+		result = append(result, *v)
+	}
+	// Preserve relative order by first occurrence
+	order := make(map[string]int)
+	for i, v := range vulnerabilities {
+		key := vulnerabilitySummaryKey(v)
+		if _, ok := order[key]; !ok {
+			order[key] = i
+		}
+	}
+	sort.Slice(result, func(i, j int) bool {
+		return order[vulnerabilitySummaryKey(result[i])] < order[vulnerabilitySummaryKey(result[j])]
+	})
+	return result
+}
+
 func GetVulnerabilitiesContent(vulnerabilities []formats.VulnerabilityOrViolationRow, writer OutputWriter) (content []string) {
 	if len(vulnerabilities) == 0 {
 		return []string{}
 	}
-	content = append(content, getVulnerabilitiesSummaryTable(vulnerabilities, writer))
-	content = append(content, getScaSecurityIssueDetailsContent(vulnerabilities, false, writer)...)
+	aggregated := aggregateVulnerabilitiesByCve(vulnerabilities)
+	content = append(content, getVulnerabilitiesSummaryTable(aggregated, writer))
+	content = append(content, getScaSecurityIssueDetailsContent(aggregated, false, writer)...)
 	return ConvertContentToComments(content, writer, getDecoratorWithScaVulnerabilitiesTitle(writer))
 }
 

diff --git a/utils/outputwriter/outputcontent_test.go b/utils/outputwriter/outputcontent_test.go
@@ -2,6 +2,7 @@ package outputwriter
 
 import (
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/jfrog/froggit-go/vcsutils"
@@ -431,6 +432,43 @@ func TestVulnerabilitiesContent(t *testing.T) {
 	}
 }
 
+func TestVulnerabilitiesContent_aggregatesSameCveIntoOneRow(t *testing.T) {
+	sameCve := "CVE-2017-1000487"
+	vulnerabilities := []formats.VulnerabilityOrViolationRow{
+		{
+			ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+				SeverityDetails:           formats.SeverityDetails{Severity: "Critical"},
+				ImpactedDependencyName:    "org.codehaus.plexus:plexus-utils",
+				ImpactedDependencyVersion: "1.5.15",
+			},
+			Applicable: "Not Applicable",
+			ImpactPaths: [][]formats.ComponentRow{
+				{{Name: "root", Version: "1.0.0"}, {Name: "some-dep", Version: "1.0.0"}, {Name: "org.codehaus.plexus:plexus-utils", Version: "1.5.15"}},
+			},
+			Cves: []formats.CveRow{{Id: sameCve}},
+		},
+		{
+			ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+				SeverityDetails:           formats.SeverityDetails{Severity: "Critical"},
+				ImpactedDependencyName:    "org.codehaus.plexus:plexus-utils",
+				ImpactedDependencyVersion: "1.5.1",
+			},
+			Applicable: "Not Applicable",
+			ImpactPaths: [][]formats.ComponentRow{
+				{{Name: "root", Version: "1.0.0"}, {Name: "other-dep", Version: "1.0.0"}, {Name: "org.codehaus.plexus:plexus-utils", Version: "1.5.1"}},
+			},
+			Cves: []formats.CveRow{{Id: sameCve}},
+		},
+	}
+	content := GetVulnerabilitiesContent(vulnerabilities, &SimplifiedOutput{})
+	assert.NotEmpty(t, content)
+	tableSection := content[0]
+	assert.Contains(t, tableSection, sameCve, "output should mention the CVE")
+	assert.Contains(t, tableSection, "2 Transitive", "same CVE in two transitive paths should be aggregated and show 2 Transitive")
+	// CVE should appear only once in the table (one row), not twice
+	assert.Equal(t, 1, strings.Count(tableSection, sameCve), "CVE should appear once in the summary table (one aggregated row)")
+}
+
 func TestSecurityViolationsContent(t *testing.T) {
 	testCases := []struct {
 		name   string