[BUG]: Checklist step re-evaluates vulnerable dependency, potentially affecting scan results #2013
Closed
2 tasks done
Labels
bug
Something isn't working
external
This issue was filed by someone outside of the Morpheus team
Needs Triage
Need team to review and classify
Version
02-EA
Which installation method(s) does this occur on?
No response
Describe the bug.
When the output includes a detailed checklist, it implies the vulnerable dependency has been identified, though this isn't explicitly stated. In this case, the checklist items assess whether the vulnerability affects the codebase, and we expect the summary to present a final conclusion with the correct justification label.
However, in many cases, the checklist includes an additional step (usually at the end) that rechecks the dependency version. This step sometimes re-evaluates the same vulnerable dependency or checks an unrelated one. If the result of this step is inconclusive, it has no impact. But if it returns a definitive answer, it can unexpectedly change the scan's conclusion.
Output for Example 1: output (6).json
Output for Example 2: output (2) (1).json
Minimum reproducible example
Example 1:
Scenario:
Vulnerable dependency: google.golang.org/protobuf
version v1.31.0
Vulnerable range: < 1.33.0
After identifying this package as vulnerable, the agent runs checks to see if exploitable code (e.g., protojson.Unmarshal) is present during runtime. It correctly concludes that no such code is used, which should deem that scan "not exploitable". Confirmed via manual review.
Later, the 4th checklist item redundantly rechecks the dependencies:
It evaluates github.com/golang/protobuf (not relevant) against the range >= 1.33.0 (incorrect range).
It rechecks google.golang.org/protobuf, though it was already checked.
The results were inconclusive, with no version information found (even though it had been found earlier). Fortunately, this did not change the final conclusion, which correctly marked the dependency as "not exploitable".
Example 2:
Scenario:
Vulnerable dependency: google.golang.org/protobuf
version v1.31.0
Vulnerable range: < 1.33.0
After identifying this package as vulnerable, the agent runs checks to see if exploitable code (e.g., protojson.Unmarshal) is present during runtime. It correctly concludes that no such code is used, which should deem that scan "not exploitable". Confirmed via manual review.
Later, the 3rd checklist item redundantly rechecks the dependency:
github.com/golang/protobuf (not relevant) against the range >= 1.33.0 (incorrect range).
This step determines that the container uses github.com/golang/protobuf version 2.0+, which it deems vulnerable. As a result, the summary pivots and incorrectly labels the codebase as “exploitable” based on an irrelevant package (github.com/golang/protobuf), even though the original vulnerability lies with google.golang.org/protobuf.
Relevant log output
Full env printout
Other/Misc.
No response
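To make the failure mode in both examples concrete, here is an added, self-contained illustration (it is not Morpheus code and does not reflect how the Morpheus checklist is implemented). It models the two checks the report describes: the correct one (google.golang.org/protobuf v1.31.0 against "< 1.33.0") and the redundant one (github.com/golang/protobuf against the inverted range ">= 1.33.0"), and shows how a version step that is scoped to the advisory's module and range cannot flip the verdict. The go.mod excerpt, the 1.5.4 version of github.com/golang/protobuf, and all function names are constructed assumptions.

```python
"""Scoped version-range check for a Go module advisory (constructed example)."""
import re

# Constructed go.mod excerpt: assumes the scanned container has both modules.
GO_MOD = """\
module example.com/service

go 1.21

require (
    github.com/golang/protobuf v1.5.4
    google.golang.org/protobuf v1.31.0
)
"""

# Advisory record: module path, version and range are those named in the report.
ADVISORY = {
    "module": "google.golang.org/protobuf",
    "vulnerable_range": "< 1.33.0",
}


def parse_go_mod(text: str) -> dict[str, str]:
    """Return {module path: version} for every 'path vX.Y.Z' line in go.mod."""
    deps = {}
    for m in re.finditer(r"^\s*([\w./-]+)\s+v(\d+\.\d+\.\d+)", text, re.M):
        deps[m.group(1)] = m.group(2)
    return deps


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.31.0' into (1, 31, 0) so tuple comparison orders versions."""
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, spec: str) -> bool:
    """Evaluate a single-comparator range such as '< 1.33.0' or '>= 1.33.0'."""
    op, bound = spec.split()
    ops = {
        "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b,
    }
    return ops[op](parse_version(version), parse_version(bound))


def evaluate_step(go_mod: str, advisory: dict, module: str, spec: str) -> str:
    """Run one checklist version step, but only if it targets the advisory.

    Returns 'out_of_scope' when the step names a different module (the
    github.com/golang/protobuf case), 'range_mismatch' when the range
    differs from the advisory's (the '>= 1.33.0' case), and otherwise
    'not_found', 'vulnerable' or 'not_vulnerable'.
    """
    if module != advisory["module"]:
        return "out_of_scope"
    if spec != advisory["vulnerable_range"]:
        return "range_mismatch"
    deps = parse_go_mod(go_mod)
    if module not in deps:
        return "not_found"
    return "vulnerable" if in_range(deps[module], spec) else "not_vulnerable"


def conclude(step_results: list[str], exploitable_code_present: bool) -> str:
    """Combine step results into the final label.

    Only in-scope version results count; out-of-scope or range-mismatched
    steps are ignored rather than allowed to pivot the verdict, and a
    vulnerable version is only 'exploitable' if the exploitable code path
    (e.g. protojson.Unmarshal) was actually found.
    """
    counted = [r for r in step_results if r in ("vulnerable", "not_vulnerable", "not_found")]
    if "vulnerable" in counted and exploitable_code_present:
        return "exploitable"
    return "not exploitable"


if __name__ == "__main__":
    first = evaluate_step(GO_MOD, ADVISORY, "google.golang.org/protobuf", "< 1.33.0")
    redundant = evaluate_step(GO_MOD, ADVISORY, "github.com/golang/protobuf", ">= 1.33.0")
    print(first, redundant, conclude([first, redundant], exploitable_code_present=False))
```

Running the block prints the scoped outcome of Example 2: the first step finds v1.31.0 inside "< 1.33.0" (vulnerable version), the redundant step is rejected as out of scope, and because no exploitable code was found the conclusion stays "not exploitable" instead of pivoting on the unrelated package.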