Discuss what to do about hitting duplicate facts when gathering for insights #3

Open
timclifford opened this issue Mar 4, 2022 · 2 comments

@timclifford
Contributor

Since fact names need to be unique per environment, we have an issue where the facts gathering will pick up facts with the same name from different sources/images.

The issue is that, even though we deleteFactsFromSource prior to adding new ones in insights, this does not cover those facts with a different source name.

@timclifford
Contributor Author

Duplicate facts from source - solved
We've updated the source definition of facts to be more generic (rather than tied to a particular service); therefore, all facts for a given insight type are now cleared on every scan. For example, all 'sboms' will be deleted from source (sbom:[service]) before a new syft scan is run, preventing duplicate facts from this instance.

Remaining issues:

  • What happens if multiple images being scanned contain the same facts? For example, two node.js images are found with differing npm package versions. Which version do we store and how do we avoid duplication issues?

Current thinking:

  • We improve the parsing/fact filtering process to be more dynamic

@timclifford timclifford added the question Further information is requested label Mar 8, 2022
@tobybellwood
Member

Right now, given we're only getting key facts into the API, we should define which service the fact should come from, which would avoid this issue.

One complication I've just thought of is that we may have to check the service type instead of just the service name, but I'll think on it a bit.
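
The idea discussed in this thread, pinning a key fact to the service it should come from and refusing to pick a winner for other colliding names, as an added example that is not code from this project. `Fact`, `ResolveScan`, the `pinned` map and the sample fact and service names are hypothetical; it assumes old facts of the insight type were already cleared and that pinning is by service name, not service type.

```go
package main

import (
	"fmt"
	"sort"
)

// Fact is a hypothetical shape; Source uses the "sbom:[service]" form from the thread.
type Fact struct{ Name, Value, Source string }

// ResolveScan reduces one scan's facts to at most one fact per name. pinned
// (assumed configuration) maps a fact name to the only service allowed to supply it.
// Unpinned names whose values differ between services are returned as conflicts.
func ResolveScan(scanned []Fact, insightType string, pinned map[string]string) (map[string]Fact, []string) {
	kept := map[string]Fact{}
	clash := map[string]bool{}
	for _, f := range scanned {
		if svc, ok := pinned[f.Name]; ok && f.Source != insightType+":"+svc {
			continue // pinned fact reported by a different service: ignore it
		}
		if prev, seen := kept[f.Name]; seen {
			if prev.Value != f.Value {
				clash[f.Name] = true // same name, different value: no silent winner
			}
			continue
		}
		kept[f.Name] = f
	}
	conflicts := make([]string, 0, len(clash))
	for name := range clash {
		delete(kept, name) // a conflicting name is not stored at all
		conflicts = append(conflicts, name)
	}
	sort.Strings(conflicts)
	return kept, conflicts
}

func main() {
	scan := []Fact{ // constructed sample: two services with differing package versions
		{"npm-express", "4.17.1", "sbom:node"},
		{"npm-express", "4.18.2", "sbom:worker"},
		{"npm-lodash", "4.17.20", "sbom:node"},
		{"npm-lodash", "4.17.21", "sbom:worker"},
		{"alpine-version", "3.15", "sbom:node"},
		{"alpine-version", "3.15", "sbom:worker"},
	}
	kept, conflicts := ResolveScan(scan, "sbom", map[string]string{"npm-express": "node"})
	fmt.Println(kept["npm-express"].Value, kept["alpine-version"].Source, conflicts)
}
```

The conflict list is the part worth surfacing to whoever consumes the facts: a dependency version that differs between images is reported instead of one value overwriting the other.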
