fix: skip processing of duplicate products

don't add duplicate affected packages to extended response

vmaas/vulnerabilities.go

@@ -186,7 +186,14 @@ func evaluate(c *Cache, opts *options, request *Request) (*VulnerabilitiesCvesDe
 
 func evaluateUnpatchedCves(c *Cache, products []ProductsPackage, cves *VulnerabilitiesCvesDetails) {
 	for _, pp := range products {
+		seenProducts := make(map[CSAFProduct]bool, len(pp.ProductsUnfixed))
 		for _, product := range pp.ProductsUnfixed {
+			if seenProducts[product] {
+				// duplicate product in pp.ProductsUnfixed
+				// skip processing of already processed product
+				continue
+			}
+			seenProducts[product] = true
 			module := product.ModuleStream
 			cn := CpeIDNameID{CpeID: product.CpeID, NameID: product.PackageNameID}
 			csafCves := c.CSAFCVEs[cn][product]
@@ -210,7 +217,14 @@ func evaluateUnpatchedCves(c *Cache, products []ProductsPackage, cves *Vulnerabi
 func evaluateManualCves(c *Cache, products []ProductsPackage, cves *VulnerabilitiesCvesDetails) {
 	for _, pp := range products {
 		pp := pp // make copy because &pp is used
+		seenProducts := make(map[CSAFProduct]bool, len(pp.ProductsFixed))
 		for _, product := range pp.ProductsFixed {
+			if seenProducts[product] {
+				// duplicate product in pp.ProductsFixed
+				// skip processing of already processed product
+				continue
+			}
+			seenProducts[product] = true
 			updateNevra := pkgID2Nevra(c, product.PackageID)
 			if !isApplicable(c, &updateNevra, &pp.Package.Nevra) {
 				continue