
bug: Trivy should overwrite the namespace and distro qualifier for PURLs when the `--distro` flag is used.

Open DmitriyLewen opened this issue 1 month ago • 0 comments

Description

When the `--distro` flag is used, we update `metadata.OS`, but the PURLs for OS packages remain unchanged.

This leads to two problems:

  1. OS initially not detected: if the OS is not detected initially, we keep the package PURLs empty even after overriding the OS via `--distro`. As a result, VEX files cannot be used correctly (see: https://github.com/aquasecurity/trivy/discussions/9767).
  2. OS initially detected: if the OS is detected initially, there will be a mismatch between `metadata.OS` and the package PURLs (their namespace and/or distro qualifier).

Proposed solution

After overriding the OS we should recompute and update the PURLs for OS packages, since OS information is part of the PURL itself.

Relevant code:

https://github.com/aquasecurity/trivy/blob/719ea29d3129b92c78dc25ac6379cda1650eb115/pkg/scan/local/service.go#L84-L88

Discussed in https://github.com/aquasecurity/trivy/discussions/9767
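A sketch of the proposed recompute step, added here as an illustration and not Trivy's own code: it uses a minimal OS/Package shape (field names assumed), assumes the `--distro` value has the form `family/version` and that OS package PURLs take the form `pkg:<type>/<family>/<name>@<version>?distro=<family>-<version>`, and rebuilds every package PURL after the override so `metadata.OS` and the PURLs agree in both of the cases above.

```go
package main

import "fmt"
import "strings"

// OS stands in for Trivy's metadata.OS; field names and the Package shape are assumed here.
type OS struct{ Family, Name string } // e.g. {"debian", "12"}
type Package struct{ Name, Version, PURL string }

// purlType maps an OS family to a PURL type (an illustrative subset of the real mapping).
func purlType(family string) string {
	switch family {
	case "debian", "ubuntu":
		return "deb"
	case "alpine":
		return "apk"
	}
	return ""
}

// purlFor builds pkg:<type>/<family>/<name>@<version>?distro=<family>-<version>; an unknown OS yields "" (problem 1's empty PURLs).
func purlFor(target OS, p Package) string {
	t := purlType(target.Family)
	if t == "" {
		return ""
	}
	return fmt.Sprintf("pkg:%s/%s/%s@%s?distro=%s-%s",
		t, target.Family, p.Name, p.Version, target.Family, target.Name)
}

// overrideDistro applies a --distro value (assumed format family/version) and recomputes every OS package PURL to match.
func overrideDistro(distro string, pkgs []Package) (OS, error) {
	family, version, ok := strings.Cut(distro, "/")
	if !ok || family == "" || version == "" {
		return OS{}, fmt.Errorf("--distro must be family/version, got %q", distro)
	}
	target := OS{Family: family, Name: version}
	for i := range pkgs {
		pkgs[i].PURL = purlFor(target, pkgs[i]) // replaces a stale (problem 2) or empty (problem 1) PURL
	}
	return target, nil
}

func main() { // constructed input: OS undetected, so the PURL starts out empty
	pkgs := []Package{{Name: "curl", Version: "7.88.1-10"}}
	if _, err := overrideDistro("debian/12", pkgs); err != nil {
		panic(err)
	}
	fmt.Println(pkgs[0].PURL) // pkg:deb/debian/curl@7.88.1-10?distro=debian-12
}
```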

DmitriyLewen, Nov 13 '25 06:11