
fix: overwrite OS packages PURLs after overwrite OS

Open DmitriyLewen opened this issue 1 month ago • 2 comments

Description

This PR fixes an issue where OS package PURLs (Package URLs) were not being updated when the --distro flag is used to override the detected OS. Previously, when Trivy detected one OS version but the user specified a different one via the distro flag, the package PURLs would still contain the originally detected OS information, creating inconsistency between the overridden OS and the package metadata.

Examples:

  1. Override OS before:
    ➜  trivy -q image almalinux:9.5 -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[].Packages[0].Identifier.PURL}' 
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": "pkg:rpm/alma/[email protected]?arch=x86_64&distro=alma-9.5"
    }
    
    after:
    ➜  ./trivy -q image almalinux:9.5 -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[].Packages[0].Identifier.PURL}'
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": "pkg:rpm/alma/[email protected]?arch=x86_64&distro=alma-9.6"
    }
    
  2. Override empty OS before:
    ➜  trivy -q image slos-test:latest -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[0].Packages[0].Identifier.PURL}' 
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": null
    }
    
    after:
    ➜  ./trivy -q image slos-test:latest -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[0].Packages[0].Identifier.PURL}'
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": "pkg:rpm/alma/[email protected]?arch=x86_64&distro=alma-9.6"
    }
    
    

Related issues

  • Close #9796

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen avatar Nov 13 '25 07:11 DmitriyLewen
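As an added illustration of the behaviour this PR describes (example code written for this page, not Trivy's own implementation), the snippet below regenerates RPM PURLs from the package fields plus the effective OS, so that both the `pkg:rpm/<family>/` namespace and the `distro=<family>-<version>` qualifier follow the overridden OS. It also covers the second case in the description, where no OS was detected and the PURL starts out empty. The `OS`, `Package`, `rpmPURL` and `RefreshPURLs` names are assumptions for this example, and the package names, versions and PURL strings are constructed sample data, not taken from a real image.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OS mirrors the Family/Name pair shown under .Metadata.OS in the PR
// description's output. Type and field names are assumptions for this example.
type OS struct {
	Family string
	Name   string
}

// Package carries the fields needed to build an RPM PURL. PURL may be empty
// when the original scan did not detect an OS (the "Override empty OS" case).
type Package struct {
	Name    string
	Version string
	Arch    string
	PURL    string
}

// rpmPURL builds pkg:rpm/<family>/<name>@<version>?arch=<arch>&distro=<family>-<name>.
// url.Values.Encode sorts keys, so "arch" always precedes "distro", matching
// the ordering seen in the description.
func rpmPURL(pkg Package, target OS) string {
	q := url.Values{}
	if pkg.Arch != "" {
		q.Set("arch", pkg.Arch)
	}
	q.Set("distro", target.Family+"-"+target.Name)
	return fmt.Sprintf("pkg:rpm/%s/%s@%s?%s", target.Family, pkg.Name, pkg.Version, q.Encode())
}

// DistroQualifier returns the distro=... qualifier of a PURL, or "" if absent.
// Useful as a consistency check between .Metadata.OS and each package PURL.
func DistroQualifier(purl string) string {
	_, rawQuery, found := strings.Cut(purl, "?")
	if !found {
		return ""
	}
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ""
	}
	return q.Get("distro")
}

// RefreshPURLs is the step the PR adds conceptually: after the OS has been
// overridden (e.g. via --distro), every OS package PURL is rebuilt from the new
// OS instead of keeping the originally detected one. Packages with no prior
// PURL (OS not detected) get one as well.
func RefreshPURLs(pkgs []Package, target OS) []Package {
	out := make([]Package, len(pkgs))
	for i, p := range pkgs {
		p.PURL = rpmPURL(p, target)
		out[i] = p
	}
	return out
}

func main() {
	// Constructed sample: one package scanned as alma 9.5, one with no PURL at all.
	pkgs := []Package{
		{Name: "bash", Version: "5.1.8-6.el9", Arch: "x86_64",
			PURL: "pkg:rpm/alma/bash@5.1.8-6.el9?arch=x86_64&distro=alma-9.5"},
		{Name: "zlib", Version: "1.2.11-40.el9", Arch: "x86_64"},
	}
	overridden := OS{Family: "alma", Name: "9.6"}
	for _, p := range RefreshPURLs(pkgs, overridden) {
		fmt.Printf("%s -> %s (distro=%s)\n", p.Name, p.PURL, DistroQualifier(p.PURL))
	}
}
```

A quick way to audit a report for the inconsistency this PR fixes is to compare `DistroQualifier` of every package PURL against `.Metadata.OS`; any mismatch means the PURLs still carry the pre-override OS.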

Is there any estimate when this fix could be merged?

joda-work avatar Nov 26 '25 11:11 joda-work

Hello @joda-work. We’re currently focused on higher-priority tasks.

Please be patient — we’ll get back to this PR as soon as we have time.

Regards, Dmitriy

DmitriyLewen avatar Nov 26 '25 12:11 DmitriyLewen