
fix: overwrite OS packages PURLs after overwrite OS #10298

Open
DmitriyLewen wants to merge 5 commits into aquasecurity:main from DmitriyLewen:fix/overwrite-os-pkg-purl-for-distro-flag


@DmitriyLewen
Contributor

@DmitriyLewen DmitriyLewen commented Mar 3, 2026

Description

This PR fixes an issue where OS package PURLs (Package URLs) were not being updated when the --distro flag is used to override the detected OS. Previously, when Trivy detected one OS version but the user specified a different one via the distro flag, the package PURLs would still contain the originally detected OS information, creating inconsistency between the overridden OS and the package metadata.

Examples:

  1. Override OS
    before:
    ➜  trivy -q image almalinux:9.5 -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[].Packages[0].Identifier.PURL}' 
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": "pkg:rpm/alma/acl@2.3.1-4.el9?arch=x86_64&distro=alma-9.5"
    }
    after:
    ➜  ./trivy -q image almalinux:9.5 -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[].Packages[0].Identifier.PURL}'
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": "pkg:rpm/alma/acl@2.3.1-4.el9?arch=x86_64&distro=alma-9.6"
    }
  2. Override empty OS
    before:
    ➜  trivy -q image slos-test:latest -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[0].Packages[0].Identifier.PURL}' 
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": null
    }
    after:
    ➜  ./trivy -q image slos-test:latest -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[0].Packages[0].Identifier.PURL}'
    {
      "OS": {
        "Family": "alma",
        "Name": "9.6"
      },
      "pkg": "pkg:rpm/alma/alternatives@1.24-2.slos1?arch=x86_64&distro=alma-9.6"
    }
    

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner March 3, 2026 11:22
@DmitriyLewen
Contributor Author

Reopened from #9797 after recreating the fork.

@joda-work

So, what does this re-opening mean for the inclusion of the change?

@DmitriyLewen
Contributor Author

Hi @joda-work,
I just reopened this PR because I had to delete and recreate the fork (see https://github.com/aquasecurity/trivy/discussions/10265).

Regards, Dmitriy


Development

Successfully merging this pull request may close these issues.

bug: Trivy should overwrite the namespace and distro qualifier for PURLs when the --distro flag is used.

2 participants