Skip to content

fix: overwrite OS packages PURLs after overwrite OS #9797

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DmitriyLewen wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix: overwrite OS packages PURLs after overwrite OS #9797

DmitriyLewen wants to merge 5 commits into from
+124 −2

Conversation

@DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Nov 13, 2025

Description

This PR fixes an issue where OS package PURLs (Package URLs) were not being updated when the --distro flag is used to override the detected OS. Previously, when Trivy detected one OS version but the user specified a different one via
the distro flag, the package PURLs would still contain the originally detected OS information, creating inconsistency between the overridden OS and the package metadata.

Examples:

  1. Override OS
    before: 
    ➜  trivy -q image almalinux:9.5 -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[].Packages[0].Identifier.PURL}' 
{
  "OS": {
    "Family": "alma",
    "Name": "9.6"
  },
  "pkg": "pkg:rpm/alma/acl@2.3.1-4.el9?arch=x86_64&distro=alma-9.5"
}
    after: 
    ➜  ./trivy -q image almalinux:9.5 -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[].Packages[0].Identifier.PURL}'
{
  "OS": {
    "Family": "alma",
    "Name": "9.6"
  },
  "pkg": "pkg:rpm/alma/acl@2.3.1-4.el9?arch=x86_64&distro=alma-9.6"
}
  2. Override empty OS
    before: 
    ➜  trivy -q image slos-test:latest -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[0].Packages[0].Identifier.PURL}' 
{
  "OS": {
    "Family": "alma",
    "Name": "9.6"
  },
  "pkg": null
}
    after: 
    ➜  ./trivy -q image slos-test:latest -f json --distro alma/9.6 | jq '{OS: .Metadata.OS, pkg: .Results[0].Packages[0].Identifier.PURL}'
{
  "OS": {
    "Family": "alma",
    "Name": "9.6"
  },
  "pkg": "pkg:rpm/alma/alternatives@1.24-2.slos1?arch=x86_64&distro=alma-9.6"
}

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen changed the title fix: overwrite PURLs after overwrite OS fix: overwrite OS packages PURLs after overwrite OS Nov 13, 2025
@DmitriyLewen DmitriyLewen self-assigned this Nov 13, 2025
@DmitriyLewen DmitriyLewen added the autoready Automatically mark PR as ready for review when all checks pass label Nov 13, 2025
@github-actions github-actions bot marked this pull request as ready for review November 13, 2025 08:57
@github-actions github-actions bot requested a review from knqyf263 as a code owner November 13, 2025 08:57
@github-actions github-actions bot removed the autoready Automatically mark PR as ready for review when all checks pass label Nov 13, 2025
@joda-work
Copy link

joda-work commented Nov 26, 2025

Is there any estimate when this fix could be merged?

@DmitriyLewen
Copy link
Contributor Author

DmitriyLewen commented Nov 26, 2025

Hello @joda-work
We’re currently focused on higher-priority tasks.

Please be patient — we’ll get back to this PR as soon as we have time.

Regards, Dmitriy

@github-actions
Copy link

github-actions bot commented Jan 26, 2026

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jan 26, 2026
@joda-work
Copy link

joda-work commented Feb 6, 2026

Is there anything I can do to help getting this merged?

@DmitriyLewen DmitriyLewen removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 6, 2026
@DmitriyLewen
Copy link
Contributor Author

DmitriyLewen commented Feb 6, 2026

Hello @joda-work
I added this task to the v0.70.0 milestone.
I hope we will have time to check this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@DmitriyLewen DmitriyLewen

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: Trivy should overwrite the namespace and distro qualifier for PURLs when the --distro flag is used.

2 participants

@DmitriyLewen @joda-work