Skip to content

bug: Trivy should overwrite the namespace and distro qualifier for PURLs when the --distro flag is used. #9796

New issue
New issue
Open
Bug
#9797
Open
bug: Trivy should overwrite the namespace and distro qualifier for PURLs when the --distro flag is used.#9796
Bug
#9797
Assignees
DmitriyLewen
Labels
kind/bugCategorizes issue or PR as related to a bug.
@DmitriyLewen

Description

@DmitriyLewen
DmitriyLewen
opened on Nov 13, 2025

Description

When the --distro flag is used, we update metadata.OS, but the PURLs for OS packages remain unchanged.

This leads to two problems:

  1. OS initially not detected
    If the OS is not detected initially, we keep the package PURLs empty even after overriding the OS via --distro.
    As a result, VEX files cannot be used correctly (see: VEX pkg:identifier fails, because SBOM seems to be missing PURL when --distro alma/9 override is used #9767).
  2. OS initially detected
    If the OS is detected initially, there will be a mismatch between metadata.OS and the package PURLs (their namespace and/or distro qualifier).

Proposed solution

After overriding the OS we should recompute and update the PURLs for OS packages, since OS information is part of the PURL itself.

Relevant code:

trivy/pkg/scan/local/service.go

Lines 84 to 88 in 719ea29

if !lo.IsEmpty(options.Distro) && !lo.IsEmpty(detail.OS) {
log.Info("Overriding detected OS with provided distro", log.String("detected", detail.OS.String()),
log.String("provided", options.Distro.String()))
detail.OS = options.Distro
}

Discussed in #9767

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions