Add repositoryURL to vulnerability report attributes (#585)

Find this from a default annotation and communicate it upstream

Author: michaeljguarino

go.mod

@@ -37,7 +37,7 @@ require (
 	github.com/openshift/api v0.0.0-20250908150922-8634aa495a26
 	github.com/orcaman/concurrent-map/v2 v2.0.1
 	github.com/pkg/errors v0.9.1
-	github.com/pluralsh/console/go/client v1.54.3
+	github.com/pluralsh/console/go/client v1.54.4
 	github.com/pluralsh/controller-reconcile-helper v0.1.0
 	github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34
 	github.com/pluralsh/polly v0.3.3

go.sum

@@ -881,6 +881,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgm
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pluralsh/console/go/client v1.54.3 h1:J/GDYuHFAUaTlsRv1tiUPfXrq5RElFTJKwqAvkn5+88=
 github.com/pluralsh/console/go/client v1.54.3/go.mod h1:EwMrcI23s61oLY3etCVc3NE5RYxgfoiokvU0O7KDOQg=
+github.com/pluralsh/console/go/client v1.54.4 h1:61wfURaw7si9zsNbGjJA3diVa+OyJsETryzM0kkZmuE=
+github.com/pluralsh/console/go/client v1.54.4/go.mod h1:EwMrcI23s61oLY3etCVc3NE5RYxgfoiokvU0O7KDOQg=
 github.com/pluralsh/controller-reconcile-helper v0.1.0 h1:BV3dYZFH5rn8ZvZjtpkACSv/GmLEtRftNQj/Y4ddHEo=
 github.com/pluralsh/controller-reconcile-helper v0.1.0/go.mod h1:RxAbvSB4/jkvx616krCdNQXPbpGJXW3J1L3rASxeFOA=
 github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34 h1:ab2PN+6if/Aq3/sJM0AVdy1SYuMAnq4g20VaKhTm/Bw=

internal/controller/vulnerabilityreports_controller.go

@@ -38,6 +38,8 @@ const (
 	vulnerabilityJitter = 10 * time.Minute
 
 	reportChunkSize = 15
+
+	repositoryURLAnnotationKey = "platform.plural.sh/repository-url"
 )
 
 // VulnerabilityReportReconciler reconciles a Trivy VulnerabilityReport resource.
@@ -63,18 +65,23 @@ func (r *VulnerabilityReportReconciler) Reconcile(ctx context.Context, req ctrl.
 		return ctrl.Result{}, nil
 	}
 
-	var serviceId *string
+	var serviceId, repositoryURL *string
 	if len(vulnerabilityReport.OwnerReferences) > 0 {
 		k8sObj, err := GetObjectFromOwnerReference(ctx, r.Client, vulnerabilityReport.OwnerReferences[0], vulnerabilityReport.Namespace)
 		if err != nil {
 			return ctrl.Result{}, err
 		}
-		svcId, ok := k8sObj.GetAnnotations()[smcommon.OwningInventoryKey]
-		if ok {
+
+		annotations := k8sObj.GetAnnotations()
+		if svcId, ok := annotations[smcommon.OwningInventoryKey]; ok {
 			serviceId = lo.ToPtr(svcId)
 		}
+
+		if repoURL, ok := annotations[repositoryURLAnnotationKey]; ok {
+			repositoryURL = lo.ToPtr(repoURL)
+		}
 	}
-	attrs, timestamp := createVulnAttributes(*vulnerabilityReport, serviceId)
+	attrs, timestamp := createVulnAttributes(*vulnerabilityReport, serviceId, repositoryURL)
 	r.reports.Set(req.String(), vulnReport{
 		attributes: &attrs,
 		timestamp:  timestamp,
@@ -85,7 +92,7 @@ func (r *VulnerabilityReportReconciler) Reconcile(ctx context.Context, req ctrl.
 	return jitterRequeue(vulnerabilityRequeueAfter, vulnerabilityJitter), nil
 }
 
-func createVulnAttributes(vulnerabilityReport trivy.VulnerabilityReport, serviceID *string) (console.VulnerabilityReportAttributes, time.Time) {
+func createVulnAttributes(vulnerabilityReport trivy.VulnerabilityReport, serviceID *string, repositoryURL *string) (console.VulnerabilityReportAttributes, time.Time) {
 	var namespaces []*console.NamespaceVulnAttributes
 	os := &console.VulnOsAttributes{
 		Eosl:   lo.ToPtr(vulnerabilityReport.Report.OS.Eosl),
@@ -147,6 +154,7 @@ func createVulnAttributes(vulnerabilityReport trivy.VulnerabilityReport, service
 			Class:            lo.ToPtr(v.Class),
 			PackageType:      lo.ToPtr(v.PackageType),
 			PkgPath:          lo.ToPtr(v.PkgPath),
+			RepositoryURL:    repositoryURL,
 		}
 		if v.PublishedDate != "" {
 			vulnerabilityAttr.PublishedDate = lo.ToPtr(v.PublishedDate)