feat: Add PURL field to vulnerability report #43

Open
gorkemmulayim wants to merge 1 commit into goharbor:main from gorkemmulayim:feat/add-purl-support

Conversation

gorkemmulayim commented Dec 22, 2025

Summary

  • Add PkgIdentifier struct to trivy model to capture PURL from scan results
  • Add PURL field to harbor VulnerabilityItem
  • Map PURL from Trivy's PkgIdentifier.PURL to Harbor's vulnerability report

Signed-off-by: Gorkem Mulayim <gorkemmulayim@icloud.com>
Copilot AI left a comment

Pull request overview

This pull request adds Package URL (PURL) support to vulnerability reports by capturing and mapping PURL identifiers from Trivy scan results to Harbor's vulnerability reporting format. This enables better package identification using the standardized PURL specification.

  • Introduces a new PkgIdentifier struct in the Trivy model to capture PURL information from scan results
  • Adds PURL field to Harbor's VulnerabilityItem structure with proper JSON serialization
  • Implements mapping logic to transform PURL data from Trivy to Harbor format with nil-safe handling

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File                         Description
pkg/trivy/model.go           Adds PkgIdentifier struct with PURL field and includes it as an optional field in Vulnerability struct
pkg/harbor/model.go          Adds PURL field to VulnerabilityItem with omitempty JSON tag for optional serialization
pkg/scan/transformer.go      Implements toPURL helper function with nil-safety to map PkgIdentifier.PURL to Harbor's PURL field
pkg/scan/transformer_test.go Updates test case with PURL data to validate the complete transformation pipeline

reasonerjt commented Dec 31, 2025

@gorkemmulayim

Thanks for the PR.

Do you need to introduce purl b/c "package+version" does not provide enough information?

gorkemmulayim (Author) commented

package+version alone is ambiguous across ecosystems.

For example, curl@7.88.1 could be:

  • pkg:deb/debian/curl@7.88.1
  • pkg:apk/alpine/curl@7.88.1
  • pkg:rpm/fedora/curl@7.88.1

These are different binaries with different vulnerability surfaces. PURL provides the type and namespace needed to uniquely identify a package.

I'm currently building a vulnerability graph that correlates Harbor scan results with other sources (Trivy VulnerabilityReports, OSV, NVD) where PURL is the standard identifier, and without it I'm forced to default type and namespace to "unknown", making deduplication impossible.

Trivy already emits PURL; this PR just passes it through to the Harbor report.
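The mapping and the ambiguity argument above, as an added example that is not the PR's own code: the struct shapes are assumed stand-ins for the real Trivy and Harbor models, toPURL is the nil-safe accessor, and dedupKey shows why a PURL key keeps the deb and apk curl@7.88.1 findings apart while package+version collapses them.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the Trivy and Harbor models the PR touches (constructed here; field names approximate the real structs).
type PkgIdentifier struct {
	PURL string `json:"PURL,omitempty"`
}
type TrivyVulnerability struct {
	VulnerabilityID, PkgName, InstalledVersion string
	PkgIdentifier *PkgIdentifier // nil when Trivy emitted no identifier
}
type VulnerabilityItem struct {
	ID, Package, Version string
	PURL                 string `json:"purl,omitempty"` // dropped from JSON when empty
}
// toPURL is the nil-safe accessor: a missing PkgIdentifier yields "".
func toPURL(id *PkgIdentifier) string {
	if id == nil {
		return ""
	}
	return id.PURL
}
func transform(v TrivyVulnerability) VulnerabilityItem {
	return VulnerabilityItem{ID: v.VulnerabilityID, Package: v.PkgName,
		Version: v.InstalledVersion, PURL: toPURL(v.PkgIdentifier)}
}
// dedupKey prefers the PURL (type + namespace + name + version); package@version
// is the lossy fallback that collides across ecosystems.
func dedupKey(it VulnerabilityItem) string {
	if it.PURL != "" {
		return it.PURL
	}
	return it.Package + "@" + it.Version
}

func main() {
	// Constructed findings: one curl@7.88.1 per ecosystem, the last with no identifier.
	for _, f := range []TrivyVulnerability{
		{"CVE-EXAMPLE-0001", "curl", "7.88.1", &PkgIdentifier{PURL: "pkg:deb/debian/curl@7.88.1"}},
		{"CVE-EXAMPLE-0001", "curl", "7.88.1", nil},
	} {
		it := transform(f)
		b, _ := json.Marshal(it)
		fmt.Println(dedupKey(it), string(b))
	}
}
```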
