Fill the PkgRef of a vulnerability when scanning container images, filesystem, etc

[pablogalegoc]

Description

I've noticed this comment in the code when trying to find why the vulnerabilities in a report don't have a pURL of the package affected:

trivy/pkg/types/vulnerability.go

Lines 22 to 27 in 74dbd8a

	// PkgRef is populated only when scanning SBOM and contains the reference ID used in the SBOM.
	// It could be PURL, UUID, etc.
	// e.g.
	// - pkg:npm/acme/component@1.0.0
	// - b2a46a4b-8367-4bae-9820-95557cfe03a8
	PkgRef string `json:",omitempty"`

Could this decision be reconsidered? It would be nice if a standard scan* would fill the PkgRef of the vulnerability, ideally with a pURL, so it is easier to link with VEX statements.

* I mean something like:

trivy -q i --scanners vuln library/redis:7.2.1-bookworm -f json

Target

Container Image

Scanner

Vulnerability

[knqyf263]

Yeah, we're planning to do that.

[pablogalegoc]

Awesome, thanks!

[mpermar]

@knqyf263 does it sound good if we (Bitnami) contribute a PR for this feature? Probably we should not even ask but I want to make sure you guys don't have any strong opinions on the implementation or are already doing it and waiting for just being pushed.

[knqyf263]

Yeah, it will be appreciated! I don't have a concrete idea yet, just wondering if we should add PURL to Package or Identifiers.PURL to Package so that we can have Identifiers.CPE or other IDs` in the future. If you already have an idea, I'd like to hear that.

[mpermar]

@juan131 is going to take a look at this. We do rely purl in our SBOMs, scans and VEX statements but I concur that it makes sense to support other package identification formats.

[knqyf263]

Thanks!

[juan131]

@pablogalegoc @mpermar @knqyf263 I just created this draft PR with a possible implementation for this: #5439

[juan131]

@knqyf263 please take a look to the above mentioned PR when you find time for it.