Project and Releases

project

Project-level metadata. Used in report generation.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| organization | String | Yes | Name of the organization or vendor. |
| name | String | Yes | Name of the software project. |
| author | String | Yes | Name of the responsible security team or author. |
| contact | String (email) | No | Contact email for the security team. |

releases

Defines the releases tracked in this Vulnlog file. Releases must be listed in chronological order (oldest first). This ordering is used by the CLI to resolve --release filtering.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| id | String | Yes | Unique release identifier (e.g., 8.1.1, 2.0.0-SNAPSHOT). |
| published_at | String (date, YYYY-MM-DD) | No | Publication date of the release. Absence indicates the release is not yet published. |
| purls | Array of PURL entries | No | Versioned Package URLs identifying the release artifacts. |

PURL Entry

A release artifact identified by its Package URL, optionally tagged for scoping.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| purl | String (Package URL) | Yes | The versioned Package URL for this artifact in this release. |
| tags | Array of String | No | Tags associated with this purl. Must reference tags defined in the tags section. See Tags and Filtering. |

Package URL Examples

pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
pkg:docker/demo-project@8.1.1
pkg:npm/image-lib@3.1.0
pkg:generic/demo-project@8.1.1
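The following is an added example, not code from the Vulnlog project: a small validator that applies the rules stated above for the project and releases sections (required fields, the email-typed contact, the YYYY-MM-DD publication date, chronological release order, versioned PURLs, and tags that must exist in the tags section). The document is held as a plain Python mapping; the on-disk serialization is not assumed. The sample data and the set of defined tag names are constructed for illustration, and the check that a published release may not follow an unpublished one is an inference from "oldest first" plus "absence indicates the release is not yet published", not a rule spelled out on this page.

```python
import re
from datetime import date

# Constructed sample data (not a real Vulnlog file). Structure mirrors the
# fields documented above; serialization format is deliberately not assumed.
SAMPLE_TAGS = {"server", "client"}  # assumed: names defined in the tags section

SAMPLE_DOC = {
    "project": {
        "organization": "Example Org",
        "name": "demo-project",
        "author": "Product Security Team",
        "contact": "security@example.com",
    },
    "releases": [  # oldest first, as the format requires
        {"id": "8.1.0", "published_at": "2024-01-15",
         "purls": [{"purl": "pkg:docker/demo-project@8.1.0", "tags": ["server"]}]},
        {"id": "8.1.1", "published_at": "2024-03-02",
         "purls": [{"purl": "pkg:docker/demo-project@8.1.1", "tags": ["server"]},
                   {"purl": "pkg:npm/image-lib@3.1.0", "tags": ["client"]}]},
        {"id": "9.0.0-SNAPSHOT",  # no published_at: not yet published
         "purls": [{"purl": "pkg:generic/demo-project@9.0.0-SNAPSHOT"}]},
    ],
}

PROJECT_REQUIRED = ("organization", "name", "author")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Light check for a versioned PURL: "pkg:" scheme, a type, a name path and a
# non-empty "@version". Qualifiers/subpaths after the version are tolerated.
# This is not a full Package URL parser.
PURL_RE = re.compile(r"^pkg:[A-Za-z0-9.+-]+/[^@\s]+@[^@\s]+$")


def validate(doc, defined_tags):
    """Return a list of problems found; an empty list means the document passes."""
    problems = []

    project = doc.get("project", {})
    for field in PROJECT_REQUIRED:
        if not project.get(field):
            problems.append(f"project.{field}: required")
    contact = project.get("contact")
    if contact is not None and not EMAIL_RE.match(contact):
        problems.append("project.contact: not an email address")

    seen_ids = set()
    last_date = None
    seen_unpublished = False
    for i, rel in enumerate(doc.get("releases", [])):
        rid = rel.get("id")
        if not rid:
            problems.append(f"releases[{i}].id: required")
        elif rid in seen_ids:
            problems.append(f"releases[{i}].id: duplicate '{rid}'")
        seen_ids.add(rid)

        raw = rel.get("published_at")
        if raw is None:
            seen_unpublished = True
        elif not DATE_RE.match(raw):
            problems.append(f"releases[{i}].published_at: not YYYY-MM-DD")
        else:
            try:
                published = date.fromisoformat(raw)
            except ValueError:
                problems.append(f"releases[{i}].published_at: not a valid date")
                published = None
            if published is not None:
                # Oldest first: dates must not decrease along the list.
                if last_date is not None and published < last_date:
                    problems.append(f"releases[{i}]: out of chronological order")
                last_date = published
                # Assumed: an unpublished release is newer than any published one.
                if seen_unpublished:
                    problems.append(f"releases[{i}]: published release after an unpublished one")

        for j, entry in enumerate(rel.get("purls", [])):
            if not PURL_RE.match(entry.get("purl", "")):
                problems.append(f"releases[{i}].purls[{j}].purl: not a versioned PURL")
            for tag in entry.get("tags", []):
                if tag not in defined_tags:
                    problems.append(f"releases[{i}].purls[{j}].tags: undefined tag '{tag}'")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_DOC, SAMPLE_TAGS) or ["ok"]:
        print(problem)
```

Running the validator before committing a Vulnlog file catches the mistakes that otherwise surface only when the CLI resolves `--release` filtering against a mis-ordered list or a report references a tag nobody defined.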