vulnlog modify copy

Copies one or more vulnerability entries from a source file into one or more target files. This propagates an existing analysis across multiple branch files.

vulnlog modify copy <source-file> <target-file...> --vuln-id <id> [--vuln-id <id>...]
Flag              Description
--vuln-id <id>    Vulnerability ID to copy. Required and repeatable. Each ID must exist in the source file.

The first positional argument is the source file. All subsequent positional arguments are target files. At least one --vuln-id is required; repeat the flag to copy multiple entries in one invocation.

For each target file, the releases field on the copied entry is rewritten to the latest release of the target, favoring releases with a publication date over unpublished ones.

If an entry with the same id already exists in a target file, the existing entry is merged with the source entry rather than overwritten:

  • Scalar fields (name, description, analysis, analyzed_at, verdict, justification, resolution, comment) keep the existing value when set; otherwise the source value is used.

  • List fields (aliases, packages, tags) are unioned, preserving the existing order.

  • reports are merged by reporter: an existing report is kept, with the source’s vuln_ids appended and missing scalars filled in from the source.

  • releases is replaced with the target’s latest release, as for new entries.
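
The merge rules above, written out as a small Python model. This is an added example, not vulnlog's own code. It assumes that "set" means non-null, that a source report from a reporter the target lacks is added, that vuln_ids already present are not appended twice, and that target releases are given as (name, publication date) pairs; all sample data is constructed.

```python
import copy

SCALARS = ("name", "description", "analysis", "analyzed_at", "verdict",
           "justification", "resolution", "comment")
LISTS = ("aliases", "packages", "tags")

def latest_release(releases):
    # (name, publication date or None) pairs; this shape is an assumption.
    published = [r for r in releases if r[1] is not None]
    # ISO dates sort as strings; assumption: nothing published -> last listed.
    return max(published, key=lambda r: r[1])[0] if published else releases[-1][0]

def union(existing, source):
    out = list(existing or [])            # existing order is preserved
    return out + [x for x in (source or []) if x not in out]

def merge_entry(existing, source, target_releases):
    merged = copy.deepcopy(existing)
    for f in SCALARS:                     # existing value wins when set
        if merged.get(f) is None and source.get(f) is not None:
            merged[f] = source[f]
    for f in LISTS:
        if f in existing or f in source:
            merged[f] = union(existing.get(f), source.get(f))
    reports = merged.get("reports") or []
    by_reporter = {r["reporter"]: r for r in reports}
    for src in copy.deepcopy(source.get("reports") or []):
        cur = by_reporter.get(src["reporter"])
        if cur is None:                   # assumption: unseen reporter is added
            reports.append(src)
            continue
        cur["vuln_ids"] = union(cur.get("vuln_ids"), src.get("vuln_ids"))
        for k, v in src.items():          # fill only the report scalars that are missing
            if k != "vuln_ids" and cur.get(k) is None:
                cur[k] = v
    merged["reports"] = reports
    merged["releases"] = [latest_release(target_releases)]  # always replaced
    return merged

# Constructed sample entries: the target already holds an older analysis state.
EXISTING = {"id": "CVE-2026-002", "verdict": "affected", "analysis": None,
            "packages": ["pkg:npm/example-lib@2.1.0"], "releases": ["0.9.0"],
            "reports": [{"reporter": "trivy", "at": None, "vuln_ids": ["EXAMPLE-ID-1"]}]}
SOURCE = {"id": "CVE-2026-002", "verdict": "not affected", "releases": ["1.0.0"],
          "analysis": "Vulnerable code path is not reachable.", "packages": ["pkg:npm/example-lib@2.3.0"],
          "reports": [{"reporter": "trivy", "at": "2026-01-10", "vuln_ids": ["CVE-2026-002"]}]}
TARGET_RELEASES = [("0.9.0", "2025-11-01"), ("1.1.0", "2026-02-01"), ("1.2.0", None)]
MERGED = merge_entry(EXISTING, SOURCE, TARGET_RELEASES)
```

Under these rules MERGED keeps the target's existing verdict ("affected") while taking the analysis text from the source, so a merged entry can pair a verdict and an analysis that were written separately. Review entries that already existed in a target after copying.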

Example

In this example the vulnerability CVE-2026-002 is copied from source.vl.yml to target1.vl.yml and target2.vl.yml.

vulnlog modify copy source.vl.yml target1.vl.yml target2.vl.yml --vuln-id CVE-2026-002

Copied to target1.vl.yml: CVE-2026-002
Copied to target2.vl.yml: CVE-2026-002

The command adds the vulnerability entry to the previously empty vulnerabilities list.

Before the operation, the target file's vulnerabilities list is empty:

vulnerabilities: []

After the operation, the vulnerability entry is added with releases pointing to the target’s latest release:

vulnerabilities:

  - id: "CVE-2026-002"
    description: "Remote code execution in example-lib"
    releases:
    - "1.0.0"
    packages:
    - "pkg:npm/example-lib@2.3.0"
    reports:
    - reporter: "trivy"
      at: null
      source: null
      vuln_ids: []
      suppress: null
    analysis: "The vulnerable code path is not reachable in our application because we\
      \ only use the safe subset of the API.\n"
    verdict: "not affected"
    justification: "vulnerable code not in execute path"