# vulnlog modify copy
Copies one or more vulnerability entries from a source file into one or more target files. This propagates an existing analysis across multiple branch files.
```
vulnlog modify copy <source-file> <target-file...> --vuln-id <id> [--vuln-id <id>...]
```
| Flag | Description |
|---|---|
| `--vuln-id <id>` | Vulnerability ID to copy. Required and repeatable. Each ID must exist in the source file. |
The first positional argument is the source file. All subsequent positional arguments are target files. At least one `--vuln-id` is required; repeat the flag to copy multiple entries in one invocation.

Target files are rewritten in the canonical style, exactly as `fmt` would format them, so a later `fmt` is a no-op. Any valid YAML layout is accepted as input. YAML comments are not preserved; the command warns when it drops them.

For each target file, the `releases` field on the copied entry is rewritten to the last release in the target's list of releases.
If an entry with the same `id` already exists in a target file, the existing entry is merged with the source entry rather than overwritten:

- Scalar fields (`name`, `description`, `analysis`, `analyzed_at`, `verdict`, `justification`, `resolution`, `comment`) keep the existing value when set; otherwise the source value is used.
- List fields (`aliases`, `packages`, `tags`) are unioned, preserving the existing order.
- `reports` are merged by reporter: an existing report is kept, with the source's `vuln_ids` appended and missing scalars filled in from the source.
- `releases` is replaced with the target's last release, as for new entries.
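The merge rules above, together with the `releases` rewrite for new entries, are easy to get subtly wrong (losing an analyst's verdict, reordering a package list, duplicating a report). The following Python is an added illustration of those rules and is not vulnlog's own code: entries are plain dicts in the shape of the YAML, all sample documents are constructed, a missing key, `None` or an empty string is treated as "not set", and the target's releases are assumed to live in a top-level `releases` list.

```python
import copy

# Field groups named in the merge rules.
SCALAR_FIELDS = ("name", "description", "analysis", "analyzed_at",
                 "verdict", "justification", "resolution", "comment")
LIST_FIELDS = ("aliases", "packages", "tags")


def is_unset(value):
    # Assumption: a missing key, None or an empty string counts as "not set".
    return value is None or value == ""


def union_keep_order(existing, incoming):
    """Union two lists: existing order first, then source items not yet present."""
    merged = list(existing)
    for item in incoming:
        if item not in merged:
            merged.append(item)
    return merged


def merge_reports(existing, incoming):
    """Merge by reporter: keep the existing report, append the source's
    vuln_ids, and fill in scalars the existing report lacks."""
    merged = [dict(r) for r in existing]
    by_reporter = {r["reporter"]: r for r in merged}
    for src in incoming:
        dst = by_reporter.get(src["reporter"])
        if dst is None:  # reporter unknown to the target: take the report as-is
            merged.append(dict(src))
            by_reporter[src["reporter"]] = merged[-1]
            continue
        dst["vuln_ids"] = union_keep_order(dst.get("vuln_ids", []), src.get("vuln_ids", []))
        for key, value in src.items():
            if key not in ("reporter", "vuln_ids") and is_unset(dst.get(key)):
                dst[key] = value
    return merged


def merge_entry(existing, source, last_release):
    """Apply the four merge rules to an entry that already exists in the target."""
    merged = copy.deepcopy(existing)
    for field in SCALAR_FIELDS:  # existing value wins when set
        if is_unset(merged.get(field)) and field in source:
            merged[field] = source[field]
    for field in LIST_FIELDS:  # union, existing order preserved
        if field in existing or field in source:
            merged[field] = union_keep_order(existing.get(field, []), source.get(field, []))
    if "reports" in existing or "reports" in source:
        merged["reports"] = merge_reports(existing.get("reports", []), source.get("reports", []))
    merged["releases"] = [last_release]  # always the target's last release
    return merged


def copy_entry(source_doc, target_doc, vuln_id):
    """Copy vuln_id from source_doc into target_doc (both already parsed from
    YAML) and return the entry as it now appears in the target."""
    source_entry = next((e for e in source_doc["vulnerabilities"] if e["id"] == vuln_id), None)
    if source_entry is None:
        raise KeyError(f"{vuln_id} does not exist in the source file")
    last_release = target_doc["releases"][-1]  # assumption: top-level releases list
    entries = target_doc["vulnerabilities"]
    for i, existing in enumerate(entries):
        if existing["id"] == vuln_id:
            entries[i] = merge_entry(existing, source_entry, last_release)
            return entries[i]
    new_entry = copy.deepcopy(source_entry)
    new_entry["releases"] = [last_release]  # new entry: point at the target's last release
    entries.append(new_entry)
    return new_entry


# Constructed sample documents; ids, packages and the "severity" key are made up.
SOURCE_DOC = {"releases": ["2.0.0"], "vulnerabilities": [{
    "id": "CVE-2026-002", "description": "Remote code execution in example-lib",
    "releases": ["2.0.0"], "packages": ["pkg:npm/example-lib@2.3.0"], "tags": ["rce"],
    "reports": [{"reporter": "trivy", "vuln_ids": ["CVE-2026-002"], "severity": "high"}],
    "verdict": "not affected", "justification": "vulnerable code not in execute path"}]}
TARGET_EMPTY = {"releases": ["1.0.0"], "vulnerabilities": []}
TARGET_WITH_ENTRY = {"releases": ["1.0.0", "1.1.0"], "vulnerabilities": [{
    "id": "CVE-2026-002", "description": "", "releases": ["1.0.0"],
    "packages": ["pkg:npm/example-lib@2.2.0"],
    "reports": [{"reporter": "trivy", "vuln_ids": ["GHSA-xxxx-xxxx-xxxx"]}],
    "verdict": "affected"}]}


def demo():
    """Run the new-entry case and the merge case on fresh copies of the targets."""
    added = copy_entry(SOURCE_DOC, copy.deepcopy(TARGET_EMPTY), "CVE-2026-002")
    merged = copy_entry(SOURCE_DOC, copy.deepcopy(TARGET_WITH_ENTRY), "CVE-2026-002")
    return added, merged


if __name__ == "__main__":
    for label, entry in zip(("new entry", "merged entry"), demo()):
        print(label, entry)
```

Running `demo()` shows the two behaviours side by side: into the empty target the entry arrives unchanged except for `releases: [1.0.0]`; into the target that already tracks the id, the analyst's `verdict: affected` survives, the empty `description` is filled from the source, both package URLs are kept in existing-then-source order, the trivy report gains the source's `vuln_ids` and its missing `severity`, and `releases` becomes `[1.1.0]`.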
## Example
In this example the vulnerability CVE-2026-002 is copied from source.vl.yml to target1.vl.yml and target2.vl.yml.

```shell
vulnlog modify copy source.vl.yml target1.vl.yml target2.vl.yml --vuln-id CVE-2026-002
```

```
Copied to target1.vl.yml: CVE-2026-002
Copied to target2.vl.yml: CVE-2026-002
```
The command adds the vulnerability entry to the previously empty `vulnerabilities` list. Before the copy, the target file contains:

```yaml
vulnerabilities: []
```
After the operation, the vulnerability entry is added with `releases` pointing to the target's last release:

```yaml
vulnerabilities:
  - id: CVE-2026-002
    description: Remote code execution in example-lib
    releases: [1.0.0]
    packages: ["pkg:npm/example-lib@2.3.0"]
    reports:
      - reporter: trivy
    analysis: >-
      The vulnerable code path is not reachable in our application because we only use the safe subset of the API.
    verdict: not affected
    justification: vulnerable code not in execute path
```