vulnlog modify copy

Copies one or more vulnerability entries from a source file into one or more target files. This propagates an existing analysis across multiple branch files.

vulnlog modify copy <source-file> <target-file...> --vuln-id <id> [--vuln-id <id>...]
Flag                Description

--vuln-id <id>      Vulnerability ID to copy. Required and repeatable. Each ID must exist in the source file.

The first positional argument is the source file. All subsequent positional arguments are target files. At least one --vuln-id is required; repeat the flag to copy multiple entries in one invocation.

Target files are rewritten in the canonical style, exactly as fmt would format them, so a later fmt is a no-op. Any valid YAML layout is accepted as input. YAML comments are not preserved; the command warns when it drops them.

For each target file, the releases field on the copied entry is rewritten to the last release in the target’s list of releases.

If an entry with the same id already exists in a target file, the existing entry is merged with the source entry rather than overwritten:

  • Scalar fields (name, description, analysis, analyzed_at, verdict, justification, resolution, comment) keep the existing value when set; otherwise the source value is used.

  • List fields (aliases, packages, tags) are unioned, preserving the existing order.

  • reports are merged by reporter: an existing report is kept, with the source’s vuln_ids appended and missing scalars filled in from the source.

  • releases is replaced with the target’s last release, as for new entries.
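The merge rules above, worked through in code. This is an added example, not vulnlog's own implementation: it models a vulnlog file as a plain dict mirroring the YAML shown on this page and assumes the file's top-level `releases` field is a list of release names whose last item is "the target's last release". The function names, the `url` report field and the sample data are all constructed for the example.

```python
# Added worked example of the `vulnlog modify copy` merge semantics.
# Not vulnlog's code; assumes the file layout is a dict with top-level
# "releases" (list of release names) and "vulnerabilities" (list of entries).
from copy import deepcopy

SCALAR_FIELDS = ("name", "description", "analysis", "analyzed_at",
                 "verdict", "justification", "resolution", "comment")
LIST_FIELDS = ("aliases", "packages", "tags")


def union_preserving_order(existing, incoming):
    """Union two lists: existing order first, unseen incoming items appended."""
    seen = set(existing)
    result = list(existing)
    for item in incoming:
        if item not in seen:
            seen.add(item)
            result.append(item)
    return result


def merge_reports(existing_reports, source_reports):
    """Merge by reporter: keep the existing report, append the source's vuln_ids
    (duplicates skipped, an assumption of this example) and fill in scalars the
    existing report lacks. Reporters absent from the target are copied whole."""
    merged = deepcopy(existing_reports)
    by_reporter = {r["reporter"]: r for r in merged}
    for src in source_reports:
        cur = by_reporter.get(src["reporter"])
        if cur is None:
            merged.append(deepcopy(src))
            by_reporter[src["reporter"]] = merged[-1]
            continue
        if "vuln_ids" in cur or "vuln_ids" in src:
            cur["vuln_ids"] = union_preserving_order(cur.get("vuln_ids", []),
                                                     src.get("vuln_ids", []))
        for key, value in src.items():
            if key not in ("reporter", "vuln_ids") and cur.get(key) in (None, ""):
                cur[key] = value
    return merged


def merge_entry(existing, source, last_release):
    """Merge a source entry into a target entry that has the same id."""
    merged = deepcopy(existing)
    for field in SCALAR_FIELDS:          # keep existing value when set
        if merged.get(field) in (None, "") and field in source:
            merged[field] = source[field]
    for field in LIST_FIELDS:            # union, existing order preserved
        if field in existing or field in source:
            merged[field] = union_preserving_order(existing.get(field, []),
                                                   source.get(field, []))
    if "reports" in existing or "reports" in source:
        merged["reports"] = merge_reports(existing.get("reports", []),
                                          source.get("reports", []))
    merged["releases"] = [last_release]  # always the target's last release
    return merged


def copy_entries(source_doc, target_doc, vuln_ids):
    """Return a copy of target_doc with the requested entries copied in."""
    source_by_id = {e["id"]: e for e in source_doc.get("vulnerabilities", [])}
    missing = [v for v in vuln_ids if v not in source_by_id]
    if missing:
        raise ValueError(f"vuln ids not present in source file: {missing}")
    if not target_doc.get("releases"):
        raise ValueError("target file has no releases to point the entry at")
    last_release = target_doc["releases"][-1]
    result = deepcopy(target_doc)
    entries = result.setdefault("vulnerabilities", [])
    index = {e["id"]: i for i, e in enumerate(entries)}
    for vid in vuln_ids:
        src = source_by_id[vid]
        if vid in index:                 # same id exists: merge, do not overwrite
            entries[index[vid]] = merge_entry(entries[index[vid]], src, last_release)
        else:                            # new entry: copy, rewrite releases
            new_entry = deepcopy(src)
            new_entry["releases"] = [last_release]
            entries.append(new_entry)
            index[vid] = len(entries) - 1
    return result


# Constructed sample data (not taken from any real vulnlog file).
SOURCE_DOC = {
    "releases": ["2.0.0"],
    "vulnerabilities": [{
        "id": "CVE-2026-002",
        "description": "Remote code execution in example-lib",
        "releases": ["2.0.0"],
        "packages": ["pkg:npm/example-lib@2.3.0"],
        "tags": ["npm"],
        "reports": [{"reporter": "trivy", "vuln_ids": ["CVE-2026-002"],
                     "url": "https://example.invalid/report"}],
        "verdict": "not affected",
        "justification": "vulnerable code not in execute path",
    }],
}
TARGET_EMPTY = {"releases": ["0.9.0", "1.0.0"], "vulnerabilities": []}
TARGET_WITH_EXISTING = {
    "releases": ["1.0.0", "1.1.0"],
    "vulnerabilities": [{
        "id": "CVE-2026-002",
        "description": "RCE in example-lib (triage pending)",
        "releases": ["1.0.0"],
        "packages": ["pkg:npm/example-lib@2.2.0"],
        "reports": [{"reporter": "trivy", "vuln_ids": ["EXAMPLE-ALIAS-1"]}],
    }],
}

if __name__ == "__main__":
    print(copy_entries(SOURCE_DOC, TARGET_EMPTY, ["CVE-2026-002"]))
    print(copy_entries(SOURCE_DOC, TARGET_WITH_EXISTING, ["CVE-2026-002"]))
```

Running the module shows the two cases side by side: into the empty target the entry arrives unchanged except for `releases: [1.0.0]`; into the target that already holds CVE-2026-002 the existing description survives, the source's `verdict` and `justification` fill the gaps, `packages` becomes the ordered union, the trivy report gains the source's vuln id and `url`, and `releases` becomes `[1.1.0]`. Serializing the result with a YAML library is left out so the example runs without third-party dependencies.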

Example

In this example the vulnerability CVE-2026-002 is copied from source.vl.yml to target1.vl.yml and target2.vl.yml.

vulnlog modify copy source.vl.yml target1.vl.yml target2.vl.yml --vuln-id CVE-2026-002

Copied to target1.vl.yml: CVE-2026-002
Copied to target2.vl.yml: CVE-2026-002

Each target file starts with an empty vulnerabilities list, so the command adds a new entry rather than merging with an existing one. Before the operation, a target file contains:

vulnerabilities: []

After the operation, the entry is present with releases rewritten to the target’s last release:

vulnerabilities:
  - id: CVE-2026-002
    description: Remote code execution in example-lib
    releases: [1.0.0]
    packages: ["pkg:npm/example-lib@2.3.0"]
    reports:
      - reporter: trivy
    analysis: >-
      The vulnerable code path is not reachable in our application because we only use the safe subset of the API.
    verdict: not affected
    justification: vulnerable code not in execute path