Describe the bug
Originally reported to the Drupal advisory database source: DrupalSecurityTeam/drupal-advisory-database#237
We have observed recently that the purls now have %2F (url encoded /) separating drupal and the module name, where as previously they were /
This has caused us an issue when consuming OSV through Dependency Track, in that the vulns are no longer matching on purl (we use trivy to generate our sbom and this formats them with a /)
From the purl spec it looks like / is expected - e.g looking at https://github.com/package-url/purl-spec/blob/995f3878f5bb6979bc6560cd747e422e8262f18b/tests/types/composer-test.json#L9
Example of previous purl format: https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-026 has purl pkg:composer/drupal/openid_connect visible in web ui and json data
Example of latest purl format: https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069 has purl pkg:composer/drupal%2Fcolorbox visible in web ui and json data
We can also see this in the github sourced vulns. e.g. The more recent https://api.osv.dev/v1/vulns/GHSA-3rg7-wf37-54rm has pkg:composer/symfony%2Fhttp-foundation where as the older https://api.osv.dev/v1/vulns/GHSA-38cx-cq6f-5755 has pkg:composer/symfony/http-foundation
To Reproduce
Steps to reproduce the behaviour:
- Go to https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069
- Scroll down to Affected packages
- See "Purl
pkg:composer/drupal%2Fcolorbox"
Expected behaviour
- Go to https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069
- Scroll down to Affected packages
- Expect "Purl
pkg:composer/drupal/colorbox"
Describe the bug
Originally reported to the Drupal advisory database source: DrupalSecurityTeam/drupal-advisory-database#237
We have observed recently that the purls now have
%2F(url encoded/) separating drupal and the module name, where as previously they were/This has caused us an issue when consuming OSV through Dependency Track, in that the vulns are no longer matching on purl (we use trivy to generate our sbom and this formats them with a
/)From the purl spec it looks like
/is expected - e.g looking at https://github.com/package-url/purl-spec/blob/995f3878f5bb6979bc6560cd747e422e8262f18b/tests/types/composer-test.json#L9Example of previous purl format: https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-026 has purl
pkg:composer/drupal/openid_connectvisible in web ui and json dataExample of latest purl format: https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069 has purl
pkg:composer/drupal%2Fcolorboxvisible in web ui and json dataWe can also see this in the github sourced vulns. e.g. The more recent https://api.osv.dev/v1/vulns/GHSA-3rg7-wf37-54rm has
pkg:composer/symfony%2Fhttp-foundationwhere as the older https://api.osv.dev/v1/vulns/GHSA-38cx-cq6f-5755 haspkg:composer/symfony/http-foundationTo Reproduce
Steps to reproduce the behaviour:
pkg:composer/drupal%2Fcolorbox"Expected behaviour
pkg:composer/drupal/colorbox"