Skip to content

Data quality issue - various vulnerability now have PURLs which includes encoded / for packagist ecosystem #5590

Description

@ericgsmith

Describe the bug

Originally reported to the Drupal advisory database source: DrupalSecurityTeam/drupal-advisory-database#237

We have observed recently that the purls now have %2F (url encoded /) separating drupal and the module name, where as previously they were /

This has caused us an issue when consuming OSV through Dependency Track, in that the vulns are no longer matching on purl (we use trivy to generate our sbom and this formats them with a /)

From the purl spec it looks like / is expected - e.g looking at https://github.com/package-url/purl-spec/blob/995f3878f5bb6979bc6560cd747e422e8262f18b/tests/types/composer-test.json#L9

Example of previous purl format: https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-026 has purl pkg:composer/drupal/openid_connect visible in web ui and json data

Example of latest purl format: https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069 has purl pkg:composer/drupal%2Fcolorbox visible in web ui and json data

We can also see this in the github sourced vulns. e.g. The more recent https://api.osv.dev/v1/vulns/GHSA-3rg7-wf37-54rm has pkg:composer/symfony%2Fhttp-foundation where as the older https://api.osv.dev/v1/vulns/GHSA-38cx-cq6f-5755 has pkg:composer/symfony/http-foundation

To Reproduce
Steps to reproduce the behaviour:

  1. Go to https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069
  2. Scroll down to Affected packages
  3. See "Purl pkg:composer/drupal%2Fcolorbox"

Expected behaviour

  1. Go to https://osv.dev/vulnerability/DRUPAL-CONTRIB-2026-069
  2. Scroll down to Affected packages
  3. Expect "Purl pkg:composer/drupal/colorbox"

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions