0-deb security advisory support in Trivy

[raianand]

Hi Trivy team,

I'm Abhishek from KoalaLab working on the 0-deb project - we're developing a rolling release, container-first Linux distribution and would like to integrate vulnerability scanning support into Trivy.

About 0-deb:

• Rolling release model with continuous updates
• Container-first design philosophy
• Debian-style package versioning

Security Advisory Format:
We maintain a minimal JSON-based security advisory that maps packages directly to CVEs. Since we're a rolling release, our schema focuses on tracking the latest fixed versions without the complexity of multiple release branches.
Schema:

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "title": "0-deb Security Advisory",
  "description": "Security Advisory JSON endpoint Schema for 0-deb",
  "patternProperties": {
    "^[a-z0-9][a-z0-9+.-]*$": {
      "type": "object",
      "description": "Package name",
      "patternProperties": {
        "^CVE-[0-9]{4}-[0-9]{4,}$": {
          "type": "object",
          "description": "CVE identifier and its metadata",
          "properties": {
            "fixed_in": {
              "type": "string",
              "description": "Version where the vulnerability is fixed",
              "pattern": "^[0-9]+[a-zA-Z0-9.+~:-]+$"
            }
          },
          "additionalProperties": false
        }
      },
      "additionalProperties": false
    }
  },
  "additionalProperties": false
}

Sample Advisory:

{
    "libc6": {
         "CVE-2025-1234": {
              "fixed_in": "1.2.3-koala1"
         },
        "CVE-2025-2345": {}
   }
}

Current Status:
I've prepared the necessary code changes across:

• vuln-list-update
• trivy-db
• trivy (main repository)

Ready to submit PRs once we have an issue created for tracking this integration.
Looking forward to contributing 0-deb support to the Trivy ecosystem!

[DmitriyLewen]

cc. @itaysk