feat: reduce VulnerabilityReport size by omitting empty fields

sathieu · sathieu · commit caa0cb0a5bda · 2026-01-19T21:39:42.000+01:00
diff --git a/deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml b/deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml
@@ -269,13 +269,7 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
                   - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array
diff --git a/deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml b/deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml
@@ -270,13 +270,7 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
                   - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array
diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -1476,13 +1476,7 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
                   - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array
@@ -2916,13 +2910,7 @@ spec:
                       description: VulnerabilityID the vulnerability identifier.
                       type: string
                   required:
-                  - fixedVersion
-                  - installedVersion
-                  - lastModifiedDate
-                  - publishedDate
-                  - resource
                   - severity
-                  - title
                   - vulnerabilityID
                   type: object
                 type: array
diff --git a/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go b/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go
@@ -83,29 +83,29 @@ type Vulnerability struct {
 	VulnerabilityID string `json:"vulnerabilityID"`
 
 	// Resource is a vulnerable package, application, or library.
-	Resource string `json:"resource"`
+	Resource string `json:"resource,omitempty"`
 
 	// InstalledVersion indicates the installed version of the Resource.
-	InstalledVersion string `json:"installedVersion"`
+	InstalledVersion string `json:"installedVersion,omitempty"`
 
 	// FixedVersion indicates the version of the Resource in which this vulnerability has been fixed.
-	FixedVersion string `json:"fixedVersion"`
+	FixedVersion string `json:"fixedVersion,omitempty"`
 	// PublishedDate indicates the date of published CVE.
-	PublishedDate string `json:"publishedDate"`
+	PublishedDate string `json:"publishedDate,omitempty"`
 	// LastModifiedDate indicates the last date CVE has been modified.
-	LastModifiedDate string `json:"lastModifiedDate"`
+	LastModifiedDate string `json:"lastModifiedDate,omitempty"`
 	// Severity level of a vulnerability or a configuration audit check.
 	// +kubebuilder:validation:Enum={CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN}
 	Severity    Severity `json:"severity"`
-	Title       string   `json:"title"`
+	Title       string   `json:"title,omitempty"`
 	Description string   `json:"description,omitempty"`
 	CVSSSource  string   `json:"cvsssource,omitempty"`
 	PrimaryLink string   `json:"primaryLink,omitempty"`
 	// +optional
-	Links []string `json:"links"`
+	Links []string `json:"links,omitempty"`
 	Score *float64 `json:"score,omitempty"`
 	// +optional
-	Target string `json:"target"`
+	Target string `json:"target,omitempty"`
 	// +optional
 	CVSS types.VendorCVSS `json:"cvss,omitempty"`
 	// +optional
diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go
@@ -7165,7 +7165,6 @@ var (
 				Severity:         v1alpha1.SeverityMedium,
 				Title:            "openssl: information disclosure in fork()",
 				PrimaryLink:      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-				Links:            []string{},
 			},
 			{
 				VulnerabilityID:  "CVE-2019-1547",
@@ -7175,7 +7174,6 @@ var (
 				Severity:         v1alpha1.SeverityLow,
 				Title:            "openssl: side-channel weak encryption vulnerability",
 				PrimaryLink:      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-				Links:            []string{},
 			},
 		},
 	}
diff --git a/pkg/webhook/webhookreporter_test.go b/pkg/webhook/webhookreporter_test.go
@@ -25,7 +25,7 @@ func Test_sendReports(t *testing.T) {
 	}{
 		{
 			name: "happy path, vuln report data",
-			want: `{"metadata":{},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"os":{"family":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","resource":"","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz", "lastModifiedDate":"", "links":null, "publishedDate":"", "target":"","class":"os-pkgs"}]}}`,
+			want: `{"metadata":{},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"os":{"family":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz", "class":"os-pkgs"}]}}`,
 			inputReport: v1alpha1.VulnerabilityReport{
 				Report: v1alpha1.VulnerabilityReportData{
 					Vulnerabilities: []v1alpha1.Vulnerability{

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func Test_sendReports(t *testing.T) {`
`25`	`25`	`}{`
`26`	`26`	`{`
`27`	`27`	`name: "happy path, vuln report data",`
`28`		- want: `{"metadata":{},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"os":{"family":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","resource":"","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz", "lastModifiedDate":"", "links":null, "publishedDate":"", "target":"","class":"os-pkgs"}]}}`,
	`28`	+ want: `{"metadata":{},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"os":{"family":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz", "class":"os-pkgs"}]}}`,
`29`	`29`	`inputReport: v1alpha1.VulnerabilityReport{`
`30`	`30`	`Report: v1alpha1.VulnerabilityReportData{`
`31`	`31`	`Vulnerabilities: []v1alpha1.Vulnerability{`