Conversation

@sathieu sathieu commented Jan 14, 2026

Description

I propose two changes to limit the problems of reaching the etcd max size (#757):

  • allow removing some fields from the vulnerability report
  • omit (now) empty fields from the produced resource

Before:

  vulnerabilities:
  - fixedVersion: 0.45.0
    installedVersion: v0.43.0
    lastModifiedDate: "2025-12-11T19:36:41Z"
    links: []
    packagePURL: pkg:golang/golang.org/x/crypto@v0.43.0
    primaryLink: https://avd.aquasec.com/nvd/cve-2025-47914
    publishedDate: "2025-11-19T21:15:50Z"
    resource: golang.org/x/crypto
    score: 5.3
    severity: MEDIUM
    target: ""
    title: 'golang.org/x/crypto/ssh/agent: in golang.org/x/crypto/ssh/agent'
    vulnerabilityID: CVE-2025-47914

After the first commit (with trivy.additionalVulnerabilityReportFields=-Resource,-InstalledVersion,-FixedVersion,-PublishedDate,-LastModifiedDate,-Title,-PrimaryLink,-Score,-PURL):

  - fixedVersion: ""
    installedVersion: ""
    lastModifiedDate: ""
    publishedDate: ""
    resource: ""
    severity: MEDIUM
    target: ""
    title: ""
    vulnerabilityID: CVE-2025-47914

After both commits (with trivy.additionalVulnerabilityReportFields=-<same>):

  - severity: MEDIUM
    vulnerabilityID: CVE-2025-47914

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).


CLAassistant commented Jan 14, 2026

CLA assistant check
All committers have signed the CLA.

sathieu commented Jan 16, 2026

@simar7, @afdesk and others Please review 🙏 .

afdesk commented Jan 16, 2026

Hi @sathieu
Thanks for your efforts!
I'll take a look at this PR tonight or on Monday

Comment on lines 90 to 91
value := !strings.HasPrefix(field, "-")
field = strings.TrimPrefix(field, "-")
afdesk (Contributor):

I think we should run strings.TrimSpace before these calls to support a case -PublishedDate.

afdesk (Contributor):

Also it'd be great to have a test for this case.

sathieu (Author):

Added strings.TrimSpace before removing prefix, with various tests: " -Resource,- InstalledVersion, - FixedVersion, - PublishedDate,[...]"

FixedVersion: true,
PublishedDate: true,
LastModifiedDate: true,
Severity: true,
afdesk (Contributor):

There is a concern about Severity: it may affect the Summary. So I suggest not allowing it to be excluded, because I don't know a case where we need to exclude Severity. Maybe I'm missing something. WDYT?

sathieu (Author):

Severity is now always kept (also in CRD, no omitempty).

Title bool
PrimaryLink bool
Score bool
PURL bool
afdesk (Contributor):

About PURL: it seems PURL is too common a name, because actually we can only manage PkgPURL, can't we?

sathieu (Author):

Changed to PkgPURL. Thanks

afdesk commented Jan 19, 2026

@sathieu Thank you very much for your effort and for submitting this PR — it’s greatly appreciated.

I’ve left a few inline comments to discuss some ideas.

I also have a small concern regarding backward compatibility. In particular, clients that previously relied on the presence of certain fields (even when they were empty) now need to be prepared for those fields to be omitted entirely.

Specifically, the handling of nil vs empty slices has changed: Links is no longer set when sr.References == nil. Previously, some code paths appeared to expect an empty slice ([]) instead.

This is likely not a critical issue, but it would be good to get feedback from the community and confirm that this change won’t cause unexpected behavior for existing consumers.
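
As an added example, not code from this PR or from trivy-operator itself, the following self-contained Go program shows the two mechanisms the thread discusses together: parsing a `trivy.additionalVulnerabilityReportFields`-style spec with the `strings.TrimSpace` handling requested in the inline review (so `- InstalledVersion` and ` -Resource` both work), keeping `vulnerabilityID` and `severity` unconditionally, and serializing the entry with `omitempty` tags so that stripped fields disappear rather than being written as `""` (the "after both commits" shape in the description). The `clearers` table, `ParseReportFields`, `Strip` and `Render` are this example's own names, not the project's; the example renders JSON rather than the YAML shown above; and rejecting `-Severity` with an error is an assumption, since the PR only says Severity is always kept. The sample entry is constructed from the "Before" block in the description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerability mirrors the report entry in the PR description. Optional fields
// carry omitempty, so a stripped field disappears from the serialized object
// instead of appearing as "". vulnerabilityID and severity are always kept.
// Score is a pointer so that a genuine 0.0 is not dropped by omitempty.
type Vulnerability struct {
	VulnerabilityID  string   `json:"vulnerabilityID"`
	Severity         string   `json:"severity"`
	Resource         string   `json:"resource,omitempty"`
	InstalledVersion string   `json:"installedVersion,omitempty"`
	FixedVersion     string   `json:"fixedVersion,omitempty"`
	PublishedDate    string   `json:"publishedDate,omitempty"`
	LastModifiedDate string   `json:"lastModifiedDate,omitempty"`
	Title            string   `json:"title,omitempty"`
	PrimaryLink      string   `json:"primaryLink,omitempty"`
	Score            *float64 `json:"score,omitempty"`
	PackagePURL      string   `json:"packagePURL,omitempty"`
	Links            []string `json:"links,omitempty"`
}

// clearers maps each optional field name accepted in the spec to the action
// that removes it from an entry; its key set is also the list of valid names.
// (Example-only table; the project's own option names may differ.)
var clearers = map[string]func(*Vulnerability){
	"Resource":         func(v *Vulnerability) { v.Resource = "" },
	"InstalledVersion": func(v *Vulnerability) { v.InstalledVersion = "" },
	"FixedVersion":     func(v *Vulnerability) { v.FixedVersion = "" },
	"PublishedDate":    func(v *Vulnerability) { v.PublishedDate = "" },
	"LastModifiedDate": func(v *Vulnerability) { v.LastModifiedDate = "" },
	"Title":            func(v *Vulnerability) { v.Title = "" },
	"PrimaryLink":      func(v *Vulnerability) { v.PrimaryLink = "" },
	"Score":            func(v *Vulnerability) { v.Score = nil },
	"PkgPURL":          func(v *Vulnerability) { v.PackagePURL = "" },
}

// ParseReportFields reads a comma-separated spec such as "-Resource, - Title":
// a leading "-" disables a field, no prefix enables it, every field starts
// enabled. Whitespace around an entry and between "-" and the name is trimmed.
// Unknown names are rejected, and so are -Severity and -VulnerabilityID
// (rejecting rather than silently ignoring them is this example's assumption).
func ParseReportFields(spec string) (map[string]bool, error) {
	enabled := make(map[string]bool, len(clearers))
	for name := range clearers {
		enabled[name] = true
	}
	for _, raw := range strings.Split(spec, ",") {
		field := strings.TrimSpace(raw)
		if field == "" {
			continue // tolerate empty entries and trailing commas
		}
		value := !strings.HasPrefix(field, "-")
		field = strings.TrimSpace(strings.TrimPrefix(field, "-"))
		switch {
		case field == "Severity" || field == "VulnerabilityID":
			if !value {
				return nil, fmt.Errorf("field %s cannot be excluded", field)
			}
		case clearers[field] == nil:
			return nil, fmt.Errorf("unknown vulnerability report field %q", field)
		default:
			enabled[field] = value
		}
	}
	return enabled, nil
}

// Strip blanks every optional field that the parsed spec disabled.
func Strip(v Vulnerability, enabled map[string]bool) Vulnerability {
	for name, remove := range clearers {
		if !enabled[name] {
			remove(&v)
		}
	}
	return v
}

// Render serializes an entry as compact JSON; the same tags drive YAML output.
func Render(v Vulnerability) string {
	b, _ := json.Marshal(v)
	return string(b)
}

func main() {
	score := 5.3
	v := Vulnerability{ // constructed from the "Before" entry in the PR
		VulnerabilityID: "CVE-2025-47914", Severity: "MEDIUM", Score: &score,
		Resource: "golang.org/x/crypto", InstalledVersion: "v0.43.0",
		FixedVersion: "0.45.0", Links: []string{},
		PackagePURL: "pkg:golang/golang.org/x/crypto@v0.43.0",
	}
	enabled, err := ParseReportFields(" -Resource,- InstalledVersion, - FixedVersion, " +
		"- PublishedDate,-LastModifiedDate,-Title,-PrimaryLink,-Score,-PkgPURL")
	if err != nil {
		panic(err)
	}
	fmt.Println(Render(Strip(v, enabled))) // {"vulnerabilityID":"CVE-2025-47914","severity":"MEDIUM"}
}
```

On the nil-versus-empty-slice point raised above: with `omitempty` on `links`, encoding/json drops both a nil slice and an empty `[]string{}` from the output, whereas without `omitempty` it writes nil as `null` and an empty slice as `[]`. A consumer that matched on `links: []` therefore sees a different document under either change, which is why the apiVersion discussion that follows matters more than the slice handling itself.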

@sathieu sathieu left a comment

Thanks @afdesk for your review.

About backward compatibility, we can use a new apiVersion (v1alpha2 or v1beta1 or v1); this will give a safer approach to backward compatibility issues. This is documented here. A webhook will be needed to convert resources on the fly.

sathieu commented Jan 23, 2026

@afdesk I have extracted the non-breaking bits in #2860.

Please tell me what I should do for the omitempty. I think adding a new apiVersion would be the best path. What do you think about v1beta1?

Development

Successfully merging this pull request may close these issues.

Reduce the amount of vulnerability fields stored in the vulnerabilities report
