aquasecurity · DmitriyLewen · Oct 9, 2025 · Oct 7, 2025 · Oct 9, 2025
@@ -140,13 +140,13 @@ func TestScanner_Scan(t *testing.T) {
 									CweIDs:           []string{"CWE-78"},
 									LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
 									PublishedDate:    utils.MustTimeParse("2001-01-01T01:01:00Z"),
-									Custom:           []uint8(nil),
+									Custom:           nil,
 								},
 								SeveritySource: "nvd",
 								Layer: ftypes.Layer{
 									DiffID: "sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10",
 								},
-								Custom: []uint8(nil),
+								Custom: nil,
 							},
 						},
 					},

@@ -1,7 +1,8 @@
 package rpc
 
 import (
-	"encoding/json"
+	jsonv2 "encoding/json/v2"
+	"strings"
 	"time"
 
 	"github.com/package-url/packageurl-go"
@@ -299,14 +300,17 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
 			publishedDate = timestamppb.New(*vuln.PublishedDate) // nolint: errcheck
 		}
 
-		var customAdvisoryData, customVulnData []byte
+		var customAdvisoryData, customVulnData *structpb.Value
+		var builder strings.Builder
 		if vuln.Custom != nil {
-			jsonBytes, _ := json.Marshal(vuln.Custom) // nolint: errcheck
-			customAdvisoryData = jsonBytes
+			builder.Reset()
+			_ = jsonv2.MarshalWrite(&builder, vuln.Custom) // nolint: errcheck
+			customAdvisoryData = structpb.NewStringValue(builder.String())
 		}
 		if vuln.Vulnerability.Custom != nil {
-			jsonBytes, _ := json.Marshal(vuln.Vulnerability.Custom) // nolint: errcheck
-			customVulnData = jsonBytes
+			builder.Reset()
+			_ = jsonv2.MarshalWrite(&builder, vuln.Vulnerability.Custom) // nolint: errcheck
+			customVulnData = structpb.NewStringValue(builder.String())
 		}
 
 		rpcVulns = append(rpcVulns, &common.Vulnerability{
@@ -600,6 +604,15 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
 			publishedDate = lo.ToPtr(vuln.PublishedDate.AsTime())
 		}
 
+		// Handle custom data conversion from protobuf.Value
+		var customVulnData, customAdvisoryData any
+		if vuln.CustomVulnData != nil {
+			customVulnData = vuln.CustomVulnData.AsInterface()
+		}
+		if vuln.CustomAdvisoryData != nil {
+			customAdvisoryData = vuln.CustomAdvisoryData.AsInterface()
+		}
+
 		vulns = append(vulns, types.DetectedVulnerability{
 			VulnerabilityID:  vuln.VulnerabilityId,
 			VendorIDs:        vuln.VendorIds,
@@ -619,13 +632,13 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
 				CweIDs:           vuln.CweIds,
 				LastModifiedDate: lastModifiedDate,
 				PublishedDate:    publishedDate,
-				Custom:           vuln.CustomVulnData,
+				Custom:           customVulnData,
 				VendorSeverity:   vendorSeverityMap,
 			},
 			Layer:          ConvertFromRPCLayer(vuln.Layer),
 			SeveritySource: dbTypes.SourceID(vuln.SeveritySource),
 			PrimaryURL:     vuln.PrimaryUrl,
-			Custom:         vuln.CustomAdvisoryData,
+			Custom:         customAdvisoryData,
 			DataSource:     ConvertFromRPCDataSource(vuln.DataSource),
 		})
 	}

@@ -1,10 +1,13 @@
 package rpc
 
 import (
+	jsonv2 "encoding/json/v2"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
@@ -273,6 +276,14 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 func TestConvertToRpcVulns(t *testing.T) {
 	fixedPublishedDate := time.Unix(1257894000, 0)
 	fixedLastModifiedDate := time.Unix(1257894010, 0)
+	type customStruct struct {
+		Field  string
+		Number int
+	}
+	customData := customStruct{Field: "value", Number: 1}
+	customJSONBytes, err := jsonv2.Marshal(customData)
+	require.NoError(t, err)
+	customJSON := string(customJSONBytes)
 
 	type args struct {
 		vulns []types.DetectedVulnerability
@@ -295,6 +306,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 							Title:       "DoS",
 							Description: "Denial of Service",
 							Severity:    "MEDIUM",
+							Custom:      customData,
 							VendorSeverity: dbTypes.VendorSeverity{
 								vulnerability.RedHat: dbTypes.SeverityMedium,
 							},
@@ -327,6 +339,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 							Name: "GitHub Security Advisory Maven",
 							URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
 						},
+						Custom: customData,
 					},
 				},
 			},
@@ -363,9 +376,11 @@ func TestConvertToRpcVulns(t *testing.T) {
 						Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 						DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 					},
-					PrimaryUrl:       "https://avd.aquasec.com/nvd/CVE-2019-0001",
-					PublishedDate:    timestamppb.New(fixedPublishedDate),
-					LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
+					CustomVulnData:     structpb.NewStringValue(customJSON),
+					CustomAdvisoryData: structpb.NewStringValue(customJSON),
+					PrimaryUrl:         "https://avd.aquasec.com/nvd/CVE-2019-0001",
+					PublishedDate:      timestamppb.New(fixedPublishedDate),
+					LastModifiedDate:   timestamppb.New(fixedLastModifiedDate),
 					DataSource: &common.DataSource{
 						Name: "GitHub Security Advisory Maven",
 						Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
@@ -434,6 +449,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 func TestConvertFromRPCResults(t *testing.T) {
 	fixedPublishedDate := time.Date(2009, 11, 10, 23, 0, 0, 0, time.UTC)
 	fixedLastModifiedDate := time.Date(2009, 11, 10, 23, 0, 10, 0, time.UTC)
+	customJSON := `{"Field":"value","Number":1}`
 
 	type args struct {
 		rpcResults []*scanner.Result
@@ -480,9 +496,11 @@ func TestConvertFromRPCResults(t *testing.T) {
 									Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 									DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 								},
-								PrimaryUrl:       "https://avd.aquasec.com/nvd/CVE-2019-0001",
-								PublishedDate:    timestamppb.New(fixedPublishedDate),
-								LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
+								CustomVulnData:     structpb.NewStringValue(customJSON),
+								CustomAdvisoryData: structpb.NewStringValue(customJSON),
+								PrimaryUrl:         "https://avd.aquasec.com/nvd/CVE-2019-0001",
+								PublishedDate:      timestamppb.New(fixedPublishedDate),
+								LastModifiedDate:   timestamppb.New(fixedLastModifiedDate),
 								DataSource: &common.DataSource{
 									Name: "GitHub Security Advisory Maven",
 									Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
@@ -530,13 +548,13 @@ func TestConvertFromRPCResults(t *testing.T) {
 								References:       []string{"http://example.com"},
 								PublishedDate:    &fixedPublishedDate,
 								LastModifiedDate: &fixedLastModifiedDate,
-								Custom:           []uint8(nil),
+								Custom:           customJSON,
 							},
 							DataSource: &dbTypes.DataSource{
 								Name: "GitHub Security Advisory Maven",
 								URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
 							},
-							Custom: []uint8(nil),
+							Custom: customJSON,
 						},
 					},
 				},
@@ -618,9 +636,9 @@ func TestConvertFromRPCResults(t *testing.T) {
 									},
 								},
 								References: []string{"http://example.com"},
-								Custom:     []uint8(nil),
+								Custom:     any(nil),
 							},
-							Custom: []uint8(nil),
+							Custom: any(nil),
 						},
 					},
 				},

@@ -140,8 +140,8 @@ message Vulnerability {
   string primary_url = 14;
   google.protobuf.Timestamp published_date = 15;
   google.protobuf.Timestamp last_modified_date = 16;
-  bytes custom_advisory_data = 17;
-  bytes custom_vuln_data = 18;
+  google.protobuf.Value custom_advisory_data = 17;
+  google.protobuf.Value custom_vuln_data = 18;
   repeated string vendor_ids = 19;
   DataSource data_source = 20;
   map<string, Severity> vendor_severity = 21;