Trivy's JSON report schema property error, when the url is an empty string, it doesn't match pattern ^(https?|ftp)://.+

Summary

When a Trivy JSON report has an empty string ("") as the value of the key .vulnerabilities[].identifiers[].url, it fails the schema validation required to view the report, and the full report is not shown. I think it's a resurfacing bug, #348840 (closed).

image

Example of a failing .vulnerabilities[] block:

$ jq '.vulnerabilities[7]' gl-container-scanning-report.json

{
  "id": "DLA-3482-1",
  "name": "debian-archive-keyring - security update",
  "description": "",
  "severity": "Unknown",
  "solution": "Upgrade debian-archive-keyring to 2019.1+deb10u2",
  "location": {
    "dependency": {
      "package": {
        "name": "debian-archive-keyring"
      },
      "version": "2019.1+deb10u1"
    },
    "operating_system": "Unknown",
    "image": "[REDACTED]"
  },
  "identifiers": [
    {
      "type": "cve",
      "name": "DLA-3482-1",
      "value": "DLA-3482-1",
      "url": ""
    }
  ],
  "links": []
}

Trivy version: v0.49.1

Steps to reproduce

Perform a Trivy security test on any object (container image, filesystem, ...) that generates a report with an empty string in .vulnerabilities[].identifiers[].url.

What is the current bug behavior?

In the merge request page, we're seeing a partial vulnerability report:

image

But when going to the security tab in the pipeline findings, we're getting an error that the JSON file couldn't be parsed (first image).

What is the expected correct behavior?

Full report validation should be able to handle an empty string in the url field.

Possible fixes

Update the validation regex to accept an empty string.
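As an added illustration (not code from the original issue, Trivy, or GitLab), the script below applies the schema's URL pattern from the error message to a constructed report containing the failing block above, reports which identifier urls would be rejected, and shows a pre-upload workaround that drops empty url keys; it assumes url is an optional property in the report schema.

```python
import json
import re

# Pattern quoted in the schema error reported in this issue.
URL_PATTERN = re.compile(r"^(https?|ftp)://.+")

# Constructed sample: one entry mirrors the failing block (empty url),
# the other carries a placeholder URL that satisfies the pattern.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": [
    {"id": "DLA-3482-1",
     "identifiers": [
       {"type": "cve", "name": "DLA-3482-1", "value": "DLA-3482-1", "url": ""}
     ]},
    {"id": "CONSTRUCTED-0001",
     "identifiers": [
       {"type": "cve", "name": "CONSTRUCTED-0001", "value": "CONSTRUCTED-0001",
        "url": "https://example.invalid/advisory/CONSTRUCTED-0001"}
     ]}
  ]
}
""")


def find_bad_urls(report):
    """Return JSON paths of identifier urls that would fail the schema pattern."""
    bad = []
    for vi, vuln in enumerate(report.get("vulnerabilities", [])):
        for ii, ident in enumerate(vuln.get("identifiers", [])):
            if "url" in ident and not URL_PATTERN.match(ident["url"]):
                bad.append(f".vulnerabilities[{vi}].identifiers[{ii}].url")
    return bad


def strip_empty_urls(report):
    """Return a deep copy with empty identifier urls removed (url assumed optional)."""
    fixed = json.loads(json.dumps(report))
    for vuln in fixed.get("vulnerabilities", []):
        for ident in vuln.get("identifiers", []):
            if ident.get("url") == "":
                del ident["url"]
    return fixed


if __name__ == "__main__":
    print("rejected before fix:", find_bad_urls(SAMPLE_REPORT))
    print("rejected after fix: ", find_bad_urls(strip_empty_urls(SAMPLE_REPORT)))
```

Running the cleanup against gl-container-scanning-report.json before it is uploaded as an artifact lets the report pass validation until the schema itself is relaxed.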

Edited by Itzhak Daniel