-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support multiple purl identifiers in product_identification_helper #774
Comments
Hmm, I'm not sure about that. If we do that, we should probably add also a mandatory test that ensures that only the qualifiers differ between the purls. Otherwise, we open the door widely for combinations that are syntactically not correct. |
I'm not opposed to mandatory tests, but I feel like a vendor publishing disparate purls for a single product branch would be shooting themselves in the foot, so I'm not sure it's all that necessary. |
Unfortunately, I saw things in CSAF 2.0 that don't make sense at all, but people did those as there were no mandatory tests. As we want to make it easy to write CSAF, we need tests to guide wherever there is opportunity to make easy mistakes. |
Could you please provide some examples for that request? I just want to make sure that we are all on the same page. |
You can find an example of a component with multiple purls in one of our example SBOMs: https://github.com/RedHatProductSecurity/security-data-guidelines/blob/71fb1006e269b59208cd6206a6d4c2cd7a30b68c/sbom/examples/product/rhel-9.2-eus.spdx.json#L30-L113 Or do you want a full example of a CSAF file that would use these? |
Thank you for pointing to some example data. I wonder: Shouldn't those be different entries in the |
That particular package is a source package that contains source code files only and is thus architecture-agnostic. It is however distributed in every architecture-specific RPM repository so that you can download e.g. openssl-1.2.3.x86_64 and openssl-1.2.3.src from the same repository. The source package has the same checksum in every one of those repositories too. |
Motion Proposed via this email to the TC |
Currently,
product_identification_helper
allows a purl to be defined as a single item:There are cases though where a component can be identified by more than one purl, for example when the component is accessible through multiple download locations, or have some other purl qualifier that is distribution-specific and can have multiple values but still point to the same component.
The spec also provides a way to list multiple SKUs, model numbers, or generic URIs already, so there is precedence for using an array of identifiers instead of just one and enforcing multiple product tree branches to be used for every component.
My suggestion is to modify the spec to allow an array of purls to be used:
The text was updated successfully, but these errors were encountered: