There is no default package repository: this should be implied either from the distro qualifiers key or using a base url as a repository_url qualifiers key.
Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.
Hi @garethr, I really appreciate your input, and thanks for your patience with this issue.
We have another tool entirely focused on the quality of SBOM content here: https://github.com/interlynk-io/sbomqs. I'll migrate this issue to that one to make sure we track it accurately.
As the PURL spec stands today, this is a valid value. Please see examples from the deb section (please see bold examples below):
I read that this is meant to imply that the dpkg @ 1.19.0.4 is built for amd64 regardless of distribution (and, therefore, any vulnerability applicable to 1.19.0.4 may apply to this component).
This could be further narrowed by specifying distro, but IMHO, PURL's original goal has been disambiguation rather than refinement. Let me know if you disagree with this assessment.
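One way to turn the data-quality concern from the issue body (the spec's "no default package repository" rule for deb) and the reply above into a concrete check, as an added example that is not code from this issue, from sbomqs or from bom: a stdlib-only purl parser plus a lint that flags deb purls carrying neither a `distro` nor a `repository_url` qualifier. It encodes the reporter's reading as a lint, not the spec's validity rule, so a purl like the one in the reply still parses fine and is merely reported as under-specified. The sample purls and the message wording are constructed for the example.

```python
"""Lint deb purls found in an SBOM for the ambiguity discussed in this issue.

A purl of type "deb" carries no default repository: per the purl spec the
repository is implied by the "distro" qualifier or given explicitly with
"repository_url". Without either, a version such as dpkg@1.19.0.4 cannot be
tied to one distribution, which makes vulnerability matching ambiguous.
"""
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split a purl into type, namespace, name, version, qualifiers and subpath.

    Follows the purl grammar  pkg:type/namespace/name@version?qualifiers#subpath
    (namespace, version, qualifiers and subpath are all optional).
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    # Subpath ('#') and qualifiers ('?') are stripped from the right first.
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    # The version is whatever follows the last '@'; it may be absent.
    rest, sep, version = rest.rpartition("@")
    if not sep:
        rest, version = version, None
    parts = rest.split("/")
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)  # qualifier keys are case-insensitive
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": unquote(version) if version else None,
        "qualifiers": qualifiers,
        "subpath": subpath or None,
    }


def lint_purl(purl: str) -> list:
    """Return a list of findings (empty when nothing is wrong) for one purl."""
    p = parse_purl(purl)
    findings = []
    if p["type"] != "deb":
        return findings  # only the deb rule from the issue is implemented here
    q = p["qualifiers"]
    if "distro" not in q and "repository_url" not in q:
        findings.append(
            "deb purl has neither a 'distro' nor a 'repository_url' qualifier: "
            "the version is not tied to any distribution (ambiguous for vuln matching)"
        )
    if p["version"] is None:
        findings.append("deb purl has no version: cannot be matched against advisories")
    return findings


def lint_sbom_purls(purls: list) -> dict:
    """Map each under-specified purl to its findings; fully specified ones are omitted."""
    report = {}
    for purl in purls:
        findings = lint_purl(purl)
        if findings:
            report[purl] = findings
    return report


# Constructed sample of the kind of references an SBOM generator might emit.
SAMPLE_PURLS = [
    "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64",                 # no distro (the issue's case)
    "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch",  # fully specified
    "pkg:deb/debian/curl",                                     # no version, no distro
    "pkg:npm/%40angular/animation@12.3.1",                     # not deb: rule does not apply
]

if __name__ == "__main__":
    for purl, findings in lint_sbom_purls(SAMPLE_PURLS).items():
        print(purl)
        for f in findings:
            print("  -", f)
```

Running the block prints only the two deb purls that lack a distribution, which is the same data-quality signal the issue describes; a tool like sbomqs could apply the same rule per component and score the SBOM accordingly.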
Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.
Here's an example of a Debian SBOM created using bom-v0.4.1:
This contains references like:
From the purl spec: