bom-v0.4.1 SBOMs don't contain distro information for Debian? #30

Open
garethr opened this issue Apr 17, 2023 · 1 comment
Comments


garethr commented Apr 17, 2023

Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.

Here's an example of a Debian SBOM created using bom-v0.4.1:

sbomex pull --id 442

This contains references like:

pkg:deb/debian/gpgv@2.2.40-1?arch=s390x

From the purl spec:

There is no default package repository: this should be implied either from the distro qualifiers key or using a base url as a repository_url qualifiers key.

Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.

@surendrapathak (Collaborator) commented

Hi @garethr, I really appreciate your input, and thanks for your patience with this issue.

  1. We have another tool entirely focused on the quality of SBOM content here: https://github.com/interlynk-io/sbomqs. I'll migrate this issue to that one to make sure we track it accurately.
  2. As the PURL spec stands today, this is a valid value. Please see examples from the deb section (please see bold examples below):

pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch
pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64

I read that this is meant to imply that the dpkg @ 1.19.0.4 is built for amd64 regardless of distribution (and, therefore, any vulnerability applicable to 1.19.0.4 may apply to this component).

This could be further narrowed by specifying distro, but IMHO, PURL's original goal has been disambiguation rather than refinement. Let me know if you disagree with this assessment.
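The disagreement in this thread comes down to a data-quality check an SBOM consumer can run for itself: does a `pkg:deb` purl carry a `distro` (or `repository_url`) qualifier that pins down which repository the version came from? The following is an added example written for this page, not code from sbomex, sbomqs or the purl project. It splits a purl into its components following the order the spec describes (subpath after `#`, qualifiers after `?`, version after the rightmost `@`, then type/namespace/name) and flags deb purls that have no repository hint. The sample purls are the ones quoted in the two comments above; the function names `parse_purl`, `check_deb_repository` and `audit_purls` are this example's own.

```python
from urllib.parse import unquote


def parse_purl(purl):
    """Split a package URL into type, namespace, name, version, qualifiers, subpath.

    Follows the purl spec's parsing order: strip the scheme, cut the subpath
    after '#', the qualifiers after '?', the version after the rightmost '@',
    and treat what remains as type/namespace.../name.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % (purl,))
    rest = purl[len("pkg:"):].lstrip("/")

    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)

    # Qualifier keys are case-insensitive in the spec; normalise to lowercase.
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)

    parts = rest.split("/")
    purl_type = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return {
        "type": purl_type,
        "namespace": namespace,
        "name": name,
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def check_deb_repository(purl):
    """Return a finding string for an under-specified deb purl, or None if fine.

    Per the purl spec's deb section there is no default repository, so the
    repository must be implied by a 'distro' qualifier or named outright with
    'repository_url'. Non-deb purls are not this check's concern.
    """
    parsed = parse_purl(purl)
    if parsed["type"] != "deb":
        return None
    if parsed["namespace"] is None:
        return "deb purl has no namespace (debian/ubuntu/...)"
    quals = parsed["qualifiers"]
    if "distro" in quals or "repository_url" in quals:
        return None
    return "deb purl has neither 'distro' nor 'repository_url' qualifier"


def audit_purls(purls):
    """Run the repository check over a list of purls; map flagged purl -> finding."""
    findings = {}
    for purl in purls:
        finding = check_deb_repository(purl)
        if finding is not None:
            findings[purl] = finding
    return findings


if __name__ == "__main__":
    # Purls quoted in the issue thread (the first from the sbomex SBOM,
    # the rest from the purl spec's deb examples).
    sample = [
        "pkg:deb/debian/gpgv@2.2.40-1?arch=s390x",
        "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie",
        "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch",
        "pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64",
    ]
    for purl, finding in audit_purls(sample).items():
        print("%s: %s" % (purl, finding))
```

Of the four quoted purls, the two with a `distro` qualifier pass and the two with only `arch` are flagged. That is exactly the split the thread is about: the flagged purls parse fine and are well-formed, so the check reports a specificity gap rather than a syntax error, which is the distinction surendrapathak draws above.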
