A purl spec for the C/C++ package manager vcpkg #245
Conversation
stevespringett
added
the
PURL type definition
…rameter. - Renaming registry-version paramater to be consistent. - Adding description of features parameter. - Adding a distinct examples section.
|
I'm contemplating whether or not we can simplify the spec further and whether it's still missing anything vital. The principle that the components of the purl string should only be what is necessary to disambiguate different packages from each other runs into a problem of having the same package used in different ways by the same consumer (say, it depends on a static build of the package on one platform and a dynamic build of the package on another platform). Where I'm headed with this is to distinguish between 2 kinds of data.
Data under 1. should be specified in the purl specification and the specification should allow for the flexibility to record data under 2. Properties for that 2. data could be also documented in a subparagraph, but it would be non-normative with regards to the purl spec. With that approach, I think it means that the existing I'm going to make those changes soon, and want this comment to serve as a record of the thought process behind the decision. |
…ditional, unspecified qualifeirs must be tolerated.
|
After discussing it some with the vcpkg team, I don't think we need to necessarily distinguish ports from artifacts at this time, so I've made the changes mentioned above, but have not added a |
|
Alright. I'm moving this out of draft status. I'm looking for reviews from stakeholders in addition to maintainers of the purl-spec repository. Pinging @dan-shaw, @ras0219-msft, @jhutchings1, @adriandiglio. |
… of the registry_version qualifier should be percent-encoded.
|
I think the purl spec is somewhat unclear on what guarantees users are to expect of PURLs that make making a judgement call on whether this represents vcpkg effectively there. Couple of questions:
Examples like conan already here seem to say that different URIs to the same content as well as the same URI potentially identifying different content are OK but that seems to make PURLs almost meaningless. Given a PURL, what is a user expected to be able to do with it? I look at what SPDX and what GitHub dependencies and similar want, and they want such vastly different things and want different guarantees on what that means. Potential examples. It isn't clear to me which of these apply. I'm sure I missed some.
|
PURLs should be deterministic. If there are things which could affect what dependency you resolve, they should be available as properties in the PURL schema for a type. The registry is a common example; most types allow you to provide a registry, but have a default option as well. Reviewing your list, I believe every one of those is a goal. Sometimes purls will have maximum specificity (eg, a runtime might report that it ran a very specific piece of software), and other times, they'll have less (eg, a CVE may specify something like pkg:npm/lodash@1.0.0-2.0.0 to specify a large range of affected products, at least if the version range spec is added #93 ).
|
|
@jhutchings1 How do we reconcile that with many existing examples that fail most of these tests? Examples: pkg:conan/openssl@3.0.3
pkg:cargo/rand@0.7.2
pkg:nuget/EnterpriseLibrary.Common@6.0.1304
|
|
@jhutchings1 (To clarify, I'm trying to make sure vcpkg's support for this is consistent with the spec's design goals but the front matter seems to be missing these details and the examples seem to not be consistent with what design goals are listed there so I don't know how I feel about it) |
|
Producers should provide as much information as they have, but most properties should be optional so that producers like CVE issuers can issue CVEs that target a broader set of packages with just one purl. There's not a one size fits all approach here, so design for flexibility. |
It sounds like the PURL spec should then be viewed as serving two separate purposes:
Solving (2) is much more complicated than identifying individual packages; there's a certain policy decision of applicability. For example, if I get More realistically, does How does this currently work for PURLs into Linux distributions -- especially Debian Stable? |
|
CVE matching seems like it is always messy. For PURL I think typically zlib@1.2.11 is expected to always be zlib@1.2.11, not zlib1g@1:1.2.11.dfsg-1+deb10u2 or 1:1.2.11.dfsg-2+deb11u2 depending on what version of Debian the software is installed on. CVEs usually are matched using CPEs like For PURLs into Debian, the spec says you should have a PURL like At least I'm pretty sure that's how it works for tools like Trivy and debscan. For software library packages being incorporated into a product via bundling or static linking, it's much simpler because the packages are (usually) specific, immutable files in specific repositories, so the question of whether that package is vulnerable or not depends on only the package, of which there is only a single instance, published by the package author (ie CVE-2022-37434 is resolved by upgrading to ¹ I'm not sure this is useful. Does Debian keep every version of every package forever? I know for Alpine this is not the case, so |
|
This discussion seems to be a bit stale, but I think it is still very relevant, because at the moment vcpkg does not use any CPE or Package URL in the SBOMs it produces. That prevents it from being used easily for automated analysis. So I would like to revive it and add my 2 cents:
To sum up, I would argue for a simple purl like |
|
@michaelbprice Do you plan to work on this PR still? In my opinion, vulnerability detection is of vital importance to package managers like vcpkg, so I hope you are still planning to work on it, and otherwise that somebody else can take it over. |
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Co-authored-by: Michael B. Price <michael.b.price.dev@gmail.com>
Add optional `repository_revision` so that mistakes in `port_revision` and `version` can be accounted for. Not relevant for filesystem registries or overlay ports because that gives no further external traceability. Along with this, describe the filesystem registries and overlay port cases.
Extend the port overlay or filesystem registry example with port revision. Add an example for additional qualifiers.
|
@pombredanne - What steps still remain in order to merge this spec for a vcpkg PURL type? |
jkowalleck
added
Proposed new type
and removed
PURL type definition
This would address Issue #217. It is also being tracked on the vcpkg side in this discussion. microsoft/vcpkg#32732