Purl Generation Alpine #1131
The purl generation for apk packages was faulty. For example the purl for alpine busybox was pkg:apk/alpine/busybox@1.31.1-r9 instead of pkg:apk/alpine/busybox@1.31.1-r9. Here are the results in the OSSINDEX base with the two purls:
- https://ossindex.sonatype.org/component/pkg:apk/alpine/busybox@1.31.1-r9
- https://ossindex.sonatype.org/component/pkg:alpine/busybox@1.31.1-r9

Resolves: tern-tools#1131
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
Can I work on this?
@ivanayov I think @ThiefaineM already opened a PR with a fix for this.
The purl generation for apk packages was faulty. For example the purl for alpine busybox was pkg:apk/alpine/busybox@1.31.1-r9 instead of pkg:apk/alpine/busybox@1.31.1-r9.

Resolves: tern-tools#1131
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
@ThiefaineM Mentioned this in my PR, but it does not look like apk/alpine packages are actually defined in the purl spec, so curious why ossindex has a preference, do you know?
I do not have an idea on why they did it like this, sorry.
Yes, please. By the way, I opened an issue in the purl repository asking about the alpine/apk purl type entry. It would make me feel better to have a specified Alpine type in the purl spec before merging your PR, but I'll see what they respond with. I'm not opposed to merging your PR if the purl maintainers seem agreeable with the current ossindex expectation.
The purl generation for apk packages was faulty. For example the purl for an alpine image busybox package was pkg:apk/alpine/busybox@1.31.1-r9 instead of the correct pkg:alpine/busybox@1.31.1-r9. Note that "apk" type packages are not defined for purl yet, specifically, but OSSINDEX uses the pkg:alpine[1] notation and purl has purposely chosen not to use "apk" as an identifier due to a known conflict with Android which also uses the term apk[2].

[1] https://ossindex.sonatype.org/component/pkg:alpine/busybox@1.31.1-r9
[2] package-url/purl-spec#159 (comment)

Resolves: tern-tools#1131
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
Signed-off-by: Rose Judge <rjudge@vmware.com>
The purl generation for apk packages was faulty. For example the purl for an alpine image busybox package was pkg:apk/alpine/busybox@1.31.1-r9 instead of the correct pkg:alpine/busybox@1.31.1-r9. Note that "apk" type packages are not defined for purl yet, specifically, but OSSINDEX uses the pkg:alpine[1] notation and purl has purposely chosen not to use "apk" as an identifier due to a known conflict with Android which also uses the term apk[2].

[1] https://ossindex.sonatype.org/component/pkg:alpine/busybox@1.31.1-r9
[2] package-url/purl-spec#159 (comment)

Resolves: #1131
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
Signed-off-by: Rose Judge <rjudge@vmware.com>
Describe the bug
The generated purl for alpine components does not match the one used in OSSINDEX.
To Reproduce
Steps to reproduce the behavior:
1. Create a Docker image from an alpine base image such as postgres:12.0-alpine
2. Use Tern to generate a BOM in CycloneDX JSON format
3. Look at the generated purl, for example the one for libxml2
Expected behavior
It seems that for alpine the purl looks like "pkg:alpine/libxml2@2.9.9-r2" instead of "pkg:apk/alpine/libxml2@2.9.9-r2". Here are the two results depending on the purl:
https://ossindex.sonatype.org/component/pkg:alpine/libxml2
https://ossindex.sonatype.org/component/pkg:apk/alpine/libxml2
It looks like for alpine the package type should not be written.
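As an added illustration (not Tern's code and not part of the original issue or PR), the following Python builds purls in the shape this thread settles on for Alpine packages, pkg:alpine/<name>@<version>, applying the percent-encoding the purl spec requires, and rewrites the faulty pkg:apk/alpine/ prefix in an existing CycloneDX JSON BOM so SBOMs produced before the fix can be matched against OSS Index. The deb and rpm mapping rules follow the purl spec's documented examples; the function names, the rule table and the sample BOM fragment are constructed for this example.

```python
"""Build Package URLs (purls) for distro packages and repair legacy Alpine purls.

Added example, not Tern's own code. The Alpine rule follows the issue thread:
OSS Index expects pkg:alpine/<name>@<version>, with no "apk" type and no
distro namespace. Everything else here is an assumption for illustration.
"""
from urllib.parse import quote

# purl components are percent-encoded; these characters stay literal.
_SAFE = "-._~"


def _enc(value: str) -> str:
    """Percent-encode one purl component ('@', ':', '/' and '?' get escaped)."""
    return quote(value, safe=_SAFE)


def make_purl(pkg_type, name, version=None, namespace=None, qualifiers=None, subpath=None):
    """Assemble pkg:type[/namespace]/name[@version][?qualifiers][#subpath]."""
    if not pkg_type or not name:
        raise ValueError("a purl needs at least a type and a name")
    parts = ["pkg:", pkg_type.lower(), "/"]
    if namespace:
        # Each namespace segment is encoded on its own; '/' stays a separator.
        parts.append("/".join(_enc(seg) for seg in namespace.strip("/").split("/")))
        parts.append("/")
    parts.append(_enc(name))
    if version:
        parts.append("@" + _enc(version))
    if qualifiers:
        # Keys are lowercased and sorted so equal purls compare byte-for-byte.
        pairs = [(k.lower(), _enc(v)) for k, v in sorted(qualifiers.items()) if v]
        parts.append("?" + "&".join(f"{k}={v}" for k, v in pairs))
    if subpath:
        parts.append("#" + "/".join(_enc(seg) for seg in subpath.strip("/").split("/")))
    return "".join(parts)


# Package format -> (purl type, does the distro name become the namespace?).
# "apk" -> "alpine" with no namespace is what the thread arrives at; the deb
# and rpm rows mirror the purl spec's examples (pkg:deb/debian/..., pkg:rpm/fedora/...).
_PURL_RULES = {
    "apk": ("alpine", False),
    "deb": ("deb", True),
    "rpm": ("rpm", True),
}


def purl_for_package(pkg_format, distro, name, version):
    """Map a package found in an image to its purl using the rule table above."""
    try:
        purl_type, uses_namespace = _PURL_RULES[pkg_format]
    except KeyError:
        raise ValueError(f"no purl rule for package format {pkg_format!r}") from None
    return make_purl(purl_type, name, version, namespace=distro if uses_namespace else None)


_LEGACY_ALPINE_PREFIX = "pkg:apk/alpine/"


def fix_legacy_alpine_purl(purl: str) -> str:
    """Rewrite the pre-fix form pkg:apk/alpine/<rest> to pkg:alpine/<rest>.

    Any other purl is returned unchanged, so this is safe to run over a whole BOM.
    """
    if purl.startswith(_LEGACY_ALPINE_PREFIX):
        return "pkg:alpine/" + purl[len(_LEGACY_ALPINE_PREFIX):]
    return purl


def rewrite_bom_purls(bom: dict) -> int:
    """Repair legacy Alpine purls in a parsed CycloneDX JSON BOM in place; return the count changed."""
    changed = 0
    for component in bom.get("components", []):
        old = component.get("purl")
        if not old:
            continue
        new = fix_legacy_alpine_purl(old)
        if new != old:
            component["purl"] = new
            changed += 1
    return changed


# Constructed CycloneDX-style fragment (not real Tern output) for the demo below.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {"type": "library", "name": "busybox", "version": "1.31.1-r9",
         "purl": "pkg:apk/alpine/busybox@1.31.1-r9"},
        {"type": "library", "name": "libxml2", "version": "2.9.9-r2",
         "purl": "pkg:apk/alpine/libxml2@2.9.9-r2"},
        {"type": "library", "name": "curl", "version": "7.50.3-1",
         "purl": "pkg:deb/debian/curl@7.50.3-1"},
    ],
}

if __name__ == "__main__":
    print(purl_for_package("apk", "alpine", "busybox", "1.31.1-r9"))
    fixed = rewrite_bom_purls(SAMPLE_BOM)
    print(f"rewrote {fixed} legacy Alpine purls")
    for component in SAMPLE_BOM["components"]:
        print(" ", component["purl"])
```

Feeding a real BOM through `json.load`, `rewrite_bom_purls`, `json.dump` is enough to re-query OSS Index with the corrected identifiers; because the rewrite only touches the exact pkg:apk/alpine/ prefix, deb and rpm entries pass through untouched.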