anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Provide a Purl in the root component of the SBOM #1408

Open MeikelVielhauer opened 1 year ago

MeikelVielhauer commented 1 year ago

What would you like to be added: A Package URL from the docker image is missing in the generated SBOM. Could you please provide the purl for the root component (metadata.component.purl)?

Here you can find examples for purls from docker images: https://github.com/package-url/purl-spec#some-purl-examples.

Why is this needed: This is needed to have a specific identifier for an artifact deployed from a docker image.

Additional context: There is an "Executive Order on Improving the Nation’s Cybersecurity" providing urgency about delivering SBOMs for your published products to be compliant. For docker images, you should be able to map your archived SBOMs to your deployed artifacts via an identifier (purl).
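The shape being requested, as an added example that is not part of this issue and not syft's own code: a Go sketch that splits a docker image reference, renders the `pkg:docker` purl in the form the purl-spec examples use (`@sha256:...` as the version, `?repository_url=` for a non-Hub registry), writes it into a CycloneDX document's `metadata.component.purl`, and then reads that field back to check an archived SBOM against a deployed image. `ImageRef`, `ParseImageRef`, `DockerPurl`, `NewContainerBOM`, `RootPurl`, `MatchesDeployedImage` and the sample digest are all assumptions of this example; syft's `source.Metadata` model is not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ImageRef is this example's hypothetical split of an image reference (syft's source.Metadata is not shown).
// Per purl-spec, pkg:docker defaults to Docker Hub and prefers a sha256 digest over a tag, since tags can be moved.
type ImageRef struct{ Registry, Name, Tag, Digest string }
// ParseImageRef splits "[registry/]name[:tag][@sha256:digest]".
func ParseImageRef(ref string) (ImageRef, error) {
	var r ImageRef
	rest := ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest, rest = rest[i+1:], rest[:i]
		if h := strings.TrimPrefix(r.Digest, "sha256:"); len(h) != 64 || strings.Trim(h, "0123456789abcdef") != "" {
			return r, fmt.Errorf("unsupported digest %q", r.Digest)
		}
	}
	// A ':tag' exists only if the last ':' follows the last '/'; otherwise it is a registry port (localhost:5000/app).
	if i := strings.LastIndex(rest, ":"); i > strings.LastIndex(rest, "/") {
		r.Tag, rest = rest[i+1:], rest[:i]
	}
	// A first path segment containing '.' or ':' (or "localhost") is a registry host.
	if j := strings.Index(rest, "/"); j >= 0 {
		if first := rest[:j]; strings.ContainsAny(first, ".:") || first == "localhost" {
			r.Registry, rest = first, rest[j+1:]
		}
	}
	if r.Name = rest; rest == "" || (r.Digest == "" && r.Tag == "") {
		return r, fmt.Errorf("invalid image reference %q", ref)
	}
	return r, nil
}

// DockerPurl renders e.g. pkg:docker/customer/dockerimage@sha256:...?repository_url=gcr.io
func DockerPurl(r ImageRef) string {
	version := r.Tag
	if r.Digest != "" {
		version = r.Digest // preferred: a tag can be re-pointed later, a digest cannot
	}
	p := "pkg:docker/" + r.Name + "@" + version
	if r.Registry != "" {
		p += "?repository_url=" + url.QueryEscape(r.Registry)
	}
	return p
}
// Minimal CycloneDX JSON shape with only the fields this example needs.
type Component struct {
	Type string `json:"type"`
	Name string `json:"name"`
	Purl string `json:"purl,omitempty"`
}
type BOM struct {
	BOMFormat   string                                         `json:"bomFormat"`
	SpecVersion string                                         `json:"specVersion"`
	Metadata    struct{ Component Component `json:"component"` } `json:"metadata"`
}
// NewContainerBOM emits a CycloneDX document whose root component (metadata.component) carries the purl.
func NewContainerBOM(ref string) ([]byte, error) {
	r, err := ParseImageRef(ref)
	if err != nil {
		return nil, err
	}
	bom := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.4"}
	bom.Metadata.Component = Component{Type: "container", Name: r.Name, Purl: DockerPurl(r)}
	return json.MarshalIndent(bom, "", "  ")
}

// RootPurl reads metadata.component.purl from an archived SBOM; without it the SBOM
// cannot be tied to a deployed artifact, which is the gap the issue describes.
func RootPurl(doc []byte) (string, error) {
	var bom BOM
	if err := json.Unmarshal(doc, &bom); err != nil {
		return "", err
	} else if bom.Metadata.Component.Purl == "" {
		return "", fmt.Errorf("SBOM has no metadata.component.purl")
	}
	return bom.Metadata.Component.Purl, nil
}

// MatchesDeployedImage reports whether the archived SBOM describes the running image.
// It insists on a digest: a tag may have been moved since the SBOM was generated.
func MatchesDeployedImage(doc []byte, deployedRef string) (bool, error) {
	r, err := ParseImageRef(deployedRef)
	if err == nil && r.Digest == "" {
		err = fmt.Errorf("refusing tag-only comparison for %q; use the digest", deployedRef)
	}
	if err != nil {
		return false, err
	}
	purl, err := RootPurl(doc)
	return err == nil && purl == DockerPurl(r), err
}

// Constructed sample digest; it does not belong to any real image.
const sampleDigest = "sha256:244fd47e07d1004f0aed9c6e7b5a1f3c9d8e2b7a6f5c4d3e2f1a0b9c8d7e6f5a"
```

`NewContainerBOM("gcr.io/customer/dockerimage@" + sampleDigest)` yields a document whose root purl is `pkg:docker/customer/dockerimage@sha256:...?repository_url=gcr.io`, and `MatchesDeployedImage` only reports a match when the deployed digest renders to the identical purl. The refusal of tag-only references is deliberate: the mapping from archived SBOM to deployed artifact is only trustworthy when the version part of the purl is an immutable digest.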

wagoodman commented 1 year ago

Great idea!

In the internal model this could probably go in the source.Metadata (needs more thought), and for each format we'd need to identify the correct location in the SBOM (seems like you're referring to CycloneDX for metadata.component.purl, yes?).

MeikelVielhauer commented 1 year ago

Yes, you're right, I am referring to the CycloneDX format.

MeikelVielhauer commented 1 year ago

Hello @wagoodman, is there anything planned by your side related to this?

MeikelVielhauer commented 1 year ago

Hello @wagoodman, is there anything planned by your side related to this?

I have not seen that you added this to your backlog. Sorry for the inconvenience, thanks a lot! 🚀

kzantow commented 1 year ago

Yes, we've added this to the backlog and will get to it in due time. Thanks, @MeikelVielhauer!

bureado commented 1 year ago

For prior art, just a suggestion to look at how buildkit is using purl for the subject of the SBOMs they're producing since the latest release, see for example: