Open willmurphyscode opened 1 year ago
What would you like to be added:
Today, syft puts &distro=<distro info> on some PURLs. But there are instances where, for example, a version is missing.
Consider:
❯ syft -q -o json debian:trixie-20231009-slim | jq '.artifacts[0].purl'
"pkg:deb/debian/apt@2.7.6?arch=arm64&distro=debian"
has no version info, but there is at least a codename in:
❯ syft -q -o json debian:trixie-20231009-slim | jq '.distro'
{
  "prettyName": "Debian GNU/Linux trixie/sid",
  "name": "Debian GNU/Linux",
  "id": "debian",
  "versionCodename": "trixie",
  "homeURL": "https://www.debian.org/",
  "supportURL": "https://www.debian.org/support",
  "bugReportURL": "https://bugs.debian.org/"
}
Whereas for amazonlinux 2023, for example, the version is already encoded in the PURL:
❯ syft -q -o json amazonlinux:2023.2.20231011.0 | jq '.artifacts[0].purl'
"pkg:rpm/amzn/alternatives@1.15-2.amzn2023.0.2?arch=aarch64&upstream=chkconfig-1.15-2.amzn2023.0.2.src.rpm&distro=amzn-2023"
Why is this needed:
https://github.com/anchore/grype/issues/86
Additional context: Syft might need to do this by keeping a map of Debian codenames to versions, and we should also see which other supported distros don't get version info in the PURLs.
Blocks https://github.com/anchore/grype/pull/1530
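The codename-to-version map suggested under "Additional context", as an added Go example that is not part of the original issue and is not Syft's code. `withDistroVersion` and `codenameVersions` are hypothetical names, the table is a constructed sample, and the `debian-13` form is assumed to follow the `amzn-2023` pattern in the PURL quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// codenameVersions is a constructed sample table (hypothetical, not Syft's data),
// keyed by os-release ID, then VERSION_CODENAME.
var codenameVersions = map[string]map[string]string{
	"debian": {"stretch": "9", "buster": "10", "bullseye": "11", "bookworm": "12", "trixie": "13"},
}

// withDistroVersion rewrites a version-less "distro=<id>" qualifier to
// "distro=<id>-<version>" (form assumed from the amzn-2023 PURL in the issue).
// It returns the PURL unchanged and false when the qualifier is absent, already
// carries a version, or the codename is not in the table.
func withDistroVersion(purl, distroID, codename string) (string, bool) {
	version, known := codenameVersions[distroID][strings.ToLower(codename)]
	rest, subpath, hasSubpath := strings.Cut(purl, "#") // keep any #subpath intact
	base, query, hasQuery := strings.Cut(rest, "?")
	if !known || !hasQuery {
		return purl, false
	}
	quals := strings.Split(query, "&")
	changed := false
	for i, q := range quals {
		key, val, _ := strings.Cut(q, "=")
		if key == "distro" && val == distroID { // exact match: no version suffix yet
			quals[i] = "distro=" + distroID + "-" + version
			changed = true
		}
	}
	if !changed {
		return purl, false
	}
	out := base + "?" + strings.Join(quals, "&")
	if hasSubpath {
		out += "#" + subpath
	}
	return out, true
}

func main() {
	// Inputs are the two PURLs quoted in the issue.
	fmt.Println(withDistroVersion("pkg:deb/debian/apt@2.7.6?arch=arm64&distro=debian", "debian", "trixie"))
	fmt.Println(withDistroVersion("pkg:rpm/amzn/alternatives@1.15-2.amzn2023.0.2?arch=aarch64&upstream=chkconfig-1.15-2.amzn2023.0.2.src.rpm&distro=amzn-2023", "amzn", ""))
}
```

An unknown codename leaves the PURL untouched rather than guessing a version, so a consumer can still tell that the version was never resolved.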