What would you like to be added:

The PURL in generated SBOMs for packages should include repository_url information wherever relevant.

Why is this needed:

Without additional context of where the package was installed from, the SBOM is incomplete. With additional information about the repository_url wherever possible, SBOM tooling can make use of this information (for example to check if the package is updated or not).

As an example, Liberica JDK is published by Bellsoft in their own repos: https://bell-sw.com/pages/repositories/. After installing the bellsoft-java21-lite package from the Debian repository, this is how the component is generated by Syft:

The PURL in particular is pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12. Since this is a non-default installation (not from the Debian 12 repositories), the PURL should instead include the repository_url field:

pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12&repository_url=https://apt.bell-sw.com%20stable/main%20amd64%20Packages

Additional context:

repository_url is supported as per the PURL SPEC for multiple types.
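The following is an added example (not Syft code and not part of the issue) showing how the repository_url qualifier proposed above is attached to a PURL with correct percent-encoding, and how SBOM tooling could then use it to tell a default-mirror package from one pulled from a vendor repository. The un-encoded apt source line, the set of "default" Debian mirror hosts and all function names are assumptions made for the example; the PURL strings themselves come from the issue.

```python
"""Add and inspect the PURL repository_url qualifier (added example, not Syft code)."""
from urllib.parse import quote, unquote, urlsplit

# Values taken from the issue text. The apt source line is the assumed
# un-encoded form of the qualifier value proposed in the issue.
ISSUE_PURL = "pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12"
BELLSOFT_APT_SOURCE = "https://apt.bell-sw.com stable/main amd64 Packages"

# Assumed set of hosts treated as "default" Debian mirrors by the check below.
DEFAULT_DEBIAN_HOSTS = {"deb.debian.org", "security.debian.org"}


def split_purl(purl):
    """Split a PURL into (base, qualifiers, subpath).

    base keeps type/namespace/name@version exactly as written (the version
    stays percent-encoded, e.g. 21.0.3%2B12); qualifier values are decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):]
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    return rest, qualifiers, subpath


def build_purl(base, qualifiers, subpath=None):
    """Serialise a PURL: qualifiers sorted by key, values percent-encoded
    (':' and '/' left as-is, spaces and '+' encoded), empty values dropped."""
    out = "pkg:" + base
    encoded = [
        f"{key}={quote(value, safe=':/')}"
        for key, value in sorted(qualifiers.items())
        if value
    ]
    if encoded:
        out += "?" + "&".join(encoded)
    if subpath:
        out += "#" + subpath
    return out


def with_repository_url(purl, repository_url):
    """Return purl with a repository_url qualifier added (or replaced)."""
    base, qualifiers, subpath = split_purl(purl)
    qualifiers["repository_url"] = repository_url
    return build_purl(base, qualifiers, subpath)


def repository_host(purl):
    """Hostname named by the repository_url qualifier, or None if absent.

    Only the first whitespace-separated token is parsed, so an apt-style value
    ('URL suite component arch Packages') still yields the repository host.
    """
    _, qualifiers, _ = split_purl(purl)
    value = qualifiers.get("repository_url")
    if not value:
        return None
    url = value.split()[0]
    if "://" not in url:
        url = "https://" + url  # bare host form used by some purl types
    return urlsplit(url).hostname


def non_default_origin(purl, default_hosts=DEFAULT_DEBIAN_HOSTS):
    """True when the component declares a repository outside default_hosts.

    Returns None when there is no repository_url qualifier: the SBOM then
    does not say where the package came from, which is the gap the issue raises.
    """
    host = repository_host(purl)
    if host is None:
        return None
    return host not in default_hosts


if __name__ == "__main__":
    enriched = with_repository_url(ISSUE_PURL, BELLSOFT_APT_SOURCE)
    print(enriched)
    print("origin known:", non_default_origin(ISSUE_PURL))  # None: no qualifier
    print("non-default:", non_default_origin(enriched))     # True
```

Running the block prints exactly the enriched PURL proposed in the issue, and the origin check distinguishes a component whose SBOM entry is silent about its repository (None) from one that names a vendor host (True) or a default mirror (False).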