anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Include repository_url information in PURLs for non-default repository packages #2968

Open captn3m0 opened 1 week ago

captn3m0 commented 1 week ago

What would you like to be added:

The PURL in generated SBOMs for packages should include repository_url information wherever relevant.

Why is this needed:

Without additional context of where the package was installed from, the SBOM is incomplete. With additional information about the repository_url wherever possible, SBOM tooling can make use of this information (for example to check if the package is updated or not).

As an example, Liberica JDK is published by Bellsoft in their own repos: https://bell-sw.com/pages/repositories/. After installing the bellsoft-java21-lite package from the Debian repository, this is how the component is generated by Syft:

```json
{
  "bom-ref": "pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12&package-id=278a5f620bae9f5d",
  "type": "library",
  "publisher": "BellSoft <info@bell-sw.com>",
  "name": "bellsoft-java21-lite",
  "version": "21.0.3+12",
  "cpe": "cpe:2.3:a:bellsoft-java21-lite:bellsoft-java21-lite:21.0.3\\+12:*:*:*:*:*:*:*",
  "purl": "pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "dpkg-db-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "deb"
    },
    {
      "name": "syft:package:metadataType",
      "value": "dpkg-db-entry"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft-java21-lite:bellsoft_java21_lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft_java21_lite:bellsoft-java21-lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft_java21_lite:bellsoft_java21_lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft-java21:bellsoft-java21-lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft-java21:bellsoft_java21_lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft_java21:bellsoft-java21-lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft_java21:bellsoft_java21_lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft:bellsoft-java21-lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:bellsoft:bellsoft_java21_lite:21.0.3\\+12:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:path",
      "value": "var/lib/dpkg/info/bellsoft-java21-lite.md5sums"
    },
    {
      "name": "syft:location:1:path",
      "value": "var/lib/dpkg/status"
    },
    {
      "name": "syft:metadata:installedSize",
      "value": "0"
    }
  ]
}
```

The PURL in particular is pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12. Since this is a non-default installation (not from the Debian 12 repositories), the PURL should instead include the repository_url field:

pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12&repository_url=https://apt.bell-sw.com%20stable/main%20amd64%20Packages

Additional context:

repository_url is supported as per the PURL SPEC for multiple types.
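The following is an added example, not code from the issue author or from Syft, showing how a tool could populate the `repository_url` qualifier the issue asks for. It parses a constructed sample of `apt-cache policy` output (the source of the `https://apt.bell-sw.com stable/main amd64 Packages` line quoted above) to find the repository the installed version came from, then rewrites the Syft PURL with the qualifier set and the qualifier list in canonical order. The function names, the sample output, and the choice to keep `:` and `/` unescaped in qualifier values while percent-encoding everything else are assumptions made for the example; a package that apt only knows from `/var/lib/dpkg/status` (a locally installed .deb) gets no qualifier, since there is no repository to name.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `apt-cache policy bellsoft-java21-lite` output
// (not taken from the issue); it only illustrates the format parsed below.
const samplePolicy = `bellsoft-java21-lite:
  Installed: 21.0.3+12
  Candidate: 21.0.3+12
  Version table:
 *** 21.0.3+12 500
        500 https://apt.bell-sw.com stable/main amd64 Packages
        100 /var/lib/dpkg/status
`

// Constructed sample for a hypothetical package installed from a local .deb:
// apt knows the version only from the dpkg database, so there is no repository.
const localOnlyPolicy = `mytool:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 100
        100 /var/lib/dpkg/status
`

var errNoRemoteSource = errors.New("installed version has no remote apt source")

// installedSource returns the origin URL apt lists for the installed (***)
// version, skipping the local /var/lib/dpkg/status entry.
func installedSource(policy string) (string, error) {
	inInstalled := false
	for _, raw := range strings.Split(policy, "\n") {
		fields := strings.Fields(raw)
		if len(fields) == 0 {
			continue
		}
		if fields[0] == "***" {
			inInstalled = true
			continue
		}
		if !inInstalled {
			continue
		}
		// Source lines are "<priority> <origin> ..."; a non-numeric first
		// field means the next version entry has started.
		if _, err := strconv.Atoi(fields[0]); err != nil || len(fields) < 2 {
			break
		}
		if strings.HasPrefix(fields[1], "/") {
			continue // local dpkg status file, not a repository
		}
		return fields[1], nil
	}
	return "", errNoRemoteSource
}

// percentEncode encodes a qualifier value: unreserved characters plus ':' and
// '/' are kept (assumed canonical form, matching the rendering in the issue),
// everything else becomes %XX.
func percentEncode(s string) string {
	const hex = "0123456789ABCDEF"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9',
			c == '-', c == '.', c == '_', c == '~', c == ':', c == '/':
			b.WriteByte(c)
		default:
			b.WriteByte('%')
			b.WriteByte(hex[c>>4])
			b.WriteByte(hex[c&0x0f])
		}
	}
	return b.String()
}

// setQualifier adds or replaces one qualifier on a purl and re-serialises the
// qualifier list canonically: keys lowercased and sorted, values encoded.
// The optional #subpath is preserved. url.PathUnescape is used for decoding
// because, unlike QueryUnescape, it does not turn '+' into a space.
func setQualifier(purl, key, value string) (string, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", fmt.Errorf("not a purl: %q", purl)
	}
	head, subpath, hasSubpath := strings.Cut(purl, "#")
	base, query, _ := strings.Cut(head, "?")
	quals := map[string]string{}
	for _, pair := range strings.Split(query, "&") {
		if pair == "" {
			continue
		}
		k, v, ok := strings.Cut(pair, "=")
		if !ok || k == "" {
			return "", fmt.Errorf("malformed qualifier %q", pair)
		}
		dv, err := url.PathUnescape(v)
		if err != nil {
			return "", err
		}
		quals[strings.ToLower(k)] = dv
	}
	quals[strings.ToLower(key)] = value
	keys := make([]string, 0, len(quals))
	for k := range quals {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+percentEncode(quals[k]))
	}
	out := base
	if len(parts) > 0 {
		out += "?" + strings.Join(parts, "&")
	}
	if hasSubpath {
		out += "#" + subpath
	}
	return out, nil
}

// repositoryQualifiedPurl enriches a deb purl with the repository the installed
// version came from; purls for packages apt only knows locally are unchanged.
func repositoryQualifiedPurl(purl, policy string) (string, error) {
	repo, err := installedSource(policy)
	if errors.Is(err, errNoRemoteSource) {
		return purl, nil
	}
	if err != nil {
		return "", err
	}
	return setQualifier(purl, "repository_url", repo)
}

func main() {
	const purl = "pkg:deb/debian/bellsoft-java21-lite@21.0.3%2B12?arch=amd64&distro=debian-12"
	out, err := repositoryQualifiedPurl(purl, samplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The example sets `repository_url` to the origin URL alone (`https://apt.bell-sw.com`), because the suite, component and architecture are not part of the repository URL and `arch` already carries the architecture; passing the full `apt-cache policy` line to `setQualifier` instead reproduces the exact string proposed in the issue, with spaces encoded as `%20`. Note that apt's view is only a heuristic for provenance: it reports where a version of that name is currently offered, not where the installed files were fetched from, so a tool should treat the result as a hint rather than a verified origin.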