Background
Across the different package types you support (e.g. DEB, RPM, etc.), each has multiple distros. Each of those distros has its own CVEs and security RSS feeds for package dependencies.
Even within the same distribution there are multiple releases, each with its own versioning and CVE patch channels, i.e. backports.
Request
Can you make the pkg url optionally include a customizable distro type?
For example, instead of:
pkg:rpm/curl-minimal@8.2.1
I would like to see
pkg:rpm/amazonlinux2023/curl-minimal@8.2.1
So that security vendors can support specific operating systems and do not need to infer the distribution.
Additional information
I tried getting different results with:
And it does seed some metadata about the OS, but not in a way that vendors would easily be able to support. Maybe an additional option like --release-pkg-url or something?
Why the feature
Projects are typically multi-lingual and have a stack to support. pkg url is meant to provide unique identifiers for the components that make up a project. It is common for SBOMs to be combined into a unified SBOM.
For example, a Python project with JavaScript shipping a Docker container would have separate SBOMs for Python pip packages, NodeJS npm packages, and operating system packages. Making a unified SBOM means creating one file mixing the pkg urls for all three in the same file.
In this scenario you lose the extra metadata you seed, and the only thing which can be relied upon is the pkg url for the full content of what that dependency provides. So it is important for the pkg url to be sufficiently unique across Linux distributions and across releases of a single distribution (e.g. LTS or not).
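As an added example (not code from the original issue or from any SBOM tool), the following Python shows the ambiguity described above: two curl-minimal packages from different OS images collapse into one identifier in a merged SBOM when only type, name and version are emitted, and become distinct once the purl namespace and the purl spec's distro qualifier are filled in. The helper functions and the sample package records are my own constructed illustration, not a library API.

```python
from urllib.parse import quote, unquote, parse_qsl

def build_purl(ptype, name, version=None, namespace=None, qualifiers=None):
    """Assemble pkg:type/namespace/name@version?k=v (hypothetical helper, not a library call)."""
    purl = f"pkg:{ptype}/"
    if namespace:
        purl += quote(namespace, safe="") + "/"
    purl += quote(name, safe="")
    if version:
        purl += "@" + quote(version, safe="")
    if qualifiers:
        # purl qualifier keys are lowercase and sorted; values are percent-encoded
        q = "&".join(f"{k.lower()}={quote(v, safe='')}" for k, v in sorted(qualifiers.items()))
        purl += "?" + q
    return purl

def parse_purl(purl):
    """Split a purl into its components (type, namespace, name, version, qualifiers)."""
    assert purl.startswith("pkg:"), "not a purl"
    rest = purl[len("pkg:"):]
    qualifiers = {}
    if "?" in rest:
        rest, qs = rest.split("?", 1)
        qualifiers = dict(parse_qsl(qs))  # parse_qsl percent-decodes values
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = rest.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return {"type": parts[0], "namespace": namespace, "name": unquote(parts[-1]),
            "version": version, "qualifiers": qualifiers}

# Constructed sample: the same package name/version observed in two OS images
# whose SBOMs are merged into one unified SBOM.
SAMPLES = [
    {"namespace": "amazonlinux", "distro": "amazonlinux-2023", "name": "curl-minimal", "version": "8.2.1"},
    {"namespace": "fedora", "distro": "fedora-38", "name": "curl-minimal", "version": "8.2.1"},
]

def collision_count(samples, with_distro):
    """Number of packages that become indistinguishable after emitting their purls."""
    ids = set()
    for s in samples:
        if with_distro:
            ids.add(build_purl("rpm", s["name"], s["version"], s["namespace"], {"distro": s["distro"]}))
        else:
            ids.add(build_purl("rpm", s["name"], s["version"]))
    return len(samples) - len(ids)
```

A vulnerability matcher keyed on the bare purl would apply the same advisory to both records, which is exactly the inference the request wants to avoid.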