Closed eskultety closed 2 weeks ago
Tests updated -> ready to review.
Since v2:
Package
class in context of mypy dict typing (dict[str, str] -> dict[str, Optional[str])
)noarch
and .src.rpm
I noticed that this improvement has also solved the issue of duplicated SBOM components for noarch
RPMs that come from the same repoid
(although we still download them individually for each arch they happen to be listed under). Should we make not of this in the commit message?
I noticed that this improvement has also solved the issue of duplicated SBOM components for
noarch
RPMs that come from the samerepoid
(although we still download them individually for each arch they happen to be listed under). Should we make not of this in the commit message?
Huh, I just noticed the code being part of the SBOM output model which I only noticed just now, sure.
Since v3:
packageurl.PackageURL
and make use of escaping in all fields/retest
The official PURL spec for RPMs is vague [1]. Red Hat product security team published a PURL guideline for their internal build processes which addresses some of the pitfalls in the current upstream PURL spec and takes a slightly different approach with some of the qualifiers [2]. Some of the fields appear to be more standardized compared to its upstream counterpart this patch adopts the format for now, at least until a more refined vendor-agnostic PURL guideline for RPMs is posted in the upstream space. Most notable changes:
EXAMPLES:
pkg:rpm/redhat/emacs@27.2-9.el9?arch=noarch&repository_id=ubi-9-appstream-rpms
pkg:rpm/redhat/emacs@27.2-9.el9?epoch=1&arch=src&repository_id=ubi-9-appstream-rpms&checksum=sha256:abcd1234
pkg:rpm/foo@1.0-1.el8?arch=x86_64&download_url=<quoted_example.com>
For what it's worth I also tried to revive an old thread on namespaces in the upstream PURL spec to request refreshment of the PURL to cover additional cases: https://github.com/package-url/purl-spec/issues/239 I used the opportunity to also mention [2] to the community and our intended approach as implemented by this PR.
[1] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm [2] https://redhatproductsecurity.github.io/security-data-guidelines/purl/
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test
(as is the standard for Pipelines as Code)