Open garethr opened 1 year ago
Hi @garethr, I really appreciate your input, and thanks for your patience with this issue.
```
pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch
pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64
```
I read that this is meant to imply that the dpkg @ 1.19.0.4 is built for amd64 regardless of distribution (and, therefore, any vulnerability applicable to 1.19.0.4 may apply to this component).
This could be further narrowed by specifying distro, but IMHO, PURL's original goal has been disambiguation rather than refinement. Let me know if you disagree with this assessment.
Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.
Here's an example of a Debian SBOM created using bom-v0.4.1:
This contains references like:
From the purl spec:
Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.
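As an added example (not code from this issue, nor from the bom or purl projects), here is a small checker that splits a purl into the components the spec defines and flags `pkg:deb` entries that carry no `distro` qualifier, which is the data-quality gap described above; the sample purls are the three quoted in this thread.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample: the three purls quoted in this issue.
SAMPLE_PURLS = [
    "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie",
    "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch",
    "pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64",
]


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into a dict."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath comes last
    rest, _, query = rest.partition("?")        # then the qualifier string
    # parse_qsl percent-decodes values; qualifier keys are case-insensitive
    qualifiers = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    if "@" in rest:
        path, _, version = rest.rpartition("@")  # version follows the last '@'
        version = unquote(version)
    else:
        path, version = rest, None
    segments = [unquote(s) for s in path.split("/") if s]
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(segments[1:-1]) or None,
        "name": segments[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath or None,
    }


def missing_distro(purl):
    """True for a pkg:deb purl whose qualifiers do not name the distro release."""
    p = parse_purl(purl)
    return p["type"] == "deb" and "distro" not in p["qualifiers"]


def audit(purls):
    """Map each purl to its list of findings; an empty list means it is specific enough."""
    report = {}
    for purl in purls:
        try:
            findings = ["missing distro qualifier"] if missing_distro(purl) else []
        except ValueError as exc:
            findings = [str(exc)]
        report[purl] = findings
    return report
```

Running `audit(SAMPLE_PURLS)` reports only the `pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64` entry, matching the ambiguity called out above.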