Closed itaysk closed 1 year ago
+1 — This is a great question, and we need to be clear on the expectation here!
My vote is for approach number 1 above. Here's how I'm thinking about it: I would treat qualifiers similar to how query string parameters would idiomatically be handled in an HTTP request.
Continuing with the npm/lib
SBOMs example, I'd expect:
arch=amd64
would match only the package from SBOM-tool-B
license=MIT
or arch=arm64
) would match neither of the SBOMs' packagesI agree with Dan's expectations. VEX qualifiers can glob the SBOM qualifiers, obviously not the other way around. We should write this down and implement a function to compare purls in the OpenVEX libraries to ensure applications match purls in the same way.
This issue is now resolved by the release of the v0.2.0 spec and the v0.2.5 libraries that have built-in purl matching. Thanks!
It is clear that
pkg://my@1.2.3?arch=amd64
means just theamd64
variation of packagemy@1.2.3
, but what doespkg://my@1.2.3
means? Instinctively, no qualifiers means all possible variations of the package, but since PURL specifiers are optional, we don't know if the user omitted the qualifiers intentionally in order to widen the scope, or neglected to include them for another reason (since they are optional). This is relevant to VEX because when matching the product id PURLs, we need to assume that the PURL in both locations followed the same choices as to which specifiers to use.Example: Let there be package
pkg://npm/libA
that has onlyamd64
architecture variation.SBOM-tool-A
generated SBOM with packagepkg://npm/libA@1.2.3
whileSBOM-tool-B
generated SBOM withpkg://npm/libA@1.2.3?arch=amd64
. Note that Both SBOM tools produced correct results. Since libA has only one architecture variation, maintainers of libA issued VEX with product id:pkg://npm/libA@1.2.3
. What should the VEX consumer do?Possible approaches:
?file_name=libA
, or if the same qualifier will be used in a another VEX (maintainers later added support forarm64
).SBOM-tool-B
.