Open another-rex opened 1 year ago
prabhu
commented
1 year ago +1
cdxgen team has a custom definition of distro and distro_name, where distro is of the form ID-VERSION_ID to deal with alpine and other distro-specific issues.
https://github.com/CycloneDX/cdxgen/blob/master/binary.js#L387
oliverchang
commented
9 months ago @pombredanne
The discussion on https://github.com/ossf/osv-schema/issues/208 reminded me of this issue again :)
Would it make sense to tighten down (for each supported distro), the exact definition of how the distro qualifier is meant to be encoded?
For instance, for Debian in the OSV Schema, we define a Debian distro as the exact release number as it appears in https://debian.pages.debian.net/distro-info-data/debian.csv. e.g. "4.0" as opposed to "4", and "8" as opposed to "8.0".
There doesn't seem to be a specification for how
distroshould be formatted apart from in examples (e.g. debian), or for some distros like Alpine there are no examples of thedistroqualifier, so it's hard to implement a parser for it. (Alpine also does not have a shared package pool across releases, so knowing what alpine version a package is for is very important).Defining a format for
distroqualifier for each ecosystem would be very helpful for implementing tooling that need to know what distro release a PURL is for.