Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License
Correction of the purl generation for apk package #1154
The purl generation for apk packages was faulty. For example, the purl
for an alpine image busybox package was pkg:apk/alpine/busybox@1.31.1-r9
instead of the correct pkg:alpine/busybox@1.31.1-r9.
Note that "apk" type packages are not defined for purl yet,
specifically, but OSSINDEX uses the pkg:alpine[1] notation and purl has
purposely chosen not to use "apk" as an identifier due to a known
conflict with Android which also uses the term apk[2].
[1] https://ossindex.sonatype.org/component/pkg:alpine/busybox@1.31.1-r9
[2] https://github.com/package-url/purl-spec/issues/159#issuecomment-1081087336
Resolves: #1131
Signed-off-by: Thiéfaine Mercier thiefaine.mercier@avisto.com
Signed-off-by: Rose Judge rjudge@vmware.com
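As an added example (not Tern's own code), the corrected purl form beside the faulty one described above, plus a helper that rewrites purls in SBOMs generated before this fix so they can still be matched against OSS Index. Percent-encoding of name and version follows the purl spec and is an assumption about how Tern encodes them.

```python
from typing import Optional
from urllib.parse import quote

# Pre-fix behaviour reconstructed from the commit message (assumption, not
# Tern's actual code): "apk" used as the purl type with the distro as namespace.
def faulty_apk_purl(distro: str, name: str, version: str) -> str:
    return f"pkg:apk/{distro}/{name}@{version}"


def apk_purl(name: str, version: str) -> str:
    """Build the purl for an Alpine apk package.

    purl-spec defines no "apk" type (the name collides with Android), so the
    OSS Index convention pkg:alpine/<name>@<version> is used: type "alpine",
    no namespace. Name and version are percent-encoded per the purl spec.
    """
    return f"pkg:alpine/{quote(name, safe='')}@{quote(version, safe='')}"


def _split_type(purl: str):
    """Return (type, remainder) for a purl string, or raise on bad scheme."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    ptype, _, rest = purl[len("pkg:"):].partition("/")
    return ptype.lower(), rest


def purl_type(purl: str) -> str:
    """purl type component, lowercased ("alpine" for pkg:alpine/...)."""
    return _split_type(purl)[0]


def repair_apk_purl(purl: str) -> Optional[str]:
    """Rewrite a pre-fix pkg:apk/alpine/<name>@<version> purl to the
    correct pkg:alpine/<name>@<version> form.

    Returns the input unchanged when it is not of type "apk", and None when
    the namespace is not "alpine" (no known correct mapping for it here).
    """
    ptype, rest = _split_type(purl)
    if ptype != "apk":
        return purl
    namespace, sep, remainder = rest.partition("/")
    if not sep or namespace.lower() != "alpine":
        return None
    return f"pkg:alpine/{remainder}"
```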