Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
This commit adds a new function, get_purl() to spdx_common.py which
uses the packageurl library to generate purl strings for given package
objects. The namespace for certain purls is determined using the
/etc/os-release file information collected via the pkg_suppliers field
in base.yml.
This commit then adds purl strings as external references [1] to both
SPDX tag value and SPDX json reports.
[1] https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field
Resolves https://github.com/tern-tools/tern/issues/1206
Signed-off-by: Rose Judge rjudge@vmware.com
Signed-off-by: Ivana Atanasova iyovcheva@vmware.com
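The following is an added example of the approach the commit message describes; it is not Tern's own get_purl() from spdx_common.py and does not reproduce its signature. It builds purl strings for packages, taking the namespace for OS packages (deb, rpm, apk) from the ID field of /etc/os-release, and wraps the result as an SPDX 2.3 ExternalRef for both the tag-value and JSON forms. The format-to-type table, the helper names, and the sample os-release text are assumptions made for the example. The packageurl library is used when it is installed; a minimal spec-following encoder is included as a fallback so the example runs offline.

```python
"""Generate Package URL (purl) strings for packages found in a container
image and express them as SPDX 2.3 external references.

Added illustration only: this is not Tern's get_purl(). The helper names,
the format-to-type table and the sample data below are assumptions.
"""
from urllib.parse import quote

# Constructed sample of an /etc/os-release file (not taken from a real image).
SAMPLE_OS_RELEASE = '''PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
ID=debian
HOME_URL="https://www.debian.org/"
'''

# purl types whose namespace is the distribution ID, following the purl-spec
# examples for deb, rpm and apk (assumption for this example).
OS_PACKAGE_TYPES = {"deb", "rpm", "apk"}

# Map from the package-manager name a scanner records to a purl type
# (assumed table for this example; Tern's own mapping may differ).
FORMAT_TO_PURL_TYPE = {
    "deb": "deb", "rpm": "rpm", "apk": "apk",
    "pip": "pypi", "npm": "npm", "gem": "gem",
}


def parse_os_release(text):
    """Return the KEY=VALUE pairs of an os-release file as a dict.
    Surrounding quotes are stripped; comments and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def os_namespace(os_release_text):
    """Namespace for OS packages: the ID field of os-release, or None if absent."""
    if not os_release_text:
        return None
    return parse_os_release(os_release_text).get("ID") or None


def _manual_purl(ptype, namespace, name, version):
    """Fallback encoder following the purl spec layout
    pkg:type/namespace/name@version with each component percent-encoded.
    Only used when the packageurl library is not installed."""
    parts = ["pkg:", ptype.lower(), "/"]
    if namespace:
        segs = namespace.strip("/").split("/")
        parts.append("/".join(quote(s, safe="") for s in segs))
        parts.append("/")
    parts.append(quote(name, safe=""))
    if version:
        parts.append("@" + quote(version, safe=""))
    return "".join(parts)


def get_purl(pkg_format, name, version, os_release_text=None):
    """Return a purl string for one package, or None when the package
    format has no known purl type (better no purl than a wrong one).
    OS packages get their namespace from os-release; language packages
    (pypi, npm, gem) get no namespace from it."""
    ptype = FORMAT_TO_PURL_TYPE.get(pkg_format)
    if ptype is None:
        return None
    namespace = os_namespace(os_release_text) if ptype in OS_PACKAGE_TYPES else None
    try:
        from packageurl import PackageURL  # real library: packageurl-python
        return PackageURL(type=ptype, namespace=namespace,
                          name=name, version=version).to_string()
    except ImportError:
        return _manual_purl(ptype, namespace, name, version)


def spdx_tag_value_ref(purl):
    """SPDX 2.3 tag-value ExternalRef line: category, type, locator."""
    return "ExternalRef: PACKAGE-MANAGER purl " + purl


def spdx_json_ref(purl):
    """SPDX 2.3 JSON externalRefs entry with the same three fields."""
    return {"referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": purl}


if __name__ == "__main__":
    for fmt, name, ver in [("deb", "bash", "5.1-2"), ("pip", "requests", "2.25.1")]:
        p = get_purl(fmt, name, ver, SAMPLE_OS_RELEASE)
        print(spdx_tag_value_ref(p))
        print(spdx_json_ref(p))
```

A package whose format is not in the table yields None, so the caller can simply skip the ExternalRef instead of emitting a purl with an invented type; when os-release is missing, OS packages still get a syntactically valid purl, just without the distribution namespace.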