I wish PURL proposed something sensible or at least usable for tracking C / C++ native libraries, that are NOT hosted on a registry like conan.io, or one of the linux distro registries, but is still (self-)hosted somewhere online.
For libraries that are hosted on `github`, there's at least the github type.
But there is no official `gitlab` or `git` type, and i've read comments that even the `github` type is considered a mistake.
One example of such a library could be a Qt or KDE / Plasma library.
So to the more knowledgeable people out there, what is the PURL way of identifying a C++ library like that?
Is `generic` type + vcs_url qualifier really the only way?
Right now it seems impossible to track vulnerabilities for such libraries with OSS / open tools, because none of the open tools or databases support a custom type or registry or ecosystem.
For example none of services here support some custom C++ ecosystem (putting aside conan):
Something else PURLs don't capture well for native libraries is any sort of build configuration. I don't know of any clear way in a PURL to describe a say Debian package built from a src package with a custom set of compiler options.
For Java and interpreted language packages the "build" configuration is less important or non-existent. For compiled packages the build environment is important.
It seems the only way is to use a custom namespace and abuse the qualifiers but then you've got a non-canonical PURL and its utility in things like SBOMs is limited.
Good point, but that's may not be in scope either... since this is not even something you can get from Debian easily: not just looking at a Debian pool or diving into a package control files AFAIK?
Say I rebuild a Debian package with some new build options.
Is this a the same or a new package? I'd say a new one.
Is this the same name? I'd say a new one.
Is this distributed by Debian? Nope, so this comes from another repo and pool, right?
The idea with PURL is to have simple and short PURLs for the common case, and make it possible to handle less common cases. Rebuilding a package and sharing it on another repo would be a less common case to me? WDYT?
If you want to chip in and help, this would be awesome.
And IMHO, aligned with your thinking this should not be tied to a build system or a for-profit operation like conan.io, or a linux distro, or for that matter a specific build tool or approach as they are so many, and be self-hosted, easy to sync, and simple to store in a git repo.
Thanks for the links!
I hope the proposal works out.
I skimmed through the doc, and one thing i’d suggest is to consider using the CPS format rather than the ABOUT one for the metadata.
The format is driven by Kitware, the developers of cmake, and thus if it’s contributed to them, a big chunk of the cpp ecosystem would get buy-in just because of the intertia of using cmake, and getting it for free with the tool.
I’m not sure how I can help, but I’m open for discussion, because the company i work for is also interested in how to handle this well for our products.
completely agree here `git` type using the namespace of your choice would be plenty to enable tools to find these packages. Even though its not "officially" supported in the spec this is what we do internally
IMHO, a bare git stuff would be a git URL as specified in pip and SPDX and not a PURL... I would be interested to know more about your use case. Feel free to drop a note at pombredanne@aboutcode.org
That's actually the best explanation I have seen in a long time!
- in most cases, no guesses needed
- you can use it in Cyclone, SPDX, and CSAF and still talk about the same package even if the format varies
- CVE.org is considering it as an addition on the same footing as CPE
- there a good bunch of databases that "speak" PURL, like Google OSV, Sonatype OSS Index, Deps.dev, and AboutCode's PurlDB and VulnerableCode (disclosure: I am a lead maintainer for AboutCode FOSS projects)
- most scanners speak PURL too.
Note that same scanners and tools speak not exactly PURL but some "PURLish" dialect and we have a project to help streamline that and lift up the whole ecosystem of PURL users with https://nlnet.nl/project/purlvalidator/
In my opinion, there are some problems with this, such as:
- The cryptographic hash is not included. (They do mention security, a hash and/or public keys would be helpful for security. It would also be helpful for identification if names are reused for unrelated reasons.)
- There is not a distinction between interfaces and implementations (which in some cases you might care about, although not always).
- They do not mention examples of what qualifiers are possible for some package types.
For all its expressiveness of the CPE format I find PURLs much easier to work with. Especially when it comes to software that doesn't fall neatly into the classic vendor/product split like what CPE envisions.
Yeah, the CPE idea of a vendor for an open source package does not compute too well!
FWIW, PURL came about as I could NOT put my mind around CPEs when I was scanning for package and deps with scancode and could not find any easy way to go from that to looking up a vulnerability/CVE in the NVD, as it was all guesswork and manual.
So we started instead to put the vuln data in our own db, keyed by something that would be easy to relate from the scans. This eventually became PURL
Is this about Maven "groupid" mapped to a namespace? "com.foo.bar" is Maven's own invention and notation.... in most cases we are just trying to adopt the ecosystem convention to minimize fictions.
The standard supports a repository_url "qualifier" (query parameter)[0], which can be used to override whatever the default registry is (which, for Docker, is hub.docker.com[1]).
>There's even a generic type as a catch-all for things that don't fit an existing ecosystem (for example, a proprietary or legacy component) or for ecosystems that build custom distributions, such as yocto or buildroot. We should note, however, that SBOM and software composition analysis tools vary widely in their ability to understand generic PURLs, so we do recommend you talk to your current (or prospective) vendor if this is an important feature for you.
Readit News
For libraries that are hosted on `github`, there's at least the github type.
But there is no official `gitlab` or `git` type, and i've read comments that even the `github` type is considered a mistake.
One example of such a library could be a Qt or KDE / Plasma library.
They are hosted on their own forges, https://code.qt.io/ and https://invent.kde.org respectively.
So to the more knowledgeable people out there, what is the PURL way of identifying a C++ library like that?
Is `generic` type + vcs_url qualifier really the only way?
Right now it seems impossible to track vulnerabilities for such libraries with OSS / open tools, because none of the open tools or databases support a custom type or registry or ecosystem.
For example none of services here support some custom C++ ecosystem (putting aside conan):
https://docs.dependencytrack.org/analysis-types/known-vulner...
Same for https://docs.dependencytrack.org/datasources/osv/
For Java and interpreted language packages the "build" configuration is less important or non-existent. For compiled packages the build environment is important.
It seems the only way is to use a custom namespace and abuse the qualifiers but then you've got a non-canonical PURL and its utility in things like SBOMs is limited.
Say I rebuild a Debian package with some new build options.
Is this a the same or a new package? I'd say a new one.
Is this the same name? I'd say a new one.
Is this distributed by Debian? Nope, so this comes from another repo and pool, right?
The idea with PURL is to have simple and short PURLs for the common case, and make it possible to handle less common cases. Rebuilding a package and sharing it on another repo would be a less common case to me? WDYT?
> So to the more knowledgeable people out there, what is the PURL way of identifying a C++ library like that?
That's a blind spot. This is a real problem for every as you rightfully explained.
So I have been thinking a lot about how to track C/C++ native libraries, and I have been working on a plan to deal with this.
You can read a summary there (that I just posted to supply this discussion!) - https://github.com/aboutcode-org/www.aboutcode.org/issues/30
And this comment links to more detailed work-in-progress planning doc: - https://github.com/aboutcode-org/www.aboutcode.org/issues/30...
If you want to chip in and help, this would be awesome.
And IMHO, aligned with your thinking this should not be tied to a build system or a for-profit operation like conan.io, or a linux distro, or for that matter a specific build tool or approach as they are so many, and be self-hosted, easy to sync, and simple to store in a git repo.
https://cps-org.github.io/cps/overview.html
I’m not sure how I can help, but I’m open for discussion, because the company i work for is also interested in how to handle this well for our products.
gitlab and github do provide package-like discoverability. Do you have a pointer that says a github package is a mistake?
https://purl.archive.org/
I wonder if Yarn will support PURLs. ;)
And the new thing, working towards making it a real standard with Ecma https://tc54.org/purl/ ... :)
$ mpm install pkg:npm/left-pad@1.2.3
Other commands allows you to export the SBOM of all packages installed on your machine. More info at: https://github.com/kdeldycke/meta-package-manager
- in most cases, no guesses needed - you can use it in Cyclone, SPDX, and CSAF and still talk about the same package even if the format varies - CVE.org is considering it as an addition on the same footing as CPE - there a good bunch of databases that "speak" PURL, like Google OSV, Sonatype OSS Index, Deps.dev, and AboutCode's PurlDB and VulnerableCode (disclosure: I am a lead maintainer for AboutCode FOSS projects) - most scanners speak PURL too.
Note that same scanners and tools speak not exactly PURL but some "PURLish" dialect and we have a project to help streamline that and lift up the whole ecosystem of PURL users with https://nlnet.nl/project/purlvalidator/
- The cryptographic hash is not included. (They do mention security, a hash and/or public keys would be helpful for security. It would also be helpful for identification if names are reused for unrelated reasons.)
- There is not a distinction between interfaces and implementations (which in some cases you might care about, although not always).
- They do not mention examples of what qualifiers are possible for some package types.
- an optional(?) hash parameter
- a way to say you depend on a thing for which there are multiple implementations and not specify which implementation
FWIW, PURL came about as I could NOT put my mind around CPEs when I was scanning for package and deps with scancode and could not find any easy way to go from that to looking up a vulnerability/CVE in the NVD, as it was all guesswork and manual.
So we started instead to put the vuln data in our own db, keyed by something that would be easy to relate from the scans. This eventually became PURL
This is all tracked in these places: - The original issue: https://github.com/aboutcode-org/scancode-toolkit/issues/805 - The initial pull request with many comments: https://github.com/package-url/purl-spec/pull/1
What’s the point of com.something.other? Why are we using dot notation when everything else is kebab case?
[0]: https://github.com/package-url/purl-spec/blob/main/PURL-SPEC...
[1]: https://github.com/package-url/purl-spec/blob/main/PURL-TYPE...
>There's even a generic type as a catch-all for things that don't fit an existing ecosystem (for example, a proprietary or legacy component) or for ecosystems that build custom distributions, such as yocto or buildroot. We should note, however, that SBOM and software composition analysis tools vary widely in their ability to understand generic PURLs, so we do recommend you talk to your current (or prospective) vendor if this is an important feature for you.