-
Notifications
You must be signed in to change notification settings - Fork 588
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
purl field for distros #1575
Comments
Interesting! I think this would be a fun addition. I think the biggest question before starting on work is to understand how the tag id can be determined nicely for distros. That is, is there somewhere on the filesystem we could discover the tagid of |
Yeah, the big problem here is that I don't believe that many distros support swid tags atm Supports SWID:
No Support for SWID :
As I understand, the distro creators should be creating SWID identifiers for their distros and storing that info at I just realized that cpes could also be used here to identify the OS version, and it looks like they are already supported in syft, but only for some distros. For example, amazonlinux has them, but not Ubuntu. Do you know why that might be? A bug or expected behaviour? Amazon Linux
Ubuntu
|
Upon further investigation, it looks like the CpeName is an optional property in CpeName runs into the same problem as SWID, where there is not a very high usage across the distros. (But more for CpeName than SWID). Additionally, there's not really a way we could generate a swid purl for the OS based in the same way we do for package purls now without breaking the purl-spec, because |
At first ,I agree your comment. And I think CPE can cover OS type (coreos, z_system) and exntended support status (eus) in some cases.
If syft (or other tool) can create proper CPE, we can clarify OS EOL perfectly. In my work, I use current |
See package-url/purl-spec#214 and especially package-url/purl-spec#161 for extensive discussion over at In many cases, support status will likely be contingent on configured repositories and even access tokens/machine registration status beyond vendor/release tuples evaluated at a given time, notwithstanding the discovery/awareness value. Also see |
After reading this issue I think I'm on the side of adding this field as optional and filling it in when an operating system supports the SWID. We can get an optional field added that adds the value for:
Opinion: I don't think we should start trying to compute the SWID if the distro does not support it yet. I wanted to bubble @wagoodman's comment back up to the top since I think this is still an open question. Do we have to determine this if the distro provides an SWID out of the box already?
|
What would you like to be added:
Just like syft generates a
purl
for packages, I would like to be able to generate purls for distros. The purl-spec supports aswid
type that we can use for identifying OS versions.One suggestion in the purl-spec was that an
os
type could be created, but the maintainers of purl-spec made it clear thatswid
should be used for identifying OS packages.Why is this needed:
I would like to use a PURL for OS versions to identify OS versions that are End of Life for my project at https://github.com/noqcks/xeol
If the maintainers of Syft think that PURLs for distros is a fine suggestion, I can help implement it.
The text was updated successfully, but these errors were encountered: