'component' metadata claims Airflow is an npm or application #44178

Open
1 of 2 tasks
raboof opened this issue Nov 19, 2024 · 1 comment
Labels: area:core, kind:bug (This is clearly a bug), needs-triage (label for new issues that we didn't triage yet)

Comments

raboof (Member) commented Nov 19, 2024

Apache Airflow version

2.10.3

If "Other Airflow 2 version" selected, which one?

No response

What happened?

Looking at Airflow SBOMs such as apache-airflow-sbom-2.10.3-python3.12.json and apache-airflow-sbom-2.10.3-python3.12-python-only.json, they identify the artifact being described by those SBOMs as pkg:npm/apache-airflow@2.10.3 and pkg:application/apache-airflow@2.10.3. These are Purls, but I'm pretty sure Airflow is not an npm package, and application does not exist as a purl type at all.

What you think should happen instead?

  • Decide exactly what is being described by this SBOM. Does it describe a particular artifact, such as https://pypi.org/project/apache-airflow/ ? Then it should probably use the pypi Purl type. If it describes Airflow more 'in the abstract', perhaps we should use the generic Purl type or introduce an asf purl type.

How to reproduce

Generate the SBOMs

Operating System

n/a

Versions of Apache Airflow Providers

No response

Deployment

Other

Deployment details

No response

Anything else?

Part of this may be an upstream issue in https://github.com/CycloneDX/cdxgen , but I figured it would be good to first determine what we want to achieve 'concretely' here, and only look at what changes we may or may not need to generalize in upstream tooling after that.

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

raboof added the area:core, kind:bug and needs-triage labels on Nov 19, 2024
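A consumer-side check for the problem raised above, added here as an example (it is not code from the Airflow project or from cdxgen): parse the purl in a CycloneDX SBOM's `metadata.component`, verify that its type is one the purl spec actually defines, and verify that it matches the ecosystem the SBOM is meant to describe. The SBOM documents below are constructed for this example and only reproduce the two purl values quoted in the issue; `expected_type`, `check_sbom_purl` and `parse_purl` are names chosen here, and the set of known purl types is a snapshot of purl-spec's PURL-TYPES.md, not a live lookup.

```python
"""Sanity-check the purl of a CycloneDX SBOM's metadata.component.

Example code, not Airflow's or cdxgen's. Flags purl types the spec does not
define (e.g. "application") and types that do not match the expected
ecosystem (e.g. "npm" for a distribution published on PyPI).
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Snapshot of the types listed in purl-spec/PURL-TYPES.md (assumption: a
# snapshot taken for this example, not an authoritative live list).
# "application" is not among them; CycloneDX does allow "application" as a
# *component* type, but that is a different field from the purl type.
KNOWN_PURL_TYPES = frozenset({
    "alpm", "apk", "bitbucket", "bitnami", "cargo", "cocoapods", "composer",
    "conan", "conda", "cran", "deb", "docker", "gem", "generic", "github",
    "golang", "hackage", "hex", "huggingface", "luarocks", "maven", "mlflow",
    "npm", "nuget", "oci", "pub", "pypi", "qpkg", "rpm", "swid", "swift",
})


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Minimal parser covering only what this check needs; qualifiers and
    subpath are stripped and ignored.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl (missing pkg: scheme): {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0]           # drop subpath
    rest = rest.split("?", 1)[0]           # drop qualifiers
    ptype, sep, path = rest.partition("/")
    if not sep or not path:
        raise ValueError(f"purl has no name component: {purl!r}")
    version = None
    if "@" in path:
        path, version = path.rsplit("@", 1)
    if "/" in path:
        namespace, name = path.rsplit("/", 1)
    else:
        namespace, name = None, path
    return Purl(ptype.lower(), namespace, name, version)


def check_sbom_purl(sbom_json: str, expected_type: str) -> List[Tuple[str, str]]:
    """Return (kind, message) findings for metadata.component.purl.

    expected_type is the purl type the SBOM author intended ("pypi" for a
    distribution on PyPI). An empty list means the purl passed both checks.
    """
    doc = json.loads(sbom_json)
    component = doc.get("metadata", {}).get("component", {})
    purl_str = component.get("purl")
    if not purl_str:
        return [("missing-purl", "metadata.component has no purl")]
    try:
        purl = parse_purl(purl_str)
    except ValueError as exc:
        return [("unparseable-purl", str(exc))]
    if purl.type not in KNOWN_PURL_TYPES:
        return [("unknown-type",
                 f"{purl_str}: type {purl.type!r} is not defined by the purl spec")]
    if purl.type != expected_type:
        return [("type-mismatch",
                 f"{purl_str}: type {purl.type!r} but this SBOM describes "
                 f"a {expected_type!r} artifact")]
    return []


def make_sbom(purl: str) -> str:
    """Constructed CycloneDX fragment carrying the given metadata purl."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": "apache-airflow",
                                   "version": "2.10.3", "purl": purl}},
        "components": [],
    })


# The two purls quoted in the issue, plus the pypi form proposed there.
SBOM_NPM = make_sbom("pkg:npm/apache-airflow@2.10.3")
SBOM_APPLICATION = make_sbom("pkg:application/apache-airflow@2.10.3")
SBOM_PYPI = make_sbom("pkg:pypi/apache-airflow@2.10.3")

if __name__ == "__main__":
    for label, doc in (("npm", SBOM_NPM), ("application", SBOM_APPLICATION), ("pypi", SBOM_PYPI)):
        print(label, check_sbom_purl(doc, expected_type="pypi"))
```

Run against the real SBOM files, the same check would distinguish the two failure modes the issue describes: the npm purl is well-formed but points at the wrong ecosystem, while the application purl uses a type no purl consumer can resolve.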

boring-cyborg bot commented Nov 19, 2024

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise a PR to address this issue, please do so; no need to wait for approval.
