Add purl information to SPDX reports when available #1206
Labels: spdx (Issues related to the SPDX formatting of Tern reports)

Comment: I'd like to work on this.
ivanayov added a commit to ivanayov/tern that referenced this issue on Jan 13, 2023:

This change adds purl data to all packages listed

Addresses tern-tools#1206

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue on Mar 1, 2023:

A package object's `pkg_format` attribute is used in the default report, as well as to determine when a license value should be retrieved from the `pkg_licesnes` attribute value (i.e. tern/formats/default/generator.py). Moving forward, we can also use the `pkg_format` as a purl type. This commit changes the go and pacman binary pkg_formats to align with the purl types[1] in the purl specification.

[1] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

Works towards: tern-tools#1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit that referenced this issue on Mar 1, 2023:

A package object's `pkg_format` attribute is used in the default report, as well as to determine when a license value should be retrieved from the `pkg_licesnes` attribute value (i.e. tern/formats/default/generator.py). Moving forward, we can also use the `pkg_format` as a purl type. This commit changes the go and pacman binary pkg_formats to align with the purl types[1] in the purl specification.

[1] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

Works towards: #1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue on Mar 6, 2023:

This commit adds package architecture information to Tern's data model by collecting it during analysis. Many purl types[1] include an architecture qualifier key. Having this attribute available in Tern's data model will make creating and reporting purls easier and more accurate.

[1] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

Works towards tern-tools#1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit that referenced this issue on Mar 7, 2023:

This commit adds package architecture information to Tern's data model by collecting it during analysis. Many purl types[1] include an architecture qualifier key. Having this attribute available in Tern's data model will make creating and reporting purls easier and more accurate.

[1] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

Works towards #1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue on Mar 10, 2023:

This commit adds `pkg_supplier` metadata collection scripts to base.yml so it can later be used to declare a namespace field for photon package purls. It also makes a few tweaks to the `pkg_supplier` script for `apk` and `pip` based package managers.

Works towards tern-tools#1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue on Mar 10, 2023:

This commit adds a new function, `get_purl()` to spdx_common.py which uses the packageurl library to generate purl strings for given package objects. The namespace for certain purls is determined using the /etc/os-release file information collected via the `pkg_suppliers` field in base.yml. This commit then adds purl strings as external references[1] to both SPDX tag value and SPDX json reports.

[1] https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field

Resolves tern-tools#1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
rnjudge added a commit that referenced this issue on Mar 20, 2023:

This commit adds a new function, get_purl() to spdx_common.py which uses the `packageurl` library to generate purl strings for given package objects. The namespace for certain purls is determined using the /etc/os-release file information collected via the pkg_suppliers field in base.yml. This commit then adds purl strings as external references[1] to both SPDX tag value and SPDX json reports.

[1] https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field

Resolves #1206

Signed-off-by: Rose Judge <rjudge@vmware.com>
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

Tern's SPDX documents are more consumable and interoperable with other tooling if purls are available for the packages.

SPDX supports the inclusion of purls as a PACKAGE-MANAGER category of ExternalReference for a package. See https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field and https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/#f35-purl.
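The following is an added illustration, not Tern's `get_purl()` or any code from this thread, of what the issue asks for: building a purl from a package record whose `pkg_format` is the purl type, taking the distro namespace from the collected /etc/os-release ID, adding the `arch` qualifier, and emitting the SPDX 2.3 PACKAGE-MANAGER ExternalRef line. It percent-encodes by hand instead of using the packageurl library; the package dicts, the os-release text and the rule that only deb/rpm/apk take the os-release ID as namespace are assumptions made for the example.

```python
"""Purl construction for package records plus SPDX tag-value ExternalRef output.
Standalone example: encodes purls by hand rather than via the packageurl library;
all package fields and the os-release text below are constructed samples."""
from urllib.parse import quote

# Constructed stand-in for the /etc/os-release content Tern collects via pkg_supplier.
SAMPLE_OS_RELEASE = 'NAME="Debian GNU/Linux"\nID=debian\nVERSION_ID="11"\n'

# Assumption for this example: these purl types use the distro ID as their namespace.
DISTRO_TYPES = {"deb", "rpm", "apk"}


def os_release_id(text: str) -> str:
    """Return the ID= value from os-release text (quotes stripped, lowercased)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ID":
            return value.strip().strip('"').lower()
    return ""


def enc(value) -> str:
    """Percent-encode a purl component; only unreserved characters stay bare."""
    return quote(str(value), safe="")


def build_purl(pkg_type, name, version=None, namespace=None, qualifiers=None, subpath=None):
    """Assemble pkg:type/namespace/name@version?qualifiers#subpath per the purl spec."""
    if not pkg_type or not name:
        raise ValueError("a purl needs at least a type and a name")
    out = "pkg:" + pkg_type.lower() + "/"
    if namespace:  # each namespace segment is encoded separately, '/' kept as separator
        out += "/".join(enc(s) for s in namespace.strip("/").split("/") if s) + "/"
    out += enc(name)
    if version:
        out += "@" + enc(version)
    quals = {k.lower(): v for k, v in (qualifiers or {}).items() if v}
    if quals:  # qualifiers are sorted by key so the purl is canonical
        out += "?" + "&".join(f"{k}={enc(quals[k])}" for k in sorted(quals))
    if subpath:
        out += "#" + "/".join(enc(s) for s in subpath.split("/") if s not in ("", ".", ".."))
    return out


def package_purl(pkg: dict, os_release_text: str = SAMPLE_OS_RELEASE) -> str:
    """Map a package dict (keys mirror Tern's pkg_format/name/version/arch) to a purl."""
    fmt = pkg["pkg_format"]
    namespace = os_release_id(os_release_text) if fmt in DISTRO_TYPES else pkg.get("namespace")
    return build_purl(fmt, pkg["name"], pkg.get("version"), namespace, {"arch": pkg.get("arch")})


def spdx_external_ref(purl: str) -> str:
    """Tag-value ExternalRef line as described in SPDX 2.3 section 7.21."""
    return f"ExternalRef: PACKAGE-MANAGER purl {purl}"
```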