Add vcs data to purls

src/main.rs

@@ -6,7 +6,6 @@ use clap::Parser;
 use serde_cyclonedx::cyclonedx::v_1_5 as cyclonedx;
 
 use crate::model::Model;
-use crate::nixtract::Nixtract;
 
 mod model;
 mod nixtract;
@@ -28,7 +27,7 @@ fn main() -> Result<(), io::Error> {
         let entry: nixtract::NixtractEntry = serde_json::from_str(line.trim()).unwrap();
         entries.push(entry);
     }
-    let nixtract: Nixtract = Nixtract { entries };
+    let nixtract: nixtract::Nixtract = nixtract::Nixtract { entries };
 
     let model: Model = nixtract.into();
     let cyclonedx: cyclonedx::CycloneDx = model.into();

src/model.rs

@@ -20,6 +20,8 @@ pub(crate) struct ModelComponent {
     pub(crate) description: String,
     pub(crate) external_references: Vec<ModelExternalReference>,
     pub(crate) licenses: Option<Vec<ModelLicense>>,
+    // Not directly taken from the cycloneDX spec, but part of the purl
+    pub(crate) src: Option<ModelSource>,
 }
 
 #[derive(Debug)]
@@ -50,6 +52,12 @@ pub(crate) struct ModelLicense {
     pub(crate) name: Option<String>,
 }
 
+#[derive(Debug)]
+pub(crate) struct ModelSource {
+    pub(crate) git_repo_url: String,
+    pub(crate) rev: String,
+}
+
 #[derive(Debug)]
 pub(crate) struct ModelDependency {
     pub(crate) r#ref: String,
@@ -100,10 +108,17 @@ impl From<ModelComponent> for cyclonedx::Component {
         builder.external_references(external_references);
 
         if !model_component.name.is_empty() && !model_component.version.is_empty() {
-            let purl: String = format!(
-                "pkg:generic/{}@{}",
-                model_component.name, model_component.version
-            )
+            let purl: String = if let Some(src) = model_component.src {
+                format!(
+                    "pkg:generic/{}@{}?vcs_url=git+{}@{}",
+                    model_component.name, model_component.version, src.git_repo_url, src.rev
+                )
+            } else {
+                format!(
+                    "pkg:generic/{}@{}",
+                    model_component.name, model_component.version
+                )
+            }
             .to_owned();
             builder = builder.purl(purl);
         }

src/nixtract.rs

@@ -10,7 +10,7 @@ use serde::Deserialize;
 
 use crate::model::{
     Model, ModelComponent, ModelDependency, ModelExternalReference, ModelExternalReferenceType,
-    ModelLicense, ModelType,
+    ModelLicense, ModelSource, ModelType,
 };
 
 #[derive(Deserialize, Debug)]
@@ -31,6 +31,7 @@ pub(crate) struct NixtractEntry {
     pub(crate) _name: String,
     pub(crate) parsed_name: NixtractParsedName,
     pub(crate) nixpkgs_metadata: NixtractNixpkgsMetadata,
+    pub(crate) src: Option<NixtractSource>,
     pub(crate) build_inputs: Vec<NixtractBuiltInput>,
 }
 
@@ -61,6 +62,13 @@ pub(crate) struct NixtractNixpkgsMetadata {
     pub(crate) licenses: Option<Vec<NixtractLicense>>,
 }
 
+#[derive(Deserialize, Debug)]
+pub(crate) struct NixtractSource {
+    pub(crate) git_repo_url: String,
+    // Revision or tag of the git repo
+    pub(crate) rev: String,
+}
+
 #[derive(Deserialize, Debug)]
 pub(crate) struct NixtractLicense {
     // Not all licenses in nixpkgs have an associated spdx id
@@ -99,6 +107,11 @@ impl From<Nixtract> for Model {
                     .as_ref()
                     .map(|v| v.iter().map(Into::into).collect());
 
+                let src = entry.src.as_ref().map(|src| ModelSource {
+                    git_repo_url: src.git_repo_url.clone(),
+                    rev: src.rev.clone(),
+                });
+
                 ModelComponent {
                     r#type: ModelType::Application,
                     name: entry.parsed_name.name.clone(),
@@ -107,6 +120,7 @@ impl From<Nixtract> for Model {
                     description: entry.nixpkgs_metadata.description.clone(),
                     external_references,
                     licenses,
+                    src,
                 }
             })
             .collect();