Description
What happened:
Packages created based on RPM database information (such as those from OpenSUSE) sometimes contain incorrect PURL namespace values.
For example, running Syft against the official `opensuse/leap:15.6` Docker image produces PURLs similar to the following:

```
pkg:rpm/opensuse-leap/bash-sh@4.4-150400.25.22?arch=x86_64&distro=opensuse-leap-15.6&upstream=bash-4.4-150400.25.22.src.rpm
pkg:rpm/opensuse-leap/boost-license1_66_0@1.66.0-12.3.1?arch=noarch&distro=opensuse-leap-15.6&upstream=boost-base-1.66.0-12.3.1.src.rpm
pkg:rpm/opensuse-leap/libpsl5@0.20.1-150000.3.3.1?arch=x86_64&distro=opensuse-leap-15.6&upstream=libpsl-0.20.1-150000.3.3.1.src.rpm
```
While there aren't any 'official' documents detailing what the PURL `namespace` field should be, it appears that the expected value for OpenSUSE Leap is just `opensuse`, and 'Leap 15.6' should be encoded into the `distro` qualifier (as it correctly is in the above-mentioned cases).
The supporting evidence I have found for the 'correct' namespace simply being `opensuse` is:

- The one opensuse example PURL on the official PURL spec GitHub page: `pkg:rpm/opensuse/curl@7.56.1-1.1.?arch=i386&distro=opensuse-tumbleweed`
- The OpenSUSE PURL entries that currently exist on osv.dev, such as this one: `pkg:rpm/opensuse/libaom-devel-doc&distro=openSUSE%20Leap%2015.5`
It appears that the Syft logic to generate PURLs for such packages simply uses the value of `Distro.ID` verbatim, with the exception of translating `rhel` to `redhat`. I believe that the most straightforward fix would be to add an additional check, something along the lines of "if the `Distro.ID` value starts with `opensuse`, set the namespace to be `opensuse`".
This same issue likely applies to other RPM-based systems (it all depends on how the `Distro.ID` values they use correspond to the expected PURL `namespace` values), but I haven't done any additional research yet into other distros.
What you expected to happen:
The PURL `namespace` value for all OpenSUSE packages should be `opensuse`.
Other RPM-based distros should be evaluated to determine if similar issues apply to them.
Steps to reproduce the issue:
Run Syft against the official `opensuse/leap:15.6` Docker image.
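The mapping the report proposes, written out as a stand-alone Go example. This is added illustration, not Syft's own code: the `Distro` and `RPMPackage` types, the `purlNamespace`, `distroQualifier` and `rpmPURL` functions, and the `<ID>-<Version>` layout of the `distro` qualifier are all assumptions made here for the example, reconstructed from the PURLs shown in the report rather than taken from the project. It keeps the existing `rhel` to `redhat` translation, collapses any ID that starts with `opensuse` (Leap or Tumbleweed) to the `opensuse` namespace, and leaves everything else verbatim, so the Leap flavour and version survive only in the `distro` qualifier:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Distro carries the two fields the namespace logic depends on. It is a
// stand-in defined for this example, not Syft's own distro type.
type Distro struct {
	ID      string // os-release ID, e.g. "opensuse-leap", "rhel", "fedora"
	Version string // e.g. "15.6"
}

// RPMPackage carries the RPM database fields that appear in the issue's PURLs.
type RPMPackage struct {
	Name      string
	Version   string // full "version-release" string as stored in the RPM db
	Arch      string
	SourceRPM string // becomes the "upstream" qualifier
}

// purlNamespace maps a distro ID onto the PURL namespace, implementing the
// rule the issue proposes (hypothetical helper, not Syft's): "rhel" becomes
// "redhat" (the translation the report says already exists), any ID that
// starts with "opensuse" collapses to "opensuse", and every other ID is
// passed through verbatim.
func purlNamespace(distroID string) string {
	id := strings.ToLower(distroID)
	switch {
	case id == "rhel":
		return "redhat"
	case strings.HasPrefix(id, "opensuse"):
		return "opensuse"
	default:
		return id
	}
}

// distroQualifier keeps flavour and version in the "distro" qualifier,
// e.g. "opensuse-leap-15.6", which is where the issue argues "Leap 15.6"
// belongs. The "<ID>-<Version>" layout is assumed from the PURLs in the report.
func distroQualifier(d Distro) string {
	if d.Version == "" {
		return d.ID
	}
	return d.ID + "-" + d.Version
}

// rpmPURL assembles pkg:rpm/<namespace>/<name>@<version>?<qualifiers>.
// url.Values.Encode sorts qualifier keys, which yields the same
// arch/distro/upstream order seen in the issue's examples.
func rpmPURL(d Distro, p RPMPackage) string {
	q := url.Values{}
	if p.Arch != "" {
		q.Set("arch", p.Arch)
	}
	q.Set("distro", distroQualifier(d))
	if p.SourceRPM != "" {
		q.Set("upstream", p.SourceRPM)
	}
	return fmt.Sprintf("pkg:rpm/%s/%s@%s?%s",
		purlNamespace(d.ID), url.PathEscape(p.Name), url.PathEscape(p.Version), q.Encode())
}

func main() {
	// Constructed sample input: the package fields visible in the issue's
	// example PURLs, as they would come out of the Leap 15.6 RPM database.
	leap := Distro{ID: "opensuse-leap", Version: "15.6"}
	pkgs := []RPMPackage{
		{Name: "bash-sh", Version: "4.4-150400.25.22", Arch: "x86_64", SourceRPM: "bash-4.4-150400.25.22.src.rpm"},
		{Name: "boost-license1_66_0", Version: "1.66.0-12.3.1", Arch: "noarch", SourceRPM: "boost-base-1.66.0-12.3.1.src.rpm"},
		{Name: "libpsl5", Version: "0.20.1-150000.3.3.1", Arch: "x86_64", SourceRPM: "libpsl-0.20.1-150000.3.3.1.src.rpm"},
	}
	for _, p := range pkgs {
		fmt.Println(rpmPURL(leap, p))
	}
	// Other IDs are left alone, apart from the existing rhel -> redhat rule.
	fmt.Println(rpmPURL(Distro{ID: "rhel", Version: "9.4"},
		RPMPackage{Name: "bash", Version: "5.1.8-6.el9", Arch: "x86_64"}))
}
```

Running the example prints the three Leap PURLs with `pkg:rpm/opensuse/...` as the namespace while the `distro=opensuse-leap-15.6` qualifier is unchanged, which is the shape the osv.dev and PURL spec examples use. A prefix check is used rather than an exact match so that `opensuse-tumbleweed` and `opensuse-leap` both land in the same namespace; whether other RPM-based IDs need a similar rule is the open question the report leaves for further research.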