
Conversation


@kzantow kzantow commented May 5, 2025

Description

This PR adds a purls format (with aliases: purl). This allows a user to export and, by association, convert to and from a list of PURLs:

# instead of an SBOM, get a list of PURLs
$ syft -q alpine:latest -o purl 

pkg:apk/alpine/alpine-baselayout@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-baselayout-data@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-baselayout
pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-release@3.21.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-base
pkg:apk/alpine/apk-tools@2.14.6-r3?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox-binsh@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/ca-certificates-bundle@20241121-r1?arch=aarch64&distro=alpine-3.21.3&upstream=ca-certificates
pkg:apk/alpine/libcrypto3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/libssl3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/musl@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/musl-utils@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3&upstream=musl
pkg:apk/alpine/scanelf@1.3.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=pax-utils
pkg:apk/alpine/ssl_client@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/zlib@1.3.1-r2?arch=aarch64&distro=alpine-3.21.3

# converting from SPDX json to a list of PURLs
$ syft -q convert alpine.spdx.json -o purl

pkg:apk/alpine/alpine-baselayout@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-baselayout-data@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-baselayout
pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-release@3.21.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-base
pkg:apk/alpine/apk-tools@2.14.6-r3?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox-binsh@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/ca-certificates-bundle@20241121-r1?arch=aarch64&distro=alpine-3.21.3&upstream=ca-certificates
pkg:apk/alpine/libcrypto3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/libssl3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/musl@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/musl-utils@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3&upstream=musl
pkg:apk/alpine/scanelf@1.3.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=pax-utils
pkg:apk/alpine/ssl_client@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/zlib@1.3.1-r2?arch=aarch64&distro=alpine-3.21.3

Additionally, after reading an SBOM, formats are able to "enhance" Syft package data from information in the PURL if the data isn't present in the package. For example: a maven PURL includes the GroupID, something like: pkg:maven/org.apache/something, but this GroupID was not being mapped to the internal data location for GroupID, which could result in false positives in Grype. This happens for PURL input as well as other formats, including SPDX and CycloneDX, in order to improve support for SBOMs created with tools other than Syft.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
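
An added example (not Syft's own code) of the two behaviours the description covers: reading the one-purl-per-line format and enhancing a package record from its PURL, so a Maven GroupID that a third-party SBOM omitted is recovered from the purl namespace. Package, ParsePURL, Enhance and ReadPURLList are hypothetical names, and the apk and maven inputs in the test are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Package is a constructed stand-in for a catalogued package record
// (assumption: Syft's own types are not reproduced here).
type Package struct {
	Type, Namespace, Name, Version, GroupID string
	Qualifiers                              url.Values // arch, distro, upstream, ...
}

// ParsePURL splits pkg:type/namespace/name@version?k=v#subpath into its components.
func ParsePURL(s string) (p Package, err error) {
	rest, ok := strings.CutPrefix(strings.TrimSpace(s), "pkg:")
	rest, _, _ = strings.Cut(rest, "#") // subpath is not needed for matching
	rest, query, _ := strings.Cut(rest, "?")
	rest, p.Version, _ = strings.Cut(rest, "@")
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if !ok || len(parts) < 2 {
		return p, fmt.Errorf("malformed purl: %q", s)
	}
	p.Type, p.Namespace, p.Name = parts[0], strings.Join(parts[1:len(parts)-1], "/"), parts[len(parts)-1]
	p.Qualifiers, err = url.ParseQuery(query) // also percent-decodes qualifier values
	return p, err
}

// Enhance fills fields a non-Syft SBOM may have left empty from the PURL; here
// the Maven GroupID, which the purl carries as its namespace, is the case at hand.
func Enhance(p *Package) {
	if p.Type == "maven" && p.GroupID == "" {
		p.GroupID = p.Namespace
	}
}

// ReadPURLList parses the one-purl-per-line format and enhances each entry.
func ReadPURLList(text string) (pkgs []Package, err error) {
	for _, line := range strings.Fields(text) { // blank lines are skipped
		p, perr := ParsePURL(line)
		if perr != nil {
			return nil, perr
		}
		Enhance(&p)
		pkgs = append(pkgs, p)
	}
	return pkgs, nil
}
```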

@wagoodman wagoodman added this to OSS May 7, 2025
@wagoodman wagoodman moved this to In Progress in OSS May 7, 2025
@kzantow kzantow changed the title feat: purl-list format feat: purl list format May 7, 2025
kzantow added 4 commits May 7, 2025 12:28
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@wagoodman wagoodman moved this from In Progress to In Review in OSS May 7, 2025
@wagoodman wagoodman left a comment


Added a few comments, but crosses the threshold of mergeable for me 👍

@wagoodman wagoodman added the enhancement New feature or request label May 8, 2025
@wagoodman wagoodman changed the title feat: purl list format feat: Add PURL list input/output format May 8, 2025
@kzantow kzantow merged commit 621d21e into anchore:main May 12, 2025
13 checks passed
@kzantow kzantow deleted the feat/purl-list branch May 12, 2025 17:33
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS May 12, 2025
spiffcs added a commit that referenced this pull request May 13, 2025
* main:
  Translate Portage license strings to SPDX expressions (#1763)
  fix: stop emitting redis redis CPE for PHP PECL redis (#3881)
  feat: Add PURL list input/output format (#3853)
  chore(deps): update CPE dictionary index (#3877)
  chore(deps): update tools to latest versions (#3878)
  do not search binary contents for version for go package (#3874)
  fix: remove race when writing errors in generic cataloger (#3875)
  clear devel version for go packages (#3873)

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Successfully merging this pull request may close these issues.

CycloneDX group field not symmetrically handled by encoder/decoders