-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A purl spec for the C/C++ package manager vcpkg #245
base: master
Are you sure you want to change the base?
Conversation
…rameter. - Renaming registry-version paramater to be consistent. - Adding description of features parameter. - Adding a distinct examples section.
I'm contemplating whether or not we can simplify the spec further and whether it's still missing anything vital. The principle that the components of the purl string should only be what is necessary to disambiguate different packages from each other runs into a problem of having the same package used in different ways by the same consumer (say, it depends on a static build of the package on one platform and a dynamic build of the package on another platform). Where I'm headed with this is to distinguish between 2 kinds of data.
Data under 1. should be specified in the purl specification and the specification should allow for the flexibility to record data under 2. Properties for that 2. data could be also documented in a subparagraph, but it would be non-normative with regards to the purl spec. With that approach, I think it means that the existing I'm going to make those changes soon, and want this comment to serve as a record of the thought process behind the decision. |
…ditional, unspecified qualifeirs must be tolerated.
After discussing it some with the vcpkg team, I don't think we need to necessarily distinguish ports from artifacts at this time, so I've made the changes mentioned above, but have not added a |
Alright. I'm moving this out of draft status. I'm looking for reviews from stakeholders in addition to maintainers of the purl-spec repository. Pinging @dan-shaw, @ras0219-msft, @jhutchings1, @adriandiglio. |
… of the registry_version qualifier should be percent-encoded.
I think the purl spec is somewhat unclear on what guarantees users are to expect of PURLs that make making a judgement call on whether this represents vcpkg effectively there. Couple of questions:
Examples like conan already here seem to say that different URIs to the same content as well as the same URI potentially identifying different content are OK but that seems to make PURLs almost meaningless. Given a PURL, what is a user expected to be able to do with it? I look at what SPDX and what GitHub dependencies and similar want, and they want such vastly different things and want different guarantees on what that means. Potential examples. It isn't clear to me which of these apply. I'm sure I missed some.
|
PURLs should be deterministic. If there are things which could affect what dependency you resolve, they should be available as properties in the PURL schema for a type. The registry is a common example; most types allow you to provide a registry, but have a default option as well. Reviewing your list, I believe every one of those is a goal. Sometimes purls will have maximum specificity (eg, a runtime might report that it ran a very specific piece of software), and other times, they'll have less (eg, a CVE may specify something like pkg:npm/[email protected] to specify a large range of affected products, at least if the version range spec is added #93 ).
|
@jhutchings1 How do we reconcile that with many existing examples that fail most of these tests? Examples: pkg:conan/[email protected]
pkg:cargo/[email protected]
pkg:nuget/[email protected]
|
@jhutchings1 (To clarify, I'm trying to make sure vcpkg's support for this is consistent with the spec's design goals but the front matter seems to be missing these details and the examples seem to not be consistent with what design goals are listed there so I don't know how I feel about it) |
Producers should provide as much information as they have, but most properties should be optional so that producers like CVE issuers can issue CVEs that target a broader set of packages with just one purl. There's not a one size fits all approach here, so design for flexibility. |
It sounds like the PURL spec should then be viewed as serving two separate purposes:
Solving (2) is much more complicated than identifying individual packages; there's a certain policy decision of applicability. For example, if I get More realistically, does How does this currently work for PURLs into Linux distributions -- especially Debian Stable? |
CVE matching seems like it is always messy. For PURL I think typically [email protected] is expected to always be [email protected], not zlib1g@1:1.2.11.dfsg-1+deb10u2 or 1:1.2.11.dfsg-2+deb11u2 depending on what version of Debian the software is installed on. CVEs usually are matched using CPEs like For PURLs into Debian, the spec says you should have a PURL like At least I'm pretty sure that's how it works for tools like Trivy and debscan. For software library packages being incorporated into a product via bundling or static linking, it's much simpler because the packages are (usually) specific, immutable files in specific repositories, so the question of whether that package is vulnerable or not depends on only the package, of which there is only a single instance, published by the package author (ie CVE-2022-37434 is resolved by upgrading to ¹ I'm not sure this is useful. Does Debian keep every version of every package forever? I know for Alpine this is not the case, so |
This discussion seems to be a bit stale, but I think it is still very relevant, because at the moment vcpkg does not use any CPE or Package URL in the SBOMs it produces. That prevents it from being used easily for automated analysis. So I would like to revive it and add my 2 cents:
To sum up, I would argue for a simple purl like |
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Revive package-url#245 by adding the following changes: - `registry_url` -> `repository_url` - `registry_version` -> `port_revision` - Remove percent escaping from `repository_url` to be more consistent with other uses of `repository_url` in the purl spec
Co-authored-by: Michael B. Price <[email protected]>
Add optional `repository_revision` so that mistakes in `port_revision` and `version` can be accounted for. Not relevant for filesystem registries or overlay ports because that gives no further external traceability. Along with this, describe the filesystem registries and overlay port cases.
Extend the port overlay or filesystem registry example with port revision. Add an example for additional qualifiers.
@pombredanne - What steps still remain in order to merge this spec for a vcpkg PURL type? |
@pombredanne @jkowalleck @BillyONeal @stevespringett @jhutchings1 @matt-phylum This PR has been open for in unchanged state for about 2 months already. As not having purls for vcpkg is a security risk, could you please contribute to reviewing and merging this PR? |
Update: Fixed some potentially confusing wording. I would like to add a few thoughts to the comment by @matt-phylum. For certain communities like Debian, there is a designated security team and process that ultimately allows you to link a specific PURL to vulnerabilities. Correct me if I am wrong, but I do not see this heavyweight approach for the vcpkg community in the foreseeable future. What you can expect to happen then is that aggregators like the Github Advisory Database try to build a somewhat heuristic mapping from a vcpkg PURL to CPEs. This mapping is difficult and messy enough without details such as port revisions. Hence in practice, for vulnerability searches at least, I would expect that only the package name and version are relevant. Furthermore, similar to Matt's comment, I am not sure how well-suited the PURL concept is for non-binary packages in the first place. With, say Newtonsoft.Json version x.y.z, the situation is simple: There is just one package, it has a specific content, and you do not care how it was built, because you only ever consume the build artifact (neglecting nasty edge cases like build extensions). For a vcpkg port like libcurl or ffmpeg, this concept is questionable; depending on the chosen features, you have completely different software. You can partially overcome this problem by adding (lots of) qualifiers. My only problem here is: What for?
I think my personal recommendation from these thoughts would be not to spend too much effort on trying to construct a good unique identifier at the current state of affairs. Instead, reserve the ability to extend the PURL specification, and focus on those attributes that are likely to be relevant. |
This would address Issue #217. It is also being tracked on the vcpkg side in this discussion. microsoft/vcpkg#32732