Convert a SPDX purl externalReference into the item level purl field
This (partly, depending on whether the request for cpe in a comment is considered) addresses https://github.com/CycloneDX/cyclonedx-cli/issues/424.
SPDX supports multiple CPEs and PURLs for a package, but it doesn't support specifying whether any of them is a component identifier.
Can you comment on this (and in particular the current state)?
In SPDX 2 it is true that external ref is the only way to represent a PURL, but it is common for there to only be one purl (although I don't have a massive sample of SPDX files to confirm that). In SPDX 3 there is support for using a purl as an identifier:
https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Package/#properties (extra PURLs can now be specified in ExternalIdentifier). Given there is a future where this can be correctly encoded (ecosystem support for SPDX 3 is still mostly being worked on), it seems like a simple heuristic like taking the first package URL in external refs works for SPDX 2.
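The first-purl heuristic described above, as an added Python example that is not code from this PR or from the cyclonedx-dotnet-library project. The SPDX 2.x package fragment is constructed; treating the 2.2 `PACKAGE-MANAGER` and 2.3 `PACKAGE_MANAGER` category spellings as equivalent, and applying the same first-match rule to CPEs, are assumptions made for the example.

```python
import json

# Constructed SPDX 2.x package fragment (not taken from the PR). The first purl
# is the one the heuristic should promote to the component-level field.
SPDX_PACKAGE = json.loads("""
{
  "name": "example-lib",
  "versionInfo": "1.2.3",
  "externalRefs": [
    {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"},
    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:nuget/Example.Lib@1.2.3"},
    {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:github/example/example-lib@v1.2.3"}
  ]
}
""")


def external_refs_of_type(package, ref_type, category):
    """Locators of every externalRef matching ref_type, in document order.
    Assumption: SPDX 2.2 'PACKAGE-MANAGER' and 2.3 'PACKAGE_MANAGER' name the
    same category, so the spelling is normalised before comparing."""
    found = []
    for ref in package.get("externalRefs", []):
        cat = ref.get("referenceCategory", "").replace("_", "-").upper()
        if cat == category and ref.get("referenceType") == ref_type:
            found.append(ref.get("referenceLocator", ""))
    return found


def to_cyclonedx_component(package):
    """Return (component, leftovers). The first purl (and, extending the
    heuristic, the first CPE) become component-level fields; any further
    identifiers are handed back so the caller can decide what to do with
    them instead of having them dropped silently."""
    purls = [p for p in external_refs_of_type(package, "purl", "PACKAGE-MANAGER")
             if p.startswith("pkg:")]
    cpes = (external_refs_of_type(package, "cpe23Type", "SECURITY")
            + external_refs_of_type(package, "cpe22Type", "SECURITY"))
    component = {"type": "library", "name": package["name"]}
    if package.get("versionInfo"):
        component["version"] = package["versionInfo"]
    if purls:
        component["purl"] = purls[0]
    if cpes:
        component["cpe"] = cpes[0]
    return component, purls[1:] + cpes[1:]
```

Running `to_cyclonedx_component(SPDX_PACKAGE)` yields a component whose `purl` is the nuget one and a leftover list holding the second purl, which is the information a reader of the readme note would want to know is not carried over.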
I'd mostly go with Andreas' judgment regarding this PR.
However, we should document this in the readme.
@dgl could you document this in the readme as suggested by @andreas-hilti?
@dgl quick bump - one tiny thing left before we can merge 👍
@dgl @mtsfoni This would be my proposal for the readme update: https://github.com/dgl/cyclonedx-dotnet-library/pull/1