[question] SBOM Optional PURL fields
What is your question?
Hello Conan Team,
Since we build for multiple architectures and operating systems, I had a look into the new SBOM support and found the Conan PURL type definition.
There are optional qualifier definitions like rrev and prev, as well as examples for arch, os, and so on.
How can I use or define them in the currently provided SBOM CycloneDX 1.6 function?
Also, is there an option to extend the SBOM generator with fields defined in the CycloneDX 1.6 JSON reference, other than manually extending/modifying the SBOM after generation?
PS: Thank you very much for the work and effort that is going into the Conan project.
Have you read the CONTRIBUTING guide?
- [x] I've read the CONTRIBUTING guide
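As an added example (not Conan's own SBOM code, and not an answer from the Conan team), this shows how the purl-spec conan qualifiers (user, channel, rrev, prev, plus settings such as os and arch) can be attached to the purls of an already generated CycloneDX 1.6 document in a post-processing step. The SBOM structure, revision values and settings below are constructed.

```python
import json
from urllib.parse import quote


def conan_purl(name, version, user=None, channel=None,
               rrev=None, prev=None, settings=None):
    """Build a pkg:conan PURL. user/channel/rrev/prev and any settings
    (arch, os, ...) become qualifiers, sorted by key and percent-encoded
    as the purl-spec requires, so the result is canonical and comparable."""
    qualifiers = {}
    for key, value in (("user", user), ("channel", channel),
                       ("rrev", rrev), ("prev", prev)):
        if value:
            qualifiers[key] = value
    qualifiers.update(settings or {})
    purl = f"pkg:conan/{quote(name, safe='')}@{quote(str(version), safe='')}"
    if qualifiers:
        purl += "?" + "&".join(f"{k}={quote(str(v), safe='.')}"
                               for k, v in sorted(qualifiers.items()))
    return purl


def enrich_sbom_purls(sbom, extra):
    """Post-process a parsed CycloneDX JSON document: for each component
    listed in `extra` (keyed by component name), rewrite its purl so the
    recipe/package revisions and settings are part of the identifier."""
    for comp in sbom.get("components", []):
        info = extra.get(comp.get("name"))
        if info and comp.get("purl", "").startswith("pkg:conan/"):
            comp["purl"] = conan_purl(comp["name"], comp["version"], **info)
    return sbom


# Constructed sample of a minimal CycloneDX 1.6 output with a bare purl
# (no revision qualifiers); not real generator output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [{"type": "library", "name": "openssl",
                    "version": "3.0.3", "purl": "pkg:conan/openssl@3.0.3"}],
}
# Constructed placeholder revisions and settings; real values come from Conan.
EXTRA = {"openssl": {"rrev": "9f8e7d6c", "prev": "1a2b3c4d",
                     "settings": {"os": "Windows", "arch": "x86_64",
                                  "compiler": "Visual Studio"}}}

if __name__ == "__main__":
    print(json.dumps(enrich_sbom_purls(SAMPLE_SBOM, EXTRA), indent=2))
```

Because rrev and prev land in the qualifiers, two builds of the same name@version with different revisions yield different purls, which is what makes the identifier unique.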
Thank you for your issue, that’s a very good question. It’s possible that we should indeed expand the PURL to include both the rref and the pref, or maybe it would be better to use the pid instead. Let me talk with the team.
When you use PURLs, are you aiming to generate unique identifiers or rather to identify packages by architecture and OS?
> When you use PURLs, are you aiming to generate unique identifiers or rather to identify packages by architecture and OS?
We need unique identifiers for the different packages we are building.
The OS and architecture part would be more of a nice-to-have for readability reasons, to identify it quicker in the PURL, since the rref and pref are not easy to associate without checking the repository. But it would be great to have a generic way of extending the PURL with additional settings, as described in the linked type definition.
There is a ticket in the purl-spec org to check with the experts there: https://github.com/package-url/purl-spec/issues/705