
OTP Purl implementation

Open LaurentGoderre opened this issue 1 year ago • 4 comments

Hi,

I wanted to let you know I created an implementation to detect OTP applications and return Purls matching your spec in Syft (https://github.com/anchore/syft/pull/2403).

Here is an example of it in action in a custom build of RabbitMQ (built for the RabbitMQ Docker Official Image but with the custom scanner)

https://explore.ggcr.dev/?blob=laurentgoderre689/rabbitmq@sha256:3fee3016c2f207cfbd47eac190a3b3d3a89bfe8d00cb1178f3d8086e4d93f94d&mt=application%2Fvnd.in-toto%2Bjson&size=848381

(Search for pkg:otp/[email protected])

LaurentGoderre avatar Dec 18 '23 21:12 LaurentGoderre
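To make the "hex vs. otp" question in this thread concrete, here is an added example (not code from Syft, RabbitMQ, or the security-wg spec) that derives a purl from an OTP `.app` resource file and parses purl strings back into their components. It follows the general purl grammar (`pkg:type/namespace/name@version?qualifiers#subpath`) and assumes, as the draft OTP type does, that an OTP application purl has no namespace (`pkg:otp/<application>@<version>`); the `.app` contents below are a constructed sample, and the `from_hex` switch is a hypothetical way to express "this application was installed from Hex" rather than anything Syft exposes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class Purl:
    """Components of a package-url: pkg:type/namespace/name@version?qualifiers."""
    type: str
    name: str
    version: Optional[str] = None
    namespace: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)

    def __str__(self) -> str:
        # Type is lower-cased; name, version and qualifier values are percent-encoded.
        parts = ["pkg:", self.type.lower(), "/"]
        if self.namespace:
            parts.append(quote(self.namespace, safe="/") + "/")
        parts.append(quote(self.name, safe=""))
        if self.version:
            parts.append("@" + quote(self.version, safe=""))
        if self.qualifiers:
            q = "&".join(f"{k.lower()}={quote(v, safe='')}"
                         for k, v in sorted(self.qualifiers.items()))
            parts.append("?" + q)
        return "".join(parts)


def parse_purl(text: str) -> Purl:
    """Parse a purl string into a Purl; raises ValueError on malformed input."""
    if not text.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = text[4:].lstrip("/")
    # Subpath and qualifiers are split off first; they never contain the name.
    rest, _, _subpath = rest.partition("#")
    rest, _, qual_text = rest.partition("?")
    qualifiers: Dict[str, str] = {}
    if qual_text:
        for pair in qual_text.split("&"):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    type_, _, rest = rest.partition("/")
    if not type_ or not rest:
        raise ValueError("purl needs a type and a name")
    # The last '@' separates the version; names may not contain '@' unencoded.
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    else:
        version = ""
    *ns_parts, name = rest.split("/")
    namespace = "/".join(unquote(p) for p in ns_parts) or None
    return Purl(type=type_.lower(), name=unquote(name),
                version=unquote(version) or None,
                namespace=namespace, qualifiers=qualifiers)


# An OTP application resource file is an Erlang term:
#   {application, Name, [{vsn, "Version"}, ...]}.
# These regexes pull out just the application name and the vsn string.
APP_RE = re.compile(r"\{\s*application\s*,\s*'?([A-Za-z0-9_]+)'?\s*,")
VSN_RE = re.compile(r"\{\s*vsn\s*,\s*\"([^\"]*)\"\s*\}")


def purl_from_app_file(contents: str, from_hex: bool = False) -> Purl:
    """Build a purl from .app file contents.

    from_hex is a hypothetical flag: True means the application came from the
    Hex package manager (use the 'hex' type), False means it is bundled with a
    release or the Erlang/Elixir standard library (use the draft 'otp' type).
    """
    app = APP_RE.search(contents)
    vsn = VSN_RE.search(contents)
    if not app or not vsn:
        raise ValueError("not a recognisable OTP .app file")
    return Purl(type="hex" if from_hex else "otp",
                name=app.group(1), version=vsn.group(1))


# Constructed sample .app file; not taken from any real release.
SAMPLE_APP = """\
{application, demo_app,
 [{description, "constructed sample, not a real application"},
  {vsn, "1.2.3"},
  {modules, [demo_app, demo_app_sup]},
  {applications, [kernel, stdlib]}]}.
"""

if __name__ == "__main__":
    print(purl_from_app_file(SAMPLE_APP))                 # pkg:otp/demo_app@1.2.3
    print(purl_from_app_file(SAMPLE_APP, from_hex=True))  # pkg:hex/demo_app@1.2.3
    print(parse_purl("pkg:hex/acme/demo_app@1.2.3?repository_url=https%3A%2F%2Fexample.invalid"))
```

The only thing that differs between the two outputs is the type segment, which is exactly the point of the discussion: the purl grammar is the same, and the choice of `otp` versus `hex` records where the application came from (a bundled or standard-library application versus a Hex package), which is what a consumer of the SBOM needs in order to look the component up in the right place.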

Shouldn’t it use the hex type instead of otp?

https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#hex

https://github.com/erlef/security-wg/blob/master/docs/specs/otp_purl_type.md#relation-to-hex-purl-type

maennchen avatar Dec 18 '23 21:12 maennchen

@maennchen I'm not sure. These are not installed from the hex package manager, so this might be more accurate.

LaurentGoderre avatar Dec 18 '23 22:12 LaurentGoderre

Interesting to see this being used. Did your needs match the "background" in the OTP Purl proposal?

Please note that this spec should be considered experimental: there was quite a bit of opposition at the time, hence this is marked as a "draft". I haven't heard any better ideas for tracking the contents of a release, for those things that don't come from Hex (in particular Erlang/Elixir standard library applications).

voltone avatar Dec 20 '23 12:12 voltone

The use case I'm using it for is to document packages that are bundled with rabbitmq.

LaurentGoderre avatar Dec 20 '23 13:12 LaurentGoderre