nisha
I am interested in moving some projects to a known org: https://github.com/opensbom-generator/ particularly https://github.com/opensbom-generator/sbom-composer with maybe a rewrite.
@davaya Would this be covered by `ElementCollection` in the current model as of 2024-01-16?
- Maybe related: https://github.com/package-url/purl-spec/issues/239
For example: `pkg:docker/cassandra@latest`, `pkg:docker/cassandra@123456abcdef`, `pkg:docker/cassandra@sha256%123456abcdef`, `pkg:oci/cassandra@abcdef123456` and `pkg:oci/my/local/cas@abcdef123456` are all the same thing. The pURL has to be detailed enough for a person or tool to have high confidence that...
Another example: `pkg:deb/kdenlive` and `pkg:generic/kdenlive_etc_etc?download_url=` are the same package. The pURL tells you how the package was downloaded but doesn't indicate that it is the same package. My opinion is...
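To make the two examples above concrete, here is a small purl parser plus a comparison heuristic. This is an added illustration, not code from purl-spec, SPDX, OSV or the reference packageurl-python library. It implements the spec's `pkg:type/namespace/name@version?qualifiers#subpath` grammar, splits the locators quoted above into their components so the differing fields are visible, and then applies one possible policy for container images: treat `docker` and `oci` as the same family (an assumption), ignore mutable tags such as `latest`, and compare digests with any `sha256:` prefix stripped. The policy is illustrative; the spec itself defines no equivalence between purls.

```python
"""Minimal purl parser and an illustrative equivalence heuristic.

Added example, not project code. Assumptions are marked in comments.
"""
from typing import Optional
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split a purl into its components, percent-decoding each one."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")  # the spec also tolerates pkg://

    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
        subpath = unquote(subpath)

    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)  # keys are case-insensitive

    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)

    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError(f"purl has no name: {purl!r}")
    return {
        "type": ptype.lower(),  # type is case-insensitive per the spec
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def diff_components(a: str, b: str) -> dict:
    """Return {field: (a_value, b_value)} for every component that differs."""
    pa, pb = parse_purl(a), parse_purl(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}


# Assumption: docker and oci purls both address container images.
IMAGE_TYPES = {"docker", "oci"}
# Assumption: a floating tag carries no information about content.
MUTABLE_TAGS = {"latest"}


def _image_digest(version: Optional[str]) -> Optional[str]:
    """Extract a comparable digest; None if the version is missing or a tag."""
    if version is None or version in MUTABLE_TAGS:
        return None
    # Accept both "sha256:<hex>" and bare "<hex>" (heuristic, not spec).
    return version.split(":", 1)[1] if ":" in version else version


def same_image(a: str, b: str) -> Optional[bool]:
    """True/False when both purls carry a digest; None when undecidable.

    None is the important case: a tool cannot claim two image purls refer
    to the same artifact when either side only names a tag.
    """
    pa, pb = parse_purl(a), parse_purl(b)
    if pa["type"] not in IMAGE_TYPES or pb["type"] not in IMAGE_TYPES:
        return None
    da, db = _image_digest(pa["version"]), _image_digest(pb["version"])
    if da is None or db is None:
        return None
    return da == db


if __name__ == "__main__":
    # Constructed inputs taken from the thread above.
    images = [
        "pkg:docker/cassandra@latest",
        "pkg:docker/cassandra@123456abcdef",
        "pkg:docker/cassandra@sha256:123456abcdef",
        "pkg:oci/cassandra@abcdef123456",
        "pkg:oci/my/local/cas@abcdef123456",
    ]
    for p in images:
        print(p, "->", parse_purl(p))
    print(same_image(images[1], images[2]))  # digests agree
    print(same_image(images[0], images[1]))  # tag vs digest: undecidable
    print(diff_components("pkg:deb/kdenlive",
                          "pkg:generic/kdenlive_etc_etc?download_url="))
```

Run as a script it prints the parsed components of each image purl and then the verdicts: the two `cassandra` locators that share a digest match, the `latest` tag yields no verdict at all, and the `deb` versus `generic` pair differs in type, name and qualifiers, which is exactly why nothing in the purl itself says they are the same package.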
@pombredanne:
> A PURL is a locator and a **mostly** unique way to identify a package

I understand PURL was never meant to be a unique identifier. However, many tools and advisory...
@pombredanne Here's an example of the way OSV uses pURLs: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38545.json I wonder if you have a recommendation of how the pURL `pkg:apk/alpine/curl?arch=source` can include `alpine:v3.15`, or even something from...