purl-spec
Add OmniBOR (previously GitBOM) namespace identifier as a PURL Type
The GitBOM community is working to specify a URI Namespace Identifier for GitBOM Identifiers.
This issue proposes creating a new PURL Type for that GitBOM URI NID once the syntax has been determined in the GitBOM spec.
Aligning to PURL, the currently proposed syntax could be:
pkg:gitoid:${git object type}:${hash type}:${hashvalue}
PURL Type Example for GitBOMs:
pkg:gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6
The proposed syntax would violate the purl spec.
From looking at it, you're proposing a purl type of gitoid. How do I locate a gitoid?
A purl or package URL is an attempt to standardize existing approaches to reliably identify and locate software packages.
The purl syntax is:
scheme:type/namespace/name@version?qualifiers#subpath
In purl, the namespace is optional, but the name is required. Do gitboms have a name?
Following up on this topic after our discussion today, @stevespringett. Thanks for the details :)
> In purl, the namespace is optional, but the name is required. Do gitboms have a name?
The GitBOM Artifact Identifier, a hash value commonly referred to as the gitoid, would be placed in the Package URL name field.
The complexity here is in aligning the GitBOM URI Scheme with the Package URL scheme. GitBOM has two Gitoid Identifier Types, gitoid:blob:sha1 and gitoid:blob:sha256. I haven't found a way to keep compliant w/ the GitBOM URI scheme and maintain the complete Gitoid Identifier Type while dropping into the Package URL scheme. Breaking the syntax of the Gitoid Identifier Type by using different delimiters or separating components of the Gitoid Identifier Type seems to be required to be compatible with Package URL.
The options I've come up with are below. Please confirm if each option is or isn't formatted correctly wrt the PURL spec's syntax.
1.
PURL Syntax: scheme:type/namespace/name@version?qualifiers#subpath
- Part of the Gitoid Identifier Type, the Git Object Type and the GitBOM hash algorithm, would be placed in the Package URL type field with a colon (:) in between.
- The optional Package URL namespace field would be ignored.
- The GitBOM Artifact Identifier would be placed in the name field.
scheme:type/name
gitoid:{Git Object Type}:{GitBOM hash algorithm}/{GitBOM Artifact ID}
gitoid:blob:sha1/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6
gitoid:blob:sha256/4d410e22102ec5f057c90cd18ffa0f191e3cd9272957e528ed772a52282e1fbb
If I'm interpreting the purl spec correctly, then I believe that this is an invalid syntax as PURL won't allow a colon (:) as part of the type field.
2.
PURL Syntax: scheme:type/namespace/name@version?qualifiers#subpath
- Part of the Gitoid Identifier Type, the Git Object Type, would be placed in the Package URL type field.
- Part of the Gitoid Identifier Type, the GitBOM hash algorithm, would be placed in the namespace field.
- The GitBOM Artifact Identifier would be placed in the name field.
scheme:type/namespace/name
gitoid:{Git Object Type}/{GitBOM hash algorithm}/{GitBOM Artifact ID}
gitoid:blob/sha1/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6
gitoid:blob/sha256/4d410e22102ec5f057c90cd18ffa0f191e3cd9272957e528ed772a52282e1fbb
3.
PURL Syntax: scheme:type/namespace/name@version?qualifiers#subpath
- Part of the Gitoid Identifier Type, the GitBOM hash algorithm, would be placed in the type field.
- The GitBOM Artifact Identifier would be placed in the name field.
- Part of the Gitoid Identifier Type, the Git Object Type, would be placed in the Package URL qualifiers field.
scheme:type/name?qualifiers
gitoid:{GitBOM hash algorithm}/{GitBOM Artifact ID}?{Git Object Type}
gitoid:sha1/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6?git-object-type=blob
gitoid:sha256/4d410e22102ec5f057c90cd18ffa0f191e3cd9272957e528ed772a52282e1fbb?git-object-type=blob
How can someone locate the package (gitbom)?
For example: gitoid:commit:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
How do I know the VCS URL this commit is unique to?
I think GitBom could be represented in something as simple as:
pkg:gitoid/<git object type>/<hash value>
pkg:gitoid/blob/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
I honestly don't think hash algorithm is necessary as the spec only supports sha1 and sha256, so a simple length comparison will tell you the algorithm used.
If you wanted to be explicit, the use of qualifiers could be used:
pkg:gitoid/blob/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64?alg=sha1
It makes sense to treat the object type as a namespace and the hash is the name of object within that namespace. Since changing the object would change its hash there is no need for a version which purl allows.
Given that other algorithms may show up in the future, I would lean towards explicitly including the algorithm. The oci and docker types incorporate it (into the version, but it's the same conceptually), so I would have a preference for that over qualifiers. This could be optional if there is a logical default.
This would give us:
pkg:gitoid/blob/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
pkg:gitoid/blob/sha1%3A261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
Does this seem reasonable @stevespringett and @jeff-schutt?
Yes. Reasonable @iamwillbar
@iamwillbar I discussed this with the GitBOM community and yes, this is reasonable. We agree with explicitly including the hash algorithm in the scheme, by using “%3A” encoding of the ":" separator:
pkg:gitoid/blob/sha1%3A261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
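The following is an added example, not code from the purl-spec thread above or from the OmniBOR/GitBOM project. It computes a blob gitoid (hash over "blob <length>\0" followed by the content, which for sha1 is what git hash-object prints), builds the purl form the thread settled on (pkg:gitoid/<git object type>/<algorithm>%3A<hex>), also accepts the shorter form without the algorithm prefix by inferring sha1 or sha256 from the digest length as proposed earlier in the thread, and rejects a digest whose length does not match the stated algorithm. The function names, the restriction to the sha1 and sha256 digest lengths, and the strictness on mismatched lengths are this example's own assumptions, not the purl spec's or OmniBOR's rules.

```python
# Added example: gitoid computation and the pkg:gitoid purl form from the
# thread. Not from purl-spec or OmniBOR; names and checks are assumptions.
import hashlib
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Hex digest lengths for the two algorithms the thread mentions (assumed closed set).
HEX_LENGTH = {"sha1": 40, "sha256": 64}
GIT_OBJECT_TYPES = ("blob", "tree", "commit", "tag")


def gitoid(content: bytes, algorithm: str = "sha1", object_type: str = "blob") -> str:
    """Hash "<type> <length>\\0" + content; for sha1 blobs this matches git hash-object."""
    if algorithm not in HEX_LENGTH:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if object_type not in GIT_OBJECT_TYPES:
        raise ValueError(f"unsupported git object type: {object_type}")
    header = f"{object_type} {len(content)}\0".encode("ascii")
    return hashlib.new(algorithm, header + content).hexdigest()


def _check(object_type: str, algorithm: str, digest: str) -> None:
    """Reject unknown types/algorithms and digests of the wrong length or alphabet."""
    if object_type not in GIT_OBJECT_TYPES:
        raise ValueError(f"unsupported git object type: {object_type}")
    if algorithm not in HEX_LENGTH:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if len(digest) != HEX_LENGTH[algorithm] or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"{algorithm} digest must be {HEX_LENGTH[algorithm]} lowercase hex chars")


def _infer_algorithm(digest: str) -> str:
    """The length-based shortcut proposed in the thread: 40 hex -> sha1, 64 hex -> sha256."""
    for algorithm, length in HEX_LENGTH.items():
        if len(digest) == length:
            return algorithm
    raise ValueError(f"cannot infer algorithm from digest length {len(digest)}")


def to_purl(object_type: str, digest: str, algorithm: Optional[str] = None) -> str:
    """Build pkg:gitoid/<type>/<algorithm>%3A<digest>, or the prefix-less form if algorithm is None."""
    _check(object_type, algorithm or _infer_algorithm(digest), digest)
    if algorithm is None:
        name = digest
    else:
        # quote() with safe="" turns the ':' separator into %3A, as agreed in the thread.
        name = quote(f"{algorithm}:{digest}", safe="")
    return f"pkg:gitoid/{object_type}/{name}"


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Return (object_type, algorithm, digest) for a gitoid purl; raise ValueError otherwise."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl")
    # Drop any version, qualifiers or subpath; a gitoid purl carries none of them.
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]
    parts = body.split("/")
    if len(parts) != 3 or parts[0] != "gitoid":
        raise ValueError(f"expected pkg:gitoid/<type>/<name>, got {purl!r}")
    _, object_type, name = parts
    name = unquote(name)  # sha1%3A<hex> -> sha1:<hex>
    if ":" in name:
        algorithm, digest = name.split(":", 1)
    else:
        digest = name
        algorithm = _infer_algorithm(digest)
    _check(object_type, algorithm, digest)
    return object_type, algorithm, digest


def is_gitoid_purl(purl: str) -> bool:
    """True if the purl parses and its digest length matches the stated algorithm."""
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"hello world\n"  # constructed sample content
    for alg in ("sha1", "sha256"):
        p = to_purl("blob", gitoid(sample, alg), alg)
        print(p, parse_purl(p))
```

The empty blob is a convenient self-check: its sha1 gitoid is e69de29bb2d1d6434b8b29ae775ad8c2e48c5391, the same value git reports for an empty file, so a mismatch there points at the header construction rather than at the purl handling.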