Skip to content

feat: Add PURL list input/output format#3853

Merged
kzantow merged 15 commits intoanchore:mainfrom
kzantow-anchore:feat/purl-list
May 12, 2025
Merged

feat: Add PURL list input/output format#3853
kzantow merged 15 commits intoanchore:mainfrom
kzantow-anchore:feat/purl-list

Conversation

@kzantow
Copy link
Copy Markdown
Contributor

@kzantow kzantow commented May 5, 2025
edited by wagoodman
Loading

Description

This PR adds a purls format (with aliases: purl). This allows a user to export and by association convert to and from a list of PURLs:

# instead of an SBOM, get a list of PURLs
$ syft -q alpine:latest -o purl 

pkg:apk/alpine/alpine-baselayout@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-baselayout-data@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-baselayout
pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-release@3.21.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-base
pkg:apk/alpine/apk-tools@2.14.6-r3?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox-binsh@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/ca-certificates-bundle@20241121-r1?arch=aarch64&distro=alpine-3.21.3&upstream=ca-certificates
pkg:apk/alpine/libcrypto3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/libssl3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/musl@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/musl-utils@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3&upstream=musl
pkg:apk/alpine/scanelf@1.3.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=pax-utils
pkg:apk/alpine/ssl_client@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/zlib@1.3.1-r2?arch=aarch64&distro=alpine-3.21.3
# converting from SPDX json to a list of PURLs
$ syft -q convert alpine.spdx.json -o purl 

pkg:apk/alpine/alpine-baselayout@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-baselayout-data@3.6.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-baselayout
pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/alpine-release@3.21.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=alpine-base
pkg:apk/alpine/apk-tools@2.14.6-r3?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/busybox-binsh@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/ca-certificates-bundle@20241121-r1?arch=aarch64&distro=alpine-3.21.3&upstream=ca-certificates
pkg:apk/alpine/libcrypto3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/libssl3@3.3.3-r0?arch=aarch64&distro=alpine-3.21.3&upstream=openssl
pkg:apk/alpine/musl@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3
pkg:apk/alpine/musl-utils@1.2.5-r9?arch=aarch64&distro=alpine-3.21.3&upstream=musl
pkg:apk/alpine/scanelf@1.3.8-r1?arch=aarch64&distro=alpine-3.21.3&upstream=pax-utils
pkg:apk/alpine/ssl_client@1.37.0-r12?arch=aarch64&distro=alpine-3.21.3&upstream=busybox
pkg:apk/alpine/zlib@1.3.1-r2?arch=aarch64&distro=alpine-3.21.3

Additionally, after reading an SBOM, formats are able to "enhance" Syft package data from information in the PURL if the data isn't present in the package. For example: a maven PURL includes the GroupID, something like: pkg:maven/org.apache/something, but this GroupID was not being mapped to the internal data location for GroupID which could result in false positives in Grype. This happens for PURL input as well as other formats including SPDX and CycloneDX in order to improve support for SBOMs created with tools other than Syft.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@wagoodman wagoodman added this to OSS May 7, 2025
@wagoodman wagoodman moved this to In Progress in OSS May 7, 2025
@kzantow kzantow changed the title feat: purl-list format feat: purl list format May 7, 2025
kzantow added 4 commits May 7, 2025 12:28
@kzantow
chore: rename purl-list purls
a8bbb12 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow
chore: fixes and update tests
9bf1245 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow
chore: backfill syft format
f0d469f 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow
chore: correct backfill epoch handling
9ddd3e6 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow mentioned this pull request May 7, 2025
Merged
@kzantow
chore: cleanup
46c235a 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@wagoodman wagoodman moved this from In Progress to In Review in OSS May 7, 2025
wagoodman
wagoodman reviewed May 7, 2025
View reviewed changes
Comment thread syft/format/internal/backfill.go
wagoodman
wagoodman reviewed May 7, 2025
View reviewed changes
Comment thread syft/format/internal/stream/seekable_reader.go
wagoodman
wagoodman reviewed May 7, 2025
View reviewed changes
Comment thread syft/format/internal/stream/seekable_reader.go Outdated
wagoodman
wagoodman reviewed May 7, 2025
View reviewed changes
Comment thread syft/format/purls/decoder.go Outdated
wagoodman
wagoodman reviewed May 7, 2025
View reviewed changes
Comment thread syft/pkg/url.go
wagoodman
wagoodman approved these changes May 7, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a few comments, but crosses the threshold of mergable for me 👍

@wagoodman wagoodman added the enhancement New feature or request label May 8, 2025
@wagoodman wagoodman changed the title feat: purl list format feat: Add PURL list input/output format May 8, 2025
@wagoodman wagoodman mentioned this pull request May 8, 2025
Closed
@kzantow kzantow merged commit 621d21e into anchore:main May 12, 2025
13 checks passed
@kzantow kzantow deleted the feat/purl-list branch May 12, 2025 17:33
@github-project-automation github-project-automation Bot moved this from In Review to Done in OSS May 12, 2025
spiffcs added a commit that referenced this pull request May 13, 2025
@spiffcs
Merge branch 'main' into 3088-new-license-ctx-scaner
a1a046b 
* main:
  Translate Portage license strings to SPDX expressions (#1763)
  fix: stop emitting redis redis CPE for PHP PECL redis (#3881)
  feat: Add PURL list input/output format (#3853)
  chore(deps): update CPE dictionary index (#3877)
  chore(deps): update tools to latest versions (#3878)
  do not search binary contents for version for go package (#3874)
  fix: remove race when writing errors in generic cataloger (#3875)
  clear devel version for go packages (#3873)

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
@BrewTestBot BrewTestBot mentioned this pull request May 14, 2025
Merged
@wagoodman wagoodman mentioned this pull request May 20, 2025
Merged
4 tasks
@chovanecadam chovanecadam mentioned this pull request Aug 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees

@kzantow kzantow

Labels

enhancement New feature or request

Projects

OSS
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CycloneDX group field not symmetrically handled by encoder/decoders

2 participants

@kzantow @wagoodman