Hi folks,

I am part of the Paketo community, and we are providing Cloud Native Buildpacks 
to create container images with – amongst other technologies – Apache Tomcat 
and Apache TomEE as application runtimes.

One of the features of Cloud Native Buildpacks is that images come with a 
Software Bill of Materials (SBOM). When installing Apache Tomcat, we issue the 
following CPE and pURL to the SBOM:

  1.  cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
  2.  pkg:generic/apache-tomcat@10.1.20

The former should be the right one for users to find relevant CVEs on e.g. 
nvd.nist.gov. The latter, however, is made up and will likely not lead to any 
findings on e.g. https://osv.dev.

Now I am wondering if you report Tomcat vulnerabilities under any pURL and, 
if so, which one that would be.
There is a proposal 
(https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define) 
to introduce `pkg:apache` as a namespace, which would open up 
`pkg:apache/tomcat@10.1.20` as a canonical pURL.

Thanks for the time to read this.

Best regards
Jan von Löwenstein
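As an added example that is not part of the mail or of the Paketo buildpacks: a small Python parser for the two identifier formats discussed above (CPE 2.3 formatted strings and package URLs), plus a consistency check an SBOM consumer can run so that a CVE matched through either identifier refers to the same installed Tomcat version. The identifiers are the ones from the mail; the Maven pURL used in the test is a constructed sample.

```python
import re
from urllib.parse import unquote

def parse_purl(purl):
    """Split a package URL into its purl-spec components (type, optional
    namespace, name, optional version, qualifiers, subpath), percent-decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError("pURL must start with 'pkg:'")
    rest = purl[4:].lstrip("/")
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, qs = rest.split("?", 1)
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:  # version is whatever follows the last '@'
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = [unquote(s) for s in rest.split("/")]
    if len(segments) < 2 or not segments[-1]:
        raise ValueError("pURL needs at least a type and a name")
    return {"type": segments[0].lower(),
            "namespace": "/".join(segments[1:-1]) or None,
            "name": segments[-1], "version": version,
            "qualifiers": qualifiers, "subpath": subpath}

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its eleven attribute fields,
    honouring backslash-escaped colons inside a field."""
    fields = re.split(r"(?<!\\):", cpe)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError("not a well-formed CPE 2.3 formatted string")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, fields[2:]))

def sbom_identifiers_consistent(cpe, purl):
    """True when the CPE and pURL recorded for one SBOM component carry the
    same version, i.e. both identifiers describe the same installed artifact."""
    return parse_cpe23(cpe)["version"] == parse_purl(purl)["version"]

# Identifiers from the mail, plus the candidate canonical form a
# pkg:apache type would allow (constructed from the proposal's naming).
TOMCAT_CPE = "cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*"
TOMCAT_GENERIC_PURL = "pkg:generic/apache-tomcat@10.1.20"
TOMCAT_APACHE_PURL = "pkg:apache/tomcat@10.1.20"
```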
