> On 11/04/2024 16:52, von Loewenstein, Jan wrote:
> > Hi folks,
> >
> > I am part of the Paketo community, and we are providing Cloud Native
> > Buildpacks to create container images with – amongst other technologies –
> > Apache Tomcat and Apache TomEE as application runtimes.
> >
> > One of the features of Cloud Native Buildpacks is that images come with a
> > Software Bill of Materials. When installing Apache Tomcat, we issue the
> > following CPE and pURL to the SBOM:
> >
> > 1. cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
> > 2. pkg:generic/apache-tomcat@10.1.20
> >
> > The former should be the right one for users to find relevant CVEs in
> > e.g. the nvd.nist.gov. The latter however is made up and will likely
> > not lead to any findings on e.g. https://osv.dev
> >
> > Now I am wondering if you report Tomcat vulnerabilities under any pURL and
> > which one that would be.
>
> We don't.
>
> > There is a proposal <https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define>
> > to introduce `pkg:apache` as a namespace, which would open up
> > `pkg:apache/tomcat@10.1.20` as a canonical pURL.
>
> That is a foundation-wide decision and not one the Tomcat project can make
> unilaterally. That is probably a topic for security-disc...@community.apache.org
> where pURL has already been touched on this thread:
> https://lists.apache.org/thread/7hs5ooqhfozmhlvq24k5xztzn1nwp9yv
>
> Mark
This topic might get even more important when the Cyber Resilience Act of the
European Union is released. Software manufacturers will be obliged to provide
an inventory / SBOM list.
https://medium.com/@interlynkblog/eu-cra-and-sbom-5100c55752fa#:~:text=The%20CRA%20text%20implies%20that,regulators')%20and%20product%20manufacturers.
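The identifiers quoted above (a CPE 2.3 formatted string and a pURL for the same Tomcat install) are easy to get subtly wrong in an SBOM, and a mismatch between them silently breaks vulnerability matching. The following Python is an added example, not code from the thread, Paketo or the Tomcat project: it parses a pURL according to the purl-spec grammar (percent-decoding after splitting, so an encoded '@' in a namespace is not taken for the version separator), parses a CPE 2.3 string while honouring backslash-escaped colons, and emits a CycloneDX-style component carrying both identifiers, refusing to do so when the two disagree on the version. The `sbom_component` helper and the version cross-check are this example's own design; the `pkg:apache/tomcat@10.1.20` form is only the proposal quoted above, not a registered purl type, and the Maven and npm strings go beyond the thread to show the namespace handling.

```python
"""Parse pURL and CPE 2.3 identifiers and emit a CycloneDX-style component.

Added example (not from the thread). Assumes only the purl-spec grammar
  pkg:type/namespace/name@version?qualifiers#subpath
and the CPE 2.3 formatted-string binding (13 colon-separated fields).
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a pURL into its parts; components are percent-decoded only after
    splitting, so pkg:npm/%40angular/core@1.0.0 yields namespace '@angular'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a pURL (missing pkg: scheme): {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath is everything after '#'
    rest, _, query = rest.partition("?")        # qualifiers sit between '?' and '#'
    if "@" in rest:
        path, _, version = rest.rpartition("@")  # the LAST '@' separates the version
        version = unquote(version) or None
    else:
        path, version = rest, None
    segments = [seg for seg in path.split("/") if seg]
    if len(segments) < 2:
        raise ValueError(f"pURL needs at least a type and a name: {purl!r}")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if value:                               # spec: empty-valued qualifiers are dropped
            qualifiers[key.lower()] = unquote(value)
    return Purl(
        type=segments[0].lower(),
        namespace="/".join(unquote(s) for s in segments[1:-1]) or None,
        name=unquote(segments[-1]),
        version=version,
        qualifiers=qualifiers,
        subpath=unquote(subpath) or None,
    )


CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 attributes. Only unescaped
    ':' separate fields; a literal colon in a value is written as '\\:'."""
    fields = re.split(r"(?<!\\):", cpe)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


def sbom_component(purl: str, cpe: str) -> dict:
    """Build a CycloneDX-style component carrying both identifiers (hypothetical
    helper). Refuses a pair whose version fields disagree, since a scanner that
    trusts one identifier would then report the wrong CVE set."""
    p, c = parse_purl(purl), parse_cpe23(cpe)
    if p.version != c["version"]:
        raise ValueError(f"version mismatch: purl={p.version!r} cpe={c['version']!r}")
    return {"type": "application", "name": p.name, "version": p.version,
            "cpe": cpe, "purl": purl}


if __name__ == "__main__":
    # The two identifiers from the thread, plus the proposed pkg:apache form.
    cpe = "cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*"
    for purl in ("pkg:generic/apache-tomcat@10.1.20", "pkg:apache/tomcat@10.1.20"):
        print(json.dumps(sbom_component(purl, cpe), indent=2))
```

Note that the CPE is what NVD keys its CVE entries on, so the vendor/product/version fields are the ones to get right; the pURL is what OSV-style matching uses, and with a `generic` type no database will resolve it, which is exactly the gap the thread is about.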