Hi all, I recently started a discussion about pURLs as package identifier on the Tomcat mailing list and it was brought up that this might be a broader topic to be discussed here.
Best regards
Jan

From: Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.INVALID>
Date: Monday, 15. April 2024 at 13:14
To: Tomcat Users List <users@tomcat.apache.org>
Subject: AW: Package URLs for Apache Tomcat distributions

> On 11/04/2024 16:52, von Loewenstein, Jan wrote:
> > Hi folks,
> >
> > I am part of the Paketo community, and we are providing Cloud Native
> > Buildpacks to create container images with – amongst other technologies –
> > Apache Tomcat and Apache TomEE as application runtimes.
> >
> > One of the features of Cloud Native Buildpacks is that images come with
> > Software-Bill-of-Material. When installing Apache Tomcat, we issue the
> > following CPE and pURL to the SBOM:
> >
> > 1. cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
> > 2. pkg:generic/apache-tomcat@10.1.20
> >
> > The former should be the right one for users to find relevant CVEs in
> > e.g. the nvd.nist.gov. The latter however is made up and will likely
> > not lead to any findings on e.g. https://osv.dev/
> >
> > Now I am wondering if you report Tomcat vulnerabilities under any pURL and
> > which one that would be.
>
> We don't.
>
> > There is a proposal
> > <https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define>
> > to introduce `pkg:apache` as a namespace, which would open up
> > `pkg:apache/tomcat@10.1.20` as a canonical pURL.
>
> That is a foundation-wide decision and not one the Tomcat project can make
> unilaterally. That is probably a topic for security-
> disc...@community.apache.org where pURL has already been touched on this
> thread:
> https://lists.apache.org/thread/7hs5ooqhfozmhlvq24k5xztzn1nwp9yv
>
> Mark

This topic might get even more important when the Cyber Resilience Act of the European Union is released. Software manufacturers will be obliged to provide an inventory / SBOM list.
https://medium.com/@interlynkblog/eu-cra-and-sbom-5100c55752fa#:~:text=The%20CRA%20text%20implies%20that,regulators
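As an added illustration of the identifier pair discussed in the thread (not code from the thread, Paketo or the purl-spec project), the following Python parses pURLs according to the package-url grammar and builds the CPE 2.3 plus pURL component for a Tomcat distribution, both in the current `pkg:generic` form and in the proposed `pkg:apache/tomcat` form; the regular expression and the `tomcat_component` helper are this example's own.

```python
"""Added example, not part of the mailing-list thread: parse pURLs per the
package-url spec and build the CPE + pURL pair the thread says Paketo emits."""
import re
from typing import Optional
from urllib.parse import unquote

# Spec grammar: pkg:type/namespace/name@version?qualifiers#subpath
# (namespace, version, qualifiers and subpath are optional)
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z][A-Za-z0-9.+-]*)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.+))?$"
)

def parse_purl(purl: str) -> dict:
    """Split a pURL into its parts (type lower-cased, segments percent-decoded)."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a valid pURL: {purl!r}")
    parts = m.groupdict()
    parts["type"] = parts["type"].lower()
    for key in ("namespace", "name", "version", "subpath"):
        if parts[key] is not None:
            parts[key] = unquote(parts[key])
    qualifiers = {}
    for pair in (parts["qualifiers"] or "").split("&"):
        if pair:
            k, _, v = pair.partition("=")
            qualifiers[k.lower()] = unquote(v)
    parts["qualifiers"] = qualifiers
    return parts

def tomcat_component(version: str, purl_type: str = "generic",
                     namespace: Optional[str] = None,
                     name: str = "apache-tomcat") -> dict:
    """CycloneDX-style component for a Tomcat distribution: the CPE 2.3 string
    from the thread plus a pURL. Defaults give the current pkg:generic form;
    purl_type="apache", name="tomcat" gives the proposed canonical form."""
    ns = f"{namespace}/" if namespace else ""
    return {
        "type": "application",
        "name": "Apache Tomcat",
        "version": version,
        "cpe": f"cpe:2.3:a:apache:tomcat:{version}:*:*:*:*:*:*:*",
        "purl": f"pkg:{purl_type}/{ns}{name}@{version}",
    }
```

Because `generic` is a defined pURL type whose name carries no registry meaning, an SBOM consumer cannot resolve `pkg:generic/apache-tomcat` against a vulnerability database the way it can a `pkg:maven` or a future `pkg:apache` identifier, which is why the CPE remains the only matchable identifier in the current output.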