Hello,

A challenge while sharing information about vulnerabilities is how to
"identify"/name software components. Of course there is good old
CPE[0], but a couple of file formats around security metadata, such as
OSV[1], SPDX[2] and CycloneDX[3], allow identifying packages by their
'purl'[4], 'SWID'[5] and/or ecosystem-specific identifiers.

While the dust hasn't settled on which of those formats will 'take
off', and we don't need to 'pick sides', it would be good to provide
some guidance on how those IDs should be used - we've already seen
one 3rd-party project[6] 'make up' identifiers in the apache
namespace, which rather defeats the purpose.

For purl, a purl identifier contains a 'type' (like 'deb' or
'apache'), a 'namespace' and a 'name', and optionally a version and
qualifiers[7]. Each 'type' has its own rules on what those look like
(for example "pkg:deb/debian/apache2@2.4.54-1~deb11u1?arch=i386&distro=jessie"
for a Debian package).

In Apache we already have a kind of hierarchy where a PMC covers
multiple projects, and each project can publish a number of artifacts.
At first glance it would make sense to document how to 'encode' that
into the Purl format, but in practice that seems to lead to rather
contrived names. I think it might be better to just have a small
'registry' of names under the Apache type, and allow each PMC/project
to document their preferred identifiers there, validating against
naming conflicts.

This could be as simple as a JSON file in a git repository somewhere,
making it relatively easy to integrate into our CVE tool, the upcoming
artifact platform and 3rd-party tools. Does anyone have thoughts on
this?
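As an added illustration (not part of the original mail), the following Python splits a purl into the components described above and sketches the proposed registry check: a small JSON document of names under the 'apache' type, with registration refused when another PMC already holds the name. The registry shape and the names in it are hypothetical.

```python
import json
from urllib.parse import unquote

def parse_purl(purl: str) -> dict:
    """Split a purl (pkg:type/namespace/name@version?qualifiers#subpath)
    into its components, in the order the purl-spec prescribes."""
    if not purl.startswith("pkg:"):
        raise ValueError("a purl must start with the 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath comes off first
    rest, _, qualifiers = rest.partition("?")   # then the qualifiers
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    parts = rest.split("/")                     # type / namespace... / name
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]),
        "name": unquote(parts[-1]),
        "version": unquote(version),
        "qualifiers": quals,
        "subpath": unquote(subpath).strip("/"),
    }

# Hypothetical registry contents, constructed for this example only.
REGISTRY_JSON = '{"names": {"example-server": {"pmc": "example"}}}'

def load_registry(text: str) -> dict:
    return json.loads(text)

def register_name(registry: dict, pmc: str, name: str) -> dict:
    """Record a name for the 'apache' purl type, refusing a name that a
    different PMC already holds (comparison is case-insensitive)."""
    key = name.lower()
    holder = registry["names"].get(key)
    if holder is not None and holder["pmc"] != pmc:
        raise ValueError(f"{name!r} is already registered by PMC {holder['pmc']!r}")
    registry["names"][key] = {"pmc": pmc}
    return registry

def is_registered_apache_purl(registry: dict, purl: str) -> bool:
    """True only for purls of the 'apache' type whose name is in the registry."""
    parsed = parse_purl(purl)
    return parsed["type"] == "apache" and parsed["name"].lower() in registry["names"]
```

A tool consuming OSV or CycloneDX data could run `is_registered_apache_purl` over every purl it meets and flag unregistered 'apache' names, which is exactly the "made up" identifier problem described above.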


Kind regards,

Arnout

[0] https://nvd.nist.gov/products/cpe
[1] https://ossf.github.io/osv-schema/
[2] https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/
[3] https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.xsd#L319
[4] https://github.com/package-url/purl-spec
[5] https://csrc.nist.gov/Projects/Software-Identification-SWID
[6] https://public.vulnerablecode.io/vulnerabilities/VCID-xsdu-9jb4-aaas
[7] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
