Add otp Type
#472
Conversation
For added context, this purl type proposal has been discussed in the Erlang Ecosystem Foundation for a long time. With the EEF becoming the official CNA for CVEs that affect the Erlang/OTP ecosystem, we will now have more control over how affected versions are expressed in CVE Records. The OTP purl type is an important part of our plans to improve CVE accuracy and the ability for automated tooling to reliably identify affected components in e.g. SBOMs.

The purl type has now also been used in a first CVE disclosure:
pombredanne
left a comment
Thanks! See some nitpicks for your consideration.
Also, do you mind removing the bolding to stay consistent with the style of other types?

After the merge of PR #514, PURL types and tests are now defined in JSON: 😇 😁 With the new approach... this PR needs to be updated. Could you look into this? Thanks for your understanding and sorry for the churn!
@pombredanne Rebased. FYI, there are a few tiny issues with the new setup:

@mjherzog / @pombredanne This type is already used extensively in the wild (in CVEs, OpenVEX, SBOMs, GH Dependency Submission etc.). Is there any chance we can get this merged sometime soon?
The July 1 requested change is moot with the migration from the RST file to JSON files for adding a PURL type.
@maennchen I reviewed the PR and see one problem which is that URLs in a qualifier must/shall be encoded.

@mjherzog Updated 👍
pombredanne
left a comment
Thanks for all the updates. This is essentially merge ready with only a few nits for your review!
pombredanne
left a comment
Thanks! Let's merge this puppy! 🐶
mjherzog
left a comment
@maennchen We are still unfortunately in a mostly manual mode for reviewing test cases, but we found additional test case errors from a second review by @johnmhoran.
@mjherzog @johnmhoran good catches 🙇 ... are we all set now?
mjherzog
left a comment
Updates resolve the review items.
@maennchen Thank you for your patience and quick response to the issues raised.

🎉

Thanks for getting this in and being patient with the issues :)

@maennchen You are most welcome. We still have a lot of work to do to make it more straightforward to register a PURL type. BTW - Do you have a suggestion for an OTP icon to add to the packageurl.org website?
Motivation

BEAM projects regularly depend on OTP applications that are themselves missing from any package manager: such an application cannot be a `hex` purl, nor can it be a distro purl such as `deb`, `rpm`, `alpm`. Today we have to fall back to a `generic` or VCS purl, which loses precision (versioned app vs. tag/commit, selective patching, etc.).

The `otp` purl type fills this gap.

Decision flow

When a tool can emit only one purl per package (e.g. GitHub Dependency Graph), follow this flowchart:

```mermaid
flowchart TD
    PM{"From Package Manager? rebar3 / mix"}
    OSPM{"From OS Package Manager?"}
    SCM{"Source (SCM)?"}
    GH["pkg:github/{owner}/{repo}"]
    BB["pkg:bitbucket/{owner}/{repo}"]
    Specific["pkg:{type}..."]
    PossiblyOtp{"OTP App?"}
    OTP["pkg:otp/{name}@{version}?vcs_url=git+https://{git}"]
    Generic["pkg:generic/...?vcs_url=git+https://{git}"]
    Hex["pkg:hex/{name}@{version}"]
    Git["Git"]
    OS["pkg:{alpm|deb|rpm}/..."]
    PM -- Yes --> SCM
    PM -- No --> OSPM
    OSPM -- No --> Git
    OSPM -- Yes --> OS
    SCM -- Hex.SCM --> Hex
    SCM -- Mix.SCM.Git --> Git
    Git -- GitHub --> GH
    Git -- Bitbucket --> BB
    Git -- Other Specific --> Specific
    Git -- None --> PossiblyOtp
    SCM -- Mix.SCM.Path --> PossiblyOtp
    PossiblyOtp -- No --> Generic
    PossiblyOtp -- Yes --> OTP
```

When multiple purls can be recorded (e.g. SPDX, CycloneDX) you may attach the `otp` purl and an additional purl (Git, GitHub, checksum, …) for maximum traceability.

Summary of the new type

- Type: `otp`
- Name: the OTP application name (from its `.app` file), lower-cased
- Version: the application `vsn`
- Qualifiers: `platform`, `arch`, plus generic qualifiers (`repository_url`, …)

Concrete examples
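As a worked example of the decision flow and of the review point that URLs in a qualifier must be percent-encoded, here is a small Python script that picks one purl per BEAM dependency and assembles it in canonical form. It is added here and is not code from the purl-spec project or the PR author; the `Dep` record, its field names and the `.invalid` hosts in the sample inputs are this example's own assumptions, not an API of rebar3, mix or the purl spec.

```python
"""Emit one purl per BEAM dependency by following the decision flow above,
and percent-encode qualifier values such as vcs_url as the purl spec requires.
Added example, not code from the purl-spec project or the PR author."""
from dataclasses import dataclass, field
from urllib.parse import quote, unquote


@dataclass
class Dep:
    """Constructed dependency record; the field names are this example's own
    assumptions, not an API of rebar3, mix or the purl spec."""
    name: str                 # OTP application name, as in its .app file
    version: str              # the application's vsn
    source: str               # "hex", "git", "path" or "os"
    git_url: str = ""         # git remote, if any
    is_otp_app: bool = False  # does the package carry an OTP .app file?
    os_type: str = ""         # "deb", "rpm" or "alpm" when source == "os"
    qualifiers: dict = field(default_factory=dict)


def encode_qualifier(value: str) -> str:
    """Percent-encode a qualifier value. The purl spec leaves ':' and '/'
    unencoded in qualifier values but encodes '+', '@', '#', '?' and the
    rest, so git+https://... becomes git%2Bhttps://..."""
    return quote(value, safe=":/")


def build_purl(ptype, name, version=None, qualifiers=None, namespace=None):
    """Assemble pkg:type/namespace/name@version?k=v with each component
    percent-encoded and qualifiers lower-cased and sorted (canonical form)."""
    segments = [ptype.lower()]
    if namespace:
        segments.append(quote(namespace.lower(), safe=""))
    segments.append(quote(name.lower(), safe=""))
    purl = "pkg:" + "/".join(segments)
    if version:
        purl += "@" + quote(version, safe="")
    pairs = sorted((k.lower(), v) for k, v in (qualifiers or {}).items() if v)
    if pairs:
        purl += "?" + "&".join(f"{k}={encode_qualifier(v)}" for k, v in pairs)
    return purl


def qualifiers_of(purl: str) -> dict:
    """Consumer side (SBOM or CVE matching): decode the qualifiers back into a dict."""
    _, _, query = purl.partition("?")
    return {k: unquote(v) for k, v in (p.split("=", 1) for p in query.split("&") if p)}


def _git_host_owner_repo(url: str):
    """Split a git URL into (host, owner, repo), dropping scheme and .git suffix."""
    u = url[4:] if url.startswith("git+") else url
    if "://" in u:
        u = u.split("://", 1)[1]
    host, _, path = u.partition("/")
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        return host.lower(), None, None
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return host.lower(), parts[0], repo


def choose_purl(dep: Dep) -> str:
    """The flowchart, one branch per edge."""
    if dep.source == "hex":                       # SCM -- Hex.SCM --> Hex
        return build_purl("hex", dep.name, dep.version)
    if dep.source == "os":                        # OSPM -- Yes --> OS
        return build_purl(dep.os_type, dep.name, dep.version)
    if dep.source == "git":                       # Mix.SCM.Git or a plain git checkout
        host, owner, repo = _git_host_owner_repo(dep.git_url)
        if owner and host == "github.com":        # Git -- GitHub --> GH
            return build_purl("github", repo, dep.version, namespace=owner)
        if owner and host == "bitbucket.org":     # Git -- Bitbucket --> BB
            return build_purl("bitbucket", repo, dep.version, namespace=owner)
    # Git -- None --> PossiblyOtp, or SCM -- Mix.SCM.Path --> PossiblyOtp
    quals = dict(dep.qualifiers)
    if dep.git_url:
        quals["vcs_url"] = dep.git_url if dep.git_url.startswith("git+") else "git+" + dep.git_url
    return build_purl("otp" if dep.is_otp_app else "generic", dep.name, dep.version, quals)


# Constructed sample inputs (hosts under .invalid are placeholders).
SAMPLE_DEPS = [
    Dep("jason", "1.4.1", "hex"),
    Dep("my_lib", "0.3.0", "git", git_url="https://github.com/example-org/my_lib.git"),
    Dep("wx", "2.4", "path", git_url="https://git.example.invalid/otp/wx", is_otp_app=True),
    Dep("inner_tool", "1.0.0", "path", qualifiers={"repository_url": "https://repo.example.invalid"}),
    Dep("erlang", "26.2", "os", os_type="deb"),
]


def emit_all(deps=SAMPLE_DEPS):
    return [choose_purl(d) for d in deps]


if __name__ == "__main__":
    for p in emit_all():
        print(p)
```

The `vcs_url` value comes out as `git%2Bhttps://...` rather than `git+https://...`: the `+` is what the qualifier rule in the review applies to, while `:` and `/` stay unencoded in canonical form, so a consumer that decodes the qualifier string recovers the original URL and can match it against the same purl in a CVE record.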