Add 'file_name' qualifier to PURL

Author: sethmlarson

src/auditwheel/repair.py

@@ -6,7 +6,6 @@
 import logging
 import os
 import platform
-import re
 import shutil
 import stat
 from collections.abc import Iterable
@@ -23,17 +22,10 @@
 from .policy import get_replace_platforms
 from .tools import is_subdir, unique_by_index
 from .wheel_abi import WheelAbIInfo
-from .wheeltools import InWheelCtx, add_platforms
+from .wheeltools import WHEEL_INFO_RE, InWheelCtx, add_platforms
 
 logger = logging.getLogger(__name__)
 
-# Copied from wheel 0.31.1
-WHEEL_INFO_RE = re.compile(
-    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>\d.*?))(-(?P<build>\d.*?))?
-     -(?P<pyver>[a-z].+?)-(?P<abi>.+?)-(?P<plat>.+?)(\.whl|\.dist-info)$""",
-    re.VERBOSE,
-).match
-
 
 def repair_wheel(
     wheel_abi: WheelAbIInfo,

src/auditwheel/sboms.py

@@ -7,6 +7,7 @@
 from urllib.parse import quote
 
 from auditwheel._vendor.whichprovides import whichprovides
+from auditwheel.wheeltools import WHEEL_INFO_RE
 
 
 def create_sbom_for_wheel(
@@ -26,10 +27,15 @@ def create_sbom_for_wheel(
     # from the wheel filename. This segment doesn't
     # change even after "repairing", so we don't have
     # to worry about it changing.
-    wheel_name, wheel_version, *_ = wheel_fname.split("-", 2)
-    wheel_name = wheel_name.lower()
+    match = WHEEL_INFO_RE(wheel_fname)
+    if not match:
+        msg = f"Failed to parse wheel file name: {wheel_fname}"
+        raise ValueError(msg)
+    wheel_name = match.group("name")
+    wheel_version = match.group("ver")
     wheel_purl = (
         f"pkg:pypi/{quote(wheel_name, safe='')}@{quote(wheel_version, safe='')}"
+        f"?file_name={quote(wheel_fname, safe='')}"
     )
 
     sbom_components: list[dict[str, typing.Any]] = [

src/auditwheel/wheeltools.py

@@ -9,6 +9,7 @@
 import hashlib
 import logging
 import os
+import re
 import zlib
 from base64 import urlsafe_b64encode
 from collections.abc import Generator, Iterable
@@ -30,6 +31,14 @@
 logger = logging.getLogger(__name__)
 
 
+# Copied from wheel 0.31.1
+WHEEL_INFO_RE = re.compile(
+    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>\d.*?))(-(?P<build>\d.*?))?
+     -(?P<pyver>[a-z].+?)-(?P<abi>.+?)-(?P<plat>.+?)(\.whl|\.dist-info)$""",
+    re.VERBOSE,
+).match
+
+
 def _dist_info_dir(bdist_dir: Path) -> Path:
     """Get the .dist-info directory from an unpacked wheel
 

tests/integration/test_manylinux.py

@@ -15,6 +15,7 @@
 from typing import Any
 
 import docker
+import packaging.tags
 import pytest
 from docker.models.containers import Container
 from elftools.elf.elffile import ELFFile
@@ -549,17 +550,21 @@ def test_numpy_sbom(
         sbom_components = sbom.pop("components")
         sbom_dependencies = sbom.pop("dependencies")
 
+        expected_tag = (
+            f"{packaging.tags.interpreter_name()}{packaging.tags.interpreter_version()}"
+        )
+        expected_numpy_purl = f"pkg:pypi/numpy@{NUMPY_VERSION}?file_name=numpy-{NUMPY_VERSION}-{expected_tag}-{expected_tag}-{policy}.whl"
         assert sbom == {
             "bomFormat": "CycloneDX",
             "specVersion": "1.4",
             "version": 1,
             "metadata": {
                 "component": {
                     "type": "library",
-                    "bom-ref": f"pkg:pypi/numpy@{NUMPY_VERSION}",
+                    "bom-ref": expected_numpy_purl,
                     "name": "numpy",
                     "version": NUMPY_VERSION,
-                    "purl": f"pkg:pypi/numpy@{NUMPY_VERSION}",
+                    "purl": expected_numpy_purl,
                 },
                 # "tools": [{...}, ...],
             },
@@ -572,9 +577,9 @@ def test_numpy_sbom(
         assert "version" in sbom_tools[0]
 
         assert sbom_components[0] == {
-            "bom-ref": f"pkg:pypi/numpy@{NUMPY_VERSION}",
+            "bom-ref": expected_numpy_purl,
             "name": "numpy",
-            "purl": f"pkg:pypi/numpy@{NUMPY_VERSION}",
+            "purl": expected_numpy_purl,
             "type": "library",
             "version": NUMPY_VERSION,
         }