
Adding purl to generated SBOM #39254

Open
KUGA2 opened this issue Jun 12, 2024 · 2 comments · May be fixed by microsoft/vcpkg-tool#1482
Labels
category:port-feature The issue is with a library, which is requesting new capabilities that didn’t exist

Comments

@KUGA2
Contributor

KUGA2 commented Jun 12, 2024

Is your feature request related to a problem? Please describe.

We use Black Duck for license and vulnerability scanning. I can upload a vcpkg-generated SBOM there, but it does not find any match. I am told this is because vcpkg's SBOMs are missing a purl element.

Proposed solution

Finish up this ongoing purl definition #32732 (or package-url/purl-spec#245) then add it to the generated SBOMs.

Describe alternatives you've considered

We have also contacted Synopsys. Maybe they can do something to support vcpkg's SBOMs without purl.
This suggestion (#30461) might also work, but I am not sure.

Additional context

No response
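To make the problem in this issue concrete, here is an added example (not vcpkg-tool code) that checks an SPDX 2.3 JSON SBOM for packages lacking a purl external reference, which is what a scanner keys on, and attaches purl and CPE `externalRefs` in the form SPDX 2.3 defines. The SBOM document, the `pkg:vcpkg/...` purl string and the CPE are constructed placeholders; the vcpkg purl type is still being defined, so the real locator format will come from the purl-spec discussion linked above.

```python
import json

# Constructed minimal SPDX 2.3 document in the shape vcpkg emits: one package
# and no externalRefs, which is why a scanner cannot match it to anything.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "zlib:x64-linux@1.3.1",
    "packages": [
        {"SPDXID": "SPDXRef-port", "name": "zlib", "versionInfo": "1.3.1"}
    ],
})


def _has_ref(refs: list, ref_type: str) -> bool:
    return any(r.get("referenceType") == ref_type for r in refs)


def packages_missing_purl(doc: dict) -> list:
    """Names of packages with no purl externalRef (what a scanner would skip)."""
    return [p["name"] for p in doc.get("packages", [])
            if not _has_ref(p.get("externalRefs", []), "purl")]


def add_identifiers(doc: dict, purls: dict, cpes: dict) -> dict:
    """Attach purl (PACKAGE-MANAGER) and CPE (SECURITY) refs per SPDX 2.3.

    purls / cpes map package name -> locator. Existing refs are kept and
    each identifier is added at most once per package.
    """
    for pkg in doc.get("packages", []):
        refs = pkg.setdefault("externalRefs", [])
        name = pkg["name"]
        if name in purls and not _has_ref(refs, "purl"):
            refs.append({"referenceCategory": "PACKAGE-MANAGER",
                         "referenceType": "purl",
                         "referenceLocator": purls[name]})
        if name in cpes and not _has_ref(refs, "cpe23Type"):
            refs.append({"referenceCategory": "SECURITY",
                         "referenceType": "cpe23Type",
                         "referenceLocator": cpes[name]})
    return doc


def demo() -> tuple:
    doc = json.loads(SAMPLE_SBOM)
    before = packages_missing_purl(doc)
    # Placeholder locators: the vcpkg purl type is not finalised yet.
    add_identifiers(doc, {"zlib": "pkg:vcpkg/zlib@1.3.1"},
                    {"zlib": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"})
    return before, packages_missing_purl(doc)
```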

@KUGA2 KUGA2 added the category:port-feature The issue is with a library, which is requesting new capabilities that didn’t exist label Jun 12, 2024
@LilyWangLL LilyWangLL self-assigned this Jun 13, 2024
@aristotelos
Contributor

@KUGA2 You have added the category port-feature, but this is not related to any port. So shouldn't it have the category vcpkg-feature?

aristotelos added a commit to aristotelos/vcpkg-tool that referenced this issue Aug 27, 2024
Add a package URL to generated SBOM files so that vulnerability
databases can start linking CVEs to vcpkg port versions.

Fixes microsoft/vcpkg#39254.
See also package-url/purl-spec#217 that has
not been resolved yet but should be resolved before this commit is
merged.
aristotelos added a commit to aristotelos/vcpkg-tool that referenced this issue Aug 28, 2024
Add a package URL and CPE to generated SBOM files so that vulnerability
databases can start linking CVEs to vcpkg port versions.

Fixes microsoft/vcpkg#39254.
See also package-url/purl-spec#217 that has
not been resolved yet but should be resolved before this commit is
merged.

See also https://nvd.nist.gov/products/cpe/search?namingFormat=2.3 for a
CPE database.
@KUGA2
Contributor Author

KUGA2 commented Sep 2, 2024

Correct. But I do not know how to change that 🤷
