Merge pull request #11 from RedHatProductSecurity/fix-rpm-purls
Fix rpm purls in the RPM examples
mprpic authored Aug 16, 2024
2 parents 8a61c52 + 2eb904f commit 107302c
Showing 16 changed files with 4,014 additions and 280 deletions.
11 changes: 5 additions & 6 deletions docs/purl.md
Expand Up @@ -40,25 +40,24 @@ to not only identify a particular package (the file name already does that) but
package can be accessed. The emacs package example above can be represented using the following purl:

```
pkg:rpm/redhat/[email protected]?arch=x86_64&repository_id=rhel-9-for-x86_64-appstream-rpms&checksum=sha256:abcd1234
pkg:rpm/redhat/[email protected]?arch=x86_64&repository_id=rhel-9-for-x86_64-appstream-rpms
```

The namespace value of `redhat` signifies this as an RPM package produced and distributed by Red Hat.
The namespace value of `redhat` signifies this as an RPM package produced and distributed by Red Hat. This value
also differentiates packages available in Red Hat repositories from those that could potentially share the same name,
version, and repository name but were provided by a different vendor.

If a purl identifies a Source RPM (SRPM, a package containing source code files that are used to build one or more
RPMs containing binary artifacts), the `arch` qualifier must use the special value `src`. In the NEVRA file name
pattern, SRPM packages use a `.src.rpm` suffix. Packages that are not architecture-specific must use the special
`noarch` value in the arch qualifier.

The value in the `checksum` qualifier represents the checksum digest of a given RPM file identified by the purl
string. Note that unsigned and signed versions of these files will have different checksum values.

An RPM package may also include an epoch number; if not present, it is assumed to be `0`. In a purl, epoch is
not part of the version field, but instead is specified using the `epoch` qualifier (e.g. `epoch=1`).
If the package version includes a non-zero epoch value, it must be specified using its own epoch qualifier:

```
pkg:rpm/redhat/[email protected]?epoch=1&arch=src&repository_id=rhel-9-for-x86_64-appstream-rpms&checksum=sha256:abcd1234
pkg:rpm/redhat/[email protected]?epoch=1&arch=src&repository_id=rhel-9-for-x86_64-appstream-rpms
```

The `rpm` purl type suggests the use of the `repository_url` qualifier to point to the base URL of the RPM
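Review bot: with `checksum=sha256:abcd1234` dropped from both example purls, the paragraph beginning "The value in the `checksum` qualifier represents the checksum digest of a given RPM file" now describes a qualifier that no example on this page uses. Either remove that paragraph or state explicitly that `checksum` is optional and that the examples omit it; the same paragraph already notes that signed and unsigned files carry different digests, which is a good reason to give for not hard-coding one in documentation.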
12 changes: 10 additions & 2 deletions sbom/examples/container_image/from_catalog.py
@@ -1,5 +1,6 @@
import json
import itertools
import secrets
import sys

import requests
Expand Down Expand Up @@ -165,7 +166,7 @@ def generate_sboms_for_image(image_nvr):
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": image_digest,
"checksumValue": image_digest.lstrip("sha256:"),
}
],
}
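Review bot: `image_digest.lstrip("sha256:")` does not remove the prefix, it strips any leading run of the characters `s`, `h`, `a`, `2`, `5`, `6` and `:`, so a digest whose hex part starts with one of those characters (e.g. `sha256:a5...`) loses part of its value and `checksumValue` ends up shorter than 64 hex characters. Use `image_digest.removeprefix("sha256:")` (Python 3.9+) or `image_digest.split(":", 1)[-1]`, and consider checking `len(value) == 64` before emitting it so a malformed digest fails loudly instead of landing in the SBOM.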
Expand Down Expand Up @@ -206,7 +207,14 @@ def generate_sboms_for_image(image_nvr):
"referenceLocator": rpm_purl,
},
],
# We don't have data on a checksum for binary RPMs included in images; should we?
# We don't have checksums available from Pyxis, but they should be available
# during the build process. For example purposes, we'll use a mock value.
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": f"abcd1234{secrets.token_hex(28)}",
}
],
}
packages.append(rpm_pkg)
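Review bot: `f"abcd1234{secrets.token_hex(28)}"` yields a different, well-formed-looking 64-hex-character value on every run, so the generated example SBOM is not reproducible and a consumer has no way to tell the mock from a real digest. Since the comment already says this is a placeholder, prefer a deterministic and obviously fake value (a fixed constant, or `hashlib.sha256(rpm_purl.encode()).hexdigest()` if a per-package value is wanted) and say in the comment that it must be replaced with the real digest when the SBOM is produced during the build. A deterministic value also removes the only use of the new `import secrets` in the first hunk.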

Expand Up @@ -49,7 +49,7 @@
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "sha256:ed976a0ba418a498b05a56cb05afa0cb36a65e750771f3840b12e9bae3afb22d"
"checksumValue": "ed976a0ba418a498b05a56cb05afa0cb36a65e750771f3840b12e9bae3afb22d"
}
]
},
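Review bot: dropping the `sha256:` prefix is the right fix, since SPDX `checksumValue` carries only the hex digest and the algorithm is already given in `algorithm`. Please confirm that every other `checksumValue` in this file and the sibling example files got the same treatment, e.g. `grep -rn 'checksumValue": "sha256:' sbom/examples/` should return nothing after this change.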
Expand All @@ -70,7 +70,7 @@
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "sha256:9e74a91f532b7550ee909c6ce1636122982a5c5e32859c40c3bfe68231d31100"
"checksumValue": "9e74a91f532b7550ee909c6ce1636122982a5c5e32859c40c3bfe68231d31100"
}
]
},
Expand All @@ -91,7 +91,7 @@
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "sha256:32a9929e6f11dfefb7a339d6767d1050cec2b24d397856cbd9b46a1bbc3f8827"
"checksumValue": "32a9929e6f11dfefb7a339d6767d1050cec2b24d397856cbd9b46a1bbc3f8827"
}
]
}
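Review bot: these three hunks only touch container-image checksums. If this example file is meant to mirror the output of `from_catalog.py`, which after this commit emits a `checksums` entry for each RPM package, the RPM packages in this file should carry one as well; otherwise the generator and the checked-in example diverge on which packages have checksums.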
