Automatic PURL generation from existing CPE or CSAF #331
I'm aware of crosswalks like https://github.com/scanoss/purl2cpe and https://github.com/aboutcode-org/vulnerablecode-purl2cpe but not quite a library. Edit: putting together a few other resources in case they're helpful:
All from different moments in time, all provide interesting perspectives to the problem.
Thanks a lot @bureado for the exhaustive list. Just wondering about the direction, it's mainly from purl to CPE but not the reverse. Is there a specific reason for that?
@adulau for both projects I referenced above, it should be possible to get an array of purls given a CPE. But the question you bring up is, I think, very central to the broader problem. Here's an example: the software entity that humans know as "nginx", more precisely the web server typically called "nginx", is recognized in scanoss/purl2cpe as We also know that binary Note that once you've bridged to source world, then searches like https://whatsrc.org/search?q=nginx point to how the problem gets a bit more complicated, but also give a more complete picture. Even more complete with things like SWHIDs, and a couple more that I'd like to add at this time: Plus an approach that uses WikiData's ontology:
I'm eager to collaborate in this space; sorry my comments have distracted from your original question, but I truly think there are a few efforts that could potentially cross-pollinate towards this goal. /cc @kpcyrd @dpp and others.
Greetings! From my adventures in this space, particularly across project boundaries, I've found it's rather important to level-set on the language of CPE, because it means different things to different people and some of it's dependent on what you're actually trying to achieve. From CVEProject/quality-workgroup#12 (comment), there is a good enumeration (no pun intended) of the various different "types" of CPEs and how they're able to be used. So, @adulau when you say:
stepping back for a moment, could you drop in a few worked examples of the desired inputs and outputs?
@adulau 👋 re:
Any automatic PURL generation from existing CPE is IMHO a lost cause (unless we add a cpe PURL type, but that would just move the problem without resolving it). It needs a proper mapping. And a library could then use the mapping. It makes sense to maintain here a reference, open PURL <-> CPE mapping and I see it being a useful community asset. But it needs to be curated by humans to have any value. Or quoting @andrewpollock we need this:
( @andrewpollock side note for the "Purls and canonical Git repositories" part, I have some WIP with PurlDB towards publishing and unlocking all that data)
Ooh please keep me posted!
Thanks to all for the detailed feedback. Quick question following @pombredanne's feedback.
What is the exact definition of "proper mapping"? I mean we discussed internally to go further by either providing an actual improved directory of combined CPE. Especially allowing vendor and products to have aliases or following names as software and vendor names change regularly. It also seems we cannot reference a software without a package in purl. We will work on improving the actual CPE directory and see how we link the associated packages to PURL in vulnerability-lookup. I'll close the issue for the time being until we implement the PURL part in vulnerability-lookup.
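A sketch of what "a library using a human-curated mapping" from the two comments above could look like, as an added example that is not code from this issue, vulnerability-lookup, or any of the projects linked here. The CPE 2.3 parser is real logic; the `CURATED` table and the alias tables are constructed placeholders, and a CPE that is not in the table deliberately yields nothing rather than a guessed PURL.

```python
import re

# Constructed sample of a human-curated CPE -> PURL table, keyed by
# (vendor, product) as written in CPE 2.3 strings. One CPE may map to
# several PURLs (distro package, upstream source, ...). Placeholder values.
CURATED: dict[tuple[str, str], list[str]] = {
    ("nginx", "nginx"): ["pkg:deb/debian/nginx", "pkg:generic/nginx"],
}
# Constructed aliases so that renamed vendors/products still resolve to
# the same curated entry (the "aliases" idea from the comment above).
VENDOR_ALIASES = {"nginx_inc": "nginx", "f5": "nginx"}
PRODUCT_ALIASES = {"nginx_web_server": "nginx"}

# CPE 2.3 formatted strings have exactly 13 colon-separated fields; a
# literal colon inside a field is escaped as "\:".
_SPLIT_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def parse_cpe23(cpe: str) -> list[str]:
    """Return the 13 fields of a CPE 2.3 formatted string, unescaped."""
    parts = _SPLIT_UNESCAPED_COLON.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return [p.replace("\\:", ":") for p in parts]


def cpe_to_purls(cpe: str) -> list[str]:
    """Look a CPE up in the curated table; no entry means no PURLs.

    The CPE version (field 5) is carried over as the PURL version unless
    it is the ANY ("*") or NA ("-") logical value.
    """
    fields = parse_cpe23(cpe)
    vendor = VENDOR_ALIASES.get(fields[3].lower(), fields[3].lower())
    product = PRODUCT_ALIASES.get(fields[4].lower(), fields[4].lower())
    version = fields[5]
    base = CURATED.get((vendor, product), [])
    if version in ("*", "-", ""):
        return list(base)
    return [f"{purl}@{version}" for purl in base]
```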
@adulau FYI, I have been invited by a CVE.org quality working group to present PURL sometime in January 2025 as they would be interested to have it as a main id in the next CVE schema. To be continued...
We wanted to add an automatic PURL generation from existing CPE or CSAF in vulnerability-lookup. Is there a library for doing this?