Merge pull request #1309 from tschmidtb51/purl-updates

PURL updates

Author: tschmidtb51

csaf_2.0/known_issues.md

@@ -37,3 +37,5 @@
 - The last informative comment in [test 6.2.18](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6218-product-version-range-without-vers)
   contains a typo, stating `vsl` instead of `vls`.
   See [#1265](https://github.com/oasis-tcs/csaf/issues/1265).
+- Confusion could occur around the depth of PURL checking in test [6.1.13](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#6113-purl).
+  See [#1303](https://github.com/oasis-tcs/csaf/issues/1303).

csaf_2.1/json_schema/csaf.json

@@ -252,17 +252,17 @@
               }
             },
             "purls": {
-              "title": "List of package URLs",
-              "description": "Contains a list of package URLs (purl).",
+              "title": "List of PURLs",
+              "description": "Contains a list of Package-URLs (PURL).",
               "type": "array",
               "minItems": 1,
               "uniqueItems": true,
               "items": {
-                "title": "package URL representation",
-                "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
+                "title": "Package-URL representation",
+                "description": "The Package-URL (PURL) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
                 "type": "string",
                 "format": "uri",
-                "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
+                "pattern": "^pkg:[a-z][a-z0-9\\.\\-]*\\/.+",
                 "minLength": 7
               }
             },

csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md

@@ -41,6 +41,8 @@ Delegation to industry best practices technologies is used in referencing schema
     * Default Definition: https://www.first.org/tlp/
 * Exploit Prediction
   * Exploit Prediction Scoring System (EPSS) [cite](#EPSS)
+* Package Data
+  * Package-URL (PURL) [cite](#ECMA-427)
 * Platform Data
   * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
 * Vulnerability Categorization

csaf_2.1/prose/edit/src/introduction-04-informative-references.md

@@ -54,6 +54,9 @@ CWE-A
 CYCLONEDX161
 :    _CycloneDX Software Bill-of-Material Specification JSON schema version 1.6.1_, cyclonedx.org, November 7, 2024, https://github.com/CycloneDX/specification/blob/1.6.1/schema/bom-1.6.schema.json.
 
+ECMA-427
+:    _Package-URL (PURL) specification_, EMCA-427, 1st Edition, December 2025, <https://ecma-international.org/wp-content/uploads/ECMA-427_1st_edition_december_2025.pdf>
+
 EPSS
 :    _Exploit Prediction Scoring System (EPSS)_,  FIRST.Org, Inc., https://www.first.org/epss/
 
@@ -76,7 +79,7 @@ OPENSSL
 :    _GTLS/SSL and crypto library_, OpenSSL Software Foundation, https://www.openssl.org/.
 
 PURL
-:    _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec.
+:    _Package URL (PURL)_, GitHub Project, <https://github.com/package-url/purl-spec>.
 
 RFC3552
 :    Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <https://www.rfc-editor.org/info/rfc3552>.

csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md

@@ -261,9 +261,9 @@ As part of the model number, the special characters `?`, `*` and `\` MUST be esc
     IC25T060ATCS05-0
 ```
 
-##### Full Product Name Type - Product Identification Helper - purls
+##### Full Product Name Type - Product Identification Helper - PURLs
 
-List of purls (`purls`) of value type `array` with `1` or more unique items contains a list of package URL (purl) identifiers.
+List of PURLs (`purls`) of value type `array` with `1` or more unique items contains a list of Package-URL (PURL) identifiers.
 
 ```
     "purls": {
@@ -274,22 +274,22 @@ List of purls (`purls`) of value type `array` with `1` or more unique items cont
     },
 ```
 
-A package URL representation has value type `string` of `7` or more characters with `pattern` (regular expression):
+A Package-URL representation has value type `string` of `7` or more characters with `pattern` (regular expression):
 
 ```
-    ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+
+    ^pkg:[a-z][a-z0-9\\.\\-]*\\/.+
 ```
 
-> The given pattern does not completely evaluate whether a purl is valid according to the [cite](#PURL) specification.
+> The given pattern does not completely evaluate whether a PURL is valid according to the [cite](#ECMA-427) specification.
 > It provides a more generic approach and general guidance to enable forward compatibility.
-> CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986).
+> CSAF uses only the canonical form of PURL to conform with section 3.3 of [cite](#RFC3986).
 > Therefore, URLs starting with `pkg://` are considered invalid.
 
-The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
-See [cite](#PURL) for details.
-Multiple purls can be specified to allow for identifiers to locate identical components in different locations.
+The PURL attribute refers to a method for reliably identifying and locating software packages external to this specification.
+See [cite](#ECMA-427) and [cite](#PURL) for details.
+Multiple PURLs can be specified to allow for identifiers to locate identical components in different locations.
 
-If multiple purls are specified, they SHALL only differ in their qualifiers.
+If multiple PURLs are specified, they SHALL only differ in their qualifiers.
 Otherwise, separate product branches SHOULD be used to differentiate between the components.
 
 ##### Full Product Name Type - Product Identification Helper - SBOM URLs

csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md

@@ -1,6 +1,10 @@
-### purl
+### PURL
 
-It MUST be tested that all given purls are valid.
+It MUST be tested that all given PURLs are valid.
+
+> It is not sufficient to just test against the `pattern` provided in section [sec](#full-product-name-type-product-identification-helper-purls).
+> The PURL must be validated against the requirements in the [cite](#ECMA-427) specification and the additional constraints given in
+> section [sec](#full-product-name-type-product-identification-helper-purls).
 
 The relevant paths for this test are:
 
@@ -28,4 +32,4 @@ The relevant paths for this test are:
   }
 ```
 
-> Any valid purl has a name component.
+> Any valid PURL has a name component.

csaf_2.1/prose/edit/src/tests-01-mndtr-42-purl-qualifiers.md

@@ -1,6 +1,6 @@
-### purl Qualifiers
+### PURL Qualifiers
 
-For each `product_identification_helper` object containing multiple purls it MUST be tested that the purls only differ in their qualifiers.
+For each `product_identification_helper` object containing multiple PURLs it MUST be tested that the PURLs only differ in their qualifiers.
 
 The relevant paths for this test are:
 
@@ -29,4 +29,4 @@ The relevant paths for this test are:
   }
 ```
 
-> The two purls differ in the name component.
+> The two PURLs differ in the name component.