Skip to content

fix: make PURLs use oci type / fixed SBOM component name #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 22, 2024
Merged

fix: make PURLs use oci type / fixed SBOM component name #11

merged 6 commits into from
Oct 22, 2024

Conversation

dervoeti
Copy link
Member

@dervoeti dervoeti commented Oct 17, 2024
edited
Loading

Same thing as stackabletech/operator-templating#448, but for our product images. It probably makes sense for the same person to review both this PR and the other.

Use OCI type for PURLs, according to https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#oci

This is more correct in general and most importantly makes the PURL equal to the one Trivy generates for our container images.

This PR is a bit more complicated than the one for operators, since I had to extract the product name (e.g. "kafka") and the architecture before generating the PURL.

I also added another small change to this PR:
The --source-name passed to Syft is now just the name of the image. Currently, it would be sdp/kafka. This change changes it to just kafka. The parameter ist reflected in .metadata.component.name in the SBOM and I think just kafka is the correct value here, it should not include the repository.

@dervoeti dervoeti requested a review from Techassi October 17, 2024 08:27
@dervoeti dervoeti changed the title fix: make PURLs use oci type fix: make PURLs use oci type / fixed SBOM component name Oct 18, 2024
@dervoeti dervoeti mentioned this pull request Oct 18, 2024
Merged
Techassi
Techassi previously requested changes Oct 21, 2024
View reviewed changes
@dervoeti dervoeti self-assigned this Oct 21, 2024
NickLarsenNZ
NickLarsenNZ reviewed Oct 21, 2024
View reviewed changes
@dervoeti dervoeti requested a review from NickLarsenNZ October 21, 2024 10:56
NickLarsenNZ
NickLarsenNZ previously approved these changes Oct 22, 2024
View reviewed changes
Copy link
Member

@NickLarsenNZ NickLarsenNZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

NickLarsenNZ
NickLarsenNZ requested changes Oct 22, 2024
View reviewed changes
Copy link
Member

@NickLarsenNZ NickLarsenNZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more change

@NickLarsenNZ NickLarsenNZ self-requested a review October 22, 2024 13:33
NickLarsenNZ
NickLarsenNZ approved these changes Oct 22, 2024
View reviewed changes
Copy link
Member

@NickLarsenNZ NickLarsenNZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dervoeti dervoeti dismissed Techassi’s stale review October 22, 2024 13:34

Fixed the mentioned issues

@dervoeti dervoeti merged commit 0c5dbc4 into main Oct 22, 2024
9 checks passed
@dervoeti dervoeti deleted the fix/oci-purls branch October 22, 2024 13:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NickLarsenNZ NickLarsenNZ NickLarsenNZ approved these changes

@Techassi Techassi Awaiting requested review from Techassi

Assignees

@dervoeti dervoeti

Labels
None yet
Projects
Stackable Engineering
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dervoeti @NickLarsenNZ @Techassi