
'component' metadata claims Airflow is an npm or application #44178

Open
1 of 2 tasks
raboof opened this issue Nov 19, 2024 · 2 comments
Labels
area:core kind:bug This is a clearly a bug needs-triage label for new issues that we didn't triage yet

Comments

@raboof
Member

raboof commented Nov 19, 2024

Apache Airflow version

2.10.3

If "Other Airflow 2 version" selected, which one?

No response

What happened?

Looking at Airflow SBOMs such as apache-airflow-sbom-2.10.3-python3.12.json and apache-airflow-sbom-2.10.3-python3.12-python-only.json, they identify the artifact being described by those SBOMs as pkg:npm/apache-airflow@2.10.3 and pkg:application/apache-airflow@2.10.3. These are purls, but I'm pretty sure Airflow is not an npm package, and application does not exist as a purl type at all.

What you think should happen instead?

  • Describe 'exactly what' is being described by this SBOM. Does it describe a particular artifact, such as https://pypi.org/project/apache-airflow/ ? Then it should probably use the pypi purl type. If it describes Airflow more 'in the abstract', perhaps we should use the generic purl type or introduce an asf purl type.

How to reproduce

Generate the SBOMs

Operating System

n/a

Versions of Apache Airflow Providers

No response

Deployment

Other

Deployment details

No response

Anything else?

Part of this may be an upstream issue in https://github.com/CycloneDX/cdxgen , but I figured it would be good to first determine what we want to achieve 'concretely' here, and only look at what changes we may or may not need to generalize in upstream tooling after that.

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

@raboof raboof added area:core kind:bug This is a clearly a bug needs-triage label for new issues that we didn't triage yet labels Nov 19, 2024

boring-cyborg bot commented Nov 19, 2024

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

@potiuk
Member

potiuk commented Dec 29, 2024

It looks like it's the way cyclonedx generates it:

  • when you use "python-only" sboms - it's pkg:application/apache-airflow@2.10.3 - which is more correct, even if it's not a PyPI URL
  • when you use "both npm + python" - it's pkg:npm/apache-airflow@2.10.3

I will take a look shortly at the generation process and we should likely set it to pkg:pypi/apache-airflow@2.10.3.

The good news is that it's only the "top" level Purl. All the other dependencies - including our providers - are good: "pkg:pypi/[email protected]"
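The following check is an added example written for this page; it is not code from the Airflow repository or from cdxgen. It loads a CycloneDX JSON document, parses the purl of metadata.component, rejects purl types that are not defined in the purl-spec (so "application" is flagged), verifies that the purl's name and version agree with the component's own name and version, and flags a top-level purl whose type differs from the single type used by all dependencies (an npm purl over a pypi-only dependency list, the situation described above). The list of known purl types is an assumption (the registered types as of this writing), and the SBOM built by sample_sbom() is a constructed document that only mimics the shape reported in the issue; the dependency names and versions in it are made up.

```python
"""Validate the top-level (metadata.component) purl of a CycloneDX JSON SBOM.

Added example, not Airflow's or cdxgen's code. Usage: run the file, or call
check_sbom(json.load(open("apache-airflow-sbom-2.10.3-python3.12.json"))).
"""
import copy
import re
from collections import Counter
from urllib.parse import unquote

# Purl types defined in the purl-spec (assumption: the registered list as of
# this writing; note that "application" is not among them).
KNOWN_PURL_TYPES = frozenset({
    "alpm", "apk", "bitbucket", "bitnami", "cargo", "cocoapods", "composer",
    "conan", "conda", "cpan", "cran", "deb", "docker", "gem", "generic",
    "github", "golang", "hackage", "hex", "huggingface", "luarocks", "maven",
    "mlflow", "npm", "nuget", "oci", "pub", "pypi", "qpkg", "rpm", "swid",
    "swift",
})

# scheme "pkg:", a type, then "namespace/name@version?qualifiers#subpath".
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/(?P<rest>[^?#]+)"
    r"(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl):
    """Split a purl into type, namespace, name and version (qualifiers ignored)."""
    m = PURL_RE.match(purl.strip())
    if not m:
        raise ValueError(f"not a purl: {purl!r}")
    rest = m.group("rest").strip("/")
    version = None
    # The version follows the last '@'; a leading '@' is an npm scope, not a version.
    if "@" in rest.lstrip("@"):
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = [unquote(p) for p in rest.split("/") if p]
    if not parts:
        raise ValueError(f"purl has no name: {purl!r}")
    return {
        "type": m.group("type").lower(),
        "namespace": "/".join(parts[:-1]) or None,
        "name": parts[-1],
        "version": version,
    }


def pypi_purl(name, version):
    """Build a pkg:pypi purl; pypi names are lowercased with '_' replaced by '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def check_sbom(sbom):
    """Return a list of findings about metadata.component.purl; [] means clean."""
    findings = []
    top = sbom.get("metadata", {}).get("component", {})
    purl = top.get("purl")
    if not purl:
        return ["metadata.component has no purl"]
    try:
        parsed = parse_purl(purl)
    except ValueError as err:
        return [str(err)]
    if parsed["type"] not in KNOWN_PURL_TYPES:
        findings.append(f"unknown purl type {parsed['type']!r} in {purl}")
    if parsed["name"] != top.get("name"):
        findings.append(f"purl name {parsed['name']!r} != component name {top.get('name')!r}")
    if parsed["version"] != top.get("version"):
        findings.append(f"purl version {parsed['version']!r} != component version {top.get('version')!r}")
    # A dependency list from a single ecosystem whose top-level purl is of a
    # different type (npm over pypi-only) is almost certainly mislabelled.
    dep_types = Counter()
    for comp in sbom.get("components", []):
        try:
            dep_types[parse_purl(comp["purl"])["type"]] += 1
        except (KeyError, ValueError):
            continue  # components without a parseable purl are not counted
    if len(dep_types) == 1:
        (dep_type,) = dep_types
        if parsed["type"] != dep_type:
            findings.append(f"top-level purl type {parsed['type']!r} differs from "
                            f"the only dependency purl type {dep_type!r}")
    return findings


def fix_top_level_purl(sbom):
    """Return a deep copy whose top-level purl is a pkg:pypi purl built from the
    component's own name and version (the fix proposed in the thread)."""
    fixed = copy.deepcopy(sbom)
    top = fixed["metadata"]["component"]
    top["purl"] = pypi_purl(top["name"], top["version"])
    return fixed


def sample_sbom(top_purl):
    """Constructed CycloneDX 1.5 document mimicking the shape in the issue."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": "apache-airflow",
                                   "version": "2.10.3", "purl": top_purl}},
        "components": [  # constructed entries; names and versions are made up
            {"type": "library", "name": "apache-airflow-providers-http",
             "version": "1.0.0", "purl": "pkg:pypi/apache-airflow-providers-http@1.0.0"},
            {"type": "library", "name": "flask", "version": "1.0.0",
             "purl": "pkg:pypi/flask@1.0.0"},
        ],
    }


if __name__ == "__main__":
    for purl in ("pkg:npm/apache-airflow@2.10.3", "pkg:application/apache-airflow@2.10.3"):
        sbom = sample_sbom(purl)
        print(purl, "->", check_sbom(sbom) or "ok")
        print("  fixed:", fix_top_level_purl(sbom)["metadata"]["component"]["purl"])
```

The ecosystem comparison deliberately fires only when every dependency purl shares one type; a mixed npm + Python SBOM, where both types are legitimately present, is left to the unknown-type and name/version checks so the script does not produce false positives on a genuinely polyglot bill of materials.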
