8 changes: 8 additions & 0 deletions etc/scripts/purl_type_definition.py
Expand Up @@ -254,3 +254,11 @@ class NamespaceDefinition(PurlComponentDefinition):
),
title="Namespace requirement",
)
valid_values: Optional[list[str]] = Field(
None,
description=(
"Optional set of allowed values for this namespace. If provided, the namespace value"
" MUST be one of these."
),
title="Valid values",
)
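Review bot: The description on this hunk says the namespace value "MUST be one of these", but the field is only typed as `Optional[list[str]]` with no uniqueness or non-empty constraint, while the JSON schema added for the same property in this PR sets `"uniqueItems": true`; add a matching validator here (reject duplicates and an empty list) so the Python model and the schema cannot drift apart. Given the review comments that the list can never be exhaustive, also consider SHOULD in place of MUST in this docstring, mirroring whatever wording the schema ends up with.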
Contributor:
I think we need a set of known values rather than a set of valid values. If implementations are validating that they are receiving only the expected values then adding new values (eg adding Linux Mint) is a breaking change.

9 changes: 9 additions & 0 deletions schemas/purl-type-definition.schema.json
Expand Up @@ -162,6 +162,15 @@
"$ref": "#/definitions/prohibited_requirement"
}
]
},
"valid_values": {
"title": "Valid values",
Member:
Since we cannot really be exclusive, I would rather call this "known_values".

"description": "Optional set of allowed values for this namespace. If provided, the namespace value MUST be one of these.",
Member:
MUST is a problem as I cannot enumerate ALL the known RPM-based distros at all times, so SHOULD would be better. We can also ensure in validation tests that we can return a warning as this would round up the thing nicely.

Contributor:
Another aspect to consider here are custom packages you add to an OS image/installation, say you build and install your own, patched version of the kernel. In my eyes, an ideal SBOM scanner should detect that the vendor for this package is not debian/opensuse/... and set the namespace accordingly to gernot-patched or unknown. Not sure if this should explicitly be mentioned in the spec or we simply leave it at SHOULD which would allow this degree of freedom?

"type": "array",
"items": {
"type": "string"
},
"uniqueItems": true
}
},
"allOf": [
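Review bot: The new `valid_values` property has `"uniqueItems": true` but no `"minItems"`, so an empty array is schema-valid while, under the "MUST be one of these" description, it would make every namespace value invalid; add `"minItems": 1` or, as the comments above suggest, rename to `known_values` and soften the description to SHOULD so that a value outside the list yields a warning rather than a hard failure.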
2 changes: 1 addition & 1 deletion types-doc/cpan-definition.md
Expand Up @@ -22,7 +22,7 @@ The structure of a PURL for this package type is:

- **Requirement:** Required
- **Native Label:** CPAN ID of the author/publisher
- **Note:** `It MUST be written uppercase and is required.`
- **Note:** `It MUST be written uppercase and is required`

## Name definition

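Review bot: The only change in this hunk drops the trailing period inside the backticked Note text; it is unrelated to the `valid_values` work in the rest of the PR and would be easier to review as its own commit. If it stays, the commit message should say why the period is being removed (presumably consistency with the other type docs).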
6 changes: 5 additions & 1 deletion types/deb-definition.json
Expand Up @@ -12,7 +12,11 @@
"native_name": "vendor",
"case_sensitive": false,
"note": "The namespace is the \"vendor\" name such as \"debian\" or \"ubuntu\". It is not case sensitive and must be lowercased.",
"requirement": "required"
"requirement": "required",
"valid_values": [
"debian",
"ubuntu"
]
},
"name_definition": {
"requirement": "required",
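Review bot: With only `debian` and `ubuntu` listed and the description saying the value MUST be one of them, every Debian derivative (the Contributor comment above gives Linux Mint as an example) becomes invalid, and adding one later is a breaking change for any validator that enforces the list. Because `case_sensitive` is `false` and the note says the value "must be lowercased", implementers also need to lowercase the namespace before comparing against these entries, otherwise `Debian` would be rejected; worth stating that in the note alongside the list.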
13 changes: 12 additions & 1 deletion types/rpm-definition.json
Expand Up @@ -12,7 +12,18 @@
"case_sensitive": false,
"native_name": "vendor",
"note": "The namespace is the vendor such as Fedora or OpenSUSE. It is not case sensitive and must be lowercased.",
"requirement": "required"
"requirement": "required",
"valid_values": [
"redhat",
"centos",
"fedora",
"almalinux",
"rockylinux",
"opensuse",
"oraclelinux",
"amazonlinux",
"azurelinux"
]
},
"name_definition": {
"requirement": "required",
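Review bot: The Member comment above says this list cannot enumerate all RPM-based distros and will keep growing, so keep the entries sorted alphabetically (they are currently in arbitrary order) to make additions small, reviewable diffs and to make near-duplicates obvious, since the schema's `uniqueItems` only catches exact repeats. The `note` still describes vendors as "Fedora or OpenSUSE" in mixed case while the entries are lowercase; it should say explicitly that the comparison happens after lowercasing so a value like `Fedora` is not rejected against `fedora`.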