feat(sbom): Include the distro qualifier as part of the APK PURL (#2078)

pdeslaur · web-flow · commit 955df03e8887 · 2025-07-23T17:33:31.000+01:00
* Include the distro qualifier

* Update e2e test data

* Don't be a double distrogit add .

* Don't set distro if unknown

* Fix test
diff --git a/examples/go-install.yaml b/examples/go-install.yaml
@@ -11,7 +11,7 @@
 # please see go-install.yaml in this directory.
 package:
   name: hello
-  version: v0.0.1
+  version: 0.0.1
   epoch: 0
   description: "A project that will greet the world infinitely"
 
@@ -26,4 +26,4 @@ pipeline:
   - uses: go/install
     with:
       package: github.com/puerco/hello
-      version: ${{package.version}}
+      version: v${{package.version}}
diff --git a/pkg/build/testdata/goldenfiles/sboms/7zip-two-fetches-2301-r3.spdx.json b/pkg/build/testdata/goldenfiles/sboms/7zip-two-fetches-2301-r3.spdx.json
@@ -41,7 +41,7 @@
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referenceLocator": "pkg:apk/wolfi/7zip-two-fetches@2301-r3?arch=x86_64",
+          "referenceLocator": "pkg:apk/wolfi/7zip-two-fetches@2301-r3?arch=x86_64\u0026distro=wolfi",
           "referenceType": "purl"
         }
       ]
diff --git a/pkg/build/testdata/goldenfiles/sboms/crane-0.20.2-r1.spdx.json b/pkg/build/testdata/goldenfiles/sboms/crane-0.20.2-r1.spdx.json
@@ -41,7 +41,7 @@
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referenceLocator": "pkg:apk/wolfi/crane@0.20.2-r1?arch=x86_64",
+          "referenceLocator": "pkg:apk/wolfi/crane@0.20.2-r1?arch=x86_64\u0026distro=wolfi",
           "referenceType": "purl"
         }
       ]
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -266,6 +266,13 @@ func newAPKPackageURL(distro, name, version, arch string) *purl.PackageURL {
 		Version:   version,
 	}
 
+	if distro != "unknown" {
+		u.Qualifiers = append(u.Qualifiers, purl.Qualifier{
+			Key:   "distro",
+			Value: distro,
+		})
+	}
+
 	if arch != "" {
 		u.Qualifiers = append(u.Qualifiers, purl.Qualifier{
 			Key:   "arch",
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -1289,3 +1289,100 @@ func TestSetCapability(t *testing.T) {
 		})
 	}
 }
+
+func TestPackageURL(t *testing.T) {
+	tests := []struct {
+		name     string
+		pkg      Package
+		distro   string
+		arch     string
+		expected string
+	}{
+		{
+			name: "basic package URL",
+			pkg: Package{
+				Name:    "test-package",
+				Version: "1.0.0",
+				Epoch:   0,
+			},
+			distro:   "alpine",
+			arch:     "x86_64",
+			expected: "pkg:apk/alpine/test-package@1.0.0-r0?arch=x86_64&distro=alpine",
+		},
+		{
+			name: "package with epoch",
+			pkg: Package{
+				Name:    "test-package",
+				Version: "2.1.3",
+				Epoch:   5,
+			},
+			distro:   "wolfi",
+			arch:     "aarch64",
+			expected: "pkg:apk/wolfi/test-package@2.1.3-r5?arch=aarch64&distro=wolfi",
+		},
+		{
+			name: "package without architecture",
+			pkg: Package{
+				Name:    "test-package",
+				Version: "1.0.0",
+				Epoch:   0,
+			},
+			distro:   "alpine",
+			arch:     "",
+			expected: "pkg:apk/alpine/test-package@1.0.0-r0?distro=alpine",
+		},
+		{
+			name: "package with complex version",
+			pkg: Package{
+				Name:    "complex-package",
+				Version: "1.2.3-alpha.1",
+				Epoch:   10,
+			},
+			distro:   "chainguard",
+			arch:     "x86_64",
+			expected: "pkg:apk/chainguard/complex-package@1.2.3-alpha.1-r10?arch=x86_64&distro=chainguard",
+		},
+		{
+			name: "package with special characters in name",
+			pkg: Package{
+				Name:    "lib-test_package.so",
+				Version: "0.1.0",
+				Epoch:   1,
+			},
+			distro:   "alpine",
+			arch:     "arm64",
+			expected: "pkg:apk/alpine/lib-test_package.so@0.1.0-r1?arch=arm64&distro=alpine",
+		},
+		{
+			name: "package with unknown distro",
+			pkg: Package{
+				Name:    "lib-test_package.so",
+				Version: "0.1.0",
+				Epoch:   1,
+			},
+			distro:   "unknown",
+			arch:     "arm64",
+			expected: "pkg:apk/unknown/lib-test_package.so@0.1.0-r1?arch=arm64",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			packageURL := tt.pkg.PackageURL(tt.distro, tt.arch)
+			require.NotNil(t, packageURL)
+
+			actualURL := packageURL.String()
+			require.Equal(t, tt.expected, actualURL, "PackageURL string representation should match expected format")
+
+			// Verify the PackageURL can be parsed back
+			parsed, err := purl.FromString(actualURL)
+			require.NoError(t, err, "Generated PackageURL should be parseable")
+
+			// Verify components
+			require.Equal(t, purlTypeAPK, parsed.Type)
+			require.Equal(t, tt.distro, parsed.Namespace)
+			require.Equal(t, tt.pkg.Name, parsed.Name)
+			require.Equal(t, tt.pkg.FullVersion(), parsed.Version)
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@`
`41`	`41`	`"externalRefs": [`
`42`	`42`	`{`
`43`	`43`	`"referenceCategory": "PACKAGE-MANAGER",`
`44`		`- "referenceLocator": "pkg:apk/wolfi/7zip-two-fetches@2301-r3?arch=x86_64",`
	`44`	`+ "referenceLocator": "pkg:apk/wolfi/7zip-two-fetches@2301-r3?arch=x86_64\u0026distro=wolfi",`
`45`	`45`	`"referenceType": "purl"`
`46`	`46`	`}`
`47`	`47`	`]`