adding enumerated namespaces for the most popular vendors for rpm and deb types

[jacobcalvert]

Description

Several tools are generating purls for packages in various Linux distributions. This change adds clarifications for the expected namespace for the most popular distributions using each package type.

[meljw]

Hi, wondering if this is relevant for you. I have seen different namespaces for Oracle Linux (mysql docker)

• Syft gives ol
• cdxgen gives oracle
• Docker Scout gives oraclelinux

[jacobcalvert]

Hi, wondering if this is relevant for you. I have seen different namespaces for Oracle Linux (mysql docker)

• Syft gives ol
• cdxgen gives oracle
• Docker Scout gives oraclelinux

Thanks!
I paused on adding these since I didn't find consensus among the different tools, but I think oracle or oraclelinux makes most sense; ol is a bit too short and ambiguous. If the spec maintainers agree, I'll update my PR to include one of those two as well in the definition list.

[giterlizzi]

If it can be useful for PR in my SecDB project (https://secdb.nttzen.cloud/pkg) support this several PURL namespaces for deb and rpm:

Type	Namespace
deb	debian
deb	ubuntu
rpm	almalinux
rpm	amazonlinux
rpm	azurelinux
rpm	cbl-mariner
rpm	centos
rpm	fedora
rpm	opensuse
rpm	oraclelinux
rpm	redhat
rpm	rockylinux
rpm	suse

[gernot-h]

Yes, such a clarification would be great and help avoid ambiguities like anchore/syft#2914.

[pombredanne]

If it can be useful for PR in my SecDB project (https://secdb.nttzen.cloud/pkg) support this several PURL namespaces for deb and rpm:
Type Namespace
deb debian
deb ubuntu
rpm almalinux
rpm amazonlinux
rpm azurelinux
rpm cbl-mariner
rpm centos
rpm fedora
rpm opensuse
rpm oraclelinux
rpm redhat
rpm rockylinux
rpm suse

@giterlizzi do you mind to suggest this as an update?
Or shall I add this directly?
or @ jacobcalvert do you want to add these?

[jacobcalvert]

If it can be useful for PR in my SecDB project (https://secdb.nttzen.cloud/pkg) support this several PURL namespaces for deb and rpm:
Type Namespace
deb debian
deb ubuntu
rpm almalinux
rpm amazonlinux
rpm azurelinux
rpm cbl-mariner
rpm centos
rpm fedora
rpm opensuse
rpm oraclelinux
rpm redhat
rpm rockylinux
rpm suse

@giterlizzi do you mind to suggest this as an update? Or shall I add this directly? or @ jacobcalvert do you want to add these?

I'm happy to add these to this PR. Will do that shortly, thanks for taking a look.

[giterlizzi]

If it can be useful for PR in my SecDB project (https://secdb.nttzen.cloud/pkg) support this several PURL namespaces for deb and rpm:
Type Namespace
deb debian
deb ubuntu
rpm almalinux
rpm amazonlinux
rpm azurelinux
rpm cbl-mariner
rpm centos
rpm fedora
rpm opensuse
rpm oraclelinux
rpm redhat
rpm rockylinux
rpm suse

@giterlizzi do you mind to suggest this as an update? Or shall I add this directly? or @ jacobcalvert do you want to add these?

I listed them only as a suggestion because they are the most common ones I have found in tools, SBOM files, etc.
The alternative is to use the ID field from the "os-release" file, but it does not always report the full name (e.g. for Oracle Linux it reports ol).

[pombredanne]

Thanks! See some nits for your consideration.
Also can you beat the bushes to get some input from folks involved with some of the distros to provide a quick ack or comment?

[pombredanne]

you mentioned rocklinux above but use rocky here.

Suggested change

	pkg:rpm/rocky/[email protected]?arch=x86_64&distro=rocky-8.6&upstream=acl-2.2.53-1.el8.1.src.rpm
	pkg:rpm/rockylinux/[email protected]?arch=x86_64&distro=rocky-8.6&upstream=acl-2.2.53-1.el8.1.src.rpm

[pombredanne]

Please keep an empty line there

[pombredanne]

Why do you introduce a new upstream qualifier? I get the intent but I am not sure this is not already entirely determined from the RPM tags.
In all cases, can you leave this out for another PR?

[mprpic]

LGTM!

[hroncok]

osv.dev says rocky-linux google/osv.dev#2939

[gernot-h]

If it can be useful for PR in my SecDB project (https://secdb.nttzen.cloud/pkg) support this several PURL namespaces for deb and rpm:
Type Namespace
[...]
rpm amazonlinux

@giterlizzi, do you have a reference for using amazonlinux? Just wanted to mention, yesterday, I got a trivy-generated SBOM which uses just rpm/amazon/glibc. If other common tools use amazonlinux, I'm fine with keeping it, didn't do a market survey. ;-)

[giterlizzi]

If it can be useful for PR in my SecDB project (https://secdb.nttzen.cloud/pkg) support this several PURL namespaces for deb and rpm:
Type Namespace
[...]
rpm amazonlinux

@giterlizzi, do you have a reference for using amazonlinux? Just wanted to mention, yesterday, I got a trivy-generated SBOM which uses just rpm/amazon/glibc. If other common tools use amazonlinux, I'm fine with keeping it, didn't do a market survey. ;-)

I confirm that there are several PURL variants for AmazonLinux:

• Trivy, as you said, uses pkg:rpm/amzn (I suppose because it reads it from /etc/os-release --> https://github.com/chef/os_release/blob/main/amazon_2022)
• Docker Scout's SBOM uses pkg:rpm/amazonlinux (it seems to be almost the same format used on docker.hub -- see example below)
• The endoflife.date project uses pkg:rpm/amzn (e.g. https://endoflife.date/python)
• Amazon Inspector seems to use pkg:rpm/amazon (https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/blob/main/entrypoint/tests/test_data/sboms/amazonlinux%3Alatest.json)

Docker Scout SBOM command output:

docker scout sbom amazonlinux:latest

    {
      "type": "rpm",
      "namespace": "amazonlinux",
      "name": "zstd",
      "version": "1.5.5-1.amzn2023.0.1",
      "purl": "pkg:rpm/amazonlinux/[email protected]?os_name=amazonlinux&os_version=2023",
      "size": 799606,
      "locations": [...],
      [...]
    }

[pombredanne]

We now have a more structured definition of types in JSON after the merge of PR #514 😇 - See #514

With the new approach... this PR would need to be updated. Could you look into this? Thanks for your understanding !

[jacobcalvert]

@pombredanne I'm looking at the purl-type-definition.schema.json and don't see a way to provide an enumeration of valid values in the namespace_definition field. Did you intend for my PR to add this enumeration ability to the base meta schema and then add it to the RPM schema or something else?

[jacobcalvert]

@pombredanne any thoughts on this? I don't want this set of clarifications to get lost as we need the clarity about proper PURL formats for various Linux distros.