Comments (24)
Thanks @pombredanne I'll review and leave comments early next week.
I don't think this changes the much for Grafeas - would just require the API implementation to handle and validate the revised formats.
from grafeas.
The container image referencing in the purl spec looks good to me
from grafeas.
I don't intend to derail purl adoption. I think I've articulated my hesitation, which seems to be a general problem and not exclusive to purl. package-url/purl-spec#29
from grafeas.
So I'm now learning the extent of the work that has gone into SWID ISO 19770-2, despite the pay-wall barrier. I'm very glad that purl-spec is more open, but we might should consider that many deployments may have requirements to use SWID over purl.
Purl-spec has a FAQ about this, https://github.com/package-url/purl-spec/wiki/FAQ#why-not-using-the-iso-19770-2-spec-for-swid-tags-instead-of-a-purl which I don't disagree with. Red Hat has participated in the SWID review, and is also a part urging/pressuring Tagvault to open the SWID spec up more.
from grafeas.
@R2wenD2 here we go as promised!
from grafeas.
Thanks!
I don't think this changes the much for Grafeas - would just require the API implementation to handle and validate the revised formats.
Indeed, and that's part of the intent.
FWIW there is a mention of a Go implementation in progress on the PR at package-url/purl-spec#1 (comment)
from grafeas.
Maven has a few more coordinates that can come into play in some instances: packaging and classifier. The typical ordering looks like this:
groupId:artifactId:(optional)packaging:(optional)classifier:version
While GAV may be sufficient for many cases, there will be times where some attestation needs to apply to one classifier and not another, or one package and not another. We should expand the spec to allow the optional inclusion of these extra fields.
ref: https://maven.apache.org/pom.html#Maven_Coordinates
from grafeas.
@brianf yes Maven has these and these are not the norm as you pointed out quite rightly. The current Grafeas README does not handle these at all. They also in most case derive from the same source, hence for these they would be treated as optional qualifiers
in https://github.com/package-url/purl-spec/tree/a21a9ecbab171fe06d1ac88843bc3721a42dbed0 and they would come as "query string" aka. purl qualifiers with this proposal:
maven for Maven JARs and related artifacts
- The default repository is maven.org
- The group id is the namespace and the artifact id is the name
- Known qualifiers keys are: classifier and packaging as defined in the POM documentation
- Examples:
`maven:org.apache.xmlgraphics/[email protected]`
`maven:org.apache.xmlgraphics/[email protected]?packaging=sources`
from grafeas.
@brianf It would be awesome if you want to chime in on the purl spec btw. The initial and a tad messy PR is there package-url/purl-spec#1 and received comments from dpkg, nuget, spak, npm and several important package format maintainers and many others. Going forward a ticket is better.
Having a JVM implementation is also needed!
from grafeas.
Is the intent of the purl spec to replace the one in the README? If not, how do they correlate?
from grafeas.
@brianf that's the intent of this ticket to propose a replacement for the one of the README alright
from grafeas.
The purl spec extends a bit beyond Grafeas as it also caters to other tools, DB and APIs such as libraries.io, victims, openshift analytics, aboutcode.org projects and a few more.
from grafeas.
@lizrice Thank you for the valuable feedback!
from grafeas.
I think everyone is happy with this proposal, we'll just need to add the verification to the reference implementation and documentation.
from grafeas.
woof this purl conversation has gone wild while I was out! So to be clear, https://github.com/package-url/purl-spec is a recent discussion and not a widely agreed-upon and implemented spec, right?
I can follow the table, just want to make sure that it's a wider conversation.
from grafeas.
from grafeas.
@vbatts Do you have reservations about purl? If so I'd love to hear them. We want some kind of standard format for grafeas, so I basically +1 everything that @brianf said above.
from grafeas.
from grafeas.
from grafeas.
No problem. I think its still something we want to do. At this point, I expect that purl adoption means updating docs as well as the API implementation to parse for it.
from grafeas.
Next steps here:
- Update docs
- Incorporate the purl checks into our reference implementation!
from grafeas.
@vbatts Just back from FOSDEM where I presented this https://fosdem.org/2018/schedule/event/purl/ (video and deck are there)
There was a clear preference from most everyone there to use a single scheme prefix eg. pkg:npm:[email protected]
such that this can be easily registered as an official RFC and many other good reasons so in this context we could have something like:
pkg:swid:<whatever is a swid>
OR have a proper SWID URI or URL separately alright.
I wished SWID would not have been these walled garden centralized scheme, but that's not my battle to fight ;) Let's make a ticket on the purl side to have this included alright
from grafeas.
I would like to attract your attention to this purl ticket package-url/purl-spec#9
... which eventually would mean that all purl would share a common pkg:
URL prefix for many good reasons including invaluable feedback from @annevk and @mnot
Some impact here: this would mean that existing grafeas resource URIs would not be quasi-purlesque as-is because of this added prefix BUT it also means more flexibility to use other identification strings such as swid, cpe, etc in the same spot. Food for thoughts!
from grafeas.
@pombredanne there is further conversation going regarding SWID. I am thinking that the prefixing may help. Further this FAQ really ought to be updated from "avoid this"-like language. As one [private] conversation included:
I can understand the sentiment, but it is wrong in many respects. First, the
ISO specification is not for proprietary software. How can anyone come to
that conclusion. The C programming language is governed by ISO/IEC 9899:2011.
Does that mean that gcc is a proprietary compiler? I think not.
Having this distinguished prefixes, it'll let SWID do what it's intended for of specifying files (not just whole software packages, regardless of proprietary or FOSS), and purl can map collections/packages of software.
Make sense?
from grafeas.
Related Issues (20)
- new Elasticsearch backend implementation - looking for feedback
- Running GET cURL for a valid occurrence ID but from the wrong project HOT 1
- json: cannot unmarshal object when trying to create in toto occurrence HOT 4
- [Question]: Getting started with Grafeas HOT 3
- [Question] process to contribute a new storage implementation HOT 2
- Diagram in the readme is unviewable in GH dark mode
- Update Note and Occurrence Protos to support SBOM (SPDX) data HOT 1
- Can't get any notes using python client HOT 1
- [Getting Started] SOS When I visit the grafeas-server, it shows 500
- Support git as one of the producers when sending data to Grafeas HOT 1
- Add support for CWE field in vulnerability proto message HOT 7
- Updating repeated fields is broken due to grpc-gateway bug HOT 1
- Unable to create any occurrence except kind: DEPLOYMENT with postgres backend HOT 1
- Release v0.2.1 HOT 1
- Use Grafeas v1 API HOT 1
- Note ID can be created with / in the id, but not queried HOT 1
- Security Policy violation Binary Artifacts HOT 2
- Enable Grafeas to store and retrieve Vex information
- Support SLSA v1.0 provenance format HOT 1
- possible SQL injection?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grafeas.