Propose os candidate type
#161
Conversation
Based on discussion here: https://gitter.im/package-url/Lobby?at=61ea707f46529077f596ae70
|
Added more details, and some examples. |
Generally, no. I can see an argument for an OS as a container image, or an embedded OS build as a flashable image and in both cases I would reference them by digest with existing purl types. For looking up EOL information about an OS, I would accept CPE strings, User-Agent strings, relevant bits of the os-release specification, the strings tracked by Repology, the output of distro in popular tools like neofetch, facter, etc. I can also see how given a sufficiently big array of sufficiently specific purls, an API could determine those only exist in a given release of a certain OS and return the EOL status with some degree of confidence. For example feeding it the purl for base-files of a Debian based distro. I can perhaps think about WSL environments as analogous to a package. They have a Windows Store identifier string specified in their manifest. But that sounds a bit like a specific namespace, not unlike snap. My 2e-2. |
There was a problem hiding this comment.
@captn3m0 thanks! the update looks good to me!
Note that if this can be of some use I eventually amassed a large collection of /etc/os-release for testing in https://github.com/nexB/container-inspector/tree/main/tests/data/distro/os-release
They come from @natefoo , @zyga , @tas50 , @kmf and many others plus some extra additions. We could move this here to maintain and use as a reference?
See:
- https://github.com/nexB/container-inspector/blob/main/tests/data/distro/os-release-chef.ABOUT
- https://github.com/nexB/container-inspector/blob/main/tests/data/distro/os-release-zoo.ABOUT
- https://github.com/nexB/container-inspector/blob/main/tests/data/distro/os-release-chef.ABOUT
@bureado Thanks... your comments make sense. The notion of what's a package is a bit in the eye of the beholder, as basically "your product is a package to me" in a larger software supply sense. This is typical in material, physical BOMs to have assemblies sub-assemblies and there is a rich background to draw from there. I can see an OS as a big assembly and there are times when this could be a valuable shortcut to have as a purl.
The key tests here would be IMHO:
- is this useful?
- is this package type obvious and can it be easily inferred from looking at the code?
I would answer yes to both.
| @@ -337,11 +337,14 @@ os | |||
| - In case no CPE is available, the ``ID`` field from ``/etc/os-release`` can be used as both the namespace and name. | |||
| - The ``version`` field should be latest version (including patch) that the operating system has been updated to. This should closely match the ``VERSION_ID`` field in the ``/etc/os-release`` data. | |||
| - Both ``name`` and ``namespace`` are not case-sensitive and must be lowercased. | |||
| - For rolling or testing distributions, the ``version`` should be set to the rolling channel identifier or branch name. Such as ``edge`` for alpine, or ``sid`` for debian. In case no such identifier is available, it should not be set. | |||
| - For rolling or testing distributions, the ``version`` should be set to the rolling channel identifier or branch name. Such as ``edge`` for alpine, or ``sid`` for debian. In case no such identifier is available, no version should be set. | |||
| - For MacOS, the namespace should be set to ``apple`` and the name as ``macos``. The version string should match the ``ProductVersion`` returned by the ``sw_vers`` command. | |||
There was a problem hiding this comment.
Do you know on which OS versions are the sw_vers and winverutils available?
There was a problem hiding this comment.
Couldn't find the exact details, but both appear to be old (oldest references are around 2000 for sw_ver and much older for winver), and well-supported (availability in various windows variants for eg).
There was a problem hiding this comment.
Changing winver to ver, which is the text version, and reports the fields that are mentioned here.
There was a problem hiding this comment.
If the group decides to proceed with this also some updates to https://github.com/package-url/purl-spec need to be made. The description for type, namespace, name, version do not align with the proposed use. For example type's description includes the keyword required: "the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required." But in this proposal it is suggested an operating system is a package protocol? This is inconsistent and confusing, I am not sure encoding an operating system in the purl structure will improve comprehension of this specification?
There was a problem hiding this comment.
The file /etc/os-release is not universally supported by Unix-flavors. Even for Linux it appears to have been introduced initially only by those distros supporting systemd. Perhaps this should be recognized in the text?
There was a problem hiding this comment.
Made a change for /etc/os-release alternative. I don't think the spec can be 100% exhaustive to cover all possible operating systems, the best we can do is cover the majority of cases, and offer guidance as to what goes in each field.
I'm unsure about how the description for fields can be aligned.
There was a problem hiding this comment.
We believe that clarity of the specifications helps its adoption and bug-free implementation.
This is very helpful - going to use this to guide the endoflife.date API reporting. Thanks 💯! |
|
@pombredanne Thanks for bringing up physical BOM. It helped me expand my perspective on this. I don't know how purveyors of physical BOMs encode operating system in their BOMs today. My intuition tells me it'd be via firmware images, and they won't really meet the level of detail of an os-release string, e.g., they'll likely read either like a platform string or be a firmware reference that Conceptually I could see an argument for Reading SWID and SWIMA got me thinking about IT inventory. I wonder if operating system is encoded flat, next to installed MSIs or rpm packages, or if it's an attribute of a parent Asset. In general, I think the upkeep and maintenance for purl to norm these strings is significant (see the examples with Windows) and that means backwards compatibility considerations. Another unforeseen future scenario that worries me the most is one where, for example, a vulnerability scanner makes a determination using the operating system release as a shortcut: imagine an SBOM for a Debian system with 1.5K components, but I only pick the Of course |
|
There's lots of ways SBOM tooling can make mistakes around distro vulnerabilities and lots of them are true today already (such as scanners missing vulnerabilities in older distros because the distribution never released an advisory). The existence of a os PURL will atleast make it easy to track these between various tools. Mistakes will still happen, but I don't think we can ascribe them to an OS type. I'm very cognisant of distro v/s upstream support (wrt EOL) in particular, and I think any tooling that tries to determine this will have to take similar care - you just get useless results otherwise. Tooling today already reports os versions in SBOMs (Syft atleast does), but the non-standard nature of it (no PURL) makes it inaccessible to the rest of the ecosystem. |
Not sure I agree with this part. Some of the reporting is encoding for internal purposes (producer and consumer already have a contract) and some use cases for this will have nothing to do with SBOM. There is an ecosystem out there that goes from a regex on uname, a grep on neofetch and most notably CPEs. But that doesn’t mean it can’t be improved! Thanks for this discussion, I hope it can at least help downstream implementers as a reference. |
|
I think it’s also important to mention that distros not releasing an advisory, tools that only lookup NVD without looking at project security trackers and scanners that lack contextual assertions such as exploitability or reachability are real problems that are orthogonal to standardized component naming. What I referred to earlier is less about using distro:release as a shortcut but about facilitating this in a purl namespace next to the other components, potentially teeing up an antipattern. It’s speculative but meant to be cautionary. As a purl enthusiast I’m mostly excited that we get to consider and accommodate scenarios like this! |
|
Thanks for all the feedback, think this should be good to merge now. |
|
It seemed like there was consensus here, is there anything blocking a merge? Would love to implement Thank you 🙏 |
|
I would rather NOT accept this PR. Reasons:
Of interest to the Gitter post mentioned by @captn3m0, I think the guidance provided by the SBOM Forum should be taken into consideration for your project. |
|
going to close this PR, but noting that this is not really avoided this easily:
There's already multiple types in the purl spec, that require vendor naming to some degree via qualifiers, or namespaces:
Different applications might use different |
|
@captn3m0 I think the point being made is that this information is being maintained somewhere, but that somewhere is not You're right, though, that since "somewhere" isn't defined then the exercise is left to the user. The question then becomes whether that's by design, or a negative thing. I'm eager to discuss this further, maybe in #214, because I think there is a middle ground, other can keep the actual data but purl can help with conventions. I see this particular PR as slightly orthogonal and more of a scope question on whether |
This was proposed and rejected package-url/purl-spec#161
Based on discussion here: https://gitter.im/package-url/Lobby?at=61ea707f46529077f596ae70