Add package URL (purl) and CPE to SPDX SBOM files #1482

Open. Wants to merge 1 commit into base: main.

Conversation

aristotelos

Add a package URL to generated SBOM files so that vulnerability databases can start linking CVEs to vcpkg port versions.

Fixes microsoft/vcpkg#39254. See also package-url/purl-spec#217 that has not been resolved yet but should be resolved before this commit is merged.

Add a package URL and CPE to generated SBOM files so that vulnerability
databases can start linking CVEs to vcpkg port versions.

Fixes microsoft/vcpkg#39254.
See also package-url/purl-spec#217 that has
not been resolved yet but should be resolved before this commit is
merged.

See also https://nvd.nist.gov/products/cpe/search?namingFormat=2.3 for a
CPE database.
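As an added worked example, not code from this PR or from vcpkg-tool: what an SPDX 2.3 `externalRefs` block carrying both identifiers could look like for one vcpkg port, together with the two encoding steps a vulnerability database depends on when it matches the locators. The `pkg:vcpkg/<port>@<version>` purl shape is an assumption (the purl type is what package-url/purl-spec#217 is still deciding), the `openssl` port data and the `vcpkg.spdx.json` fragment are constructed inputs, and the CPE escaping follows the NISTIR 7695 formatted-string binding.

```python
"""Added example (not vcpkg-tool code): SPDX 2.3 externalRefs for a vcpkg port.

Assumptions: the purl type is `pkg:vcpkg/<port>@<version>` (the purl-spec
discussion is still open), and the SPDX fragment and port data below are
constructed for the demo, not taken from a real vcpkg.spdx.json."""
import json
import re
from urllib.parse import quote, unquote


def cpe_fs_escape(value: str) -> str:
    """Bind one attribute value for the CPE 2.3 formatted string.

    NISTIR 7695 formatted-string binding: alphanumerics, '_', '.' and '-'
    pass through; every other character is backslash-escaped so it cannot
    act as a ':' field separator or a '*'/'?' wildcard.  A whole value of
    "*" (ANY) or "-" (NA) is passed through; a literal star inside a value
    is escaped."""
    if value == "":
        raise ValueError("empty CPE value; use '*' (ANY) or '-' (NA)")
    if value in ("*", "-"):
        return value
    return "".join(c if re.fullmatch(r"[A-Za-z0-9_.\-]", c) else "\\" + c for c in value)


def cpe23(vendor: str, product: str, version: str, part: str = "a") -> str:
    """cpe:2.3:<part>:<vendor>:<product>:<version> followed by seven ANY fields."""
    fields = [part, cpe_fs_escape(vendor), cpe_fs_escape(product), cpe_fs_escape(version)]
    # update, edition, language, sw_edition, target_sw, target_hw, other
    fields += ["*"] * 7
    return "cpe:2.3:" + ":".join(fields)


def vcpkg_purl(port: str, version: str, port_version: int = 0) -> str:
    """Assumed purl shape pkg:vcpkg/<port>@<version>[%23<port-version>].

    vcpkg prints a port's full version as "<version>#<port-version>".  Every
    character outside the RFC 3986 unreserved set is percent-encoded (quote
    with safe=''), which covers '#', '?', '@', ':' and '/' and so keeps the
    port-version from being parsed as a purl subpath."""
    full = version if port_version == 0 else f"{version}#{port_version}"
    return f"pkg:vcpkg/{quote(port, safe='')}@{quote(full, safe='')}"


def _rsplit_once(s: str, sep: str) -> tuple:
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl: str) -> dict:
    """Minimal purl decoder in the order the spec prescribes: subpath ('#'),
    qualifiers ('?'), version ('@'), then scheme, type and name.  No
    namespace handling, which is enough for the namespace-less vcpkg type."""
    rest, subpath = _rsplit_once(purl, "#")
    rest, qualifiers = _rsplit_once(rest, "?")
    rest, version = _rsplit_once(rest, "@")
    scheme, _, path = rest.partition(":")
    if scheme != "pkg":
        raise ValueError(f"not a purl: {purl!r}")
    ptype, _, name = path.strip("/").partition("/")
    return {"type": ptype, "name": unquote(name), "version": unquote(version),
            "qualifiers": qualifiers, "subpath": unquote(subpath)}


def spdx_port_package(port: str, version: str, port_version: int,
                      cpe_vendor: str, cpe_product: str) -> dict:
    """Constructed SPDX 2.3 package entry carrying both external references.

    Design choice here: the CPE carries the upstream version only, since CVEs
    are filed against the upstream product and the vcpkg port-version is a
    packaging revision; the purl carries the full vcpkg version."""
    return {
        "name": port,
        "SPDXID": "SPDXRef-port",
        "versionInfo": f"{version}#{port_version}",
        "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": vcpkg_purl(port, version, port_version)},
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": cpe23(cpe_vendor, cpe_product, version)},
        ],
    }


def locators(package: dict) -> dict:
    """What a consumer pulls out of the entry: {referenceType: referenceLocator}."""
    return {ref["referenceType"]: ref["referenceLocator"] for ref in package["externalRefs"]}


if __name__ == "__main__":
    pkg = spdx_port_package("openssl", "3.3.1", 1, "openssl", "openssl")
    print(json.dumps(pkg, indent=2))
    # An unencoded '#' is consumed as a purl subpath; the encoded form survives:
    print(parse_purl("pkg:vcpkg/openssl@3.3.1#1")["version"])  # 3.3.1 (port-version lost)
    print(parse_purl(locators(pkg)["purl"])["version"])        # 3.3.1#1
```

The `#` in vcpkg's `version#port-version` notation is the edge case worth checking in any implementation: a spec-conformant purl parser strips the subpath before it looks for the version, so an unencoded locator silently loses the port-version, while the percent-encoded one round-trips. The escaping in `cpe_fs_escape` matters for the same reason on the CPE side, where an unescaped `:` in a version string shifts every following field.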
aristotelos changed the title from "Add package URL (purl) to SPDX SBOM files" to "Add package URL (purl) and CPE to SPDX SBOM files" on Aug 28, 2024

aristotelos (author)

Because having something in this case is better than nothing, I'm moving this PR from Draft to Ready for review.

aristotelos marked this pull request as ready for review on August 29, 2024 07:01

alex1891

Any updates on this PR?

Successfully merging this pull request may close this issue: Adding purl to generated SBOM