# Use github purl type for RPM source archives with GitHub provenance #94

jasinner wants to merge 2 commits into
## Summary

Extend the GitHub purl guidance from #93 to RPM source archives (`Source0`, `SourceN`, upstream/midstream origin packages, and container `Source-origin`), using the same `github` purl type when `downloadLocation` is a `github.com` URL.

Depends on: #93 — merge that PR first. It introduces GitHub purl handling for bundled RPM dependencies (`Provides(Bundled(...))`); this PR applies the same pattern to source inputs declared in spec `SourceN` lines and modeled as SRPM/container upstream packages.

## Changes

### Documentation (`docs/sbom.md`)

- When `downloadLocation` is GitHub, emit `pkg:github/<owner>/<repo>@<version>` instead of `pkg:generic/...?download_url=https://github.com/...`.
- No `generic` purl when the only fetch URL is the same GitHub location (checksum stays in SPDX `checksums`).
- `pkg:generic/...?download_url=...` is only for a separate non-GitHub fetch URL (same rule as bundled deps in "Use `github` purl type for bundled RPM deps with GitHub provenance #93").
- `github` purl.

### Example generator

- `sbom/examples/rpm/build/bundled_provides.py`: `source_purls()` / `source_purl()` helpers (reuses `_github_owner_repo()` from "Use `github` purl type for bundled RPM deps with GitHub provenance #93").
- `sbom/examples/rpm/build/from-koji.py`: uses `source_purls()` when building `Source0` / midstream origin packages instead of always emitting `pkg:generic/...?download_url=...`.

### Examples

Update delve build and release SBOMs (`Source0` from `https://github.com/go-delve/delve/archive/v1.7.2.tar.gz`):

| Field | Before | After |
|---|---|---|
| `externalRefs` (SPDX) | `pkg:generic/delve@1.7.2?download_url=https://github.com/go-delve/delve/archive/...` | `pkg:github/go-delve/delve@1.7.2` |
| `purl` | `pkg:generic/delve@1.7.2?download_url=...` | `pkg:github/go-delve/delve@1.7.2` |

Non-GitHub sources (e.g. OpenSSL from `openssl.org`) remain `pkg:generic/...?download_url=...&checksum=...`.

### Design notes

- Scope: bundled deps (#93) cover `bundled(libvterm)`; this PR covers `Source0`, `Source-origin`, midstream origin.
- GitHub URL: #93 emits `pkg:github/owner/repo@ver` (+ optional generic if non-GitHub URL also known); this PR emits `pkg:github/owner/repo@ver` only.
- Non-GitHub URL: `pkg:generic/...?download_url=...`.
- Checksum: `checksums` field (#93); `checksums` field, not duplicated on the `github` purl (this PR).

Shared helper module: both features live in `bundled_provides.py` because #93 adds the GitHub URL parsing infrastructure this PR builds on.

## Test plan

- `main` after merge)
- `docs/sbom.md`
- `Source0` SPDX has a single `pkg:github/go-delve/delve@1.7.2` purl (no duplicate generic purl for the same GitHub URL)
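As an added illustration of the `Source0` rule this PR documents (a constructed example, not the project's own `source_purl()` / `_github_owner_repo()` helpers from `bundled_provides.py`): a GitHub archive or release URL yields a single `pkg:github/<owner>/<repo>@<version>` purl with no generic twin and no checksum qualifier, while any other host yields `pkg:generic` with `download_url` and `checksum` qualifiers. The URL patterns, the `sha256` parameter and the sample OpenSSL URL are assumptions.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed example, not the project's own source_purl()/_github_owner_repo()
# helpers: the URL patterns, the sha256 parameter and the sample inputs are assumptions.
GITHUB_ARCHIVE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/archive/(?:refs/tags/)?v?(?P<ref>[^/]+?)"
    r"\.(?:tar\.gz|tar\.xz|zip)$"
)
GITHUB_RELEASE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/releases/download/v?(?P<ref>[^/]+)/[^/]+$"
)


def github_owner_repo(url):
    """Return (owner, repo, version) for an https://github.com archive or release
    asset URL, or None for anything else (other hosts, plain http, raw files)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ("github.com", "www.github.com"):
        return None
    for pattern in (GITHUB_ARCHIVE, GITHUB_RELEASE):
        match = pattern.match(parts.path)
        if match:
            repo = match.group("repo")
            if repo.endswith(".git"):
                repo = repo[:-4]
            return match.group("owner"), repo, match.group("ref")
    return None


def source_purl(name, version, download_url, sha256=None):
    """purl for one SourceN archive: pkg:github/<owner>/<repo>@<version> when the
    download location is a GitHub archive, else pkg:generic with qualifiers."""
    github = github_owner_repo(download_url)
    if github:
        owner, repo, ref = github
        # Single github purl: no generic twin for the same URL and no checksum
        # qualifier, since the digest stays in the SPDX `checksums` field.
        # The github purl type lowercases namespace and name.
        return f"pkg:github/{owner.lower()}/{repo.lower()}@{ref}"
    qualifiers = {"download_url": download_url}
    if sha256:
        qualifiers["checksum"] = f"sha256:{sha256}"
    # Qualifiers are sorted by key; ':' and '/' stay unencoded (as in the page's
    # own download_url examples), everything else is percent-encoded.
    encoded = "&".join(f"{key}={quote(value, safe=':/')}" for key, value in sorted(qualifiers.items()))
    return f"pkg:generic/{name}@{version}?{encoded}"
```

A GitHub URL that is not an archive or release asset (a raw file, for instance) carries no version, so it falls through to the generic form rather than producing an unversioned `github` purl.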