Skip to content

Use github purl type for RPM source archives with GitHub provenance#94

Open
jasinner wants to merge 2 commits into
RedHatProductSecurity:mainfrom
jasinner:github-in-source-purls
Open

Use github purl type for RPM source archives with GitHub provenance#94
jasinner wants to merge 2 commits into
RedHatProductSecurity:mainfrom
jasinner:github-in-source-purls

Conversation

@jasinner

Copy link
Copy Markdown
Contributor

Summary

Extend the GitHub purl guidance from #93 to RPM source archives (Source0, SourceN, upstream/midstream origin packages, and container Source-origin), using the same github purl type when downloadLocation is a github.com URL.

Depends on: #93 — merge that PR first. It introduces GitHub purl handling for bundled RPM dependencies (Provides(Bundled(...))); this PR applies the same pattern to source inputs declared in spec SourceN lines and modeled as SRPM/container upstream packages.

Changes

Documentation (docs/sbom.md)

  • Extend RPM source archive purl guidance: when downloadLocation is GitHub, emit pkg:github/<owner>/<repo>@<version> instead of pkg:generic/...?download_url=https://github.com/....
  • Do not add a redundant secondary generic purl when the only fetch URL is the same GitHub location (checksum stays in SPDX checksums).
  • A secondary pkg:generic/...?download_url=... is only for a separate non-GitHub fetch URL (same rule as bundled deps in Use github purl type for bundled RPM deps with GitHub provenance #93).
  • Update the container Source-origin example to use a github purl.

Example generator

sbom/examples/rpm/build/bundled_provides.py

sbom/examples/rpm/build/from-koji.py

  • Use source_purls() when building Source0 / midstream origin packages instead of always emitting pkg:generic/...?download_url=....

Examples

Update delve build and release SBOMs (Source0 from https://github.com/go-delve/delve/archive/v1.7.2.tar.gz):

Field Before After
externalRefs (SPDX) pkg:generic/delve@1.7.2?download_url=https://github.com/go-delve/delve/archive/... pkg:github/go-delve/delve@1.7.2
CycloneDX purl pkg:generic/delve@1.7.2?download_url=... pkg:github/go-delve/delve@1.7.2

Non-GitHub sources (e.g. OpenSSL from openssl.org) remain pkg:generic/...?download_url=...&checksum=....

Design notes

Object #93 (bundled) This PR (sources)
SPDX package bundled(libvterm) Source0, Source-origin, midstream origin
GitHub-only URL pkg:github/owner/repo@ver (+ optional generic if non-GitHub URL also known) pkg:github/owner/repo@ver only
Non-GitHub URL pkg:generic/...?download_url=... Same
Checksum SPDX checksums field SPDX checksums field (not duplicated on github purl)

Shared helper module: both features live in bundled_provides.py because #93 adds the GitHub URL parsing infrastructure this PR builds on.

Test plan

  • Confirm #93 is merged (or rebase this branch onto main after merge)
  • Review updated source-archive section in docs/sbom.md
  • Confirm delve Source0 SPDX has a single pkg:github/go-delve/delve@1.7.2 purl (no duplicate generic purl for the same GitHub URL)
  • Sanity-check helpers:
cd sbom/examples/rpm/build
python3 -c "
from bundled_provides import source_purls
assert source_purls('delve', '1.7.2', 'https://github.com/go-delve/delve/archive/v1.7.2.tar.gz') == ['pkg:github/go-delve/delve@1.7.2']
assert source_purls('openssl', '3.0.7', 'https://openssl.org/source/openssl-3.0.7.tar.gz', checksum='sha256:abc')[0].startswith('pkg:generic/openssl@3.0.7?')
print('ok')
"

@coderabbitai

coderabbitai Bot commented May 29, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@jasinner, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 25 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 54b50bd8-05d6-4464-abf1-a27b9c4277a4

📥 Commits

Reviewing files that changed from the base of the PR and between b1abb59 and f7d7ea0.

📒 Files selected for processing (12)
  • docs/sbom.md
  • sbom/examples/rpm/build/README.md
  • sbom/examples/rpm/build/bundled_provides.py
  • sbom/examples/rpm/build/delve-1.7.2-1.module+el8.6.0+12972+ebab5911.cdx.json
  • sbom/examples/rpm/build/delve-1.7.2-1.module+el8.6.0+12972+ebab5911.spdx.json
  • sbom/examples/rpm/build/from-koji.py
  • sbom/examples/rpm/build/vim-9.1.083-5.el10.cdx.json
  • sbom/examples/rpm/build/vim-9.1.083-5.el10.spdx.json
  • sbom/examples/rpm/release/delve-1.7.2-1.module+el8.6.0+12972+ebab5911.cdx.json
  • sbom/examples/rpm/release/delve-1.7.2-1.module+el8.6.0+12972+ebab5911.spdx.json
  • sbom/examples/rpm/release/vim-9.1.083-5.el10.cdx.json
  • sbom/examples/rpm/release/vim-9.1.083-5.el10.spdx.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant