PURL URIs and SBOM

Reply: Norman Gray : "Re: PURL URIs and SBOM"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Lucas Holt <luke_at_foolishgames.com>
Date: Thu, 27 Mar 2025 00:09:31 UTC

I know there's a project to work on SBOMs for the FreeBSD project, and 
perhaps things are far ahead there.

I recently started working on submitting a patch to a smaller SBOM 
generator to support FreeBSD with the plan to eventually add MidnightBSD 
also.

I ran into a snap when generating them.  There is a lot of validation on 
SBOM tools and the PURL spec also has validation. So they need to be 
submitted.

This brought up the need for a standard PURL pattern for BSDs. I'm not 
sure if it makes sense to be based on being a BSD or what primary 
package manager we all use.

I submitted a PR for a MidnightBSD PURL value and someone had mentioned 
the idea of doing something like

pkg:bsd/freebsd/pkgname@version?arch=i386&distro=freebsd/14.2 or 
something similar.

I was thinking of doing something based on the package manager though like
pkg:mport/midnightbsd/pkgname@version?arch=amd64&osrel=3.2
(these are generated by mport purl <pkgname> already)

but then it gets weird for freebsd
pkg:pkg/freebsd/pkgname@version?arch=amd64&osrel=14.2 ...

The PR is at https://github.com/package-url/purl-spec/issues/431

I'd appreciate input on this.

Thanks,

-- 
Lucas Holt
Luke@FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)