On 11/04/2024 16:52, von Loewenstein, Jan wrote:
Hi folks,

I am part of the Paketo community, and we are providing Cloud Native Buildpacks 
to create container images with – amongst other technologies – Apache Tomcat 
and Apache TomEE as application runtimes.

One of the features of Cloud Native Buildpacks is that images come with a 
Software Bill of Materials (SBOM). When installing Apache Tomcat, we issue the 
following CPE and pURL to the SBOM:

   1.  cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
   2.  pkg:generic/apache-tomcat@10.1.20

The former should be the right one for users to find relevant CVEs in, e.g., 
nvd.nist.gov. The latter, however, is made up and will likely not lead to any 
findings on, e.g., https://osv.dev.

Now I am wondering if you report Tomcat vulnerabilities under any pURL and 
which one that would be.

We don't.

There is a proposal <https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define>
to introduce `pkg:apache` as a namespace, which would open up
`pkg:apache/tomcat@10.1.20` as a canonical pURL.

That is a foundation-wide decision and not one the Tomcat project can make unilaterally. That is probably a topic for security-disc...@community.apache.org, where pURL has already been touched on in this thread:
https://lists.apache.org/thread/7hs5ooqhfozmhlvq24k5xztzn1nwp9yv

Mark
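As an added example (not code from the Tomcat project, the Paketo buildpacks, or either poster), the following Python script parses the two identifiers quoted in the thread, emits them as a CycloneDX-style component, and runs them against a constructed advisory index to show why an SBOM entry keyed on the made-up `pkg:generic` pURL is unlikely to match anything indexed under a canonical pURL, while the CPE matches as expected. The advisory records, the `EXAMPLE-` ids, the OSV-like `introduced`/`fixed` range and the attribute-by-attribute CPE matching are assumptions made for the demonstration; only the CPE, the two pURLs and the proposed `pkg:apache` namespace come from the thread.

```python
"""Added example: parse the SBOM identifiers from the thread and match them
against a constructed advisory index.  Not the Tomcat project's or the
Paketo buildpacks' code; the advisory records below are made up."""
import json
import re
from urllib.parse import unquote

# Identifiers quoted in the thread for Apache Tomcat 10.1.20.
TOMCAT_CPE = "cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*"
TOMCAT_GENERIC_PURL = "pkg:generic/apache-tomcat@10.1.20"   # what the buildpack emits today
TOMCAT_PROPOSED_PURL = "pkg:apache/tomcat@10.1.20"           # form the pkg:apache proposal would allow

# Core purl grammar: pkg:type[/namespace]/name[@version][?qualifiers][#subpath]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.+))?$"
)


def parse_purl(purl: str) -> dict:
    """Split a package URL into its components; type is lower-cased and
    namespace/name/version are percent-decoded, as the purl spec requires."""
    m = PURL_RE.match(purl.strip())
    if m is None:
        raise ValueError(f"not a package URL: {purl!r}")
    parts = m.groupdict()
    parts["type"] = parts["type"].lower()
    for key in ("namespace", "name", "version"):
        if parts[key] is not None:
            parts[key] = unquote(parts[key])
    return parts


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    A colon escaped as backslash-colon inside an attribute is not a separator."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = re.split(r"(?<!\\):", cpe[len(prefix):])
    fields = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} attributes, got {len(values)}")
    return dict(zip(fields, values))


def version_tuple(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple: '10.1.20' -> (10, 1, 20)."""
    return tuple(int(x) for x in version.split("."))


def purl_key(purl: str) -> tuple:
    """Package identity without the version: what a pURL-keyed index looks up."""
    p = parse_purl(purl)
    return (p["type"], p["namespace"], p["name"])


# Constructed advisories (assumption, not real CVEs): one keyed on the proposed
# canonical pURL with an OSV-like version range, one keyed on the NVD-style CPE.
CONSTRUCTED_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:apache/tomcat",
     "introduced": "10.1.0", "fixed": "10.1.21"},
    {"id": "EXAMPLE-2024-0002",
     "cpe": "cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*"},
]


def match_by_purl(component_purl: str, advisories: list) -> list:
    """Advisory ids whose pURL identity equals the component's and whose
    [introduced, fixed) range covers the component version."""
    p = parse_purl(component_purl)
    if p["version"] is None:
        return []
    version = version_tuple(p["version"])
    hits = []
    for adv in advisories:
        if "purl" not in adv or purl_key(adv["purl"]) != purl_key(component_purl):
            continue
        if version_tuple(adv["introduced"]) <= version < version_tuple(adv["fixed"]):
            hits.append(adv["id"])
    return hits


def match_by_cpe(component_cpe: str, advisories: list) -> list:
    """Advisory ids whose CPE matches attribute by attribute ('*' matches anything)."""
    comp = parse_cpe23(component_cpe)
    hits = []
    for adv in advisories:
        if "cpe" not in adv:
            continue
        adv_cpe = parse_cpe23(adv["cpe"])
        if all(adv_cpe[f] in ("*", comp[f]) or comp[f] == "*" for f in comp):
            hits.append(adv["id"])
    return hits


def cyclonedx_component(name: str, version: str, cpe: str, purl: str) -> dict:
    """Minimal CycloneDX-style component carrying both identifiers side by side."""
    return {"type": "application", "name": name, "version": version, "cpe": cpe, "purl": purl}


if __name__ == "__main__":
    component = cyclonedx_component("Apache Tomcat", "10.1.20", TOMCAT_CPE, TOMCAT_GENERIC_PURL)
    print(json.dumps(component, indent=2))
    print("CPE matches:         ", match_by_cpe(TOMCAT_CPE, CONSTRUCTED_ADVISORIES))
    print("pkg:generic matches: ", match_by_purl(TOMCAT_GENERIC_PURL, CONSTRUCTED_ADVISORIES))
    print("pkg:apache matches:  ", match_by_purl(TOMCAT_PROPOSED_PURL, CONSTRUCTED_ADVISORIES))
```

The lookup key is the type/namespace/name triple, so `pkg:generic/apache-tomcat` and `pkg:apache/tomcat` are different packages to any pURL-keyed index even though they describe the same release; that is the gap the `pkg:apache` proposal in the thread would close. Until a canonical type exists, the CPE is the identifier consumers can rely on for this component.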

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org