raboof opened a new issue, #44178: URL: https://github.com/apache/airflow/issues/44178
### Apache Airflow version

2.10.3

### If "Other Airflow 2 version" selected, which one?

_No response_

### What happened?

Looking at Airflow SBOMs such as `apache-airflow-sbom-2.10.3-python3.12.json` and `apache-airflow-sbom-2.10.3-python3.12-python-only.json`, it identifies the artifact being described by those SBOMs as `pkg:npm/[email protected]` and `pkg:application/[email protected]`. These are [Purls](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst), but I'm pretty sure Airflow is not an npm package, and `application` does not exist as purl type entirely.

### What you think should happen instead?

* describe 'exactly what' is being described by this SBOM. Does it describe a particular artifact, such as https://pypi.org/project/apache-airflow/ ? Then it should probably use the `pypi` Purl type. If it described Airflow more 'in the abstract', perhaps we should use the `generic` Purl type or introduce an [`asf` purl type](https://github.com/package-url/purl-spec/issues/305)

### How to reproduce

Generate the SBOMs

### Operating System

n/a

### Versions of Apache Airflow Providers

_No response_

### Deployment

Other

### Deployment details

_No response_

### Anything else?

Part of this may be an upstream issue in https://github.com/CycloneDX/cdxgen , but I figured it would be good to first determine what we want to achieve 'concretely' here, and only look at what changes we may or may not need to generalize in upstream tooling after that.

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
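A check for the problem reported above, as an added example that is not part of the issue and is not Airflow or cdxgen code: it reads `metadata.component.purl` from a CycloneDX-style SBOM and flags a purl type that is unregistered or not the expected ecosystem. The function names, the `example-app` sample and the `KNOWN_PURL_TYPES` snapshot of PURL-TYPES.rst are assumptions made for this example.

```python
import json

# Snapshot of types listed in purl-spec's PURL-TYPES.rst (assumption: may lag the spec).
KNOWN_PURL_TYPES = {
    "alpm", "apk", "bitbucket", "bitnami", "cargo", "cocoapods", "composer",
    "conan", "conda", "cpan", "cran", "deb", "docker", "gem", "generic",
    "github", "golang", "hackage", "hex", "huggingface", "luarocks", "maven",
    "mlflow", "npm", "nuget", "oci", "pub", "pypi", "qpkg", "rpm", "swid", "swift",
}

# Constructed sample shaped like a CycloneDX BOM; not taken from a real Airflow SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {
        "type": "application", "name": "example-app", "version": "1.0.0",
        "purl": "pkg:application/example-app@1.0.0"}},
})

def parse_purl(purl):
    """Return (type, name, version) from a purl; qualifiers and subpath are ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    ptype, sep, path = rest.partition("/")
    if not sep or not path:
        raise ValueError(f"purl has no name: {purl!r}")
    version = None
    if "@" in path:
        path, _, version = path.rpartition("@")
    return ptype.lower(), path.rsplit("/", 1)[-1], version

def check_root_purl(sbom_text, expected_type=None):
    """List problems with the purl of metadata.component, the artifact the SBOM describes."""
    comp = json.loads(sbom_text).get("metadata", {}).get("component") or {}
    purl = comp.get("purl")
    if not purl:
        return ["metadata.component has no purl"]
    try:
        ptype, name, version = parse_purl(purl)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if ptype not in KNOWN_PURL_TYPES:
        findings.append(f"unknown purl type {ptype!r}")
    elif expected_type and ptype != expected_type:
        findings.append(f"purl type {ptype!r}, expected {expected_type!r}")
    if version != comp.get("version"):
        findings.append(f"purl version {version!r} != component version {comp.get('version')!r}")
    return findings

if __name__ == "__main__":
    print(check_root_purl(SAMPLE_SBOM, expected_type="pypi"))
```

Run against a generated SBOM file by passing its contents as `sbom_text`; an empty list means the root purl uses a registered type, matches `expected_type` when one is given, and agrees with the component version.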
