ppkarwasz commented on issue #614: URL: https://github.com/apache/tooling-trusted-releases/issues/614#issuecomment-3907984312
The purpose of TEA is slightly different from the purpose of PURL:

- Most PURLs allow you to find the download URL of **software** components (source code, JARs, binary distributions). These are **immutable** and strictly synchronized with releases.
- The purpose of TEA is to distribute various kinds of **security-related** documents (somewhat confusingly called TEA Artifacts) like SBOMs, VDRs, VEXes, attestations. These might be generated or updated asynchronously (especially the VDRs/VEXes).

There is obviously a large intersection between the two. In the case of software components, each TEA Component Release (see [schema](https://github.com/CycloneDX/transparency-exchange-api/blob/ca695e6fb201cd807b275c006030a5e71cdb3313/spec/openapi.yaml#L589-L690)) also lists all the binary files associated with that release. On the other hand, TEA also provides a list of security-related documents attached to the TEA Component Release (see [TEA Collection Schema](https://github.com/CycloneDX/transparency-exchange-api/blob/ca695e6fb201cd807b275c006030a5e71cdb3313/spec/openapi.yaml#L811-L874)). It is therefore possible to implement a PURL type based on TEA.

## TEA-based PURL type

Each software component has a TEA Component object. For Apache Tomcat, this could look like:

```json
{
  "uuid": "0109bbc5-ae05-4033-b6f4-046009d7785b",
  "name": "Apache Tomcat",
  "identifiers": [
    { "idType": "PURL", "idValue": "pkg:maven/org.apache.tomcat/tomcat" },
    { "idType": "CPE", "idValue": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*" }
  ]
}
```

If we know the UUID of the software component, we can get all its releases via `/component/{uuid}/releases`.
This returns a TEA Component Release object like:

```json
{
  "uuid": "605d0ecb-1057-40e4-9abf-c400b10f0345",
  "version": "11.0.7",
  "createdDate": "2025-05-07T18:08:00Z",
  "releaseDate": "2025-05-12T18:08:00Z",
  "identifiers": [
    { "idType": "PURL", "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.7" }
  ],
  "distributions": [
    {
      "distributionType": "zip",
      "description": "Core binary distribution, zip archive",
      "identifiers": [
        { "idType": "PURL", "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.7?type=zip" }
      ],
      "checksums": [
        { "algType": "SHA_256", "algValue": "9da736a1cdd27231e70187cbc67398d29ca0b714f885e7032da9f1fb247693c1" }
      ],
      "url": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.zip",
      "signatureUrl": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.zip.asc"
    },
    {
      "distributionType": "tar.gz",
      "description": "Core binary distribution, tar.gz archive",
      "identifiers": [
        { "idType": "PURL", "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.7?type=tar.gz" }
      ],
      "checksums": [
        { "algType": "SHA_256", "algValue": "2fcece641c62ba1f28e1d7b257493151fc44f161fb391015ee6a95fa71632fb9" }
      ],
      "url": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.tar.gz",
      "signatureUrl": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.tar.gz.asc"
    },
    {
      "distributionType": "windows-x64.zip",
      "description": "Core binary distribution, Windows x64 zip archive",
      "identifiers": [
        { "idType": "PURL", "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.7?classifier=windows-x64&type=zip" }
      ],
      "checksums": [
        { "algType": "SHA_256", "algValue": "62a5c358d87a8ef21d7ec1b3b63c9bbb577453dda9c00cbb522b16cee6c23fc4" }
      ],
      "url": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7-windows-x64.zip",
      "signatureUrl": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7-windows-x64.zip.asc"
    },
    {
      "distributionType": "windows-x64.exe",
      "description": "Core binary distribution, Windows Service Installer",
      "checksums": [
        { "algType": "SHA_512", "algValue": "1d3824e7643c8aba455ab0bd9e67b14a60f2aaa6aa7775116bce40eb0579e8ced162a4f828051d3b867e96ee2858ec5da0cc654e83a83ba30823cbea0df4ff96" }
      ],
      "url": "https://dlcdn.apache.org/tomcat/tomcat-11/v11.0.7/bin/apache-tomcat-11.0.7.exe",
      "signatureUrl": "https://downloads.apache.org/tomcat/tomcat-11/v11.0.7/bin/apache-tomcat-11.0.7.exe.asc"
    }
  ]
}
```

Therefore we could create a new PURL type like:

```
pkg:tea/apache.org/tomcat@11.0.7
```

that will use the data from the TEA Component Release to locate the various artifacts.
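The following is an added example, not code from the comment above, from the TEA project, or from the tooling-trusted-releases project. It sketches what a resolver for the proposed `pkg:tea` type would have to do: parse the PURL, pick the distribution the `type`/`classifier` qualifiers name out of a TEA Component Release, and refuse the downloaded bytes unless every listed checksum uses an accepted algorithm and matches. The qualifier-to-`distributionType` mapping (`<classifier>.<type>`, or just `<type>`) is an assumption of this example; the release document and artifact bytes are constructed, with checksums computed from those stand-in bytes so it runs offline.

```python
"""Resolver sketch for the proposed pkg:tea PURL type (added example, not project code)."""
import hashlib
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed stand-ins for the bytes a client would download for two distributions.
FAKE_ZIP = b"PK\x03\x04 constructed tomcat-11.0.7.zip stand-in"
FAKE_TGZ = b"\x1f\x8b constructed tomcat-11.0.7.tar.gz stand-in"

# Constructed TEA Component Release in the shape of the Tomcat example; the
# checksums are those of the stand-in bytes, not of the real Tomcat archives.
TEA_RELEASE = {
    "uuid": "605d0ecb-1057-40e4-9abf-c400b10f0345",
    "version": "11.0.7",
    "identifiers": [{"idType": "PURL", "idValue": "pkg:maven/org.apache.tomcat/tomcat@11.0.7"}],
    "distributions": [
        {
            "distributionType": "zip",
            "checksums": [{"algType": "SHA_256", "algValue": hashlib.sha256(FAKE_ZIP).hexdigest()}],
            "url": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.zip",
            "signatureUrl": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.zip.asc",
        },
        {
            "distributionType": "tar.gz",
            "checksums": [{"algType": "SHA_512", "algValue": hashlib.sha512(FAKE_TGZ).hexdigest()}],
            "url": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.tar.gz",
            "signatureUrl": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7.tar.gz.asc",
        },
        {
            # Deliberately lists only an MD5 checksum to show the fail-closed path.
            "distributionType": "windows-x64.zip",
            "checksums": [{"algType": "MD5", "algValue": "00" * 16}],
            "url": "https://repo.maven.apache.org/maven2/org/apache/tomcat/tomcat/11.0.7/tomcat-11.0.7-windows-x64.zip",
        },
    ],
}

# TEA algType -> hashlib constructor. Only collision-resistant algorithms are accepted.
HASHERS = {"SHA_256": hashlib.sha256, "SHA_384": hashlib.sha384, "SHA_512": hashlib.sha512}


def parse_purl(purl: str) -> dict:
    """Split a PURL into type, namespace, name, version and qualifiers (no subpath support)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a PURL")
    parts = urlsplit(purl)  # path: "tea/apache.org/tomcat@11.0.7", query: "type=zip"
    ptype, _, rest = parts.path.lstrip("/").partition("/")
    ns_and_name = rest.rsplit("/", 1)
    namespace = unquote(ns_and_name[0]) if len(ns_and_name) == 2 else None
    name, _, version = ns_and_name[-1].partition("@")
    if not ptype or not name:
        raise ValueError("PURL needs a type and a name")
    qualifiers = {k.lower(): v for k, v in parse_qsl(parts.query)}
    return {"type": ptype.lower(), "namespace": namespace, "name": unquote(name),
            "version": unquote(version) or None, "qualifiers": qualifiers}


def select_distribution(release: dict, purl: dict) -> dict:
    """Pick the single distribution named by the PURL's type/classifier qualifiers (assumed mapping)."""
    if purl["type"] != "tea":
        raise ValueError(f"expected pkg:tea, got pkg:{purl['type']}")
    if purl["version"] != release["version"]:
        raise ValueError(f"PURL version {purl['version']} != release version {release['version']}")
    wanted = purl["qualifiers"].get("type")
    if wanted is None:
        raise ValueError("pkg:tea PURL needs a type qualifier to pick a distribution")
    classifier = purl["qualifiers"].get("classifier")
    if classifier:
        wanted = f"{classifier}.{wanted}"
    matches = [d for d in release["distributions"] if d["distributionType"] == wanted]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} distributions match {wanted!r}")
    return matches[0]


def verify_checksum(dist: dict, data: bytes) -> bool:
    """True only if the distribution lists checksums, all use accepted algorithms, and all match."""
    checksums = dist.get("checksums") or []
    if not checksums:
        return False  # nothing to verify against: do not trust the bytes
    for c in checksums:
        hasher = HASHERS.get(c["algType"])
        if hasher is None:
            return False  # unknown or weak algorithm: fail closed instead of skipping it
        if hasher(data).hexdigest() != c["algValue"].lower():
            return False
    return True


def resolve(purl_str: str, release: dict, data: bytes) -> dict:
    """Resolve a pkg:tea PURL to its download and signature URLs, accepting only verified bytes."""
    dist = select_distribution(release, parse_purl(purl_str))
    if not verify_checksum(dist, data):
        raise ValueError(f"checksum verification failed for {dist['url']}")
    return {"url": dist["url"], "signatureUrl": dist.get("signatureUrl")}


if __name__ == "__main__":
    print(resolve("pkg:tea/apache.org/tomcat@11.0.7?type=zip", TEA_RELEASE, FAKE_ZIP))
```

The checksum only ties the bytes to what the TEA server published; a client that fetches both the release document and the archive from the network should still verify the detached signature at `signatureUrl` against the project's published keys, which this sketch leaves to the caller.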
