I'd like to be able to generate my KBOM in SPDX format.

GO Version
go version go1.20.3 linux/amd64

OS
Red Hat Enterprise Linux 8.6 (Ootpa)

Command:
make build

Error:

runtime

../../.go/src/runtime/security_linux.go:14:9: undefined: secureMode
../../.go/src/runtime/security_unix.go:55:17: undefined: fcntl

The Scenario

Given a kbom (v0.2.4) generated bom file with a set of 'container' type components that include package URL (purl) fields reflecting, presumably, docker images that are resources in the kubernetes cluster.

The bom is CycloneDX json format. I am also using another open source tool: https://github.com/CycloneDX/cyclonedx-python-lib. Specifically, I am using the from_json() method available with the project's Bom class to deserialize from a CycloneDX JSON BOM (ie, the afore mentioned kbom bom file).

The Issue

At the point where the first purl in the bom is encountered, and exception is thrown.

PURL string supplied (pkg:registry.k8s.io/kube-scheduler:v1.26.1@sha256:af0292<snip>) does not parse!
  File "/some/path/venv/lib/python3.8/site-packages/cyclonedx/serialization/__init__.py", line 66, in deserialize
    return PackageURL.from_string(purl=str(o))
  File "/some/path/venv/lib/python3.8/site-packages/packageurl/__init__.py", line 512, in from_string
    raise ValueError(msg)
ValueError: Invalid purl 'pkg:registry.k8s.io/kube-scheduler:v1.26.1@sha256:af0292<snip>' cannot contain a "user:pass@host:port" URL Authority component: ''.

This exception is coming from cyclonedx-python-lib's usage of https://github.com/package-url/packageurl-python 's PackageURL.from_string().

That usage isn't arbitrary. The CycloneDX v1.5 specification for the 'purl' indicates a purl MUST be valid and conform to the specification defined at: https://github.com/package-url/purl-spec.

It appears that a portion of the kbom generated URL is being interpreted as a "URL Authority component" and those are not allowed. See bullet 3 of section "A purl is a URL" in the purl-spec.

The Ask

Do you agree that the format of purl fields currently generated by kbom do not adhere to the required format as prescribed by CycloneDX specificications?

It would be desirable to be able to interoperate with another emerging open source toolset like cyclonedx-python-lib.

Potential Format Changes

If the kbom generated purl is altered as follows, packageurl is happy. Note: sha shortened for brevity.

"pkg:docker/registry.k8s.io/kube-scheduler@sha256:af029?tag=v1.26.1"

In particular, from the seven components the purl-spec defines:

• scheme: pkg: - Per the spec, only pkg scheme defined.
• type: docker - Added this per the pkg type that spec defines.
• namespace: registry.k8s.io - not sure if this is best here or as a qualifier per the example in the spec.
• name: kube-scheduler - the image name
• version: the sha digest value - moved around a bit
• qualifier: tag=v1.26.1 - moved to a qualifier so as to not lose this information

I am uncertain on whether my qualifiers are good our not. It was an attempt to retain the tag.
I was attempting to craft a purl where all the information needed to pull the image was there, even if not available
in a direct copy/paste form. Not that there is a requirement for that perse, but it seems to me it would be potentially useful to the consumers of SBOMs (automated or otherwise). The docker image can still be pulled using 'docker pull registry.k8s.io/kube-scheduler@sha256:af0292c...' (not including qualifiers). Automations should be able to further parse and craft pull commands.

References

• https://cyclonedx.org/docs/1.5/json/#components_items_purl
• https://github.com/CycloneDX/cyclonedx-python-lib
• https://github.com/package-url/packageurl-python
• https://github.com/package-url/purl-spec
• https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
• https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
• https://pypi.org/project/packageurl-python/

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update alpine Docker tag to v3.19.1
• Update golangci/golangci-lint-action action to v3.7.1
• Update kubernetes packages to v0.29.2 (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go)
• Update module github.com/CycloneDX/cyclonedx-go to v0.8.0
• Update module github.com/google/uuid to v1.6.0
• Update module github.com/rs/zerolog to v1.32.0
• Update module golang.org/x/term to v0.17.0
• Update golangci/golangci-lint-action action to v4
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository