[RFC,1/5] package/pkg-generic.mk: add PURL package variable

Message ID 20240404124329.768546-2-thomas.perale@mind.be
State New
Series Support SBOM in CycloneDX format

Commit Message

Thomas Perale April 4, 2024, 12:43 p.m. UTC
PURL stands for 'package URL', it's a specification that standardizes
how packages are identified and located.

PURL is used to reference the same package across different package
managers, tracking tools, APIs and databases.

A purl is a URL composed of seven components:

  scheme:type/namespace/name@version?qualifiers#subpath

  - scheme: always 'pkg' (required)
  - type: package manager used to install the package, download origin,
          type of package (required)
  - namespace: name prefix, type specific additional information (optional)
  - name: package name (required)
  - version: package version (optional)
  - qualifiers: extra information (optional)
  - subpath: extra subpath relative to package root (optional)

A PURL for the purl-spec repository looks like this:

  pkg:github/package-url/purl-spec@346589846130317464b677bc4eab30bf5040183a

It contains information like the provenance (github), organization
(package-url), name (purl-spec) and version (34658984...).

This patch introduces an auto-generated PURL for non internal packages
(packages with a `<pkg>_SOURCE` variable), with the possibility for each
package to define their own PURL by defining the following variable:

  <pkg>_PURL

If the variable is not defined it will be generated as follows:

  $(2)_PURL = pkg:generic/$$($(2)_RAWNAME)@$$($(2)_VERSION)

The type 'generic' is used by default but can be extended in the future
to support github, gitlab, etc ...

For more information, see https://github.com/package-url/purl-spec

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/pkg-generic.mk | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--
2.44.0
Patch

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 577a148c1e..0966b714ff 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -754,6 +754,18 @@  ifeq ($$($(2)_CPE_ID_VALID),YES)
  $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_PRODUCT):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_UPDATE):*:*:*:*:*:*
 endif # ifeq ($$($(2)_CPE_ID_VALID),YES)

+# If no package url (purl) is set, a generic purl is created for non internal
+# packages.
+# see https://github.com/package-url/purl-spec
+ifndef $(2)_PURL
+ ifdef $(3)_PURL
+  $(2)_PURL = $$($(3)_PURL)
+ endif
+ ifdef $(2)_SOURCE
+   $(2)_PURL = pkg:generic/$$($(2)_RAWNAME)@$$($(2)_VERSION)
+ endif
+endif
+
 # When a target package is a toolchain dependency set this variable to
 # 'NO' so the 'toolchain' dependency is not added to prevent a circular
 # dependency.
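
Review bot: inside `ifndef $(2)_PURL`, the `ifdef $(3)_PURL` and `ifdef $(2)_SOURCE` blocks are independent rather than alternatives, so when both variables are defined the generic assignment runs second and overwrites the PURL that was just inherited from `$(3)_PURL`. If the inherited value is meant to take precedence, make the generic fallback apply only while `$(2)_PURL` is still unset, for example by putting it in the `else` branch of `ifdef $(3)_PURL` or wrapping it in a second `ifndef $(2)_PURL`. The fallback also produces `pkg:generic/<name>@` with a dangling `@` when `$(2)_VERSION` is empty, so a guard on a non-empty version would keep the generated identifier well-formed for SBOM consumers. Minor style point: the `$(2)_PURL = pkg:generic/...` line is indented three spaces where the sibling assignment above uses two.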