feat(sbom): add purl

ffontaine · ffontaine · commit 547b9a3cabe9 · 2025-04-14T21:28:38.000+02:00
Add purl to SBOM For binary checker, try to "guess" it through purl2cpe database Fix #3317 Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
@@ -763,6 +763,34 @@ def update_vendors(self, cve_data):
 
         return updated_severity, updated_affected
 
+    def guess_purl(self, vendor, product, version):
+        query = """
+        SELECT
+            distinct purl
+        FROM purl2cpe
+        WHERE cpe like ?
+        """
+        cursor = self.db_open_and_get_cursor()
+        cursor.execute(query, ["%:" + vendor + ":" + product + ":%"])
+
+        # Prefer upstream purl (e.g., github, gitlab, sourceforge)
+        # over distribution specific purl (e.g. debian, ubuntu, fedora)
+        purl_entries = [x[0] for x in cursor.fetchall()]
+        preferred_upstream = [
+            vendor,
+            f"github/{vendor}",
+            f"gitlab/{vendor}",
+            f"sourceforge/{vendor}",
+            "github",
+            "gitlab",
+            "sourceforge",
+            "",
+        ]
+        for subs in preferred_upstream:
+            res = [i for i in purl_entries if f"pkg:{subs}" in i]
+            if res:
+                return res[0] + "@" + version
+
     def db_open_and_get_cursor(self) -> sqlite3.Cursor:
         """Opens connection to sqlite database, returns cursor object."""
 
diff --git a/cve_bin_tool/sbom_manager/generate.py b/cve_bin_tool/sbom_manager/generate.py
@@ -107,6 +107,8 @@ def generate_sbom(self) -> None:
                         else:
                             evidence = path
                         my_package.set_evidence(evidence)
+                if product_data.purl:
+                    my_package.set_purl(product_data.purl)
                 self.sbom_packages[
                     (
                         my_package.get_name(),
diff --git a/cve_bin_tool/version_scanner.py b/cve_bin_tool/version_scanner.py
@@ -269,8 +269,9 @@ def run_checkers(self, filename: str, lines: str) -> Iterator[ScanInfo]:
                             f"{file_path} matched {dummy_checker_name} {version} ({version_results.matched_filename=}, {version_results.matched_contains=})"
                         )
                         for vendor, product in checker.VENDOR_PRODUCT:
+                            purl = self.cve_db.guess_purl(vendor, product, version)
                             yield ScanInfo(
-                                ProductInfo(vendor, product, version),
+                                ProductInfo(vendor, product, version, purl),
                                 file_path,
                             )
 

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,8 @@ def generate_sbom(self) -> None:`
`107`	`107`	`else:`
`108`	`108`	`evidence = path`
`109`	`109`	`my_package.set_evidence(evidence)`
	`110`	`+ if product_data.purl:`
	`111`	`+ my_package.set_purl(product_data.purl)`
`110`	`112`	`self.sbom_packages[`
`111`	`113`	`(`
`112`	`114`	`my_package.get_name(),`
Original file line number	Diff line number	Diff line change
`@@ -269,8 +269,9 @@ def run_checkers(self, filename: str, lines: str) -> Iterator[ScanInfo]:`
`269`	`269`	`f"{file_path} matched {dummy_checker_name} {version} ({version_results.matched_filename=}, {version_results.matched_contains=})"`
`270`	`270`	`)`
`271`	`271`	`for vendor, product in checker.VENDOR_PRODUCT:`
	`272`	`+ purl = self.cve_db.guess_purl(vendor, product, version)`
`272`	`273`	`yield ScanInfo(`
`273`		`- ProductInfo(vendor, product, version),`
	`274`	`+ ProductInfo(vendor, product, version, purl),`
`274`	`275`	`file_path,`
`275`	`276`	`)`
`276`	`277`