[Buildroot] [PATCH 0/7] Add PURL support
Arnout Vandecappelle
arnout at rnout.be
Wed Apr 16 19:19:56 UTC 2025
On 16/04/2025 21:07, Peter Korsgaard wrote:
>>>>>> "Thomas" == Thomas Perale via buildroot <buildroot at buildroot.org> writes:
> > This patch series adds support for PURL.
> > https://github.com/package-url/purl-spec
>
> Nice!
>
> > PURL is a software identifier similar to CPE.
> > More information on PURL can be found in the first patch of the series.
>
> > After testing the usage of PURL with DependencyTrack and
> > https://ossindex.sonatype.org, I can see that it improves the tracking
> > of CVEs and version bumps.
>
> Out of interest, how does it help (do you have an example?)
>
> Does a PURL match complicate anything if we add a local (security) patch
> to a package?
As long as the tool reports CVEs, the CVE exclusions still work. (Well, I
don't actually know for sure if the CVE exclusions really work in
DependencyTrack with our CycloneDX, IIUC it's complicated :-).
Of course, if the tool reports GHSAs, there's nothing we can do with that...
Regards,
Arnout
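As an added illustration of what a PURL is and why a local patch does not change it (this is example code written for this page, not part of the patch series or of Buildroot's own CycloneDX generator): a small builder/parser that follows the purl-spec grammar `pkg:type/namespace/name@version?qualifiers#subpath`, plus a constructed stand-in for a package record. The `BuildrootPackage` class, its field names, and the busybox download URL are assumptions made for the example, not Buildroot variables.

```python
"""Minimal PURL (package-url) builder/parser following the purl-spec grammar:
pkg:type/namespace/name@version?qualifiers#subpath.
Added example for this page; the package record below is constructed and
its field names are hypothetical, not Buildroot's."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None

    def __str__(self) -> str:
        # type is case-insensitive and canonicalised to lowercase
        out = "pkg:" + self.type.lower() + "/"
        if self.namespace:
            # each namespace segment is percent-encoded on its own; '/' between segments stays
            segs = self.namespace.strip("/").split("/")
            out += "/".join(quote(s, safe=":") for s in segs) + "/"
        out += quote(self.name, safe=":")          # '@' and '/' in a name become %40 / %2F
        if self.version:
            out += "@" + quote(self.version, safe=":")
        if self.qualifiers:
            # keys lowercase and sorted, empty values dropped, ':' and '/' kept readable in values
            pairs = sorted((k.lower(), v) for k, v in self.qualifiers.items() if v)
            out += "?" + "&".join(f"{k}={quote(v, safe=':/')}" for k, v in pairs)
        if self.subpath:
            segs = [s for s in self.subpath.strip("/").split("/") if s not in ("", ".", "..")]
            out += "#" + "/".join(quote(s, safe=":") for s in segs)
        return out


def parse_purl(text: str) -> Purl:
    """Parse a PURL string. Splitting order follows the spec: subpath from the right,
    then qualifiers from the right, then scheme, type, version (rightmost '@'), name."""
    if not text.startswith("pkg:"):
        raise ValueError("not a purl: missing pkg: scheme")
    rest = text[len("pkg:"):]
    subpath = None
    if "#" in rest:
        rest, frag = rest.rsplit("#", 1)
        keep = [s for s in frag.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(unquote(s) for s in keep)
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.rsplit("?", 1)
        for pair in query.split("&"):
            k, _, v = pair.partition("=")
            if v:
                qualifiers[k.lower()] = unquote(v)
    rest = rest.lstrip("/")
    type_, _, rest = rest.partition("/")
    if not type_ or not rest:
        raise ValueError("purl needs a type and a name")
    version = None
    if "@" in rest:
        rest, ver = rest.rsplit("@", 1)
        version = unquote(ver)
    segs = [s for s in rest.strip("/").split("/") if s]
    name = unquote(segs[-1])
    namespace = "/".join(unquote(s) for s in segs[:-1]) or None
    return Purl(type_.lower(), name, namespace, version, qualifiers, subpath)


@dataclass
class BuildrootPackage:
    """Constructed stand-in for a package record (hypothetical fields, not Buildroot's)."""
    name: str
    version: str
    site: str
    local_patches: tuple = ()

    def purl(self) -> Purl:
        # pkg:generic with a download_url qualifier, the natural fit for a tarball-based package
        url = f"{self.site}/{self.name}-{self.version}.tar.bz2"
        return Purl("generic", self.name, version=self.version, qualifiers={"download_url": url})


def same_identity_after_local_patch(pkg: BuildrootPackage, patch: str) -> bool:
    """A local patch changes the built binary but not the upstream version, so the PURL
    (and anything a scanner keys on it) stays identical: a matched advisory is not
    silenced by the patch itself, which is why an explicit exclusion is still needed."""
    patched = BuildrootPackage(pkg.name, pkg.version, pkg.site, pkg.local_patches + (patch,))
    return str(pkg.purl()) == str(patched.purl())


# Constructed sample package; the URL is illustrative.
EXAMPLE = BuildrootPackage("busybox", "1.36.1", "https://busybox.net/downloads")

if __name__ == "__main__":
    print(EXAMPLE.purl())
    print(parse_purl(str(EXAMPLE.purl())))
    print(same_identity_after_local_patch(EXAMPLE, "0001-local-fix.patch"))
```

Running it prints the generic PURL with its `download_url` qualifier, the parsed components, and `True` for the patched-vs-unpatched comparison, which is the point of Peter's question: a scanner matching on PURL sees the same identifier before and after a local patch, so the existing CVE exclusion mechanism, not the PURL, is what has to carry that information.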