referenceLocator purl does not include upstream information about system packages

[beltran-rubo]

Description

The purl information does not include the upstream package that a specific OS package is coming from. For instance:

$ trivy image --format spdx-json debian:latest > debian.json

The package libssl1.1 includes this information "referenceLocator": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u4?distro=debian-11.6". The issue of not including the upstream information from the package into the purl is there is no way to detect CVEs based on that information as those ones are linked to the upstream package.

The correct information should be "referenceLocator": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u4?upstream=openssl&distro=debian-11.6".

Into the CycloneDX sBOM it already exists that metadata but not as part of the purl.

{
   "name": "aquasecurity:trivy:SrcName",
   "value": "openssl"
},

What did you expect to happen?

Include the upstream information from the OS packages metadata as part of the sBOM. It does not appear into the SPDX or CycloneDX purl.

What happened instead?

No upstream information as part of the purl.

Output of trivy -v:

Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-31 06:17:32.691408303 +0000 UTC
  NextUpdate: 2023-03-31 12:17:32.691407903 +0000 UTC
  DownloadedAt: 2023-03-31 06:53:06.842877 +0000 UTC

[DmitriyLewen]

Hello @beltran-rubo
Thanks for your report!

We created #3971 to add upstream to purl.

Regards, Dmitriy

[knqyf263]

@beltran-rubo Thanks for raising the issue. I didn't find the specification. Could you share a link that we should reference?
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#deb
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm

[beltran-rubo]

That is right, still not there but there are other tools following that convention. See #3485 that Syft already includes that information as part of the purl. There is also an interesting discussion why adding upstream is needed as part of the purl anchore/syft#1700 (comment). The key part is the CVEs for the Linux distributions tend to be written against the source package and not downstream packages. That solution looks simple to be adopted it and does not require changes to the current CycloneDX spec.

[knqyf263]

I'm not sure upstream is the best solution here. We include the source information in custom properties of SPDX and CycloneDX. It seemes to be Syft-specific design yet. Syft can follow our approach. We should discuss and define it in PURL.

[beltran-rubo]

In the case of SPDX the source information is a plain string that would be difficult to parse it to get the package name, e.g.
"sourceInfo": "built package from: nghttp2 1.43.0-5.el9" when the useful part would be nghttp2-1.43.0-5.el9.src.rpm to get the vulnerabilities associated to the source package.