Merge branch 'main' into add-generic-purl-type

Author: mprpic

docs/cpe.md

@@ -0,0 +1,49 @@
+# Identifying Red Hat components using CPEs
+Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications,
+operating systems, and hardware devices present among an enterprise's computing assets.
+
+Red Hat uses CPEs to uniquely identify each product and version, following the CPE 2.2 schema.
+
+## RHEL 10 CPEs
+Starting with  RHEL 10, we will change the way CPEs are assigned to RHEL:
+
+* Minor versions will be used in CPEs for mainstream RHEL versions
+* The `cpe:/o` prefix will be used instead of mixed usage of `cpe:/o` and `cpe:/a` for all RHEL variants
+* The channel specifiers are being dropped
+
+
+### Minor Version CPEs
+Previously, for RHEL 9 and earlier we assigned generic CPEs like `cpe:/o:redhat:enterprise_linux:9` for the entire 
+lifetime of a major release. Minor versions were only reflected in xUS CPEs (e.g., `cpe:/a:redhat:rhel_eus:9.2::appstream`).
+
+Starting with RHEL 10 and all following versions of RHEL, we will use minor versions in mainstream CPEs, 
+e.g., `cpe:/o:redhat:enterprise_linux:10.0`, incrementing with each subsequent minor release. This will apply to the 
+MAIN, GA, and MAIN.EUS variants. This makes it easier to determine which version of RHEL an advisory was released for 
+without consulting ET product configuration. This also improves our way of tracking releases and which sets of 
+advisories they shipped. More granular minor versions also allow for the use of version ranges later on, which can be 
+used to sets of versions (without having to enumerate them all) where the security status such as "fixed" is applicable.
+
+### CPE Type Standardization
+Previously, we used a mix of `cpe:/o` (operating system) and `cpe:/a` (application) for different variants of RHEL 
+(for example, base OS used o and Appstream used a). It is unclear why we decided on this different usage and we've 
+encountered various issues in our security data files where consumers have to account for both prefixes even though 
+they identify the same products.
+
+Starting with RHEL 10 and all following versions of RHEL, we will standardize on `cpe:/o` for all RHEL-related components
+(those shipped under the RHEL product in Errata Tool). EUS CPEs will also transition from `cpe:/a` to `cpe:/o`, for example:
+Base OS: `cpe:/o:redhat:enterprise_linux_eus:10.2`
+AppStream: `cpe:/o:redhat:enterprise_linux_eus:10.2`
+
+### Removal of channel specifiers and consistent naming of EUS CPEs
+CPEs for RHEL 9 and earlier used channel specifiers such as `::appstream` and `::baseos` to differentiate between different
+Errata Tool Variants and pin a specific CPE to a set of RPM repositories. These specifiers were never used externally
+by any vendor or any of our external documents for any reason other than arbitrary differentiation between groups of
+content. Starting with RHEL 10, we will drop the use of channel specifiers for RHEL. We will continue using them for
+layered products to distinguish their base RHEL version if known.
+
+Extended streams such as EUS, AUS or TUS always used the name rhel instead of enterprise_linux in the CPE name.
+Starting with RHEL 10, we will use enterprise_linux only for increased consistency.
+
+
+
+

mkdocs.yml

@@ -36,10 +36,11 @@ theme:
 
 nav:
   - Home: "index.md"
-  - SBOM: "sbom.md"
-  - purl: "purl.md"
+  - CPE: "cpe.md"
   - CSAF/VEX: "csaf-vex.md"
-
+  - purl: "purl.md"
+  - SBOM: "sbom.md"
+  
 plugins:
   - social
   - search

sbom/examples/product/rhel-9.2-eus.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8",
   "metadata": {
     "component": {
-      "bom-ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",
       "type": "operating-system",
       "name": "Red Hat Enterprise Linux",
       "version": "9.2 EUS",

sbom/examples/product/rhel-9.2-main+eus.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8",
   "metadata": {
     "component": {
-      "bom-ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",
       "type": "operating-system",
       "name": "Red Hat Enterprise Linux",
       "version": "9.2 MAIN+EUS",

sbom/examples/product/rhel-9.4-main+eus.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8",
   "metadata": {
     "component": {
-      "bom-ref": "cpe:/o:redhat:enterprise_linux:9::baseos",
       "type": "operating-system",
       "name": "Red Hat Enterprise Linux",
       "version": "9.4 MAIN+EUS",

sbom/examples/rpm/build/delve-1.7.2-1.module+el8.6.0+12972+ebab5911.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:223234df-bb5b-49af-a896-143736f7d806",
   "metadata": {
     "component": {
-      "bom-ref": "pkg:rpm/redhat/delve@1.7.2-1.module+el8.6.0+12972+ebab5911?arch=src&rpmmod=go-toolset:rhel8:8060020250609110611:97d7f71f",
       "type": "library",
       "name": "delve",
       "version": "1.7.2-1.module+el8.6.0+12972+ebab5911",

sbom/examples/rpm/build/from-koji.py

@@ -423,12 +423,13 @@ def process_build(self, build_id, rpmmod):
         cdx_root_component = None
         cdx_pedigrees = []
         for rpm in rpms:
-            (name, version, release, nvr, arch) = (
+            (name, version, release, nvr, arch, epoch) = (
                 rpm["name"],
                 rpm["version"],
                 rpm["release"],
                 rpm["nvr"],
                 rpm["arch"],
+                rpm["epoch"],
             )
             filename = f"{downloaddir}/{name}-{version}-{release}.{arch}.rpm"
             if arch == "src":
@@ -441,6 +442,8 @@ def process_build(self, build_id, rpmmod):
             sha256header = self.get_rpm_sha256header(filename)
             sigmd5 = self.get_rpm_sigmd5(filename)
             purl = f"pkg:rpm/redhat/{name}@{version}-{release}?arch={arch}"
+            if epoch:
+                purl = f"{purl}&epoch={epoch}"
             if rpmmod:
                 purl = f"{purl}&rpmmod={rpmmod}"
             package = {
@@ -526,6 +529,8 @@ def process_build(self, build_id, rpmmod):
             "relationships": self.spdx_relationships,
         }
 
+        copy_of_cdx_root = deepcopy(cdx_root_component)
+        cdx_root_component.pop("bom-ref")
         cdx = {
             "bomFormat": "CycloneDX",
             "specVersion": "1.6",
@@ -546,19 +551,18 @@ def process_build(self, build_id, rpmmod):
             },
         }
 
-        copy_of_cdx_root = deepcopy(cdx_root_component)
         copy_of_cdx_root["pedigree"] = {"ancestors": cdx_pedigrees}
         self.cdx_components.append(copy_of_cdx_root)
         cdx["components"] = sorted(self.cdx_components, key=lambda c: c["purl"])
 
         binary_rpm_purls = set()
         for cdx_component in self.cdx_components:
-            if cdx_component["bom-ref"] == cdx_root_component["bom-ref"]:
+            if cdx_component["bom-ref"] == copy_of_cdx_root["bom-ref"]:
                 continue
             binary_rpm_purls.add(cdx_component["purl"])
 
         cdx["dependencies"] = [
-            {"ref": cdx_root_component["bom-ref"], "provides": sorted(list(binary_rpm_purls))}
+            {"ref": copy_of_cdx_root["bom-ref"], "provides": sorted(list(binary_rpm_purls))}
         ]
 
         with open(f"{build_id}.spdx.json", "w") as fp:
@@ -624,7 +628,7 @@ def create_cdx_from_spdx(spdx_data):
 build_ids = []
 rpmmod = ""
 if is_module:
-    module_tag, module_nsvc= get_modulemd_data()
+    module_tag, module_nsvc = get_modulemd_data()
     rpmmod = module_nsvc
     module_builds = SESSION.listTagged(module_tag)
     for module_build in module_builds:

sbom/examples/rpm/build/go-toolset-1.17.13-2.module+el8.6.0+22782+bd95fb4c.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:223234df-bb5b-49af-a896-143736f7d806",
   "metadata": {
     "component": {
-      "bom-ref": "pkg:rpm/redhat/go-toolset@1.17.13-2.module+el8.6.0+22782+bd95fb4c?arch=src&rpmmod=go-toolset:rhel8:8060020250609110611:97d7f71f",
       "type": "library",
       "name": "go-toolset",
       "version": "1.17.13-2.module+el8.6.0+22782+bd95fb4c",

sbom/examples/rpm/build/golang-1.17.13-9.module+el8.6.0+23245+b36ba85c.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:223234df-bb5b-49af-a896-143736f7d806",
   "metadata": {
     "component": {
-      "bom-ref": "pkg:rpm/redhat/golang@1.17.13-9.module+el8.6.0+23245+b36ba85c?arch=src&rpmmod=go-toolset:rhel8:8060020250609110611:97d7f71f",
       "type": "library",
       "name": "golang",
       "version": "1.17.13-9.module+el8.6.0+23245+b36ba85c",

sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.cdx.json

@@ -5,7 +5,6 @@
   "serialNumber": "urn:uuid:223234df-bb5b-49af-a896-143736f7d806",
   "metadata": {
     "component": {
-      "bom-ref": "pkg:rpm/redhat/openshift-pipelines-client@1.14.3-11352.el8?arch=src",
       "type": "library",
       "name": "openshift-pipelines-client",
       "version": "1.14.3-11352.el8",
@@ -61527,7 +61526,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=5bd72523ff97f024#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=5bd72523ff97f024#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",
@@ -61561,7 +61560,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=32dc6765d524c372#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=32dc6765d524c372#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",
@@ -61595,7 +61594,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=5d57e43f394fdd30#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=5d57e43f394fdd30#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",
@@ -61629,7 +61628,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=ffc736852a1ceb9e#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/instrumentation@v0.46.1?package-id=ffc736852a1ceb9e#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",