open-policy-agent/opa

Introduce PURL built-in functions

Opened this issue · 5 comments

What is the underlying problem you're trying to solve?

Given a list of disallowed components, and an SBOM as input, I would like to write a rego policy that:

  1. Verifies the entries in the SBOM, and in the list of disallowed components, define valid PURL values.
  2. Parses a PURL value into an object that represents the various components of the PURL spec, e.g. name, version.
  3. Detects when the SBOM uses one of the items from the list of disallowed components.

Describe the ideal solution

Introduce two new built-in rego functions:

  • purl.is_valid(purl): Determine whether or not a given PURL is valid. The purl parameter is of type string. The return value is a boolean.
  • purl.parse(purl): Parse a valid PURL into an object. The purl parameter is of type string. The return value is an object representation of the given PURL.

The functionality above can be achieved by using https://github.com/package-url/packageurl-go.

Additional Context

I'm one of the maintainers of the Enterprise Contract project, which heavily relies on rego to perform validation of certain software artifacts, mainly container images. We have introduced the two suggested functions above in our implementation via custom rego functions. I would really rather have this as part of rego itself as it is likely to benefit others in the opa ecosystem.

I'm happy to submit a PR if there's agreement to add this to OPA!
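The three steps in the issue (validate every PURL, parse it into its components, match the SBOM against a denylist), as an added example that is not part of the original issue, of OPA, or of packageurl-go. It is a self-contained, spec-level PURL parser in Go standing in for what purl.parse and purl.is_valid would return, followed by the denylist check, run on constructed SBOM data. The function names, the package-level sample data and the match rule (a denylist entry without a version matches every version of that package) are my own assumptions; the type-specific normalisation rules in the PURL spec (lower-casing some namespaces, for example) are deliberately not applied, so an unencoded "@" in an npm scope is rejected rather than tolerated.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PURL holds the components of a package URL: pkg:type/namespace/name@version?qualifiers#subpath
type PURL struct {
	Type, Namespace, Name, Version, Subpath string
	Qualifiers                              map[string]string
}

// ParsePURL decomposes s in the order the PURL spec prescribes: subpath is split off
// the right on '#', then qualifiers on '?', then the "pkg:" scheme is checked, then
// type, version (last '@') and namespace/name. Percent-encoded segments are decoded.
func ParsePURL(s string) (*PURL, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return nil, errors.New(`missing "pkg:" scheme`)
	}
	rest, p, err := s[len("pkg:"):], &PURL{Qualifiers: map[string]string{}}, error(nil)
	if i := strings.LastIndex(rest, "#"); i >= 0 {
		p.Subpath, rest = strings.Trim(rest[i+1:], "/"), rest[:i]
	}
	if i := strings.LastIndex(rest, "?"); i >= 0 {
		for _, pair := range strings.Split(rest[i+1:], "&") {
			k, v, ok := strings.Cut(pair, "=")
			if !ok || k == "" {
				return nil, fmt.Errorf("malformed qualifier %q", pair)
			}
			if v == "" { // spec: an empty value is the same as no qualifier at all
				continue
			}
			if v, err = url.PathUnescape(v); err != nil {
				return nil, fmt.Errorf("qualifier %q: %w", pair, err)
			}
			p.Qualifiers[strings.ToLower(k)] = v
		}
		rest = rest[:i]
	}
	typ, rest, ok := strings.Cut(strings.TrimLeft(rest, "/"), "/")
	if !ok || typ == "" {
		return nil, errors.New("missing type or name")
	}
	p.Type = strings.ToLower(typ) // type is case-insensitive in the spec
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		if p.Version, err = url.PathUnescape(rest[i+1:]); err != nil {
			return nil, fmt.Errorf("version: %w", err)
		}
		rest = rest[:i]
	}
	segs := strings.Split(strings.Trim(rest, "/"), "/")
	for i, seg := range segs { // every segment (namespace parts and name) must be non-empty
		if segs[i], err = url.PathUnescape(seg); err != nil || segs[i] == "" {
			return nil, fmt.Errorf("malformed name or namespace segment %q", seg)
		}
	}
	p.Name, p.Namespace = segs[len(segs)-1], strings.Join(segs[:len(segs)-1], "/")
	return p, nil
}

// IsValidPURL is the boolean form of ParsePURL, mirroring the proposed purl.is_valid.
func IsValidPURL(s string) bool { _, err := ParsePURL(s); return err == nil }

// DisallowedInSBOM returns the SBOM entries that match a denylist entry on type,
// namespace and name. A denylist entry without a version matches all versions;
// qualifiers and subpath are ignored for matching. Any malformed PURL on either
// side is an error, so a typo in the denylist can never silently allow a package.
func DisallowedInSBOM(sbom, denylist []string) ([]string, error) {
	type key struct{ typ, ns, name string }
	denied := map[key][]string{} // coordinates -> denied versions ("" = every version)
	for _, d := range denylist {
		p, err := ParsePURL(d)
		if err != nil {
			return nil, fmt.Errorf("denylist entry %q: %w", d, err)
		}
		k := key{p.Type, p.Namespace, p.Name}
		denied[k] = append(denied[k], p.Version)
	}
	var hits []string
	for _, c := range sbom {
		p, err := ParsePURL(c)
		if err != nil {
			return nil, fmt.Errorf("sbom entry %q: %w", c, err)
		}
		for _, v := range denied[key{p.Type, p.Namespace, p.Name}] {
			if v == "" || v == p.Version {
				hits = append(hits, c)
				break
			}
		}
	}
	return hits, nil
}

// Constructed sample data (not from a real SBOM or policy).
var SampleSBOM = []string{
	"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
	"pkg:npm/%40angular/animation@12.3.1",
	"pkg:golang/github.com/open-policy-agent/opa@v0.60.0",
}
var SampleDenylist = []string{"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "pkg:npm/event-stream"}

func main() {
	hits, err := DisallowedInSBOM(SampleSBOM, SampleDenylist)
	if err != nil {
		fmt.Println("policy input rejected:", err)
		return
	}
	for _, h := range hits {
		fmt.Println("disallowed component:", h)
	}
}
```

The parser returns the same shape a purl.parse built-in would hand back to Rego (type, namespace, name, version, qualifiers, subpath), so the denylist logic in DisallowedInSBOM is what the corresponding Rego rule would express; the failure-closed handling of malformed entries is the reason step 1 of the issue (validation) matters before steps 2 and 3.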

@lcarva thanks for providing the context here. On the implementation piece, the package seems small enough that we could probably take the required logic and put it in internal if needed. I haven't heard about the PURL spec before and its usage for supply chain security so I'll let others chime in on whether this would be a good addition.

I should've mentioned that the PURL spec is used by one of the most popular SBOM formats CycloneDX, see schema.

Thanks for the info. Seems like a good addition to me.

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.