Draft: Support multiple purl identifiers in product_identification_helper

[mprpic]

This allows a vendor to specify multiple purl identifiers for a single component (present as a product version branch in the product tree). Multiple purls may identify the same component but point to different locations from where that component may be available. Thus, it is mandatory that if multiple purls are present in a single
product_identification_helper object, they must only differ in their qualifiers. Otherwise they should be set up as different product tree branches.

Resolves #774

[mprpic]

I'm unsure how to modify the examples to get the final text to build. When I run the make command, I get:

$ make build
bin/volatile.py
detected local reference for acknowledgments-type-example-eg-1 in (The example [eg](#acknowledgments-type-example-eg-1) above SHOULD lead to the following outcome in a human-readable advisory:)
The example \[[1](#acknowledgments-type-example-eg-1)\] above SHOULD lead to the following outcome in a human-readable advisory:
Traceback (most recent call last):
  File "/[...]/csaf/csaf_2.1/prose/edit/bin/volatile.py", line 575, in <module>
    sys.exit(main(sys.argv[1:]))
             ^^^^^^^^^^^^^^^^^^
  File "/[...]/csaf/csaf_2.1/prose/edit/bin/volatile.py", line 461, in main
    global_example_num = eg_global_from[magic_label]
                         ~~~~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'purl-eg-2'
make: *** [Makefile:4: build] Error 1

[tschmidtb51]

@mprpic Thank you for the Draft. I didn't had time yet to do a complete review but here are some quick comments:

• The qualifier test should be a separate one. Also, we need to add
  • valid examples
  • invalid examples
• The guidance on size needs to be adapted.
• The editorial change should be separate from the feature change (thanks for catching it).
• Rebase after Editor revision for TC meeting 2024-08-28 #784 is merged.

[mprpic]

* [ ]  The qualifier test should be a separate one. Also, we need to add
  * [ ]  valid examples
  * [ ]  invalid examples

Ack, I can move it to its own section with examples. Do you care if the original one remains as is and a new one is added with the next test number, i.e. tests-01-mndtr-13-purl.md stays as is and a new tests-01-mndtr-35-purl-qualifiers.md is added? Or do I need to sort them next to each other and bump all tests by one?

* [ ]  The guidance on size needs to be adapted.

Done!

* [ ]  The editorial change should be separate from the feature change (thanks for catching it).

So that's any changes to files under csaf_2.1/prose? Are you saying those should go into a separate PR after the schema changes one is merged?

* [ ]  Rebase after [Editor revision for TC meeting 2024-08-28 #784](https://github.com/oasis-tcs/csaf/pull/784) is merged.

Done!

[tschmidtb51]

Ack, I can move it to its own section with examples. Do you care if the original one remains as is and a new one is added with the next test number, i.e. tests-01-mndtr-13-purl.md stays as is and a new tests-01-mndtr-35-purl-qualifiers.md is added? Or do I need to sort them next to each other and bump all tests by one?

Please keep the old file as they were (except for correcting the structure that changed). The new test should be tests-01-mndtr-38-purl-qualifiers.md. (Other ones are already taken.) To add that to the generated document, it must be added in csaf_2.1/prose/edit/etc/bind.txt.

So that's any changes to files under csaf_2.1/prose? Are you saying those should go into a separate PR after the schema changes one is merged?

No. It was specific to the change of brackets (which then resulted in #787).
Note: The suggested change is actually wrong as we are taking about the schema not a specific instance.

[tschmidtb51]

Please have a look at the suggested changes.

[tschmidtb51]

I guess those should be unique...

Suggested change

	"minItems": 1,
	"minItems": 1,
	"uniqueItems": true,

[tschmidtb51]

/product_tree/*/product/product_identification_helper/purl (in all possible instances need also to be added to the array section.

[tschmidtb51]

Please make sure that aligns with other sections that use an array, e.g. remediations or notes.

[tschmidtb51]

Suggested change

	If multiple purls are specified, they MUST only differ in their qualifiers. Otherwise, separate product branches should
	be used to differentiate between the components.
	If multiple purls are specified, they SHALL only differ in their qualifiers.
	Otherwise, separate product branches should be used to differentiate between the components.