Draft: Support multiple purl identifiers in product_identification_helper

csaf_2.1/json_schema/csaf_json_schema.json

@@ -247,13 +247,19 @@
                 "minLength": 1
               }
             },
-            "purl": {
-              "title": "package URL representation",
-              "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
-              "type": "string",
-              "format": "uri",
-              "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+",
-              "minLength": 7
+            "purls": {
+              "title": "List of package URLs",
+              "description": "Contains a list of package URLs (purl).",
+              "type": "array",
+              "minItems": 1,
+              "items": {
+                "title": "package URL representation",
+                "description": "The package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.",
+                "type": "string",
+                "format": "uri",
+                "pattern": "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+",
+                "minLength": 7
+              }
             },
             "sbom_urls": {
               "title": "List of SBOM URLs",

csaf_2.1/prose/edit/etc/section-display-to-label.json

@@ -29,7 +29,7 @@
   "3.1.3.3.1": "full-product-name-type-product-identification-helper-cpe",
   "3.1.3.3.2": "full-product-name-type-product-identification-helper-hashes",
   "3.1.3.3.3": "full-product-name-type-product-identification-helper-model-numbers",
-  "3.1.3.3.4": "full-product-name-type-product-identification-helper-purl",
+  "3.1.3.3.4": "full-product-name-type-product-identification-helper-purls",
   "3.1.3.3.5": "full-product-name-type-product-identification-helper-sbom-urls",
   "3.1.3.3.6": "full-product-name-type-product-identification-helper-serial-numbers",
   "3.1.3.3.7": "full-product-name-type-product-identification-helper-skus",

csaf_2.1/prose/edit/etc/section-label-to-display.json

@@ -100,7 +100,7 @@
   "full-product-name-type-product-identification-helper-generic-uris": "3.1.3.3.8",
   "full-product-name-type-product-identification-helper-hashes": "3.1.3.3.2",
   "full-product-name-type-product-identification-helper-model-numbers": "3.1.3.3.3",
-  "full-product-name-type-product-identification-helper-purl": "3.1.3.3.4",
+  "full-product-name-type-product-identification-helper-purls": "3.1.3.3.4",
   "full-product-name-type-product-identification-helper-sbom-urls": "3.1.3.3.5",
   "full-product-name-type-product-identification-helper-serial-numbers": "3.1.3.3.6",
   "full-product-name-type-product-identification-helper-skus": "3.1.3.3.7",
@@ -250,9 +250,9 @@
   "vulnerabilities-property-ids": "3.2.4.6",
   "vulnerabilities-property-involvements": "3.2.4.7",
   "vulnerabilities-property-metrics": "3.2.4.8",
-  "vulnerabilities-property-metrics-content": "3.2.4.8.1", 
-  "vulnerabilities-property-metrics-products": "3.2.4.8.2", 
-  "vulnerabilities-property-metrics-source": "3.2.4.8.3", 
+  "vulnerabilities-property-metrics-content": "3.2.4.8.1",
+  "vulnerabilities-property-metrics-products": "3.2.4.8.2",
+  "vulnerabilities-property-metrics-source": "3.2.4.8.3",
   "vulnerabilities-property-notes": "3.2.4.9",
   "vulnerabilities-property-product-status": "3.2.4.10",
   "vulnerabilities-property-references": "3.2.4.11",

csaf_2.1/prose/edit/src/guidance-on-size.md

@@ -228,14 +228,14 @@ A string SHOULD NOT have a length greater than:
   * `/document/references[]/summary`
   * `/document/tracking/revision_history[]/summary`
   * `/product_tree/branches[]/product/product_identification_helper/cpe`
-  * `/product_tree/branches[]/product/product_identification_helper/purl`
+  * `/product_tree/branches[]/product/product_identification_helper/purls[]`
   * `/product_tree/branches[](/branches[])*/product/product_identification_helper/cpe`
-  * `/product_tree/branches[](/branches[])*/product/product_identification_helper/purl`
+  * `/product_tree/branches[](/branches[])*/product/product_identification_helper/purls[]`
   * `/product_tree/full_product_names[]/product_identification_helper/cpe`
-  * `/product_tree/full_product_names[]/product_identification_helper/purl`
+  * `/product_tree/full_product_names[]/product_identification_helper/purls[]`
   * `/product_tree/product_groups[]/summary`
   * `/product_tree/relationships[]/full_product_name/product_identification_helper/cpe`
-  * `/product_tree/relationships[]/full_product_name/product_identification_helper/purl`
+  * `/product_tree/relationships[]/full_product_name/product_identification_helper/purls[]`
   * `/vulnerabilities[]/acknowledgments[]/summary`
   * `/vulnerabilities[]/involvements[]/summary`
   * `/vulnerabilities[]/references[]/summary`

csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md

@@ -41,7 +41,7 @@ Product ID (`product_id`) holds a value of type Product ID (`product_id_t`).
 
 Helper to identify the product (`product_identification_helper`) of value type `object` provides in its properties at least
 one method which aids in identifying the product in an asset database.
-Of the given eight properties `cpe`, `hashes`, `model_numbers`, `purl`, `sbom_urls`, `serial_numbers`, `skus`,
+Of the given eight properties `cpe`, `hashes`, `model_numbers`, `purls`, `sbom_urls`, `serial_numbers`, `skus`,
 and `x_generic_uris`, one is mandatory.
 
 ```
@@ -51,27 +51,27 @@ and `x_generic_uris`, one is mandatory.
         "cpe": {
           // ...
         },
-        "hashes": [
+        "hashes": {
           // ...
-        ],
-        "model_numbers": [
+        },
+        "model_numbers": {
           // ...
-        ],
-        "purl": {
+        },
+        "purls": {
           // ...
         },
-        "sbom_urls": [
+        "sbom_urls": {
           // ...
-        ],
-        "serial_numbers": [
+        },
+        "serial_numbers": {
           // ...
-        ],
-        "skus": [
+        },
+        "skus": {
           // ...
-        ],
-        "x_generic_uris": [
+        },
+        "x_generic_uris": {
           // ...
-        ]
+        }
       }
     }
 ```
@@ -239,9 +239,10 @@ Two `*` MUST NOT follow each other.
     IC25T060ATCS05-0
 ```
 
-##### Full Product Name Type - Product Identification Helper - purl
+##### Full Product Name Type - Product Identification Helper - purls
 
-The package URL (purl) representation (`purl`) is a `string` of 7 or more characters with `pattern` (regular expression):
+List of purls (`purls`) of value type `array` with 1 or more items contains a list of package URL (purl) identifiers.
+A purl is a `string` of 7 or more characters that meets the criteria of `pattern` (regular expression):
 
 ```
     ^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*\\/.+
@@ -252,8 +253,11 @@ The package URL (purl) representation (`purl`) is a `string` of 7 or more charac
 > CSAF uses only the canonical form of purl to conform with section 3.3 of [cite](#RFC3986).
 > Therefore, URLs starting with `pkg://` are considered invalid.
 
-This package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
-See [cite](#PURL) for details.
+A package URL (purl) attribute refers to a method for reliably identifying and locating software packages external to this specification.
+See [cite](#PURL) for details. Multiple purls can be specified to allow for identifiers to locate identical components in different locations.
+
+If multiple purls are specified, they MUST only differ in their qualifiers. Otherwise, separate product branches should
+be used to differentiate between the components.
 
 ##### Full Product Name Type - Product Identification Helper - SBOM URLs
 

csaf_2.1/prose/edit/src/tests-01-mndtr-13-purl.md

@@ -5,9 +5,9 @@ It MUST be tested that given purl is valid.
 The relevant paths for this test are:
 
 ```
-  /product_tree/branches[](/branches[])*/product/product_identification_helper/purl
-  /product_tree/full_product_names[]/product_identification_helper/purl
-  /product_tree/relationships[]/full_product_name/product_identification_helper/purl
+  /product_tree/branches[](/branches[])*/product/product_identification_helper/purls[]
+  /product_tree/full_product_names[]/product_identification_helper/purls[]
+  /product_tree/relationships[]/full_product_name/product_identification_helper/purls[]
 ```
 
 *Example 1 (which fails the test):*
@@ -19,11 +19,35 @@ The relevant paths for this test are:
         "name": "Product A",
         "product_id": "CSAFPID-9080700",
         "product_identification_helper": {
-          "purl": "pkg:maven/@1.3.4"
+          "purls": [
+            "pkg:maven/@1.3.4"
+          ]
         }
       }
     ]
   }
 ```
 
 > Any valid purl has a name component.
+
+It MUST also be tested that if more than one purl is specified, they can only differ in their qualifiers.
+
+*Example 2 (which fails the test):*
+
+```
+  "product_tree": {
+    "full_product_names": [
+      {
+        "name": "Product A",
+        "product_id": "CSAFPID-9080700",
+        "product_identification_helper": {
+          "purls": [
+            "pkg:maven/org.example.blue/[email protected]",
+            "pkg:maven/org.example.blue/[email protected]"
+          ]
+        }
+      }
+    ]
+  }
+```
+> The two purls differ in the name component.

csaf_2.1/test/validator/data/mandatory/oasis_csaf_tc-csaf_2_1-2024-6-1-13-01.json

@@ -35,9 +35,11 @@
         "name": "Product A",
         "product_id": "CSAFPID-9080700",
         "product_identification_helper": {
-          "purl": "pkg:maven/@1.3.4"
+          "purls": [
+            "pkg:maven/@1.3.4"
+          ]
         }
       }
     ]
   }
-}
+}