How to match pkg/nix/* PURLs to Vulnerabilities?

[blitz]

Bombon generates Package URLs, such as these:

pkg:nix/glibc@2.39

As far as I can see, there is no CVE data source for these PURLs. Is there any advice on how to handle these for vulnerability analysis?

[nikstur]

There's no official PURL spec yet for Nix. However, there is a draft PR open: package-url/purl-spec#314

Not super clear to me, how to use this for vulnerability analysis.

Happy to change the PURL if there is a good proposal.

See also how syft creates Nix PURLS: anchore/syft#1696

[0xf09f95b4]

For a more short-term solution for vulnerability-scan-compatibility, would it be possible to "guess" CPEs instead, similar to how sbombix does it?

[blitz]

For a more short-term solution for vulnerability-scan-compatibility, would it be possible to "guess" CPEs instead, similar to how sbombix does it?

Correct CPEs would help, but sbomnix generates wrong CPEs. For glibc it generates cpe:2.3:a:glibc:glibc:2.39-52:*:*:*:*:*:*:* while actual CVEs are filed under cpe:2.3:a:gnu:glibc:2.37:*:*:*:*:*:*:* (note glibc vs gnu). Manually adding the correct CPE makes DependencyTrack find vulnerabilities, though.

I'm not sure whether the CPEs can be autogenerated, but adding the relevant fields to the meta attributes of derivations could be feasible.

[nikstur]

I'm not opposed to guessing, however, we could also guess PURLs as I don't see why CPEs would be better.

Adding a CPE or PURL meta field seems like the even better solution though. It's probably worth it to coordinate with the security tracker team on this.

[h0nIg]

@nikstur did you received any feedback from the security tracker team regarding PURL's or CPE's?