A Proof of Concept for including purl identifiers in CVE Records

[Tomalrich]

_Note 4/16: What is below was written before this week's on-again-off-again activity with the CVE Program and MITRE. Everything here is still quite relevant.

The CVE Program has started preparing to make purl an alternative software identifier to CPE in CVE Records. The CVE Quality Working Group (QWG) is now actively working on modifications to the CVE Record Format (aka ‘CVE Schema’) to accommodate purl. Since CPE will not go away, in the future CNAs will be able to designate affected products in a CVE Record using either identifier (and possibly the OmniBOR identifier as well).

While the QWG had been considering new identifiers for more than a year, their task was lent more urgency by the fact that in 2024, the NVD fell far behind in its job of adding CPE names to indicate vulnerable products in new CVE Records. In fact, the NVD added CPEs to fewer than half the new CVE Records created in 2024.

So far this year, the NVD’s “enrichment” rate has fallen even further, meaning their backlog of CVE Records without CPE names continues to grow rapidly. After missing at least two promised dates to eliminate the backlog in 2024, the NVD has stopped even estimating when they will catch up with this work.

The reason why a lack of CPE names in CVE Records creates a problem is that, without a CPE name, a CVE Record is invisible to automated vulnerability searches (for example, when a user enters a product name in the NVD’s search bar or uses one of the APIs).

This means that a user searching for new vulnerabilities identified in a software product won’t learn about any new CVE Record that doesn’t include a CPE name, even if the text of the record (which can’t be searched in a completely automated fashion) indicates the product is vulnerable.

Even worse, when this happens, the user will simply receive the message, “There are 0 matching records.” This is the same message they will receive if there are in fact zero vulnerabilities identified in the product. Of course, most NVD users, after seeing this message, will probably believe their product has no vulnerabilities – rather than that it likely does have vulnerabilities, but they can’t be identified through automated searches.

For this and other reasons, the QWG is now discussing changes to the CVE Schema to allow purl (and perhaps other identifiers in the future) to be used as an identifier for vulnerable products in CVE Records. While it is important to change the Schema, there are six other steps that need to be taken as well. These should be taken as part of a Proof of Concept, in which various participants in the CVE ecosystem utilize test CVE Records that are based on the proposed new Schema.

1. Identify vulnerability databases that are able – and willing – to ingest CVE Records that contain purls, and make it possible for automated searches based on purl to discover those records. Today, there is probably no vulnerability database that can do this without any modification, although some databases will require fewer modifications than others. For example, Sonatype’s OSS Index uses CVE as the vulnerability identifier and purl as the software identifier. However, since there are no CVE Records that include purls now, the database is currently using other means to determine applicability of new CVEs. There are also databases like the NVD, VulnDB and VulDB that are based on CPE and CVE. These databases can ingest CVE Records today, but they will need to be modified to accept purls in CVE records.
2. Identify scanning tool vendors that are willing and able to ingest test CVE Records containing a purl identifier, to determine whether the test CVE Records meet their needs, or whether there should be further changes to the format.
3. Interview medium- to large-sized end user organizations to learn about their requirements for vulnerability data. While these organizations are unlikely to have fixed opinions about the CVE Record Format, they can certainly describe their need for timeliness, accuracy, completeness, and applicability of vulnerability data. Chris Coffin, co-leader of the QWG, is especially concerned about getting end users involved in the process of extending the CVE Schema to include use of purl identifiers.
4. Interview CNAs about how they might use purl, and whether they think the test CVE Record Format is adequate for their needs. Since today purl is only used to identify open source software distributed in package managers and similar repositories, the CNAs most likely to be interested are those that create CVE Records for vulnerabilities that affect OSS. However, all CNAs will be welcome to participate in the PoC.
5. The fifth and final step is to execute an end-to-end Proof of Concept based on the test revisions to the CVE Schema. The PoC will consist of the following steps:
6. a. CNAs will create test CVE Records in the new format, including purl(s) for vulnerable product(s) described in the text of the record.
   b. If possible, those records will be submitted to the test CVE.org database, from where they will be downloaded by vulnerability databases. If this isn’t possible, the records will be submitted directly to the vulnerability databases.
   c. The vulnerability databases will ingest the test CVE Records, then ask users to conduct searches using purls that were included in one or more test records.
   d. If a search using a particular purl results in the user being shown every test CVE Record that includes the purl, that test will be considered a success.
   e. If any test purl search does not reveal one or more test CVE Records that include that purl, the test will be considered a failure. The cause of the failure will be investigated and documented for public viewing.
   f. Similarly, scanning tool vendors that wish to participate in this Proof of Concept will develop their own tests using the CVE Records that include purls. If possible, they will publish the results of their tests.
   g. The final step of the PoC will be to prepare a document that describes (i) vulnerability reporting needs identified by PoC participants, (ii) whether and how those needs were addressed in the PoC, and (iii) what lessons were learned from the PoC – especially regarding changes needed in the CVE Schema to accommodate use of purl identifiers in the overall CVE ecosystem.

7. After the PoC has been completed, the leaders of the project will develop training on use of purl for members of the CVE community. This will include presenting and recording webinars, both for "newbie" users and as technical training for CNAs, vulnerability database operators and scanning tool vendors.
   

[gregkh]

Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong.

[gregkh]

A "problem" with CPE is that it does not allow for "this range is vulnerable" and must be added "by hand" to the records as far as we can tell. purl is a way to identify a specific instance of a program, but not any range of releases of that program. A CVE record is there to describe the ranges of vulnerable/not vulnerable versions of the software, so how will purl tie into that?

[oej]

@gregkh Isn't the range problem what VERS is trying to solve, as part of PURL?
https://github.com/package-url/purl-spec/blob/main/VERSION-RANGE-SPEC.rst

[oej]

Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong.

There is a SWID part that would work, but in my personal view is not elegant. This is high on the list for the PURL project to solve, both for commercial projects and open source that is distributed without packaging.

[gregkh]

@gregkh Isn't the range problem what VERS is trying to solve, as part of PURL? https://github.com/package-url/purl-spec/blob/main/VERSION-RANGE-SPEC.rst

Oh nice, I missed that, thank you! Ok, ranges is covered, nice to see.

[gregkh]

Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong.

There is a SWID part that would work, but in my personal view is not elegant. This is high on the list for the PURL project to solve, both for commercial projects and open source that is distributed without packaging.

A tarball is not "packaging"? :)

Seriously, I think this is the largest problem with purl right now, only a very limited set of software releases can use the specification. Why not solve that now, before proposing this be used by CVE because as-is, CVE could not adopt this when most users of the schema would not be able to create a valid purl for their software.

[Tomalrich]

Thanks, Greg. You're right that purl doesn't currently cover all use cases; the purl community is currently working on exactly these issues. You're welcome to join them in this effort. However, the CVE Program has already decided to incorporate use of purl for those CNAs that want to use it. Nobody will be forced to use purl if they don't want to. CPE won't go away. Currently almost any software found in a package manager can have a purl. Most importantly, the purl doesn't have to be "created", since the purl is based entirely on the package manager name, the name of the package in that package manager, and optionally the version string in that package manager. All three pieces of information can be easily verified by anyone, and nobody at the NVD or elsewhere needs to create anything. What I, Olle and Seth are proposing is to facilitate the introduction of purl by doing an end-to-end proof of concept, which will answer questions like, "Which vulnerability databases will be able to ingest CVE Records that include purls, and make those records searchable using a purl?" We are also planning to develop and record training webinars on use of purl in the CVE ecosystem. Tom Tom Alrich LLC 312-515-8996 My book "Introduction to SBOM and VEX" is now available<https://www.amazon.com/s?k=introduction+to+sbom+and+vex&crid=2IDUG1OC1P8JO&sprefix=introduction+to+sbom%2Caps%2C220&ref=nb_sb_ss_ts-doa-p_2_20>! For context, see this<https://tomalrichblog.blogspot.com/2024/02/introduction-to-sbom-and-vex-both.html> post.

…

________________________________ From: Greg Kroah-Hartman ***@***.***> Sent: Thursday, April 17, 2025 2:20 AM To: ossf/wg-vulnerability-disclosures ***@***.***> Cc: Tom Alrich ***@***.***>; Author ***@***.***> Subject: Re: [ossf/wg-vulnerability-disclosures] A Proof of Concept for including purl identifiers in CVE Records (Issue #161) Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong. There is a SWID part that would work, but in my personal view is not elegant. This is high on the list for the PURL project to solve, both for commercial projects and open source that is distributed without packaging. A tarball is not "packaging"? :) Seriously, I think this is the largest problem with purl right now, only a very limited set of software releases can use the specification. Why not solve that now, before proposing this be used by CVE because as-is, CVE could not adopt this when most users of the schema would not be able to create a valid purl for their software. — Reply to this email directly, view it on GitHub<#161 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVCDY62AYGZSMNRL6VESFZT2Z5I2PAVCNFSM6AAAAAB3DJLDUKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMJSGAZDGNBRGI>. You are receiving this because you authored the thread.Message ID: ***@***.***> [https://avatars.githubusercontent.com/u/14953?s=20&v=4]gregkh left a comment (ossf/wg-vulnerability-disclosures#161)<#161 (comment)> Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong. There is a SWID part that would work, but in my personal view is not elegant. This is high on the list for the PURL project to solve, both for commercial projects and open source that is distributed without packaging. A tarball is not "packaging"? :) Seriously, I think this is the largest problem with purl right now, only a very limited set of software releases can use the specification. Why not solve that now, before proposing this be used by CVE because as-is, CVE could not adopt this when most users of the schema would not be able to create a valid purl for their software. — Reply to this email directly, view it on GitHub<#161 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVCDY62AYGZSMNRL6VESFZT2Z5I2PAVCNFSM6AAAAAB3DJLDUKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMJSGAZDGNBRGI>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[oej]

Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong.

There is a SWID part that would work, but in my personal view is not elegant. This is high on the list for the PURL project to solve, both for commercial projects and open source that is distributed without packaging.

A tarball is not "packaging"? :)
Got me there. You are right, but, well, there's no TARDIST.org system for distribution of tarballs :-)

Seriously, I think this is the largest problem with purl right now, only a very limited set of software releases can use
the specification. Why not solve that now, before proposing this be used by CVE because as-is, CVE could
not adopt this when most users of the schema would not be able to create a valid purl for their software.

CVE is not switching to PURL, it is adding PURL where it makes sense. And it does for a lot of software.
In parallell we are working hard in OWASP CycloneDX and ECMA TC54 to sort out purl for the use cases you mention. The kernel use case is likely very interesting for the group - would you like to set up a meeting to discuss the kernel use case?

[gregkh]

Seriously, I think this is the largest problem with purl right now, only a very limited set of software releases can use
the specification. Why not solve that now, before proposing this be used by CVE because as-is, CVE could
not adopt this when most users of the schema would not be able to create a valid purl for their software.

CVE is not switching to PURL, it is adding PURL where it makes sense. And it does for a lot of software.

That's fine, but it also does not work for lots of other software, so ideally it would be good if it could actually work for everything so that everyone can use and rely on it.

Otherwise we are back at the beginning, where some groups use one identifier, and others a different one, and others none at all. That would just make the current situation even worse for consumers of CVE records, not better.

In parallell we are working hard in OWASP CycloneDX and ECMA TC54 to sort out purl for the use cases you mention. The kernel use case is likely very interesting for the group - would you like to set up a meeting to discuss the kernel use case?

I have discussed this already in the past, but sure, would be willing to discuss it again.

But it's really simple, look at any of the kernel.org CVE records and tell me how you would use purl to identify the releases that are involved. Same goes for any other self-hosted open source project (i.e. GNOME, KDE, curl, python or perl (not python or perl modules, but the language releases themselves), kubernetes, etc.) How would we use purl in our CVE entries?

[oej]

I do agree. A project I'm involved with, kamailio.org, mainly distributes source code and tarballs - and can't set up a PURL for it. In addition we have our own Debian packages (where PURL works).

[Tomalrich]

One interesting fact about purl: Steve Springett's Dependency Track open source SCA tool is used well over 20 million times every day to look up an open source package - identified in an SBOM - in Sonatype's OSS Index vulnerability database. All of those lookups use purl. Tom Alrich LLC 312-515-8996 My book "Introduction to SBOM and VEX" is now available<https://www.amazon.com/s?k=introduction+to+sbom+and+vex&crid=2IDUG1OC1P8JO&sprefix=introduction+to+sbom%2Caps%2C220&ref=nb_sb_ss_ts-doa-p_2_20>! For context, see this<https://tomalrichblog.blogspot.com/2024/02/introduction-to-sbom-and-vex-both.html> post.

…

________________________________ From: Olle E. Johansson ***@***.***> Sent: Friday, April 18, 2025 2:58 AM To: ossf/wg-vulnerability-disclosures ***@***.***> Cc: Tom Alrich ***@***.***>; Author ***@***.***> Subject: Re: [ossf/wg-vulnerability-disclosures] A Proof of Concept for including purl identifiers in CVE Records (Issue #161) I do agree. A project I'm involved with, kamailio.org, mainly distributes source code and tarballs - and can't set up a PURL for it. In addition we have our own Debian packages (where PURL works). — Reply to this email directly, view it on GitHub<#161 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVCDY67DBSRI443IBIALR2322CWCTAVCNFSM6AAAAAB3DJLDUKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMJUHA3DGOBQGM>. You are receiving this because you authored the thread.Message ID: ***@***.***> [https://avatars.githubusercontent.com/u/20310?s=20&v=4]oej left a comment (ossf/wg-vulnerability-disclosures#161)<#161 (comment)> I do agree. A project I'm involved with, kamailio.org, mainly distributes source code and tarballs - and can't set up a PURL for it. In addition we have our own Debian packages (where PURL works). — Reply to this email directly, view it on GitHub<#161 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVCDY67DBSRI443IBIALR2322CWCTAVCNFSM6AAAAAB3DJLDUKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMJUHA3DGOBQGM>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[david-a-wheeler]

@gregkh asked:

Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong.

It does have some mechanisms, in a few different ways:

1. If you host your own repo but use an existing defined type of repo, add that as a repository_url parameter per PURL-SPECIFICATION
2. For github or bitbucket, there are special types github and bitbucket, per PURL-TYPES.
3. You can use generic per PURL-TYPES - generic, when all else fails. You need to provide download_url or vcs_url, and preferably checksum.

It's not as clear as it should be in this area, but it's better than "guess the package from a name".

[gregkh]

@gregkh asked:

Has the purl specification been changed to allow open source projects that host their own software (like KDE, GNOME, and Linux), issue purl identifiers? Last I checked it did not allow this, but I could be wrong.

It does have some mechanisms, in a few different ways:

1. If you host your own repo but use an existing defined type of repo, add that as a repository_url parameter per PURL-SPECIFICATION

Hm, I thought I looked at that, and talked with others, but somehow it wouldn't work for us for some reason that a release version from kernel.org would not fit into that scheme?

But I could be wrong, as an example, how would any (pick one) of the releases on the front page of https://kernel.org right now be referenced in purl format?

Also, how would an individual commit be referenced, like the ones we use in our CVE announcements like in https://lore.kernel.org/linux-cve-announce/2025041827-CVE-2025-40364-d93c@gregkh/ for example.

thanks!

[david-a-wheeler]

Here's my shot. I think this should be written down more formally somewhere... :-).

A purl should answer the question "where did you get this package?".

Let's talk about the kernel.org release. Current stable release is 6.14.2. at https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.14.2.tar.xz. Let's presume we're indicating a conventional tarball download, which is what many people use (it's shown in bold on the kernel.org website!). The purl spec doesn't have any better type matches, so it says we should use type "generic": "generic for plain, generic packages that do not fit anywhere else such as for "upstream-from-distro" packages. In particular this is handy for a plain version control repository such as a bare git repo.".

That means the Linux kernel stable 6.14.2 as a tarball would have a purl of:

pkg:generic/linux@6.14.2?download_url=https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.14.2.tar.xz&checksum=sha256:c5c682a354ea3190139357a57d34a79e5c37221ace823a938e10116b577a2e1b

Technically the checksum is optional, but I recommend including it (using SHA-256 or better). You can shorten the checksum. When you want to refer to a specific version, the checksum helps ensure we're talking about the same thing.

The challenge with the Linux kernel is that people get the Linux kernel from multiple different places, and the source matters. As you know, the Linux kernel acquired as part of Red Hat Enterprise Linux (RHEL), Fedora, Debian, or Ubuntu won't necessarily be the same as any particular release from kernel.org, and a vulnerability may apply to both or only one or neither. So if you want to refer to the Fedora kernel (in particular, a vulnerability that only applies to Fedora), you'd use that format:

pkg:rpm/fedora/kernel@6.14.2-1.fc42?arch=i686&distro=fedora-42

Some vulnerabilities apply to multiple sources. Ideally a vulnerability report would list them all, but they should list at least the highest upstream value it applies to, so that people can determine that it probably applies to them too. It's important that a vulnerability report format support multiple purls for a given vulnerability, since a vulnerability can apply to multiple package.

If there's a version range, then don't specify the version, specify a version range (or in addition to the specific version).

[david-a-wheeler]

Purl is more focused on identifying released packages. Obviously people can install any software they can get their hands on, but that is what purl focuses on.

I think there should be some sort "clarification" written down to better deal with such cases. Historically purl focused more on PyPI, maven, etc., but clearly other cases matter!