SlideShare a Scribd company logo

PURL and vers: The Mostly Universal Package URL and Version Ranges Identifiers for Dependencies and Vulnerabilities

Download as PPTX, PDF
M
Michael Herzog

In this webinar, Hritik and Philippe introduces and explains a new universal notation for package version ranges, such as used when resolving package dependencies as in “I require package foo, version 2.0 or later versions” and referencing affected vulnerable package versions as in “vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5". These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability ranges references; and are emerging as essential to reliably process vulnerability data in the software supply chain.

Presentations & Public Speaking
1 of 22
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Package URL (purl) and Version Range specs (vers) The Mostly Universal Package URL and Version Range Identifiers for Dependencies and Vulnerabilities 1
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Passionate about open source, Linux and infosec ▷ Co-maintainer at VulnerableCode and univers ▷ Application Security engineer at CRED ▷ Google summer of code mentor and a participant ▷ Supporter of suckless philosophy ▷ hritik.elf@gmail.com, @MrHritik Hritik Vijay 2
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ ScanCode and AboutCode projects lead and maintainer ▷ Creator of Package URL, co-founder of SPDX, ClearlyDefined ▷ FOSS veteran, long time Google Summer of Code mentor ▷ Co-founder and CTO of nexB Inc., makes of DejaCode ▷ Weird facts and claims to fame ● Signed off on the largest deletion of lines of code in the Linux kernel (but these were only comments) ● Unrepentant code hoarder. Had 60,000+ GH forks now down only to 20K forks ▷ pombredanne@gmail.com irc:pombreda Philippe Ombredanne 3
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ The problem: more FOSS dependencies, more bugs ● But better code, faster and cheaper ▷ Solution elements ● Identifying packages is hard ● Understanding dependency resolution is hard ● Understanding vulnerable ranges is hard ● Versioning is hard ● What if? ▷ Solution: purl and vers Agenda 4
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Ever more FOSS packages are reused. Reused like LEGO® ● 10x to 100x more than a few years ago ▷ Complex stacks with multiple technologies and languages ● Deep dependency trees on both application and system packages ▷ Unstated dependencies across ● package ecosystem boundaries and system and application boundaries ▷ More bugs and vulnerabilities! ▷ Difficulty to automate dependencies and vulnerabilities Things are getting more complex!! 5
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Hand crafted, good old README with installation instructions ▷ Replace all package managers with one to rule them all with massive mono repo and "hermetic" build system (Bazel, BUCK) ▷ ... general purpose package managers (Spack, Conda) ▷ ... "functional" package managers (Nix or Guix) ▷ ... and containers (to hide the details in a bigger tarball) How can we deal with this complexity? 6
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ We need one standard to accommodate them all! 7 Credits: https://xkcd.com/927/ xkcd.com is best viewed with Netscape Navigator 4.0 or below on a Pentium 3±1 emulated in Javascript on an Apple IIGS at a screen resolution of 1024x1. Please enable your ad blockers, disable high-heat drying, and remove your device from Airplane Mode and set it to Boat Mode. For security reasons, please leave caps lock on while browsing. This work is licensed under a Creative Commons Attribution-NonCommercial 2.5 License.https://creativecommons.org/licenses/by-nc/2.5/ 7
▷ Problem: Each ecosystem has its own conventions to identify, locate and provision software packages ▷ Solution: An expressive package-url string, minimalist yet obvious ▷ Identify & locate software packages reliably across tools and languages. pkg:npm/foobar@12.3.1 pkg:pypi/django@1.11.1 ▷ Started with ScanCode and VulnerableCode and now adopted in many places ▷ Now a de-facto standard used in LF ACT ORT, LF ACT Tren, LF OSSF OSV, CycloneDX, LF SPDX, Sonatype OSSIndex, OASIS CSAF, Anchore Syft and Grype, Microsoft OSSGadget, GitHub and many other places. ▷ Libraries in Java, PHP, Go, Python, JavaScript, Ruby, Swift, Rust, .Net, etc. ▷ Recommended by the US NTIA as an SBOM package identifier Meet Package URL (purl) 8
Package URL vs. other approaches ▷ Improved readability and obviousness: you can find a purl origin! ▷ No arbitrary vendor assignment ▷ NVD is adding "ecosystem" support in CVE API v5 ▷ OSSF OSV is supporting both purl and an "ecosystem" CPE purl cpe:2.3:a:apache:log4j:2.4:*:*:*:*:*:*:* pkg:maven/org.apache.logging.log4j/log4j- core@2.4 cpe:2.3:a:mark_pilgrim:feedparser:4.1:*:*:*: *:*:*:* pkg:pypi/feedparser@4.1 9
Package URL in the news "Component verification and vulnerability reporting are supported by some SBOM data formats today. Globally unique identifiers is a work in process supported by the leading data formats for package URLs (PURLs)." https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_final.pdf Software Bill of Materials (SBOM) and Cybersecurity Readiness January 2022 Stephen Hendrick, VP Research, The Linux Foundation 10
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Now we can name a package... version anyone? ▷ Resolving package dependencies ● "I require package <ABC>, version 2.0 or later versions" ▷ Affected vulnerable versions ● "vulnerability CVE-2021-1 affects <XYZ>, version 3.1 and version 4.2 but not version 5" ▷ Version numbers should be boring ▷ Yet each ecosystem has its own way for version and range! Debian, RPM, npm, PyPI, Ruby, etc. have their different notations using comparators >, < or =, or tilde ~ or caret ^ or star * ▷ Each resolves a dependency version in a range differently 11
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ We could express a dependency in a mostly universal way? ▷ And not replace all package managers BUT rather rule them all ▷ Use Package URL "purl" to name a package across ecosystem ▷ Add new "vers" Version Range Spec for ranges ● For any ecosystem, building on Package URL "package type" and namespace ● Simplified comparators set: >, <, =, !=, <=, >= ● Ecosystem-specific version comparison ▷ Designed for dependency ranges AND vulnerability ranges What if .... 12
Version Range Spec (vers) ▷ Problem: Each ecosystem has its own convention to specify version ranges ▷ Solution: An expressive version range string, minimalist yet obvious, a purl adjunct ▷ Specify ranges reliably across tools and languages for deps and vulnerabilities. A version range specifier ("vers") is a URI with this syntax: vers:npm/1.2.3|>=2.0.0|<5.0.0 vers:pypi/0.0.1|0.0.2|0.0.3|1.0|2.0pre1 ▷ Started with VulnerableCode with "univers" library and now used in CycloneDX and ScanCode. ▷ Can pave the way to universal dependency resolution and better vulnerabilities processing 13
Alternative to vers ▷ Single syntax for everything Such as CPEs, everything is SEMVER ▷ Use node-semver for everything GitHub advisories ▷ Use each ecosystem specs, plus new defined specs Gitlab advisories ▷ Enumerate all the versions in a range OSSF OSV (but does ranges too) ▷ Use Maven mathematical notation Snyk 14
Putting it all together A mostly universal package name (purl) with a mostly universal version range (vers) opens up many possibilities: ▷ Store vulnerable version ranges and evaluate later if a version is vulnerable ▷ Build a multi package installer for many ecosystems ▷ Write mostly universal dependency declarations ▷ Write a mostly universal dependency resolver? An incremental approach instead of replacing everything 15
▷ CycloneDX: purl and vers ▷ SPDX: purl ▷ OSSF OSV: purl ▷ OASIS CSAF: purl ▷ VulnerableCode, Univers and ScanCode ● Where purl and vers started ● Some univers code is also used in Google OSV ● https://github.com/nexb/vulnerablecode ● https://github.com/nexB/univers ▷ And many more tools and specs Who is using it? 16
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Software package names ○ Mostly solved with Package URL emerging as a de-facto standard ▷ Version range notation for dependencies and vulnerable ranges ○ New mini spec for Version Range Specifiers ▷ Vulnerability identifiers ○ Mostly solved with NVD's CVE and ever growing aliases list ▷ Version control system references ○ Likely solved with VCS URLs adapted from Python pip, now in SPDX Credit https://www.severnedgevets.co.uk/pets/advice/advice-new-kitten-owners Credit: T.S. Eliot, "Old Possum's Book of Practical Cats" Conclusion: The Naming of Cats is a difficult matter But mostly solved! 17 17
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ If you want to help 18 You can contribute code, time, docs (or cash?) ▷ Use these fine FOSS tools and specs ● https://github.com/package-url ● https://www.aboutcode.org/ ● https://github.com/nexB/ ▷ Join the conversation at ● https://gitter.im/aboutcode-org ▷ Donate at ● https://opencollective.com/aboutcode 18
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ If you want to learn more about our projects 19 ▷ On Package URL and Version Ranges (purl and vers): ● Visit Purl https://github.com/package-url for the specs and libraries ● Vers is at https://github.com/package-url/purl-spec/blob/version-range- spec/VERSION-RANGE-SPEC.rst ▷ On VulnerableCode usage of purl and vers ● Register for our upcoming webinar on using purl with VulnerableCode on July 21 at https://nexb.com/0721-vulnerablecode ● Read our latest blog post at https://nexb.com/vulnerablecode-public- release ● Visit https://nexb.com/vulnerablecode for more information 19
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Credits Special thanks to all the people who made and released these excellent free resources: ▷ Presentation template by SlidesCarnival ▷ Photographs by Unsplash ▷ All the open source software authors that made ScanCode and AboutCode possible 20
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ No tech stack is an island running ● No single programming language ● No Single single package ecosystem We need a way to talk about packages and their versions across ecosystems. ● purl and vers are an attempt to solve this problem and express package dependencies and vulnerabilities using a common language among multiple tools, SBOM formats and tech stacks. We will present Package URL, a way to reference packages across ecosystems which is emerging as a de-facto standard identifier for open source software packages. And we will introduce a new universal notation for package version ranges, such as used when resolving package dependencies as in "I require package foo, version 2.0 or later versions" and referencing affected vulnerable package versions as in "vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5". These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability ranges references; and are emerging as essential to reliably process vulnerability data in the software supply chain. Summary 21
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Start with package you directly depend on ● name & version (or version range) ▷ Access some package index or metadata source ● collect all known versions of the package ▷ Select one version that matches the range you need ▷ For this version, collect the packages it depends on ● names and versions (or version range) ▷ Repeat recursively ▷ Update selected names and versions as needed until consistent ● Can be involved algos using sat solvers, backtracking, etc. ▷ Finally install these packages (not today's scope) What is dependency resolution? 22

Recommended

Azure data factory security
Azure data factory securityAzure data factory security
Azure data factory securityMikeBrassil1
 
Azure Active Directory - An Introduction
Azure Active Directory - An IntroductionAzure Active Directory - An Introduction
Azure Active Directory - An IntroductionVenkatesh Narayanan
 
Data Visualization Techniques in Power BI
Data Visualization Techniques in Power BIData Visualization Techniques in Power BI
Data Visualization Techniques in Power BIAngel Abundez
 
Tableau Suite Analysis
Tableau Suite Analysis Tableau Suite Analysis
Tableau Suite Analysis Kymberly Grayson-Perry
 
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance BigID Inc
 
TechEvent Databricks on Azure
TechEvent Databricks on AzureTechEvent Databricks on Azure
TechEvent Databricks on AzureTrivadis
 
Ax installation guide
Ax installation guideAx installation guide
Ax installation guideStan Per
 
Pattern recognition binoy k means clustering
Pattern recognition binoy k means clusteringPattern recognition binoy k means clustering
Pattern recognition binoy k means clustering108kaushik
 

Recommended

Azure data factory security
Azure data factory securityAzure data factory security
Azure data factory securityMikeBrassil1
 
Azure Active Directory - An Introduction
Azure Active Directory - An IntroductionAzure Active Directory - An Introduction
Azure Active Directory - An IntroductionVenkatesh Narayanan
 
Data Visualization Techniques in Power BI
Data Visualization Techniques in Power BIData Visualization Techniques in Power BI
Data Visualization Techniques in Power BIAngel Abundez
 
Tableau Suite Analysis
Tableau Suite Analysis Tableau Suite Analysis
Tableau Suite Analysis Kymberly Grayson-Perry
 
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance BigID Inc
 
TechEvent Databricks on Azure
TechEvent Databricks on AzureTechEvent Databricks on Azure
TechEvent Databricks on AzureTrivadis
 
Ax installation guide
Ax installation guideAx installation guide
Ax installation guideStan Per
 
Pattern recognition binoy k means clustering
Pattern recognition binoy k means clusteringPattern recognition binoy k means clustering
Pattern recognition binoy k means clustering108kaushik
 
Introduction to DAX Language
Introduction to DAX LanguageIntroduction to DAX Language
Introduction to DAX LanguageAntonios Chatzipavlis
 
Data Warehouse or Data Lake, Which Do I Choose?
Data Warehouse or Data Lake, Which Do I Choose?Data Warehouse or Data Lake, Which Do I Choose?
Data Warehouse or Data Lake, Which Do I Choose?DATAVERSITY
 
Classification of data
Classification of dataClassification of data
Classification of dataDr. C.V. Suresh Babu
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory TrainingNishad Sukumaran
 
A complete guide to azure storage
A complete guide to azure storageA complete guide to azure storage
A complete guide to azure storageHimanshu Sahu
 
Considerations for Data Access in the Lakehouse
Considerations for Data Access in the LakehouseConsiderations for Data Access in the Lakehouse
Considerations for Data Access in the LakehouseDatabricks
 
Azure purview
Azure purviewAzure purview
Azure purviewShafqat Turza
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active DirectoryDavid J Rosenthal
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension DevelopmentDrew Skwiers-Koballa
 
Big data visualization
Big data visualizationBig data visualization
Big data visualizationAnurag Gupta
 
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdfBDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdfVasanthPerni1
 
Pass 2018 introduction to dax
Pass 2018 introduction to daxPass 2018 introduction to dax
Pass 2018 introduction to daxIke Ellis
 
Save and Share Files in the Cloud with OneDrive for Business - Customize Guide
Save and Share Files in the Cloud with OneDrive for Business - Customize GuideSave and Share Files in the Cloud with OneDrive for Business - Customize Guide
Save and Share Files in the Cloud with OneDrive for Business - Customize GuideDavid J Rosenthal
 
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...HostedbyConfluent
 
O365 Groups- Best Practices and Solutions
O365 Groups- Best Practices and SolutionsO365 Groups- Best Practices and Solutions
O365 Groups- Best Practices and SolutionsJohnConnected
 
Let's Talk About: Database Migration Service
Let's Talk About: Database Migration ServiceLet's Talk About: Database Migration Service
Let's Talk About: Database Migration ServicePedro Sousa
 
Google Cloud and Data Pipeline Patterns
Google Cloud and Data Pipeline PatternsGoogle Cloud and Data Pipeline Patterns
Google Cloud and Data Pipeline PatternsLynn Langit
 
An introduction to Business intelligence
An introduction to Business intelligenceAn introduction to Business intelligence
An introduction to Business intelligenceHadi Fadlallah
 
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | EdurekaMicrosoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | EdurekaEdureka!
 
Actionable Insights with AI - Snowflake for Data Science
Actionable Insights with AI - Snowflake for Data ScienceActionable Insights with AI - Snowflake for Data Science
Actionable Insights with AI - Snowflake for Data ScienceHarald Erb
 
VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsMichael Herzog
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!Michael Herzog
 

More Related Content

What's hot

Data Warehouse or Data Lake, Which Do I Choose?
Data Warehouse or Data Lake, Which Do I Choose?Data Warehouse or Data Lake, Which Do I Choose?
Data Warehouse or Data Lake, Which Do I Choose?DATAVERSITY
 
A complete guide to azure storage
A complete guide to azure storageA complete guide to azure storage
A complete guide to azure storageHimanshu Sahu
 
Considerations for Data Access in the Lakehouse
Considerations for Data Access in the LakehouseConsiderations for Data Access in the Lakehouse
Considerations for Data Access in the LakehouseDatabricks
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active DirectoryDavid J Rosenthal
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension DevelopmentDrew Skwiers-Koballa
 
Big data visualization
Big data visualizationBig data visualization
Big data visualizationAnurag Gupta
 
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdfBDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdfVasanthPerni1
 
Pass 2018 introduction to dax
Pass 2018 introduction to daxPass 2018 introduction to dax
Pass 2018 introduction to daxIke Ellis
 
Save and Share Files in the Cloud with OneDrive for Business - Customize Guide
Save and Share Files in the Cloud with OneDrive for Business - Customize GuideSave and Share Files in the Cloud with OneDrive for Business - Customize Guide
Save and Share Files in the Cloud with OneDrive for Business - Customize GuideDavid J Rosenthal
 
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...HostedbyConfluent
 
O365 Groups- Best Practices and Solutions
O365 Groups- Best Practices and SolutionsO365 Groups- Best Practices and Solutions
O365 Groups- Best Practices and SolutionsJohnConnected
 
Let's Talk About: Database Migration Service
Let's Talk About: Database Migration ServiceLet's Talk About: Database Migration Service
Let's Talk About: Database Migration ServicePedro Sousa
 
Google Cloud and Data Pipeline Patterns
Google Cloud and Data Pipeline PatternsGoogle Cloud and Data Pipeline Patterns
Google Cloud and Data Pipeline PatternsLynn Langit
 
An introduction to Business intelligence
An introduction to Business intelligenceAn introduction to Business intelligence
An introduction to Business intelligenceHadi Fadlallah
 
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | EdurekaMicrosoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | EdurekaEdureka!
 
Actionable Insights with AI - Snowflake for Data Science
Actionable Insights with AI - Snowflake for Data ScienceActionable Insights with AI - Snowflake for Data Science
Actionable Insights with AI - Snowflake for Data ScienceHarald Erb
 

What's hot (20)

Introduction to DAX Language
Introduction to DAX LanguageIntroduction to DAX Language
Introduction to DAX Language
 
Data Warehouse or Data Lake, Which Do I Choose?
Data Warehouse or Data Lake, Which Do I Choose?Data Warehouse or Data Lake, Which Do I Choose?
Data Warehouse or Data Lake, Which Do I Choose?
 
Classification of data
Classification of dataClassification of data
Classification of data
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory Training
 
A complete guide to azure storage
A complete guide to azure storageA complete guide to azure storage
A complete guide to azure storage
 
Considerations for Data Access in the Lakehouse
Considerations for Data Access in the LakehouseConsiderations for Data Access in the Lakehouse
Considerations for Data Access in the Lakehouse
 
Azure purview
Azure purviewAzure purview
Azure purview
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active Directory
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension Development
 
Big data visualization
Big data visualizationBig data visualization
Big data visualization
 
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdfBDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
BDA-UNIT_1-(Intro & Sources of data & Data Preprocessing).pdf
 
Pass 2018 introduction to dax
Pass 2018 introduction to daxPass 2018 introduction to dax
Pass 2018 introduction to dax
 
Save and Share Files in the Cloud with OneDrive for Business - Customize Guide
Save and Share Files in the Cloud with OneDrive for Business - Customize GuideSave and Share Files in the Cloud with OneDrive for Business - Customize Guide
Save and Share Files in the Cloud with OneDrive for Business - Customize Guide
 
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
How to Build the Data Mesh Foundation: A Principled Approach | Zhamak Dehghan...
 
O365 Groups- Best Practices and Solutions
O365 Groups- Best Practices and SolutionsO365 Groups- Best Practices and Solutions
O365 Groups- Best Practices and Solutions
 
Let's Talk About: Database Migration Service
Let's Talk About: Database Migration ServiceLet's Talk About: Database Migration Service
Let's Talk About: Database Migration Service
 
Google Cloud and Data Pipeline Patterns
Google Cloud and Data Pipeline PatternsGoogle Cloud and Data Pipeline Patterns
Google Cloud and Data Pipeline Patterns
 
An introduction to Business intelligence
An introduction to Business intelligenceAn introduction to Business intelligence
An introduction to Business intelligence
 
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | EdurekaMicrosoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
Microsoft Azure Tutorial For Beginners | Microsoft Azure Training | Edureka
 
Actionable Insights with AI - Snowflake for Data Science
Actionable Insights with AI - Snowflake for Data ScienceActionable Insights with AI - Snowflake for Data Science
Actionable Insights with AI - Snowflake for Data Science
 

Similar to PURL and vers: The Mostly Universal Package URL and Version Ranges Identifiers for Dependencies and Vulnerabilities

VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsMichael Herzog
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!Michael Herzog
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioMichael Herzog
 
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode
VulnTotal: Cross-validate vulnerability coverage of VulnerableCodeVulnTotal: Cross-validate vulnerability coverage of VulnerableCode
VulnTotal: Cross-validate vulnerability coverage of VulnerableCodeMichael Herzog
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesBruno Cornec
 
NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017Maarten Balliauw
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneAnne Nicolas
 
Architecting the Future: Abstractions and Metadata - All Things Open
Architecting the Future: Abstractions and Metadata - All Things OpenArchitecting the Future: Abstractions and Metadata - All Things Open
Architecting the Future: Abstractions and Metadata - All Things OpenDaniel Barker
 
Fosdem_Using_SELinux_with_container_runtimes.pdf
Fosdem_Using_SELinux_with_container_runtimes.pdfFosdem_Using_SELinux_with_container_runtimes.pdf
Fosdem_Using_SELinux_with_container_runtimes.pdfnicerussianpainter
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...OpenShift Origin
 
Reliable from-source builds (Qshare 28 Nov 2023).pdf
Reliable from-source builds (Qshare 28 Nov 2023).pdfReliable from-source builds (Qshare 28 Nov 2023).pdf
Reliable from-source builds (Qshare 28 Nov 2023).pdfRalf Gommers
 
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...Fasten Project
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package managerTimur Safin
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleParis Container Day
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...DevOps.com
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingSreenivas Makam
 
RootStack - Devfactory
RootStack - DevfactoryRootStack - Devfactory
RootStack - DevfactoryKangaroot
 
betterCode Workshop: Effizientes DevOps-Tooling mit Go
betterCode Workshop: Effizientes DevOps-Tooling mit GobetterCode Workshop: Effizientes DevOps-Tooling mit Go
betterCode Workshop: Effizientes DevOps-Tooling mit GoQAware GmbH
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 

Similar to PURL and vers: The Mostly Universal Package URL and Version Ranges Identifiers for Dependencies and Vulnerabilities (20)

VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
 
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode
VulnTotal: Cross-validate vulnerability coverage of VulnerableCodeVulnTotal: Cross-validate vulnerability coverage of VulnerableCode
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packages
 
NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
 
Architecting the Future: Abstractions and Metadata - All Things Open
Architecting the Future: Abstractions and Metadata - All Things OpenArchitecting the Future: Abstractions and Metadata - All Things Open
Architecting the Future: Abstractions and Metadata - All Things Open
 
Fosdem_Using_SELinux_with_container_runtimes.pdf
Fosdem_Using_SELinux_with_container_runtimes.pdfFosdem_Using_SELinux_with_container_runtimes.pdf
Fosdem_Using_SELinux_with_container_runtimes.pdf
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
 
Reliable from-source builds (Qshare 28 Nov 2023).pdf
Reliable from-source builds (Qshare 28 Nov 2023).pdfReliable from-source builds (Qshare 28 Nov 2023).pdf
Reliable from-source builds (Qshare 28 Nov 2023).pdf
 
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
FASTEN presentation at OSS2021, by Michele Scarlato, Endocode, May 12, 2021, ...
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package manager
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie Frazelle
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental Networking
 
RootStack - Devfactory
RootStack - DevfactoryRootStack - Devfactory
RootStack - Devfactory
 
betterCode Workshop: Effizientes DevOps-Tooling mit Go
betterCode Workshop: Effizientes DevOps-Tooling mit GobetterCode Workshop: Effizientes DevOps-Tooling mit Go
betterCode Workshop: Effizientes DevOps-Tooling mit Go
 
Composer
ComposerComposer
Composer
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 

Recently uploaded

The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !risocarla2016
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxJohnree4
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)Basil Achie
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Recently uploaded (20)

The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 

PURL and vers: The Mostly Universal Package URL and Version Ranges Identifiers for Dependencies and Vulnerabilities

  • 1. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Package URL (purl) and Version Range specs (vers) The Mostly Universal Package URL and Version Range Identifiers for Dependencies and Vulnerabilities 1
  • 2. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Passionate about open source, Linux and infosec ▷ Co-maintainer at VulnerableCode and univers ▷ Application Security engineer at CRED ▷ Google summer of code mentor and a participant ▷ Supporter of suckless philosophy ▷ hritik.elf@gmail.com, @MrHritik Hritik Vijay 2
  • 3. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ ScanCode and AboutCode projects lead and maintainer ▷ Creator of Package URL, co-founder of SPDX, ClearlyDefined ▷ FOSS veteran, long time Google Summer of Code mentor ▷ Co-founder and CTO of nexB Inc., makes of DejaCode ▷ Weird facts and claims to fame ● Signed off on the largest deletion of lines of code in the Linux kernel (but these were only comments) ● Unrepentant code hoarder. Had 60,000+ GH forks now down only to 20K forks ▷ pombredanne@gmail.com irc:pombreda Philippe Ombredanne 3
  • 4. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ The problem: more FOSS dependencies, more bugs ● But better code, faster and cheaper ▷ Solution elements ● Identifying packages is hard ● Understanding dependency resolution is hard ● Understanding vulnerable ranges is hard ● Versioning is hard ● What if? ▷ Solution: purl and vers Agenda 4
  • 5. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Ever more FOSS packages are reused. Reused like LEGO® ● 10x to 100x more than a few years ago ▷ Complex stacks with multiple technologies and languages ● Deep dependency trees on both application and system packages ▷ Unstated dependencies across ● package ecosystem boundaries and system and application boundaries ▷ More bugs and vulnerabilities! ▷ Difficulty to automate dependencies and vulnerabilities Things are getting more complex!! 5
  • 6. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Hand crafted, good old README with installation instructions ▷ Replace all package managers with one to rule them all with massive mono repo and "hermetic" build system (Bazel, BUCK) ▷ ... general purpose package managers (Spack, Conda) ▷ ... "functional" package managers (Nix or Guix) ▷ ... and containers (to hide the details in a bigger tarball) How can we deal with this complexity? 6
  • 7. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ We need one standard to accommodate them all! 7 Credits: https://xkcd.com/927/ xkcd.com is best viewed with Netscape Navigator 4.0 or below on a Pentium 3±1 emulated in Javascript on an Apple IIGS at a screen resolution of 1024x1. Please enable your ad blockers, disable high-heat drying, and remove your device from Airplane Mode and set it to Boat Mode. For security reasons, please leave caps lock on while browsing. This work is licensed under a Creative Commons Attribution-NonCommercial 2.5 License.https://creativecommons.org/licenses/by-nc/2.5/ 7
  • 8. ▷ Problem: Each ecosystem has its own conventions to identify, locate and provision software packages ▷ Solution: An expressive package-url string, minimalist yet obvious ▷ Identify & locate software packages reliably across tools and languages. pkg:npm/foobar@12.3.1 pkg:pypi/django@1.11.1 ▷ Started with ScanCode and VulnerableCode and now adopted in many places ▷ Now a de-facto standard used in LF ACT ORT, LF ACT Tren, LF OSSF OSV, CycloneDX, LF SPDX, Sonatype OSSIndex, OASIS CSAF, Anchore Syft and Grype, Microsoft OSSGadget, GitHub and many other places. ▷ Libraries in Java, PHP, Go, Python, JavaScript, Ruby, Swift, Rust, .Net, etc. ▷ Recommended by the US NTIA as an SBOM package identifier Meet Package URL (purl) 8
  • 9. Package URL vs. other approaches ▷ Improved readability and obviousness: you can find a purl origin! ▷ No arbitrary vendor assignment ▷ NVD is adding "ecosystem" support in CVE API v5 ▷ OSSF OSV is supporting both purl and an "ecosystem" CPE purl cpe:2.3:a:apache:log4j:2.4:*:*:*:*:*:*:* pkg:maven/org.apache.logging.log4j/log4j- core@2.4 cpe:2.3:a:mark_pilgrim:feedparser:4.1:*:*:*: *:*:*:* pkg:pypi/feedparser@4.1 9
  • 10. Package URL in the news "Component verification and vulnerability reporting are supported by some SBOM data formats today. Globally unique identifiers is a work in process supported by the leading data formats for package URLs (PURLs)." https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_final.pdf Software Bill of Materials (SBOM) and Cybersecurity Readiness January 2022 Stephen Hendrick, VP Research, The Linux Foundation 10
  • 11. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Now we can name a package... version anyone? ▷ Resolving package dependencies ● "I require package <ABC>, version 2.0 or later versions" ▷ Affected vulnerable versions ● "vulnerability CVE-2021-1 affects <XYZ>, version 3.1 and version 4.2 but not version 5" ▷ Version numbers should be boring ▷ Yet each ecosystem has its own way for version and range! Debian, RPM, npm, PyPI, Ruby, etc. have their different notations using comparators >, < or =, or tilde ~ or caret ^ or star * ▷ Each resolves a dependency version in a range differently 11
  • 12. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ We could express a dependency in a mostly universal way? ▷ And not replace all package managers BUT rather rule them all ▷ Use Package URL "purl" to name a package across ecosystem ▷ Add new "vers" Version Range Spec for ranges ● For any ecosystem, building on Package URL "package type" and namespace ● Simplified comparators set: >, <, =, !=, <=, >= ● Ecosystem-specific version comparison ▷ Designed for dependency ranges AND vulnerability ranges What if .... 12
  • 13. Version Range Spec (vers) ▷ Problem: Each ecosystem has its own convention to specify version ranges ▷ Solution: An expressive version range string, minimalist yet obvious, a purl adjunct ▷ Specify ranges reliably across tools and languages for deps and vulnerabilities. A version range specifier ("vers") is a URI with this syntax: vers:npm/1.2.3|>=2.0.0|<5.0.0 vers:pypi/0.0.1|0.0.2|0.0.3|1.0|2.0pre1 ▷ Started with VulnerableCode with "univers" library and now used in CycloneDX and ScanCode. ▷ Can pave the way to universal dependency resolution and better vulnerabilities processing 13
  • 14. Alternative to vers ▷ Single syntax for everything Such as CPEs, everything is SEMVER ▷ Use node-semver for everything GitHub advisories ▷ Use each ecosystem specs, plus new defined specs Gitlab advisories ▷ Enumerate all the versions in a range OSSF OSV (but does ranges too) ▷ Use Maven mathematical notation Snyk 14
  • 15. Putting it all together A mostly universal package name (purl) with a mostly universal version range (vers) opens up many possibilities: ▷ Store vulnerable version ranges and evaluate later if a version is vulnerable ▷ Build a multi package installer for many ecosystems ▷ Write mostly universal dependency declarations ▷ Write a mostly universal dependency resolver? An incremental approach instead of replacing everything 15
  • 16. ▷ CycloneDX: purl and vers ▷ SPDX: purl ▷ OSSF OSV: purl ▷ OASIS CSAF: purl ▷ VulnerableCode, Univers and ScanCode ● Where purl and vers started ● Some univers code is also used in Google OSV ● https://github.com/nexb/vulnerablecode ● https://github.com/nexB/univers ▷ And many more tools and specs Who is using it? 16
  • 17. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Software package names ○ Mostly solved with Package URL emerging as a de-facto standard ▷ Version range notation for dependencies and vulnerable ranges ○ New mini spec for Version Range Specifiers ▷ Vulnerability identifiers ○ Mostly solved with NVD's CVE and ever growing aliases list ▷ Version control system references ○ Likely solved with VCS URLs adapted from Python pip, now in SPDX Credit https://www.severnedgevets.co.uk/pets/advice/advice-new-kitten-owners Credit: T.S. Eliot, "Old Possum's Book of Practical Cats" Conclusion: The Naming of Cats is a difficult matter But mostly solved! 17 17
  • 18. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ If you want to help 18 You can contribute code, time, docs (or cash?) ▷ Use these fine FOSS tools and specs ● https://github.com/package-url ● https://www.aboutcode.org/ ● https://github.com/nexB/ ▷ Join the conversation at ● https://gitter.im/aboutcode-org ▷ Donate at ● https://opencollective.com/aboutcode 18
  • 19. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ If you want to learn more about our projects 19 ▷ On Package URL and Version Ranges (purl and vers): ● Visit Purl https://github.com/package-url for the specs and libraries ● Vers is at https://github.com/package-url/purl-spec/blob/version-range- spec/VERSION-RANGE-SPEC.rst ▷ On VulnerableCode usage of purl and vers ● Register for our upcoming webinar on using purl with VulnerableCode on July 21 at https://nexb.com/0721-vulnerablecode ● Read our latest blog post at https://nexb.com/vulnerablecode-public- release ● Visit https://nexb.com/vulnerablecode for more information 19
  • 20. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Credits Special thanks to all the people who made and released these excellent free resources: ▷ Presentation template by SlidesCarnival ▷ Photographs by Unsplash ▷ All the open source software authors that made ScanCode and AboutCode possible 20
  • 21. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ No tech stack is an island running ● No single programming language ● No Single single package ecosystem We need a way to talk about packages and their versions across ecosystems. ● purl and vers are an attempt to solve this problem and express package dependencies and vulnerabilities using a common language among multiple tools, SBOM formats and tech stacks. We will present Package URL, a way to reference packages across ecosystems which is emerging as a de-facto standard identifier for open source software packages. And we will introduce a new universal notation for package version ranges, such as used when resolving package dependencies as in "I require package foo, version 2.0 or later versions" and referencing affected vulnerable package versions as in "vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5". These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability ranges references; and are emerging as essential to reliably process vulnerability data in the software supply chain. Summary 21
  • 22. © 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Start with package you directly depend on ● name & version (or version range) ▷ Access some package index or metadata source ● collect all known versions of the package ▷ Select one version that matches the range you need ▷ For this version, collect the packages it depends on ● names and versions (or version range) ▷ Repeat recursively ▷ Update selected names and versions as needed until consistent ● Can be involved algos using sat solvers, backtracking, etc. ▷ Finally install these packages (not today's scope) What is dependency resolution? 22