SBoM component PURL fields do not contain the repository_url field

Release notes

TODO

Problem to solve

Currently, it's not possible to know if a package only exists in a private package registry. I came across this when reviewing an SBoM generated by gemnasium-maven while working on Maven Gemnasium scanner does not use private ma... (#365484 - closed)

Proposal

Identify SBoM components that only exist on private package registries by utilizing the repository_url qualifier in the PURL field.

repository_url is an extra URL for an alternative, non-default package repository or registry. When a package does not come from the default public package repository for its type a purl may be qualified with this extra URL. The default repository or registry of a type is documented in the "Known purl types" section.

Adding the PURL qualifier will aid in discovering what components cannot be accessed externally. The implementation for this should consider the following edge cases:

  • SBoM components are sometimes used by third parties to evaluate a component. Should we separate the sbom components by private and public components? Can we censor the repository_url with another value if generating a "public" SBoM? Ex: pkg:go/golang.org/x/tools/text@v1.0.0?repository_url=__PROTECTED_

See the PURL Builder for the implementation.
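As an added example (not the PURL Builder's or gemnasium's own code), the two operations the proposal needs: classifying a component as private from the repository_url qualifier, and redacting that qualifier to __PROTECTED_ when emitting a public SBoM. The defaultRegistry table is an assumed subset of the spec's "Known purl types" list, and parsing relies on net/url treating a purl's rootless path as Opaque.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Default public registry per purl type (hypothetical subset of the spec's list).
var defaultRegistry = map[string]string{
	"maven": "https://repo.maven.apache.org/maven2",
	"npm":   "https://registry.npmjs.org",
}
const protectedValue = "__PROTECTED_" // written into a public SBoM instead of the URL
// parsePurl returns the parsed URL and the purl type; "pkg:" + rootless path lands in Opaque.
func parsePurl(purl string) (*url.URL, string, error) {
	u, err := url.Parse(purl)
	if err != nil || u.Scheme != "pkg" || u.Opaque == "" {
		return nil, "", fmt.Errorf("not a purl: %q", purl)
	}
	return u, strings.ToLower(strings.SplitN(u.Opaque, "/", 2)[0]), nil
}

// IsPrivate reports whether repository_url is set and differs from the type's default.
func IsPrivate(purl string) (bool, error) {
	u, typ, err := parsePurl(purl)
	if err != nil {
		return false, err
	}
	repo := strings.TrimSuffix(u.Query().Get("repository_url"), "/")
	if repo == "" {
		return false, nil
	}
	def, known := defaultRegistry[typ] // unknown type with a repository_url: treat as private
	return !known || repo != strings.TrimSuffix(def, "/"), nil
}

// Redact replaces the repository_url value with __PROTECTED_ for a public SBoM, so the
// component stays marked private without disclosing the internal hostname; other qualifiers are kept.
func Redact(purl string) (string, error) {
	u, _, err := parsePurl(purl)
	if err != nil {
		return "", err
	}
	if q := u.Query(); q.Get("repository_url") != "" {
		q.Set("repository_url", protectedValue)
		u.RawQuery = q.Encode() // url.Values.Encode re-emits qualifiers in sorted key order
	}
	return u.String(), nil
}
```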

Intended users

  • Sam (Security Analyst)
  • Sasha (Software Developer)

Feature Usage Metrics

TODO

/cc @sam.white @brytannia


Edited Nov 03, 2022 by Oscar Tovar