    feat(sbom)!: add `package_url` on imports · ccb812f4
    Jamie Tanna authored
    When importing SBOMs, we consume the Package URL (pURL) and take the
    parts of it that we want to keep, but then throw away the rest.
    
    Instead of doing this, we should make it available in the database,
    where it can then be retrieved and further processed.
    
    This allows us to take more complex pURLs like:
    
        pkg:rpm/redhat/xz-libs@5.2.4-4.el8_6?arch=x86_64&distro=redhat-8.6
    
        pkg:deb/debian/login@1:4.8.1-1?arch=arm64
    
    And then we're able to perform more complex processing on them.
    
    This is a breaking change due to the definition in
    https://dmd.tanna.dev/concepts/compatible-since/:
    
    > Introducing a required column, which doesn't have a default
    
    In which we've added the `package_url` field, so we need to appropriately
    note that this is a breaking change.
    
    This also requires refactoring the parameter to
    `newSBOMDependenciesQuery` as it's no longer getting a full SBOM row, as
    we don't query the `package_url`.
    
    Closes #528.
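The pURL handling the commit message describes, written out as an added example in Go. This is not code from this commit or from the project it belongs to; the component-splitting order (subpath, then qualifiers, then version, each taken from the right) and the percent-decoding follow the Package URL specification as understood here, and `DistroAndArch` is a hypothetical helper standing in for the "more complex processing" that keeping the full `package_url` makes possible, such as answering by the `arch` and `distro` qualifiers that the two quoted pURLs carry:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PackageURL is a parsed Package URL (pURL) of the form
// pkg:type/namespace/name@version?qualifiers#subpath; only Type and Name are mandatory.
type PackageURL struct {
	Type       string
	Namespace  string
	Name       string
	Version    string
	Qualifiers map[string]string
	Subpath    string
}

// ParsePackageURL splits raw into its components and percent-decodes them.
// Parts are peeled off from the right (subpath, then qualifiers, then version), so a
// ":" in a Debian epoch such as 1:4.8.1-1 or an "@" in a scoped npm namespace is never
// mistaken for a separator. (Added example; follows the purl-spec as understood here.)
func ParsePackageURL(raw string) (PackageURL, error) {
	p := PackageURL{Qualifiers: map[string]string{}}
	if !strings.HasPrefix(raw, "pkg:") {
		return p, fmt.Errorf("purl %q: missing pkg: scheme", raw)
	}
	// decode percent-decodes one part, keeping the first error for the final return.
	var err error
	decode := func(part, s string) string {
		d, e := url.PathUnescape(s)
		if e != nil && err == nil {
			err = fmt.Errorf("purl %q: bad %s %q: %w", raw, part, s, e)
		}
		return d
	}
	// "pkg://type/..." is tolerated by the spec; the extra slashes carry no meaning.
	rest := strings.TrimLeft(strings.TrimPrefix(raw, "pkg:"), "/")
	if i := strings.LastIndex(rest, "#"); i >= 0 {
		p.Subpath = strings.Trim(decode("subpath", rest[i+1:]), "/")
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "?"); i >= 0 {
		for _, kv := range strings.Split(rest[i+1:], "&") {
			pair := strings.SplitN(kv, "=", 2)
			if len(pair) != 2 || pair[0] == "" {
				return p, fmt.Errorf("purl %q: malformed qualifier %q", raw, kv)
			}
			key := strings.ToLower(pair[0]) // qualifier keys are case-insensitive
			if _, dup := p.Qualifiers[key]; dup {
				return p, fmt.Errorf("purl %q: duplicate qualifier %q", raw, key)
			}
			if val := decode("qualifier", pair[1]); val != "" { // empty value == absent
				p.Qualifiers[key] = val
			}
		}
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version = decode("version", rest[i+1:])
		rest = rest[:i]
	}

	segs := strings.Split(rest, "/")
	if len(segs) < 2 || segs[0] == "" || segs[len(segs)-1] == "" {
		return p, fmt.Errorf("purl %q: need at least a type and a name", raw)
	}
	p.Type = strings.ToLower(segs[0]) // the type is case-insensitive
	p.Name = decode("name", segs[len(segs)-1])
	var ns []string
	for _, s := range segs[1 : len(segs)-1] {
		if s != "" { // "pkg:type//name" carries an empty, meaningless segment
			ns = append(ns, decode("namespace", s))
		}
	}
	p.Namespace = strings.Join(ns, "/")
	return p, err
}

// DistroAndArch (hypothetical helper) is the kind of follow-on processing that storing
// the full pURL enables: the type/namespace/name/version columns alone cannot answer it.
func DistroAndArch(raw string) (string, string, error) {
	p, err := ParsePackageURL(raw)
	if err != nil {
		return "", "", err
	}
	return p.Qualifiers["distro"], p.Qualifiers["arch"], nil
}

func main() {
	// One of the pURLs quoted in the commit message above.
	p, err := ParsePackageURL("pkg:deb/debian/login@1:4.8.1-1?arch=arm64")
	fmt.Printf("%+v %v\n", p, err)
}
```

Decoding happens after splitting, not before: an encoded `%40` or `%3A` must survive the split so that `pkg:npm/%40angular/core@1.0.0` keeps `@angular` as its namespace, while the unencoded epoch colon the commit shows in `1:4.8.1-1` parses identically to its canonical `1%3A4.8.1-1` form.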