Conversation
@pombredanne @stevespringett Can you take a look at this? We're already using it in practice within GitHub, and I'd love to make sure that it's an accepted type definition.
```
pkg:githubactions/package-url/purl-spec@244fd47e07d1004
pkg:githubactions/package-url/[email protected]
pkg:githubactions/github/codeql-action/analyze@v2
```
What is the relationship between pkg:githubactions/github/codeql-action/analyze@v2 and the Marketplace where actions are found? For example, this action is not listed in the marketplace, but https://github.com/marketplace/actions/codeql-bundle is. I think this needs to be clarified as many people will associate the githubactions purl type with the actions that are in the Marketplace, but that's not true in this case.
The Marketplace listings are basically advertisements and disconnected from the actual software distribution. You can reference an action in any repository regardless of whether there is a Marketplace listing. The only requirement is that there's an action.yml file in the repository and that the version matches a SHA, branch, or release tag. You'll see some of the scenarios around how things get referenced here: https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#adding-an-action-to-your-workflow
```
githubactions
------
``githubactions`` for GitHub Actions:
```
What is the default repository_url? Does this apply to Actions? If not, why not? The purl spec does not differentiate between public Internet facing repositories and internal ones. If there's a default repository_url, even an internal one, it should be part of the purl type definition.
Sure, I could add one of those if you think it's helpful. GitHub Actions are always in practice pulled from the current GitHub instance you're on. So if you're on github.com, it's that, and if you're on an enterprise server instance, it's that.
```
pkg:githubactions/package-url/purl-spec@244fd47e07d1004
pkg:githubactions/package-url/[email protected]
pkg:githubactions/github/codeql-action/analyze@v2
```
It appears that the name attribute could be a single word, `purl-spec`, or could have a subpath, `codeql-action/analyze`. This appears to be different from other schemes, where the subpath comes after the qualifiers, separated by a hash:
```
pkg:githubactions/github/codeql-action@v2?repository_url=...#subpath=analyze
```
I think subpath has a special meaning for referring to files within a package, which is not the case here if the action is its own package which happens to be in the same repository as other packages. This seems consistent with Go, where the namespace/name is treated as a single value which means something in Go instead of two separate values (e.g. a lot of Go PURLs have the PURL name "v2" because of the way Go handles version epochs).
@matt-phylum has it. The subpath is about picking a non-default action in a repository in instances where multiple actions exist.
This seems inconsistent with the description given above:

- `namespace` is the user or organization
- `name` is the repository name
- `subpath` is used to point to the location of an action within a repository in the event there are multiple defined.

If the name component is strictly the repository name, then based on the components from the spec:
```
scheme:type/namespace/name@version?qualifiers#subpath
```
This example should be:
```
pkg:githubactions/github/codeql-action@v2#analyze
```
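To make the two layouts discussed in this thread concrete, here is an added example (not code from the PR or from the purl-spec project) that maps a workflow `uses:` reference (`owner/repo[/path]@ref`) to a purl in the form proposed in the comment above, with the in-repository action path carried as the purl subpath, and parses it back. The type name `githubactions` is the one proposed by this PR; the `ref_kind` classification is a heuristic of this example, not part of the spec.

```python
import re
from urllib.parse import quote, unquote

# Type name as proposed by the PR under discussion (assumption: not yet an accepted type).
TYPE = "githubactions"

# Heuristic used by this example: a ref made only of hex digits (7..40 chars) is a commit SHA.
_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")


def uses_to_purl(uses: str) -> str:
    """Map a 'uses:' reference (owner/repo[/path]@ref) to a purl.

    Layout from the review thread: namespace=owner, name=repo, version=ref,
    and any path inside the repository becomes the purl subpath. Local ("./x")
    and Docker ("docker://x") references are not repository actions and are rejected.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        raise ValueError(f"not a repository action reference: {uses!r}")
    if "@" not in uses:
        raise ValueError(f"missing @ref in {uses!r}")
    path, ref = uses.rsplit("@", 1)
    parts = path.split("/")
    if len(parts) < 2 or not all(parts) or not ref:
        raise ValueError(f"malformed action reference: {uses!r}")
    owner, repo = parts[0], parts[1]
    purl = f"pkg:{TYPE}/{quote(owner, safe='')}/{quote(repo, safe='')}@{quote(ref, safe='')}"
    if len(parts) > 2:
        # Each subpath segment is percent-encoded separately; '/' stays as the separator.
        purl += "#" + "/".join(quote(seg, safe="") for seg in parts[2:])
    return purl


def purl_to_uses(purl: str) -> dict:
    """Parse a pkg:githubactions purl into its components plus the 'uses:' string."""
    m = re.fullmatch(
        rf"pkg:{TYPE}/(?P<ns>[^/@?#]+)/(?P<name>[^/@?#]+)@(?P<ver>[^?#]+)"
        r"(?:\?(?P<q>[^#]*))?(?:#(?P<sub>.+))?",
        purl,
    )
    if not m:
        raise ValueError(f"not a {TYPE} purl: {purl!r}")
    owner, repo, ref = unquote(m["ns"]), unquote(m["name"]), unquote(m["ver"])
    subpath = "/".join(unquote(s) for s in m["sub"].split("/")) if m["sub"] else ""
    uses = f"{owner}/{repo}" + (f"/{subpath}" if subpath else "") + f"@{ref}"
    return {
        "namespace": owner, "name": repo, "version": ref, "subpath": subpath, "uses": uses,
        # A commit SHA is immutable, while a tag or branch can be moved later; this flag
        # helps when auditing which actions in an SBOM are pinned.
        "ref_kind": "commit" if _SHA_RE.match(ref) else "tag_or_branch",
    }
```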
Hi! I'm trying to use this schema, how would you say this vulnerability would fit into the actions pURL? GHSA-hw6r-g8gj-2987
This schema is intended to refer to a GitHub Actions action, not a workflow, so in your case, I think the regular GitHub namespace is more appropriate.
Poke for progress, as I just wasted 10 minutes trying to work out what the prefix was to use with actions/dependency-review-action's
I worked out it should be
@martincostello Hey, there have been discussions recently in a community whether this should exist as a type and whether not just use Also, after the merge of PR #514, PURL types are now defined in JSON 👼 😇 : With the new approach... this PR would need to be updated if we go with a separate type. Thanks for your understanding and patience!
2 years, quite the zombie PR! @trevrosen may have thoughts on this. I'm no longer working on supply chain security, so I can't say if GitHub still wants this capability or how.
Would it make sense to revive this ticket, in light of https://www.getsafety.com/blog-posts/shai-hulud-npm-attack and https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised ? I'd love to see GitHub produce SBOMs describing what actions were used during a run, where any actions that were "pulled in" were referred to in the form of a PackageURL that clearly distinguishes actions from other types of package dependencies.
This PR adds GitHub Actions as a distinct type. We use this in the GitHub Dependency graph because GitHub Actions are distinct in meaning from the GitHub repository package references, and sometimes get CVEs published on them.