Add distro information to package URLs for OS packages

[wagoodman]

This PR does primarily enhances up support for OS-related packages to include distro version information in any pURL generated:

- pkg:alpine/[email protected]?arch=amd64
+ pkg:alpine/[email protected]?arch=amd64&distro=alpine-3.4.6

The ID and VersionID are encoded into the pURL as a distro get-param; see the pURL spec for more info.

Additionally this PR:

• migrates the existing package URL functionality to the pkg package (since this semantically represents packages)
• beefs up testing around pURL generation to ensure that we are exercising all package types
• during this work it was found that the NPM metadata filename within pkg was inconsistent --the filename was updated

Related to anchore/grype#395

Note: this PR cannot be merged until #753 is merged and this PR is rebased.

[github-actions]

Benchmark Test Results

Benchmark results from the latest changes vs base branch

name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.26ms ± 1%    1.70ms ± 1%  +35.00%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            3.20ms ± 7%    3.99ms ± 1%  +24.71%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.11ms ± 2%    1.37ms ± 4%  +22.97%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         864µs ± 4%    1061µs ± 1%  +22.87%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     986µs ± 3%    1240µs ± 2%  +25.83%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      907µs ± 3%    1122µs ± 1%  +23.66%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      14.8ms ± 1%    18.0ms ± 1%  +21.63%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.36ms ± 2%    1.72ms ± 1%  +26.66%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          2.14µs ± 1%    2.42µs ± 1%  +12.73%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               253kB ± 0%     253kB ± 0%   +0.11%  (p=0.032 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            1.06MB ± 0%    1.06MB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     253kB ± 0%     253kB ± 0%     ~     (p=0.222 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         207kB ± 0%     208kB ± 0%   +0.14%  (p=0.016 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     254kB ± 0%     254kB ± 0%   +0.24%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      235kB ± 0%     236kB ± 0%   +0.14%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.78MB ± 0%    3.78MB ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.30MB ± 0%    1.30MB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            560B ± 0%      560B ± 0%     ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               6.33k ± 0%     6.33k ± 0%     ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             21.4k ± 0%     21.4k ± 0%     ~     (p=0.524 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     7.26k ± 0%     7.26k ± 0%     ~     (p=0.643 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         5.34k ± 0%     5.34k ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     7.07k ± 0%     7.10k ± 0%   +0.51%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      6.80k ± 0%     6.82k ± 0%   +0.22%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                       74.7k ± 0%     74.7k ± 0%     ~     (p=0.167 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      7.36k ± 0%     7.36k ± 0%   +0.07%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            13.0 ± 0%      13.0 ± 0%     ~     (all equal)

[kzantow]

If you think this is ready, 👍

[kzantow]

One question, though: should these be more like pkg:deb/ubuntu/p@v?arch=a&distro=16.04 without the ubuntu-? (After looking again at: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#deb )

[wagoodman]

Honestly, I'm not certain. The spec only has one "good" example with this here: https://github.com/package-url/purl-spec/blob/1b1e9b2afa6de1c855225fb08cb46878ad653925/PURL-SPECIFICATION.rst#some-purl-examples

pkg:deb/debian/[email protected]?arch=i386&distro=jessie
pkg:rpm/fedora/[email protected]?arch=i386&distro=fedora-25

The debian distro code-name is a bad idea for us, so I didn't approach it that way... so the fedora example was used as a basis. That being said, there is essentially 0 verbiage on correct usage of distro even though it is a suggested qualifier (that we need).

References:

• https://github.com/package-url/purl-spec/tree/a21a9ecbab171fe06d1ac88843bc3721a42dbed0#known-qualifiers-keyvalue-pairs
• https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm

Since there is little direction from the spec I'm open to other options here.

[wagoodman]

From an offline conversation: we'll leave this as is for now since it seems more semantically correct to the term "distro" but are open to changing in the future.

[wagoodman]

(force pushed to rebase from main now that #753 is merged)

[wagoodman]

looks like the codeql workflow hasn't kicked in after a long while (hours)

This could be due to the fact that the base branch was originally not main but was automatically switched when the reference PR merged.

Changing the PR from draft state and back didn't do the trick. Neither did switching the base branch to something else and back to main.

Also it seems like all pull request events are triggering for this PR at all... maybe a github actions bug?

[wagoodman]

I'm going to close and reopen this PR to hopefully trigger the pull_request events for this PR.

[wagoodman]

That's more like it 💯