Security Data / SECDATA-1115

Questions Regarding PURL Representation for Modular Packages


    • Resolution: Done

      I have a question about the PURL of Modular Packages.

      Previously, it seems that pkg:rpmmod and pkg:rpm were linked together using a relationship.

                    {
                      "category": "product_name",
                      "name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                      "product": {
                        "name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                        "product_id": "AppStream-8.8.0.Z.E4S",
                        "product_identification_helper": {
                          "cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                        }
                      }
                    },
                    {
                      "category": "product_version",
                      "name": "gimp:2.8:8080020250623120629:0621e4ee",
                      "product": {
                        "name": "gimp:2.8:8080020250623120629:0621e4ee",
                        "product_id": "gimp:2.8:8080020250623120629:0621e4ee",
                        "product_identification_helper": {
                          "purl": "pkg:rpmmod/redhat/gimp@2.8:8080020250623120629:0621e4ee"
                        }
                      }
                    },
                    {
                      "category": "product_version",
                      "name": "pygtk2-doc-0:2.24.0-25.module+el8.4.0+9382+ff08b506.noarch",
                      "product": {
                        "name": "pygtk2-doc-0:2.24.0-25.module+el8.4.0+9382+ff08b506.noarch",
                        "product_id": "pygtk2-doc-0:2.24.0-25.module+el8.4.0+9382+ff08b506.noarch",
                        "product_identification_helper": {
                          "purl": "pkg:rpm/redhat/pygtk2-doc@2.24.0-25.module%2Bel8.4.0%2B9382%2Bff08b506?arch=noarch"
                        }
                      }
                    },
            {
              "category": "default_component_of",
              "full_product_name": {
                "name": "gimp:2.8:8080020250623120629:0621e4ee as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "product_id": "AppStream-8.8.0.Z.E4S:gimp:2.8:8080020250623120629:0621e4ee"
              },
              "product_reference": "gimp:2.8:8080020250623120629:0621e4ee",
              "relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
            },
            {
              "category": "default_component_of",
              "full_product_name": {
                "name": "gimp-2:2.8.22-26.module+el8.8.0+23318+cec921ba.1.ppc64le as a component of gimp:2.8:8080020250623120629:0621e4ee as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "product_id": "AppStream-8.8.0.Z.E4S:gimp:2.8:8080020250623120629:0621e4ee:gimp-2:2.8.22-26.module+el8.8.0+23318+cec921ba.1.ppc64le"
              },
              "product_reference": "gimp-2:2.8.22-26.module+el8.8.0+23318+cec921ba.1.ppc64le",
              "relates_to_product_reference": "AppStream-8.8.0.Z.E4S:gimp:2.8:8080020250623120629:0621e4ee"
            },
      

      https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-5473.json

      Has it changed so that the rpmmod qualifier is now added to pkg:rpm?

                    {
                      "category": "product_name",
                      "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                      "product": {
                        "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                        "product_id": "AppStream-8.10.0.Z.MAIN.EUS",
                        "product_identification_helper": {
                          "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
                        }
                      }
                    },
                    {
                      "category": "product_version",
                      "name": "mysql:8.0:8100020250212154709:489197e6",
                      "product": {
                        "name": "mysql:8.0:8100020250212154709:489197e6",
                        "product_id": "mysql:8.0:8100020250212154709:489197e6",
                        "product_identification_helper": {
                          "purl": "pkg:rpm/redhat/mysql@8.0?rpmmod=mysql:8.0:8100020250212154709:489197e6"
                        }
                      }
                    },
                    {
                      "category": "product_version",
                      "name": "mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64",
                      "product": {
                        "name": "mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64",
                        "product_id": "mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64",
                        "product_identification_helper": {
                          "purl": "pkg:rpm/redhat/mecab@0.996-2.module%2Bel8.10.0%2B22857%2B7f331edd?arch=aarch64"
                        }
                      }
                    },
            {
              "category": "default_component_of",
              "full_product_name": {
                "name": "mysql:8.0:8100020250212154709:489197e6 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
                "product_id": "AppStream-8.10.0.Z.MAIN.EUS:mysql:8.0:8100020250212154709:489197e6"
              },
              "product_reference": "mysql:8.0:8100020250212154709:489197e6",
              "relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
            },
            {
              "category": "default_component_of",
              "full_product_name": {
                "name": "mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64 as a component of mysql:8.0:8100020250212154709:489197e6 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
                "product_id": "AppStream-8.10.0.Z.MAIN.EUS:mysql:8.0:8100020250212154709:489197e6:mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64"
              },
              "product_reference": "mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64",
              "relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:mysql:8.0:8100020250212154709:489197e6"
            },
      

      https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-11053.json

      https://redhatproductsecurity.github.io/security-data-guidelines/purl/#identifying-rpm-modules

      Currently, it seems that there are these two ways of expressing it, but is there any plan to unify them into one?

        1. old-rpmmod.txt
          105 kB
          Norihiro Nakaoka
        2. purl-pkg-rpmmod.txt
          63 kB
          Norihiro Nakaoka

              yuwang@redhat.com Yuguang Wang
              mainek00n Norihiro Nakaoka
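A consumer that has to read both representations quoted in the description can normalise either one to the same module identity and then follow the two-level `default_component_of` relationships to find which RPMs belong to the module. This is an added example, not part of the ticket or of Red Hat's tooling; `module_identity` and `rpms_by_module` are hypothetical names, and the sample data is constructed from the excerpts above.

```python
from urllib.parse import unquote

def module_identity(purl):
    """Return (name, stream, version, context) if purl names a module, else None."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    path, _, query = purl[4:].split("#", 1)[0].partition("?")
    ptype, _, rest = path.partition("/")
    name, _, version = rest.rsplit("/", 1)[-1].partition("@")  # drop namespace
    quals = {k: unquote(v) for k, _, v in
             (q.partition("=") for q in query.split("&") if q)}
    if ptype == "rpmmod":                       # form 1: identity in name@version
        nsvc = [unquote(name)] + unquote(version).split(":")
    elif ptype == "rpm" and "rpmmod" in quals:  # form 2: identity in the qualifier
        nsvc = quals["rpmmod"].split(":")
    else:
        return None                             # ordinary RPM or other type
    if len(nsvc) != 4 or not all(nsvc):
        raise ValueError(f"malformed module identity in {purl!r}")
    return tuple(nsvc)

def rpms_by_module(branches, relationships):
    """Map each RPM product_id to the module it is a default_component_of."""
    modules = {}
    for b in branches:
        helper = b["product"].get("product_identification_helper", {})
        ident = module_identity(helper["purl"]) if "purl" in helper else None
        if ident:
            modules[b["product"]["product_id"]] = ident
    # First relationship level yields the combined "<repo>:<module>" product ids.
    combined = {r["full_product_name"]["product_id"]: modules[r["product_reference"]]
                for r in relationships if r["product_reference"] in modules}
    return {r["product_reference"]: combined[r["relates_to_product_reference"]]
            for r in relationships if r["relates_to_product_reference"] in combined}

# Constructed sample, trimmed from the two excerpts quoted in the ticket.
OLD = "pkg:rpmmod/redhat/gimp@2.8:8080020250623120629:0621e4ee"
NEW = "pkg:rpm/redhat/mysql@8.0?rpmmod=mysql:8.0:8100020250212154709:489197e6"
RPM = "pkg:rpm/redhat/mecab@0.996-2.module%2Bel8.10.0%2B22857%2B7f331edd?arch=aarch64"
REPO, MOD_ID = "AppStream-8.10.0.Z.MAIN.EUS", "mysql:8.0:8100020250212154709:489197e6"
RPM_ID = "mecab-0:0.996-2.module+el8.10.0+22857+7f331edd.aarch64"
BRANCHES = [{"product": {"product_id": pid, "product_identification_helper": {"purl": p}}}
            for pid, p in ((MOD_ID, NEW), (RPM_ID, RPM))]
RELATIONSHIPS = [
    {"full_product_name": {"product_id": f"{REPO}:{MOD_ID}"},
     "product_reference": MOD_ID, "relates_to_product_reference": REPO},
    {"full_product_name": {"product_id": f"{REPO}:{MOD_ID}:{RPM_ID}"},
     "product_reference": RPM_ID, "relates_to_product_reference": f"{REPO}:{MOD_ID}"},
]
```
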