interlynk-io / sbomex

Find & pull public SBOMs

Home Page:https://sbombenchmark.dev/


bom-v0.4.1 SBOMs don't contain distro information for Debian?

garethr opened this issue · comments

Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.

Here's an example of a Debian SBOM created using bom-v0.4.1:

sbomex pull --id 442

This contains references like:

pkg:deb/debian/gpgv@2.2.40-1?arch=s390x

From the purl spec:

There is no default package repository: this should be implied either from the distro qualifiers key or using a base url as a repository_url qualifiers key.

Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.

Hi @garethr, I really appreciate your input, and thanks for your patience with this issue.

  1. We have another tool entirely focused on the quality of SBOM content here: https://github.com/interlynk-io/sbomqs. I'll migrate this issue to that one to make sure we track it accurately.
  2. As the PURL spec stands today, this is a valid value. Please see examples from the deb section (please see bold examples below):

pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch
pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64

I read that this is meant to imply that the dpkg @ 1.19.0.4 is built for amd64 regardless of distribution (and, therefore, any vulnerability applicable to 1.19.0.4 may apply to this component).

This could further narrow by specifying distro, but IMHO, PURL's original goal has been disambiguation rather than refinement. Let me know if you disagree with this assessment.
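The two posts disagree on whether a `pkg:deb` purl without a `distro` (or `repository_url`) qualifier is *invalid* or merely *unspecific*. Either way, an SBOM consumer can flag such purls as a data-quality finding before matching them against advisories. The following is an added example (not code from sbomex or sbomqs) with a minimal purl splitter and a check that reports deb purls lacking a repository-identifying qualifier, run over the purls quoted in the thread; `SAMPLE_PURLS` is a constructed input list.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample: the purl from SBOM 442 plus the three purl-spec deb examples.
SAMPLE_PURLS = [
    "pkg:deb/debian/gpgv@2.2.40-1?arch=s390x",
    "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie",
    "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch",
    "pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64",
]

# Qualifier keys that, per the purl spec's deb section, tie a purl to a package repository.
REPO_QUALIFIERS = ("distro", "repository_url")


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):]
    subpath = None
    if "#" in rest:                      # subpath comes after the last '#'
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:                      # qualifiers come after the first '?'
        rest, query = rest.split("?", 1)
        # keys are case-insensitive; parse_qsl already percent-decodes values
        qualifiers = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    version = None
    if "@" in rest:                      # version is everything after the last '@'
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = rest.strip("/").split("/")
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def deb_purl_is_specific(purl: str) -> bool:
    """True when a pkg:deb purl names its repository via distro or repository_url."""
    p = parse_purl(purl)
    if p["type"] != "deb":
        raise ValueError(f"not a deb purl: {purl!r}")
    return any(key in p["qualifiers"] for key in REPO_QUALIFIERS)


def audit(purls) -> list:
    """Return the deb purls that cannot be tied to a particular distro release."""
    return [u for u in purls if not deb_purl_is_specific(u)]
```

Running `audit(SAMPLE_PURLS)` returns the gpgv purl from the issue and the spec's `pkg:deb/ubuntu/dpkg` example, which is the set a vulnerability matcher would have to resolve against every release of the distro.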