SBOMs using package tab in the Package details page looks broken

[mrizzi]

The error message suggests the UI is calling using the UUID, i.e. http://localhost:3000/api/v2/sbom/by-package?id=1ac154ff-3a4b-5263-8479-8759d20ef066&limit=10&offset=0, but the API is expecting a purl or a cpe, i.e.

{"error":"CpeOrPurl","message":"Requires either `purl` or `cpe`","details":"Received - PURL: None, CPE: None"}

[mrizzi]

@carlosthe19916 explained (in the matrix channel)

BEFORE it worked /api/v2/sbom/by-package?id={ID} but not anymore. So there are changes introduced that makes the endpoint not able to work as it used to be

[dejanb]

This commit 52fce44#diff-abdf786058d674c66d96b4193ca72745bdc4d422f077278f649ec7b89ce48b81 changed the API, so that it now requires either purl or cpe for this API endpoint.

We can:

1. Change the UI to call by-package?purl={qualified_purl}. I tested this API call and it works fine.
2. Return an option to query by packge UUID

@ctron was the change intentional?

[ctron]

Yes it was. As it was a pain passing through the UUID. I think if we're using PURLs, we should use PURLs. Which might make our life easier should be move away from this in the future, dropping the three table hierarchy.

[dejanb]

@carlosthe19916 can you give a try with the change to pass the purl to the endpoint?

[carlosthe19916]

Hi guys,
In the context of: GET http://localhost:3000/api/v2/sbom/by-package
I confirm, the endpoint works passing ?purl=abcd or ?cpe=yyz

However is it possible to pass purl OR cpe OR ID? This way the ID keeps working as it used to be?

Reasons:

• All endpoints rely on IDs E.g. /api/v1/sbom/{id}, /api/v1/sbom/{id}/label, /api/v1/sbom/{id}/download, /api/v2/purl/{id} and a long long etc.
• For a client it is important to consistently be able to identify entities, it used to be IDs and nothing else. If we change it this will happen:
  • Given an SBOM whose ID 123 and a Purl whose ID is xyz I can not directly fetch the SBOMs related to that purl using /api/v2/sbom/by-package?xyz as first I need to fetch the the package using GET /api/v2/purl/{xyz} get its Purl and only then be able to call /api/v2/sbom/by-package?purl_identified_fetching_package_endpoint

I think PURL or CPE or ID should be the way go. IMHO the current REST endpoint is not a good API REST experience. WDYT?

[ctron]

I think that the idea of "ID" is flawed. Which came up when adding the "CPE". If we'd add "ID" back, we'd also need a "CPE ID" in addition. Also, there actually is an ID, which is the ID of the package (not the PURL).

In those other cases you mentioned, IDs actually are IDs.

I think all places returning purls, actually do return purls, which you can use directly. If we have another endpoint which returns the UUID of a PURL, we might want to amend that to return the actual PURL in addition.

[carlosthe19916]

Ok. The UI now is aligned with those changes. We can close this ticket