refactor(purl): use TypeApk from purl (#5232)

* use TypeApk from purl

* refactor: some tweaks

Signed-off-by: knqyf263 <[email protected]>

---------

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

Author: DmitriyLewen

pkg/purl/purl.go

@@ -16,7 +16,6 @@ import (
 )
 
 const (
-	TypeAPK  = "apk" // not defined in github.com/package-url/packageurl-go
 	TypeOCI  = "oci"
 	TypeDart = "dart"
 )
@@ -135,7 +134,7 @@ func (p *PackageURL) LangType() ftypes.LangType {
 }
 
 func (p *PackageURL) IsOSPkg() bool {
-	return p.Type == TypeAPK || p.Type == packageurl.TypeDebian || p.Type == packageurl.TypeRPM
+	return p.Type == packageurl.TypeApk || p.Type == packageurl.TypeDebian || p.Type == packageurl.TypeRPM
 }
 
 func (p *PackageURL) BOMRef() string {
@@ -180,11 +179,10 @@ func NewPackageURL(t ftypes.TargetType, metadata types.Metadata, pkg ftypes.Pack
 		if metadata.OS != nil {
 			namespace = string(metadata.OS.Family)
 		}
-	case TypeAPK: // TODO: replace with packageurl.TypeApk once they add it.
-		qualifiers = append(qualifiers, parseApk(metadata.OS)...)
-		if metadata.OS != nil {
-			namespace = string(metadata.OS.Family)
-		}
+	case packageurl.TypeApk:
+		var qs packageurl.Qualifiers
+		name, namespace, qs = parseApk(name, metadata.OS)
+		qualifiers = append(qualifiers, qs...)
 	case packageurl.TypeMaven, string(ftypes.Gradle): // TODO: replace with packageurl.TypeGradle once they add it.
 		namespace, name = parseMaven(name)
 	case packageurl.TypePyPi:
@@ -246,17 +244,25 @@ func parseOCI(metadata types.Metadata) (packageurl.PackageURL, error) {
 	return *packageurl.NewPackageURL(packageurl.TypeOCI, "", name, digest.DigestStr(), qualifiers, ""), nil
 }
 
-func parseApk(fos *ftypes.OS) packageurl.Qualifiers {
+// ref. https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#apk
+func parseApk(pkgName string, fos *ftypes.OS) (string, string, packageurl.Qualifiers) {
+	// the name must be lowercase
+	pkgName = strings.ToLower(pkgName)
+
 	if fos == nil {
-		return packageurl.Qualifiers{}
+		return pkgName, "", nil
 	}
 
-	return packageurl.Qualifiers{
+	// the namespace must be lowercase
+	ns := strings.ToLower(string(fos.Family))
+	qs := packageurl.Qualifiers{
 		{
 			Key:   "distro",
 			Value: fos.Name,
 		},
 	}
+
+	return pkgName, ns, qs
 }
 
 // ref. https://github.com/package-url/purl-spec/blob/a748c36ad415c8aeffe2b8a4a5d8a50d16d6d85f/PURL-TYPES.rst#deb
@@ -384,7 +390,7 @@ func purlType(t ftypes.TargetType) string {
 	case ftypes.RustBinary, ftypes.Cargo:
 		return packageurl.TypeCargo
 	case ftypes.Alpine:
-		return TypeAPK
+		return packageurl.TypeApk
 	case ftypes.Debian, ftypes.Ubuntu:
 		return packageurl.TypeDebian
 	case ftypes.RedHat, ftypes.CentOS, ftypes.Rocky, ftypes.Alma,

pkg/sbom/spdx/unmarshal.go

@@ -178,7 +178,7 @@ func (s *SPDX) parsePackages(pkgs map[common.ElementID]*spdx.Package) error {
 			return xerrors.Errorf("failed to parse package: %w", err)
 		}
 		switch pkgURL.Type {
-		case purl.TypeAPK, packageurl.TypeDebian, packageurl.TypeRPM:
+		case packageurl.TypeApk, packageurl.TypeDebian, packageurl.TypeRPM:
 			osPkgs = append(osPkgs, *pkg)
 		default:
 			// Language-specific packages