Get source rpm from purl

doozer/doozerlib/backend/konflux_image_builder.py

@@ -16,6 +16,7 @@
 from kubernetes.client import Configuration
 from kubernetes.dynamic import DynamicClient, exceptions, resource
 from ruamel.yaml import YAML
+from packageurl import PackageURL
 
 from artcommonlib.exectools import limit_concurrency
 from doozerlib import constants
@@ -261,11 +262,19 @@ async def _get_for_arch(arch):
             sbom_contents = json.loads(stdout)
             source_rpms = set()
             for x in sbom_contents["components"]:
-                if x["bom-ref"].startswith("pkg:rpm"):
-                    for i in x["properties"]:
-                        if i["name"] == "syft:metadata:sourceRpm":
-                            source_rpms.add(i["value"].rstrip(".src.rpm"))
-                            break
+                # konflux generates sbom in cyclonedx schema: https://cyclonedx.org
+                # sbom uses purl or package-url convention https://github.com/package-url/purl-spec
+                # example: pkg:rpm/rhel/[email protected]?arch=x86_64&upstream=coreutils-8.32-35.el9.src.rpm&distro=rhel-9.4
+                # https://github.com/package-url/packageurl-python does not support purl schemes other than "pkg"
+                # so filter them out
+                if x["purl"].startswith("pkg:"):
+                    purl = PackageURL.from_string(x["purl"])
+                    # right now, we only care about rpms
+                    if purl.type == "rpm":
+                        # get the source rpm
+                        source_rpm = purl.qualifiers.get("upstream", None)
+                        if source_rpm:
+                            source_rpms.add(source_rpm.rstrip(".src.rpm"))
             return source_rpms
 
         results = await asyncio.gather(*(_get_for_arch(arch) for arch in arches))

doozer/requirements.txt

@@ -29,3 +29,4 @@ aiohttp
 jira>=3.4.1
 ghapi
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
+packageurl-python