feat(sbom): build purls with packageurl-python

Use the packageurl-python library to construct purls instead of manual
string building. Support two modes for purl specification in package
settings:

- Full purl string (`purl` field) used as-is, e.g.
  `pkg:generic/my-fork@1.0.0`
- Individual field overrides (`purl_type`, `purl_namespace`,
  `purl_name`, `purl_version`) that override the default
  construction from global settings and package identity

The two modes are mutually exclusive, enforced by a model validator.
A default purl (`pkg:pypi/<name>@<version>`) is now always generated.
The global `purl_type` setting (default: `pypi`) controls the
default type for all packages.

Add `repository_url` to `SbomSettings` as a global purl qualifier
(e.g. `?repository_url=https://packages.redhat.com`) that is added
to every downstream purl. Per-package `repository_url` overrides the
global value.

Downstream purl construction cascades:
  per-package `purl` (full override) >
  per-package field overrides (`purl_type`, etc.) >
  global defaults from `SbomSettings`

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Prpič <mprpic@redhat.com>

Author: mprpic

pyproject.toml

@@ -35,6 +35,7 @@ dependencies = [
     "elfdeps>=0.2.0",
     "license-expression",
     "packaging",
+    "packageurl-python",
     "psutil",
     "pydantic",
     "pypi_simple",

src/fromager/packagesettings/_models.py

@@ -37,6 +37,8 @@ class SbomSettings(pydantic.BaseModel):
       sbom:
         supplier: "Organization: ExampleCo"
         namespace: "https://www.example.com"
+        purl_type: pypi
+        repository_url: "https://example.com/simple"
         creators:
           - "Organization: ExampleCo"
     """
@@ -55,6 +57,17 @@ class SbomSettings(pydantic.BaseModel):
     The fromager tool creator entry is always added automatically.
     """
 
+    purl_type: str = "pypi"
+    """Default purl type for all packages (e.g. ``pypi``, ``generic``)"""
+
+    repository_url: str | None = None
+    """Default purl ``repository_url`` qualifier for all packages
+
+    When set, this URL is added to every purl as a qualifier
+    (e.g. ``pkg:pypi/flask@2.0?repository_url=https://example.com/simple``).
+    Can be overridden per-package in the package settings file.
+    """
+
 
 class ResolverDist(pydantic.BaseModel):
     """Packages resolver dist
@@ -352,13 +365,60 @@ class PackageSettings(pydantic.BaseModel):
     """Alternative source download settings"""
 
     purl: str | None = None
-    """Package URL (purl) override for SBOM generation
+    """Full purl string override for SBOM generation
+
+    When set, this value is used as the complete purl for this package,
+    bypassing the normal purl construction from individual fields.
+    Mutually exclusive with ``purl_type``, ``purl_namespace``,
+    ``purl_name``, and ``purl_version``.
+    """
+
+    purl_type: str | None = None
+    """Override the purl type (e.g. ``generic`` instead of ``pypi``)"""
+
+    purl_namespace: str | None = None
+    """Override the purl namespace component"""
+
+    purl_name: str | None = None
+    """Override the purl name component (defaults to the package name)"""
+
+    purl_version: str | None = None
+    """Override the purl version component (defaults to the resolved version)"""
 
-    When set, this value is used instead of the default ``pkg:pypi/<name>@<version>``
-    purl. Useful for packages that are not on PyPI or are midstream forks.
-    Supports ``{name}`` and ``{version}`` format substitution.
+    repository_url: str | None = None
+    """Per-package override for the purl ``repository_url`` qualifier
+
+    Overrides the global ``sbom.repository_url`` setting for this package.
+    """
+
+    upstream_purl: str | None = None
+    """Full purl string identifying the upstream source package.
+
+    When set, this is used as the upstream identity in the SBOM's
+    GENERATED_FROM relationship. Used for packages sourced from
+    GitHub/GitLab rather than PyPI.
+
+    When absent, the upstream purl is auto-derived from the downstream
+    purl without the ``repository_url`` qualifier.
     """
 
+    @pydantic.model_validator(mode="after")
+    def validate_purl_fields(self) -> typing.Self:
+        """Ensure ``purl`` is not combined with individual purl fields."""
+        individual_fields = [
+            self.purl_type,
+            self.purl_namespace,
+            self.purl_name,
+            self.purl_version,
+        ]
+        if self.purl is not None and any(f is not None for f in individual_fields):
+            raise ValueError(
+                "'purl' cannot be combined with 'purl_type', 'purl_namespace', "
+                "'purl_name', or 'purl_version'; use either a full purl string "
+                "or individual purl fields"
+            )
+        return self
+
     resolver_dist: ResolverDist = Field(default_factory=ResolverDist)
     """Resolve distribution version"""
 

src/fromager/packagesettings/_pbi.py

@@ -71,9 +71,39 @@ def variant(self) -> Variant:
 
     @property
     def purl(self) -> str | None:
-        """Package URL (purl) override for SBOM generation."""
+        """Full purl string override for SBOM generation."""
         return self._ps.purl
 
+    @property
+    def purl_type(self) -> str | None:
+        """Per-package purl type override."""
+        return self._ps.purl_type
+
+    @property
+    def purl_namespace(self) -> str | None:
+        """Per-package purl namespace override."""
+        return self._ps.purl_namespace
+
+    @property
+    def purl_name(self) -> str | None:
+        """Per-package purl name override."""
+        return self._ps.purl_name
+
+    @property
+    def purl_version(self) -> str | None:
+        """Per-package purl version override."""
+        return self._ps.purl_version
+
+    @property
+    def repository_url(self) -> str | None:
+        """Per-package override for the purl ``repository_url`` qualifier."""
+        return self._ps.repository_url
+
+    @property
+    def upstream_purl(self) -> str | None:
+        """Full purl string identifying the upstream source package."""
+        return self._ps.upstream_purl
+
     @property
     def annotations(self) -> Annotations:
         """Get Package and variant annotations

src/fromager/sbom.py

@@ -13,39 +13,74 @@
 import typing
 from datetime import UTC, datetime
 
+from packageurl import PackageURL
 from packaging.requirements import Requirement
 from packaging.utils import canonicalize_name
 from packaging.version import Version
 
 if typing.TYPE_CHECKING:
     from . import context
+    from .packagesettings import PackageBuildInfo, SbomSettings
 
 logger = logging.getLogger(__name__)
 
 SBOM_FILENAME = "fromager.spdx.json"
 
 
-def _build_purl(
+def _build_downstream_purl(
     *,
-    package_name: str,
-    package_version: Version,
-    purl_override: str | None,
+    name: str,
+    version: Version,
+    pbi: PackageBuildInfo,
+    sbom_settings: SbomSettings,
 ) -> str:
-    """Build a package URL for the SBOM.
+    """Build the downstream package URL for the wheel.
 
-    Returns ``pkg:pypi/<name>@<version>`` by default. If a purl override
-    is set in per-package settings, it is used instead with
-    ``str.format()`` substitution for ``{name}`` and ``{version}``.
+    If a full ``purl`` override is set in per-package settings, it is
+    used as-is.  Otherwise, a purl is constructed from individual field
+    overrides (per-package) falling back to global defaults.
     """
-    if purl_override:
-        try:
-            return purl_override.format(name=package_name, version=package_version)
-        except (KeyError, ValueError) as err:
-            raise ValueError(
-                f"invalid purl template {purl_override!r}: "
-                "only {name} and {version} are supported"
-            ) from err
-    return f"pkg:pypi/{package_name}@{package_version}"
+    if pbi.purl:
+        return pbi.purl
+
+    purl_type = pbi.purl_type or sbom_settings.purl_type
+    qualifiers: dict[str, str] = {}
+    repo_url = pbi.repository_url or sbom_settings.repository_url
+    if repo_url:
+        qualifiers["repository_url"] = repo_url
+
+    return PackageURL(
+        type=purl_type,
+        namespace=pbi.purl_namespace,
+        name=pbi.purl_name or name,
+        version=pbi.purl_version or str(version),
+        qualifiers=qualifiers or None,
+    ).to_string()
+
+
+def _build_upstream_purl(
+    *,
+    name: str,
+    version: Version,
+    pbi: PackageBuildInfo,
+    sbom_settings: SbomSettings,
+) -> str:
+    """Build the upstream source package URL.
+
+    If ``upstream_purl`` is set in per-package settings, it is used
+    as-is.  Otherwise, the upstream purl is derived from the same base
+    as the downstream purl but without the ``repository_url`` qualifier.
+    """
+    if pbi.upstream_purl:
+        return pbi.upstream_purl
+
+    purl_type = pbi.purl_type or sbom_settings.purl_type
+    return PackageURL(
+        type=purl_type,
+        namespace=pbi.purl_namespace,
+        name=pbi.purl_name or name,
+        version=pbi.purl_version or str(version),
+    ).to_string()
 
 
 def generate_sbom(
@@ -56,8 +91,9 @@ def generate_sbom(
 ) -> dict[str, typing.Any]:
     """Generate a minimal SPDX 2.3 JSON document for a wheel.
 
-    The document contains the wheel as the primary package and a
-    DESCRIBES relationship from the document to the package.
+    The document contains the downstream wheel as the primary package,
+    the upstream source as a second package, and DESCRIBES /
+    GENERATED_FROM relationships.
     """
     sbom_settings = ctx.settings.sbom_settings
     if sbom_settings is None:
@@ -73,26 +109,48 @@ def generate_sbom(
 
     namespace = f"{sbom_settings.namespace}/{name}-{version}.spdx.json"
 
-    package_entry: dict[str, typing.Any] = {
+    downstream_purl = _build_downstream_purl(
+        name=name,
+        version=version,
+        pbi=pbi,
+        sbom_settings=sbom_settings,
+    )
+    upstream_purl = _build_upstream_purl(
+        name=name,
+        version=version,
+        pbi=pbi,
+        sbom_settings=sbom_settings,
+    )
+
+    wheel_entry: dict[str, typing.Any] = {
         "SPDXID": "SPDXRef-wheel",
         "name": name,
         "versionInfo": str(version),
         "downloadLocation": "NOASSERTION",
         "supplier": sbom_settings.supplier,
+        "externalRefs": [
+            {
+                "referenceCategory": "PACKAGE-MANAGER",
+                "referenceType": "purl",
+                "referenceLocator": downstream_purl,
+            }
+        ],
     }
 
-    purl = _build_purl(
-        package_name=name,
-        package_version=version,
-        purl_override=pbi.purl,
-    )
-    package_entry["externalRefs"] = [
-        {
-            "referenceCategory": "PACKAGE-MANAGER",
-            "referenceType": "purl",
-            "referenceLocator": purl,
-        }
-    ]
+    upstream_entry: dict[str, typing.Any] = {
+        "SPDXID": "SPDXRef-upstream",
+        "name": name,
+        "versionInfo": str(version),
+        "downloadLocation": "NOASSERTION",
+        "supplier": "NOASSERTION",
+        "externalRefs": [
+            {
+                "referenceCategory": "PACKAGE-MANAGER",
+                "referenceType": "purl",
+                "referenceLocator": upstream_purl,
+            }
+        ],
+    }
 
     doc: dict[str, typing.Any] = {
         "spdxVersion": "SPDX-2.3",
@@ -104,13 +162,18 @@ def generate_sbom(
             "created": timestamp,
             "creators": creators,
         },
-        "packages": [package_entry],
+        "packages": [wheel_entry, upstream_entry],
         "relationships": [
             {
                 "spdxElementId": "SPDXRef-DOCUMENT",
                 "relationshipType": "DESCRIBES",
                 "relatedSpdxElement": "SPDXRef-wheel",
             },
+            {
+                "spdxElementId": "SPDXRef-wheel",
+                "relationshipType": "GENERATED_FROM",
+                "relatedSpdxElement": "SPDXRef-upstream",
+            },
         ],
     }
     return doc

tests/conftest.py

@@ -86,7 +86,7 @@ def testdata_context(
 def make_sbom_ctx(
     tmp_path: pathlib.Path,
     sbom_settings: SbomSettings | None = None,
-    purl: str | None = None,
+    package_overrides: dict[str, typing.Any] | None = None,
 ) -> context.WorkContext:
     """Create a minimal WorkContext with SBOM settings."""
     settings_file = packagesettings.SettingsFile(sbom=sbom_settings)
@@ -97,10 +97,10 @@ def make_sbom_ctx(
         variant="cpu",
         max_jobs=None,
     )
-    if purl is not None:
+    if package_overrides is not None:
         ps = packagesettings.PackageSettings.from_mapping(
             "test-pkg",
-            {"purl": purl},
+            package_overrides,
             source="test",
             has_config=True,
         )

tests/test_packagesettings.py

@@ -73,6 +73,12 @@
     "name": "test-pkg",
     "has_config": True,
     "purl": None,
+    "purl_type": None,
+    "purl_namespace": None,
+    "purl_name": None,
+    "purl_version": None,
+    "repository_url": None,
+    "upstream_purl": None,
     "project_override": {
         "remove_build_requires": ["cmake"],
         "update_build_requires": ["setuptools>=68.0.0", "torch"],
@@ -134,6 +140,12 @@
     },
     "has_config": True,
     "purl": None,
+    "purl_type": None,
+    "purl_namespace": None,
+    "purl_name": None,
+    "purl_version": None,
+    "repository_url": None,
+    "upstream_purl": None,
     "project_override": {
         "remove_build_requires": [],
         "update_build_requires": [],
@@ -174,6 +186,12 @@
     },
     "has_config": True,
     "purl": None,
+    "purl_type": None,
+    "purl_namespace": None,
+    "purl_name": None,
+    "purl_version": None,
+    "repository_url": None,
+    "upstream_purl": None,
     "project_override": {
         "remove_build_requires": [],
         "update_build_requires": [],