Generated purl for OCI images includes namespace, which is not allowed by purl spec #1797

Open
logicflakes opened this issue May 14, 2025 · 1 comment
Labels
breaking bug Something isn't working

Comments

@logicflakes

When generating an SBOM using cdxgen with -t docker, the resulting BOM includes a purl of type oci that incorrectly uses the repository URL as the namespace, which is explicitly disallowed by the current purl specification.

Steps to Reproduce:

  1. Run:
     cdxgen -t docker -o bom.json registry.relizahub.com/library/rearm-cli@sha256:696a2e4d457df5be966a4570d9695905b3d0afcf69d7728f0746d836504c4fce
  2. Observe in bom.json:
     "purl":"pkg:oci/registry.relizahub.com/library/rearm-cli@sha256:696a2e4d457df5be966a4570d9695905b3d0afcf69d7728f0746d836504c4fce"

Problem:

According to the purl spec for OCI:

OCI purls do not contain a namespace, although, repository_url may contain a namespace as part of the physical location of the package.

This means:

  • The namespace should be omitted from the purl.

  • Information like registry.relizahub.com/library or ghcr.io/org/ should instead go into a repository_url field.

Including the namespace violates the spec and may cause issues with tooling that strictly parses purl.
There's an open issue for this on purl-spec as well: OCI PURL type should allow namespace declaration #425

Suggested Fix:

  • Remove the namespace segment from OCI purls.

  • Move repository or registry details to a repository_url qualifier (e.g., pkg:oci/rearm-cli@sha256:696a2e4d457df5be966a4570d9695905b3d0afcf69d7728f0746d836504c4fce?repository_url=registry.relizahub.com/library).

Version Info:

cdxgen version: 11.2.6

References:
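A worked example, added here and not part of the issue or of cdxgen's code: a small Node.js script that parses an OCI purl with a hand-rolled minimal grammar (no packageurl-js dependency), flags the namespace form shown in the report, and rewrites it the way the suggested fix describes, moving the namespace into a repository_url qualifier. It then walks a constructed CycloneDX BOM and lists every offending purl, which is the check a consumer of cdxgen output would run before handing a BOM to a strictly parsing tool. The function names, the sample BOM and the second digest are assumptions of this example. One caveat: the purl-spec's own OCI example sets repository_url to the full repository path including the image name (docker.io/library/debian), so adapt the qualifier value if you want that form rather than the namespace-only value proposed above.

```javascript
// Added example, not cdxgen code: detect OCI purls that carry a namespace and
// rewrite them as the issue proposes (namespace moved to repository_url).
// Minimal purl grammar assumed: pkg:oci/[namespace/]name@version?k=v&...#subpath
const OCI_PREFIX = "pkg:oci/";

// Split an OCI purl into its parts. Digests such as sha256:... sit in the
// version field; the namespace is everything between the type and the name.
function parseOciPurl(purl) {
  if (!purl.startsWith(OCI_PREFIX)) throw new Error(`not an OCI purl: ${purl}`);
  let rest = purl.slice(OCI_PREFIX.length);
  let subpath = null;
  const hashIdx = rest.indexOf("#");
  if (hashIdx !== -1) {
    subpath = rest.slice(hashIdx + 1);
    rest = rest.slice(0, hashIdx);
  }
  const qualifiers = {};
  const qIdx = rest.indexOf("?");
  if (qIdx !== -1) {
    for (const pair of rest.slice(qIdx + 1).split("&")) {
      if (!pair) continue;
      const eq = pair.indexOf("=");
      const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
      qualifiers[key] = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    }
    rest = rest.slice(0, qIdx);
  }
  let version = null;
  const atIdx = rest.lastIndexOf("@");
  if (atIdx !== -1) {
    version = decodeURIComponent(rest.slice(atIdx + 1));
    rest = rest.slice(0, atIdx);
  }
  const segments = rest.split("/").filter(Boolean).map(decodeURIComponent);
  if (segments.length === 0) throw new Error(`OCI purl has no name: ${purl}`);
  const name = segments.pop();
  const namespace = segments.length > 0 ? segments.join("/") : null;
  return { namespace, name, version, qualifiers, subpath };
}

// Percent-encode a segment but keep ':' and '/' readable, matching how the
// purls in this issue are written (sha256: digests, registry/path values).
function encodeSegment(value) {
  return encodeURIComponent(value).replace(/%3A/gi, ":").replace(/%2F/gi, "/");
}

function buildOciPurl({ name, version, qualifiers, subpath }) {
  let purl = OCI_PREFIX + encodeSegment(name);
  if (version) purl += "@" + encodeSegment(version);
  const keys = Object.keys(qualifiers).sort(); // purl spec sorts qualifiers by key
  if (keys.length > 0) {
    purl += "?" + keys.map((k) => `${k}=${encodeSegment(qualifiers[k])}`).join("&");
  }
  if (subpath) purl += "#" + subpath;
  return purl;
}

// Apply the issue's suggested fix: drop the namespace and carry it in a
// repository_url qualifier. An existing repository_url is left untouched.
function toSpecCompliantOciPurl(purl) {
  const parsed = parseOciPurl(purl);
  if (parsed.namespace === null) return { purl, changed: false };
  const qualifiers = { ...parsed.qualifiers };
  if (!("repository_url" in qualifiers)) qualifiers.repository_url = parsed.namespace;
  return { purl: buildOciPurl({ ...parsed, qualifiers }), changed: true };
}

// Walk a CycloneDX BOM (metadata component, top-level and nested components)
// and report every OCI purl that still carries a namespace.
function findNamespacedOciPurls(bom) {
  const findings = [];
  const visit = (components) => {
    for (const component of components || []) {
      const purl = component.purl;
      if (typeof purl === "string" && purl.startsWith(OCI_PREFIX)) {
        const result = toSpecCompliantOciPurl(purl);
        if (result.changed) findings.push({ original: purl, suggested: result.purl });
      }
      visit(component.components);
    }
  };
  if (bom.metadata && bom.metadata.component) visit([bom.metadata.component]);
  visit(bom.components);
  return findings;
}

// Constructed sample BOM (not real cdxgen output); the first purl is the one from the report,
// the second digest is a placeholder.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "container", name: "rearm-cli",
      purl: "pkg:oci/registry.relizahub.com/library/rearm-cli@sha256:696a2e4d457df5be966a4570d9695905b3d0afcf69d7728f0746d836504c4fce" },
    { type: "container", name: "debian",
      purl: "pkg:oci/debian@sha256:0000000000000000000000000000000000000000000000000000000000000000?repository_url=docker.io/library/debian" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findNamespacedOciPurls(SAMPLE_BOM)) console.log(`${f.original}\n  -> ${f.suggested}`);
}
```

Run it with `node` to print each offending purl beside its rewritten form; wire `findNamespacedOciPurls` into a CI step that fails when it returns a non-empty list if you want to gate on spec-compliant purls until cdxgen changes its output.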

@prabhu
Collaborator

prabhu commented May 14, 2025

Thank you for this report. We need some time to think this through since it's a breaking change.
