Support multiple purl identifiers in product_identification_helper

[mprpic]

This allows a vendor to specify multiple purl identifiers for a single component (present as a product version branch in the product tree). Multiple purls may identify the same component but point to different locations from where that component may be available. Thus, it is mandatory that if multiple purls are present in a single
product_identification_helper object, they must only differ in their qualifiers. Otherwise they should be set up as different product tree branches.

Resolves #774

[mprpic]

I'm unsure how to modify the examples to get the final text to build. When I run the make command, I get:

$ make build
bin/volatile.py
detected local reference for acknowledgments-type-example-eg-1 in (The example [eg](#acknowledgments-type-example-eg-1) above SHOULD lead to the following outcome in a human-readable advisory:)
The example \[[1](#acknowledgments-type-example-eg-1)\] above SHOULD lead to the following outcome in a human-readable advisory:
Traceback (most recent call last):
  File "/[...]/csaf/csaf_2.1/prose/edit/bin/volatile.py", line 575, in <module>
    sys.exit(main(sys.argv[1:]))
             ^^^^^^^^^^^^^^^^^^
  File "/[...]/csaf/csaf_2.1/prose/edit/bin/volatile.py", line 461, in main
    global_example_num = eg_global_from[magic_label]
                         ~~~~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'purl-eg-2'
make: *** [Makefile:4: build] Error 1

[tschmidtb51]

@mprpic Thank you for the Draft. I didn't had time yet to do a complete review but here are some quick comments:

• The qualifier test should be a separate one. Also, we need to add
  • valid examples
  • invalid examples
• The guidance on size needs to be adapted.
• The editorial change should be separate from the feature change (thanks for catching it).
• Rebase after Editor revision for TC meeting 2024-08-28 #784 is merged.

[mprpic]

* [ ]  The qualifier test should be a separate one. Also, we need to add
  * [ ]  valid examples
  * [ ]  invalid examples

Ack, I can move it to its own section with examples. Do you care if the original one remains as is and a new one is added with the next test number, i.e. tests-01-mndtr-13-purl.md stays as is and a new tests-01-mndtr-35-purl-qualifiers.md is added? Or do I need to sort them next to each other and bump all tests by one?

* [ ]  The guidance on size needs to be adapted.

Done!

* [ ]  The editorial change should be separate from the feature change (thanks for catching it).

So that's any changes to files under csaf_2.1/prose? Are you saying those should go into a separate PR after the schema changes one is merged?

* [ ]  Rebase after [Editor revision for TC meeting 2024-08-28 #784](https://github.com/oasis-tcs/csaf/pull/784) is merged.

Done!

[tschmidtb51]

Ack, I can move it to its own section with examples. Do you care if the original one remains as is and a new one is added with the next test number, i.e. tests-01-mndtr-13-purl.md stays as is and a new tests-01-mndtr-35-purl-qualifiers.md is added? Or do I need to sort them next to each other and bump all tests by one?

Please keep the old file as they were (except for correcting the structure that changed). The new test should be tests-01-mndtr-38-purl-qualifiers.md. (Other ones are already taken.) To add that to the generated document, it must be added in csaf_2.1/prose/edit/etc/bind.txt.

So that's any changes to files under csaf_2.1/prose? Are you saying those should go into a separate PR after the schema changes one is merged?

No. It was specific to the change of brackets (which then resulted in #787).
Note: The suggested change is actually wrong as we are taking about the schema not a specific instance.

[tschmidtb51]

Please have a look at the suggested changes.

[sthagen]

LGTM. But, should we not target the current editorial branch editor-revision-2024-11-27 ?

Please retarget. ... and I will recreate the gap for your new tests-01-mndtr-38-... file to slot in. Thanks.

Update: The merge window for the editor revision of 2024-11-27 will close before this PR can be merged, so I retargeted to a feature branch instead. If approved and merged this change set will become part of the editor revision of December 2024 or later.

[tschmidtb51]

I'll merge it into the feature branch and do the necessary changes there. @mprpic Thank you for the contribution.

[tschmidtb51]

@mprpic Was there a specific reason why you removed the \\ in front of the /?