strin nexB/vulnerablecode#152 (e.g. https://github.com/nexB/vulnerablecode/pull/152/files#diff-b1145824c474d7ced1f3c9d3742cd707R294)
@nishakm. If the jar/war is available in an organization's internal repo (nexus, artifactory, etc.), then you'd simply represent it like this:
If you want to try to describe a random file on the filesystem, PURL was not designed for that, but it can be done.
This is perfectly valid, but certainly non-standard. Both
file_name are reserved qualifiers that can be used with any PURL type.
packCLI which invokes a buildpack which downloads an artifact from an S3 bucket defined in the buildpack's recipe) I was wondering how I would describe this particular artifact using pURL. How about
`pkg:cnb/jvm@sha256:deadca66a9e?repository_url=cloudfoundry.org`? In this case, a distributor does not know the exact URL the artifact was downloaded from but does know who supplied it (cloudfoundry.org).
`jvm.tgz` is hosted on a content addressable storage system, then you only know the digest and the name of the supplier's client tool.
```python
In : from packageurl import PackageURL
In : p1 = PackageURL(name="foo", type="bar", version="7.14-2+deb7u12")
In : p1
Out: PackageURL(type='bar', namespace=None, name='foo', version='7.14-2+deb7u12', qualifiers=OrderedDict(), subpath=None)
In : p1.version
Out: '7.14-2+deb7u12'
In : p1.to_string()
Out: 'pkg:bar/foo@7.14-2%2Bdeb7u12'
```
Notice how the `+` in the version gets converted to `%2B` when the `PackageURL` object is converted to a string. Is this the expected behaviour?
Due to this, we are ending up with versions like `7.14-2%2Bdeb7u12` written to VulnerableCode's DB. Please suggest workarounds.
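As an added illustration (not code from this thread or from packageurl-python), the snippet below mirrors the canonical encoding the REPL session shows: components are percent-encoded on the way out, so `+` becomes `%2B`, and decoded again on the way in. The function names and the dict layout are assumptions; the point for a database like VulnerableCode's is to parse the canonical string back into components before storing or comparing a version, so that `7.14-2+deb7u12`, not `7.14-2%2Bdeb7u12`, is what gets persisted.

```python
from urllib.parse import quote, unquote


def _enc(component):
    # Percent-encode everything except unreserved characters, but keep ':'
    # literal so a digest-style version such as sha256:deadca66a9e stays readable.
    return quote(component, safe="").replace("%3A", ":")


def purl_to_string(ptype, name, version=None, namespace=None, qualifiers=None):
    """Build the canonical purl string: pkg:type/namespace/name@version?k=v."""
    out = f"pkg:{ptype}/"
    if namespace:
        out += _enc(namespace) + "/"
    out += _enc(name)
    if version:
        out += "@" + _enc(version)  # '+' in the version is emitted as %2B here
    if qualifiers:
        out += "?" + "&".join(f"{k}={_enc(v)}" for k, v in sorted(qualifiers.items()))
    return out


def purl_from_string(purl):
    """Split a purl string into components and percent-decode each one."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):]
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    rest, _, version = rest.partition("@")
    ptype, _, path = rest.partition("/")
    parts = path.split("/")
    qualifiers = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            qualifiers[key] = unquote(value)
    return {
        "type": ptype,
        "namespace": "/".join(unquote(p) for p in parts[:-1]) or None,
        "name": unquote(parts[-1]),
        "version": unquote(version) or None,  # %2B is turned back into '+'
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


def version_for_db(purl_string):
    """Workaround: decode before persisting, never slice the encoded string."""
    return purl_from_string(purl_string)["version"]
```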