Philippe Ombredanne
@pombredanne

Is there any project out there to try to enumerate every available PURL?

@tclasen "every" would be a hard thing since there are eventually an infinity of purls ;)

that said beyond the affected/vulnerable purls and the fixed purls, I have a project (in the making and quite advanced, but not published yet) to create a comprehensive DB of all the packages. This is a project that needs tender, love and care :) and some grease to be pushed to the top of the TODO stack
The model for this db is keyed by purl
@tclasen would you be game to help push this?
Tory Clasen
@tclasen
@pombredanne, I'm game to at least take a look, can you send me an invite?
Philippe Ombredanne
@pombredanne
@tclasen the best way to help if you have a few cycles to spare would be on https://gitter.im/aboutcode-org/vulnerablecode .. as this is the way we can get the best correlations between purls and CPEs.... there is some WIP to migrate to a new model
@tclasen which TZ are you in?
Jono Yang
@JonoYang
Version 0.9.8.1 of packageurl-python has been released. This new version has updates to the url2purl module. url2purl now creates a generic PackageURL for download URLs passed into it if no other more specific URL handlers can handle that particular download URL. We also create generic PackageURLs for code.google.com archive URLs and certain forms of sourceforge URLs.
Philippe Ombredanne
@pombredanne
@JonoYang awesome! thanks
Shawn Hartsock ☁️
@hartsock_twitter

Hey folks … I have been working with image specifications recently. I noticed this blog post:
https://hackmd.io/1I7Pdx0dTQSzxkNvn5O8HQ
… expanding on this a bit … taking the case where a container build job is also pulling in source code from an SCM and then compiling … and it's the result of the compile that ends up in the container. For example, a code.java file is compiled to code.class and packaged into code.jar … and this jar ends up in the container image …

Maybe a way to record this is to record the pURL of the source code (example pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c ) and then reference this in the image-spec annotations?

I’m not sure this impacts any of your design decisions directly but I thought I’d mention it.

Steve Springett
@stevespringett
@pombredanne it looks like there are a few minor things to get sorted out with vers, however, is there anything preventing the merge of the PR as is? BTW, CycloneDX v1.4 has fully adopted vers, even in its current state. We've proven that it's useful for many of the use cases currently being explored.
One additional question. Do you envision separate libraries for vers, or would you prefer vers support to be added to each of the existing implementations?
Philippe Ombredanne
@pombredanne

@hartsock_twitter re:

I’m not sure this impacts any of your design decisions directly but I thought I’d mention it.

That's a great use case :)

@stevespringett re:

it looks like there are a few minor things to get sorted out with vers, however, is there anything preventing the merge of the PR as is? BTW, CycloneDX v1.4 has fully adopted vers, even in its current state. We've proven that it's useful for many of the use cases currently being explored.

Nothing special. I just wanted to make sure things would work well in practice ... and so far they are.

One additional question. Do you envision separate libraries for vers, or would you prefer vers support to be added to each of the existing implementations?

What do you think? An implementation can be a bit more involved than the purl one... I would likely prefer smaller purpose-specific libraries... but we do not have to mandate anything special there.... either way works

Philippe Ombredanne
@pombredanne
@stevespringett not even vaguely related... I am glad to see that some of the code I crafted is of some use in https://github.com/CycloneDX/cyclonedx-python/blob/3b3477bc8c79f46208ad46568082ceca036cac2f/pyproject.toml#L39 ... https://github.com/nexB/pip-requirements-parser :+1:
Jeffry Hesse
@DarthHater
@stevespringett @pombredanne @steven-esser : Declan is the kiddo of one of the Sonatype engineers, and wanted to learn how to contribute to Open Source, so I picked an issue off of the list at packageurl-js and helped him out! package-url/packageurl-js#26
Steve Springett
@stevespringett
Awesome. Thanks @DarthHater and thanks for jumping in
Philippe Ombredanne
@pombredanne
@DarthHater sweet!
Steven Esser
@steven-esser
Will check it out!
restlessmonkey
@restlessmonkey
Hi - I'm looking for some example Python code to read JSON SBOMs. Is there such a thing in this group?
Steven Esser
@steven-esser
@DarthHater PR merged and new version v0.0.6 of packageurl-js published to NPM. Thanks for the contribution!
Philippe Ombredanne
@pombredanne
:heart:
@restlessmonkey did you mean a CycloneDX or SPDX SBOM?
if yes, that's likely to be more something for each respective project :)
Paul Horton
@madpah
Hey All - I raised an Issue package-url/packageurl-python#65 a bit ago - are you open to a PR that types the Python packageurl library?
Paul Horton
@madpah
And secondly, do you want a hand generally with the packageurl-python project?
Philippe Ombredanne
@pombredanne
@madpah Hey :)
@madpah I guess that can be OK for such a small library ... but what are the actual benefits of string typing? I am always wondering about this

And secondly, do you want a hand generally with the packageurl-python project?

Yes! of course

Jeffry Hesse
@DarthHater
Hi hello!!! @steven-esser @pombredanne a colleague at Sonatype is playing with purls and discovered a couple issues (or what he perceives as issues), so here I am with some PRs for you: package-url/packageurl-go#32 (first so far, golang purl lib, seems to be missing the test-suite-json?)
There are a couple test failures, and I think they are valid best I can SORT of tell
Jeffry Hesse
@DarthHater
Ok @steven-esser @pombredanne (and I suppose my friend in SBOMs, @stevespringett ), fixed the test failures and added the test data in on: package-url/packageurl-go#32
Philippe Ombredanne
@pombredanne
@DarthHater awesome!
let me check this over the we
Jeffry Hesse
@DarthHater
No problem buddy!
I'll probably have a couple other tiny PRs too, just to help us use it
Philippe Ombredanne
@pombredanne
@DarthHater even more awesome :bow:
Paul Horton
@madpah

Hey @pombredanne - re PEP-561 typing (and beyond the official Rationale), we had a few downstream folk request us to type the CycloneDX Python Lib as they had tools like mypy in their CI processes and it caused extra work (headaches) for them to deal with un-typed dependencies.

tldr: Hygiene I guess?

Re: help @pombredanne - is this the best place to talk specifically about the Python library?
Philippe Ombredanne
@pombredanne
@madpah sure thing
@madpah I feel that typed Python is another language at times and not my Python :P
but I can live with it as long as we are still supporting Python 3.6+ for now
so please go for it :+1:
Paul Horton
@madpah
Sure @pombredanne - will look at a PR then for typing à la PEP-561
What CI is actually used for package-url Python @pombredanne ? It’s not clear from the repo?
Philippe Ombredanne
@pombredanne
@madpah I am ashamed
The CI seems to be gone entirely :)
Paul Horton
@madpah
Oh dear. Any objection to me getting GitHub Actions or Circle CI up and running for it?
Philippe Ombredanne
@pombredanne
I will merge in a skeleton I use elsewhere with a decent CI setup and enable Azure + Appveyor at least
Paul Horton
@madpah
Sure - whatever you prefer.
Philippe Ombredanne
@pombredanne

Oh dear. Any objection to me getting GitHub Actions or Circle CI up and running for it?

@madpah perfect too