DarthHater @DarthHater shakes fist at air
Paul Horton
@madpah
lol @DarthHater
Paul Horton
@madpah
@pombredanne PR for enabling GitHub Actions is with you for review (merging is blocked for me until 1 approver :-))
Tory Clasen
@tclasen

Anyone know why the python package isn't letting me get a url from a purl?

import typer
from packageurl import PackageURL
from packageurl.contrib import purl2url

app = typer.Typer()

@app.command()
def get(purl: str):
    parsed = PackageURL.from_string(purl)
    typer.echo(f"Grabbing {parsed}")
    # typer.echo takes one message argument; a second positional argument is
    # treated as the output file, so the URL is formatted into the string instead.
    typer.echo(f"A {purl2url.get_url(purl)}")
    typer.echo(f"B {purl2url.get_url(parsed.to_string())}")
    typer.echo(f"C {purl2url.get_url(str(parsed))}")
    typer.echo(f"D {purl2url.get_url(parsed.to_string())}")

For this I've tried the two following PURLs:

And for both of them I successfully parse and can print the purl, but the A, B, C, D echoes after that are all empty (but don't crash).

Philippe Ombredanne
@pombredanne
It should be reasonably straightforward using tidbits of code from https://github.com/nexB/fetchcode/blob/master/src/fetchcode/package.py and the expansive set in https://github.com/nexB/scancode-toolkit/tree/develop/src/packagedcode
@tclasen can I interest you in contributing these?
@TG1999 ^ ping
@tclasen please start with an issue
Tushar Goel
@TG1999
@pombredanne ack
Jeffry Hesse
@DarthHater
@pombredanne any chance you are gonna check this out soonish? package-url/packageurl-go#32 (coworker is demoing something that relies on it right now, hence asking)
Tushar Goel
@TG1999
package-url/packageurl-python#86 @pombredanne @tclasen addressed the above chat in the issue
Philippe Ombredanne
@pombredanne
@DarthHater reviewed and approved. Will merge shortly! :bow:
Jeffry Hesse
@DarthHater
AWESOME!!!
Thanks dude!
Philippe Ombredanne
@pombredanne
done
ChronosMOT
@ChronosMOT
Hi, I would like to contribute, but am unsure how to go about it. I've seen an issue where a contributing.md was discussed, but never got realized.
What is the preferred way to contribute? Should I open an issue to discuss my ideas, discuss them here or start writing the specifications I think are needed and then discuss in the PR?
Specifically I'm looking into creating an SBOM for a Windows 10 System and would like to add a type for Store Apps. The data you can get on those is very uniform and it should be easy to create a specification for those.
Philippe Ombredanne
@pombredanne
@ChronosMOT Hey :) for this the best is to start with a PR adding a type. That's the simplest and this is usually fairly straightforward .... BTW is there a way to directly download Store Apps? just curious?
ChronosMOT
@ChronosMOT
Hi @pombredanne . Ok, then I'll do that.
Apparently there is https://lazyadmin.nl/it/install-microsoft-store-apps-without-store/ ^^
Philippe Ombredanne
@pombredanne
great :+1: that's best
I assume that there is likely some recipe to automatically derive these
ChronosMOT
@ChronosMOT
Well... After a quick try it seems that there is a website that lists the download-link for the app-package for each product on the store. There isn't really a good way to get to that download-link...
So you can download apps without using the store, but it gets a bit involved ^^"
Philippe Ombredanne
@pombredanne
if there is a will, there is a way! :)
Jason Kulatunga
@AnalogJ

I'm attempting to create an open-source universal downloader of sorts, based on PURLs. I've done this before in another life, and it was a PITA to come up with all the different URIs for the various artifact providers; the package-url spec seems very similar to what we ended up creating in house, and I'd love to build on top of it.

Couple of questions:

  • is there already a known tool that will download artifacts given a PURL? (preferably a standalone binary written in Go?)
  • my first use-case is to download a github release asset (scrutiny-collector-metrics-windows-4.0-amd64.exe attached to this release https://github.com/AnalogJ/scrutiny/releases/tag/v0.4.8), is there an existing PURL format for something like that?
  • if not, which of the following would make the most sense?
    • pkg:github/AnalogJ/scrutiny@v0.4.8?file_name=scrutiny-collector-metrics-windows-4.0-amd64.exe&type=release_asset
    • pkg:github/AnalogJ/scrutiny@v0.4.8?type=release_asset#scrutiny-collector-metrics-windows-4.0-amd64.exe
Philippe Ombredanne
@pombredanne

@AnalogJ Hey :) looks great!

is there already a known tool that will download artifacts given a PURL? (preferably a standalone binary written in Go?)

That's a goal of https://github.com/nexB/fetchcode/ (in Python)

my first use-case is to download a github release asset (scrutiny-collector-metrics-windows-4.0-amd64.exe attached to this release https://github.com/AnalogJ/scrutiny/releases/tag/v0.4.8), is there an existing PURL format for something like that?

Not really, but we can invent one.

if not, which of the following would make the most sense?

IMHO, the first one would be the closest. A default one would be:
pkg:github/AnalogJ/scrutiny@v0.4.8?download_url=https://github.com/AnalogJ/scrutiny/releases/download/v0.4.8/scrutiny-collector-metrics-windows-4.0-amd64.exe ....

We could spec and update the spec for release assets:
could be something such as:

pkg:github/AnalogJ/scrutiny@v0.4.8?release_asset=scrutiny-collector-metrics-windows-4.0-amd64.exe
(and obviously) since a specific property of GH release assets is that a name is unique within a release, we could leverage this and have something compact and unambiguous

@AnalogJ is this for https://github.com/PackagrIO/fetchr ? :P
@AnalogJ you may be interested in package-url/purl-spec#139 which is to be merged anytime and https://github.com/nexB/univers which is in Python, not Go... but a Go vers would be awesome

Jason Kulatunga
@AnalogJ

Awesome, thanks for the help @pombredanne !
Yeah, fetchr will be a go library & cli for downloading artifacts using purl urls.

in my past life, we did run into an issue with our universal downloader that I haven't seen discussed in the purl issues/repo -- immutable vs mutable references.

with a docker image it's pretty easy to see that alpine:latest is not guaranteed to be immutable (vs alpine@sha256:12345abcdef), however referencing the image by digest is not always possible in the destination -- ie a helm chart references the image as alpine:v1.2.3

this also applies to git repos (where tags are mutable) and other artifact types.

We solved this by adding the ability to query and embed immutable refs in our "purl-like" identifiers.

something similar to:

pkg:docker/smartentry/debian@dc437cc87d10?immutable_ref=sha256@abc12345

Philippe Ombredanne
@pombredanne
@AnalogJ this makes sense... I think we may have specified something for checksums... https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs ... could this be of help?
maybe this?
pkg:docker/alpine@v1.2.3?checksums=sha256:dc437cc87d10
taoxinyi
@taoxinyi
Hi team, I'm working on some integration with purl and I'm trying to understand what's the correct way to describe a golang package github.com/argoproj/argo-events/sensors/artifacts as shown in this Snyk vulnerability. Should everything go to the namespace and name portion like this pkg:golang/github.com/argoproj/argo-events/sensors/artifacts or go to subpath portion like this pkg:golang/github.com/argoproj/argo-events#sensors/artifacts?
Philippe Ombredanne
@pombredanne
@taoxinyi pkg:golang/github.com/argoproj/argo-events#sensors/artifacts is the way :)
Walter-Haydock
@Walter-Haydock
@pombredanne - awesome project. I am just joining the conversation, and am going to ask a naive question: is there a "database" of package-urls that I could query, to see all of them in existence?
Philippe Ombredanne
@pombredanne
@Walter-Haydock there is no such thing but I have some code to create this alright :)
@Walter-Haydock the need for a db of package urls is not as essential as for other forms of ids, as in most cases the purl can be inferred from the actual package and its content.... in contrast to a CPE that would be more like a given name that would absolutely need some db
there is a bit of code that helps also to infer a purl from a download URL... for instance in the Python library, url2purl does a bunch of these: https://github.com/package-url/packageurl-python/blob/main/src/packageurl/contrib/url2purl.py
(not enough but a decent start)
@Walter-Haydock Thank you for the kind words BTW
Philippe Ombredanne
@pombredanne
so wrt. a DB, there is a bunch of code in https://github.com/nexB/scancode-toolkit/tree/develop/src/packagedcode that can yield a purl from package and dependency manifests and lockfiles. And more code in https://github.com/nexb/vulnerablecode (and that's just for some of the projects I directly maintain.... there is awesome purl code in CycloneDX @ OWASP and at Sonatype and in ORT and many other places)
in the end exposing such a DB is in the plan... the only reason why it is not there yet is time and resources ;)
hibbardc
@hibbardc
@pombredanne That is refreshing news, to say the least. The lack of existence of such a DB is holding back the entire SBOM effort IMHO. I'm trying to discover whether PURLs will be truly unique and reliable: how can we guarantee no two orgs won't create 2 different PURLs for the same package instance? I've seen PURLs generated by SBOM tools that get mixed up, and use package names not assigned by the original author/producer, especially in re-distributed packages. Is there any requirement that the "name" portion of the PURL must come from the original author/producer (as required by NTIA's Min Data Elements for SBOMs) or only that it uses a name chosen by the namespace it was found under? If you and I obtain openssl from two different package managers, will your PURL use "openssl-lib" as the name, and the PURL I generate use "openssl" instead? Of course, when we try to use our SBOMs to create vulnerability lists, having slightly different name data in the PURL could mean disaster.
hibbardc
@hibbardc
@pombredanne Is there a way of evaluating 2 PURLs to see [deterministically] whether or not they point to the same package (have you considered adding a SHA1 hash in the PURL)? Otherwise, how can an org guarantee they find all the public vulnerabilities of any package (using its PURL + Sec Feeds)? Is this ability an important part of how PURLs are intended to be used? Without this ability, it seems SBOMs must choose another naming system, if they are to be used for Security purposes (and thus guarantee the ability to find all publicly known vulns for a given PURL)...
Nemo
@captn3m0
I have the same concern with the scanner I am building for endoflife.date. Currently planning to exhaustively list PURLs to cover all distros but it’s tough
As a second option, I was looking at the ClearlyDefined.io project where we can add such cross referencing information.
Motahare
@motaharem
Good evening everyone, I was wondering if there is any way to find the repo that a purl is generated by?
hibbardc
@hibbardc
@captn3m0 I'm also looking at ClearlyDefined as a possible collaboration point. It might be extended to include a lot of Security info we would need to match different package names up, for any given single package. Their DB is huge. But collecting, curating, and maintaining that Security data would be a lot of work. We need a giant list of alternative names for all OSS packages, mapping given packages to all the names they are called, by different Orgs. That way, when I see an SBOM that lists a PURL with "Debian\openssl-0@0.9.6d", for instance, and I see NVD published a CVE against "cpe:2.3:a:openssl:openssl:0.9.6d:." then my tooling can recognize they're the same thing, and I can say this SBOM is impacted by said CVE. Otherwise, I end up looking for Vulns associated with "bad" names for the packages in my SBOM, and always end up returning no vulns (Name Mismatch problem).
Nemo
@captn3m0
I think repology dataset can be of some help on the distro side (we link the canonical purl to a distro package, which then links to the other package names).