Extract language and package type from pURLs on SBOM decode #777
Conversation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Benchmark Test Results: benchmark results from the latest changes vs base branch

```go
	p.Version,
	nil,
	"",
).ToString()
```
NIT: go's https://pkg.go.dev/fmt#Stringer uses `String() string` as signature.
So for example

```go
purl := packageurl.NewPackageURL(
	packageurl.TypeNPM,
	"",
	p.Name,
	p.Version,
	nil,
	"",
)
fmt.Printf("purl: %s", purl) // Printf will look for purl.String()
```
nvm there is an alternative: https://github.com/package-url/packageurl-go/blob/master/packageurl.go#L189
it seems like `p.ToString()` and `p.String()` are really the same call on this object (not certain why they didn't just provide `String` and leave off `ToString`). Since `String` simply calls `ToString` I think I'll leave this as is.
👍
* add language detection from pURLs
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add package type detection from pURLs
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cargo and npm pURL support
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix npm tests and linting
  Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
This PR paves the way to use pURLs as a way to indicate package language and package type, two attributes that are not easily encoded as in-spec properties for CycloneDX and SPDX. This will be useful when decoding SBOM documents that did not necessarily originate from Syft but do carry pURL information.
Possible future SPDX decode function:
Additionally adds pURL support for cargo and npm package types.
Related to anchore/grype#395
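As an added example (not code from this PR or from Syft), here is the derivation the description sketches: a minimal parser for the pURL type component plus a mapping from that type to package type and language, falling back to "unknown" for types the table does not cover so that decoding an SBOM never fails on an unfamiliar ecosystem. The `PackageInfo` type, the `InfoFromPURL` function and the table values are this example's own assumptions, not Syft's constants.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PackageInfo is this example's own result type, not syft's pkg.Package.
type PackageInfo struct {
	Type     string // package manager / ecosystem, e.g. "npm"
	Language string // implementation language, e.g. "javascript"
}
// purlTypeTable maps the pURL type to package type and language (illustrative
// values; syft's own constant names may differ).
var purlTypeTable = map[string]PackageInfo{
	"npm":    {"npm", "javascript"},
	"cargo":  {"rust-crate", "rust"},
	"pypi":   {"python", "python"},
	"golang": {"go-module", "go"},
}
// purlType extracts and lowercases the type component of
// pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>.
func purlType(purl string) (string, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", errors.New("pURL must start with the pkg: scheme")
	}
	rest := strings.TrimLeft(purl[len("pkg:"):], "/") // spec tolerates leading slashes
	i := strings.IndexByte(rest, '/')
	if i <= 0 {
		return "", errors.New("pURL has no type component")
	}
	return strings.ToLower(rest[:i]), nil
}
// InfoFromPURL derives package type and language from a pURL; unknown types
// map to "unknown" rather than failing, so the rest of the SBOM still decodes.
func InfoFromPURL(purl string) (PackageInfo, error) {
	typ, err := purlType(purl)
	if err != nil {
		return PackageInfo{}, err
	}
	if info, ok := purlTypeTable[typ]; ok {
		return info, nil
	}
	return PackageInfo{Type: "unknown", Language: "unknown"}, nil
}
func main() {
	info, err := InfoFromPURL("pkg:npm/%40angular/core@12.0.0")
	fmt.Println(info, err) // prints {npm javascript} <nil>
}
```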