Introduce the concept of a "successor package" to the purldb data model #175

Open
Tracked by #272
DennisClark opened this issue Aug 29, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@DennisClark
Member

It is not a super-common situation (fortunately), but sometimes a package gets moved and/or renamed to an entirely new namespace. Consider log4j:

pkg:maven/log4j/[email protected] is followed by
pkg:maven/org.apache.logging.log4j/[email protected]

indicating that it became part of a "logging" project. This is fine, but it can make it challenging to find the "next" or "later" versions of a specific package.

Modeling details to be determined: possibly a new field on the basic package definition called successor_package (purl format of course) or possibly a new relation, since this is a relatively rare occurrence.

@Hritik14

Hritik14 commented Sep 5, 2023

Just food for thought: if the commit history can be leveraged to trace a package, that could be super helpful.

@pombredanne
Member

@armijnhemel

This should probably be a 1:n mapping. There are some packages that have been split into multiple packages. One example is hostap, which was succeeded by hostapd and wpa_supplicant. This is rare, though.
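
The successor relation discussed in this thread, modelled as 1:n edges between purls and resolved transitively, as an added example that is not purldb code and not written by any participant. The `SuccessorIndex` class, its method names, and the `pkg:generic/...` purls are assumptions made for illustration; only the hostap, hostapd and wpa_supplicant names come from the thread.

```python
from collections import defaultdict, deque


class SuccessorIndex:
    """Hypothetical 1:n successor relation between versionless purls."""

    def __init__(self):
        self._edges = defaultdict(list)  # predecessor purl -> successor purls

    def add(self, predecessor, successor):
        for purl in (predecessor, successor):
            if not purl.startswith("pkg:"):
                raise ValueError(f"not a purl: {purl!r}")
        if predecessor == successor:
            raise ValueError("a package cannot succeed itself")
        if successor not in self._edges[predecessor]:
            self._edges[predecessor].append(successor)

    def direct(self, purl):
        """Immediate successors, in insertion order."""
        return list(self._edges.get(purl, ()))

    def latest(self, purl):
        """Follow the relation to packages that have no successor themselves.

        Breadth-first and cycle-safe: a purl is visited once, so bad data
        such as a -> b -> a terminates and yields no terminal successor.
        """
        seen, leaves, queue = {purl}, [], deque([purl])
        while queue:
            current = queue.popleft()
            successors = self._edges.get(current, [])
            if not successors and current != purl:
                leaves.append(current)
            for nxt in successors:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return leaves


def build_sample():
    """Constructed sample data; the 'generic' purl type is an assumption."""
    idx = SuccessorIndex()
    idx.add("pkg:generic/hostap", "pkg:generic/hostapd")         # split: 1:n
    idx.add("pkg:generic/hostap", "pkg:generic/wpa_supplicant")
    idx.add("pkg:generic/example-old", "pkg:generic/example-mid")  # rename chain
    idx.add("pkg:generic/example-mid", "pkg:generic/example-new")
    return idx
```
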
