
Fix PURLToPackage function and move it #439

Merged (5 commits), Jul 13, 2023

Conversation

another-rex (Collaborator) commented Jul 10, 2023

Turns out our PURLToPackage function was returning incorrect results for ecosystems that contain a namespace, like golang; the returned result was simply missing the full namespace (github.com/author/...). When adding the namespace, there are also some exceptions in some ecosystems (e.g. Maven uses :, Debian and Alpine repeat their name in their namespace, etc.).

This also moves PURLToPackage to the models package instead of osvscanner, deprecating the existing one in osvscanner, because:

  • It makes more sense: it actually has nothing to do with the scanner itself, but converts between PURLs and a structure under models.
  • It prevents cyclic imports when used elsewhere (in the offline scanning PR, and in the upcoming PURL parsing PR that I'm currently working on).

Also added additional tests to clarify behavior and prevent regressions in the future.

Review threads (outdated, resolved) on pkg/models/purl_to_package.go (2) and pkg/models/purl_to_package_test.go.

Review comment on this snippet of pkg/models/purl_to_package.go:
```go
	// Debian and Alpine repeat their namespace in PURL, so don't add it to the name
	name = parsedPURL.Name
default:
	name = parsedPURL.Namespace + "/" + parsedPURL.Name
```
Collaborator:

Is this definitely the case in all other ecosystems?

another-rex (Collaborator, Author):

I'm pretty sure this is the case for all other ecosystems in OSV right now, going by the package_to_purl function in Python:

https://github.com/google/osv.dev/blob/24e724430a0c2d6ef23eae7ae7007e7d2771b3d7/osv/purl_helpers.py#L42

If we add more linux distros we'll also need to remove the namespace for them as well.
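Added example, not code from this PR or from osv-scanner: the namespace rules spelled out in the description and in the reply above, implemented in Go. It assumes a hypothetical PackageInfo type, a small purl-type to OSV-ecosystem map, and a minimal hand-written purl parser standing in for packageurl-go.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type PackageInfo struct{ Ecosystem, Name, Version string } // hypothetical stand-in, not osv-scanner's own type

var purlTypeToEcosystem = map[string]string{ // assumed subset of the purl-type to OSV-ecosystem mapping
	"golang": "Go", "maven": "Maven", "deb": "Debian", "apk": "Alpine", "npm": "npm",
}

// parsePURL is a minimal pkg:type/namespace/name@version parser (not packageurl-go):
// qualifiers and subpath are dropped, namespace and name are percent-decoded.
func parsePURL(purl string) (typ, ns, name, version string, err error) {
	rest := strings.TrimPrefix(purl, "pkg:")
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		version, rest = rest[i+1:], rest[:i]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if !strings.HasPrefix(purl, "pkg:") || len(parts) < 2 {
		return "", "", "", "", fmt.Errorf("malformed purl %q", purl)
	}
	ns, _ = url.PathUnescape(strings.Join(parts[1:len(parts)-1], "/"))
	name, _ = url.PathUnescape(parts[len(parts)-1])
	return strings.ToLower(parts[0]), ns, name, version, nil
}

// PURLToPackage applies the PR's rules: Maven joins with ':', Debian/Alpine drop the repeated distro namespace, others join with '/'.
func PURLToPackage(purl string) (PackageInfo, error) {
	typ, ns, name, version, err := parsePURL(purl)
	eco, known := purlTypeToEcosystem[typ]
	if err != nil || !known {
		return PackageInfo{}, fmt.Errorf("cannot convert %q: err=%v, known type=%t", purl, err, known)
	}
	switch {
	case ns == "": // no namespace, nothing to prepend
	case typ == "maven": // groupId:artifactId
		name = ns + ":" + name
	case typ == "deb", typ == "apk": // namespace only repeats the distro name
	default:
		name = ns + "/" + name
	}
	return PackageInfo{Ecosystem: eco, Name: name, Version: version}, nil
}
```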

@another-rex another-rex merged commit 36e5ed8 into google:main Jul 13, 2023