Support for packageurl #64
Comments
I could not agree more!
Hi! Could I ask where you are suggesting to add support for purls? As part of an API query? Our thinking with our current schema and API is to keep it compatible with PURLs where we can, i.e. keeping the "ecosystem" values consistent with the ones chosen by purl ("golang", "pypi" etc.), so that in most cases you can just split the PURL into the ecosystem name and the package path and version and still have it accepted by OSV.
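The split the comment above describes (purl into ecosystem, package path and version, then an OSV query body), as an added Python example that is not OSV project code. The purl-type to OSV ecosystem table and the groupId:artifactId naming for Maven packages are assumptions of this example, not something the thread states.

```python
from urllib.parse import unquote

# Assumed mapping from purl "type" to the OSV "ecosystem" string.
PURL_TYPE_TO_OSV_ECOSYSTEM = {
    "golang": "Go", "pypi": "PyPI", "maven": "Maven", "npm": "npm",
    "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet", "composer": "Packagist",
}

def split_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (type, namespace, name, version); namespace and version may be None."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    rest = purl[len("pkg:"):].lstrip("/")
    # Subpath and qualifiers do not identify the package; drop them first.
    rest = rest.split("#", 1)[0].split("?", 1)[0]
    type_, _, path = rest.partition("/")
    if not type_ or not path:
        raise ValueError("purl needs a type and a name: " + purl)
    # The spec requires '@' inside namespace/name to be percent-encoded,
    # so the last raw '@' separates the version.
    path, version = path.rsplit("@", 1) if "@" in path else (path, None)
    segments = [unquote(s) for s in path.split("/") if s]
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    return type_.lower(), namespace, name, unquote(version) if version else None

def osv_query_from_purl(purl, version=None):
    """Build the OSV /v1/query body from a purl; an explicit version
    argument is used when the purl itself carries none."""
    type_, namespace, name, purl_version = split_purl(purl)
    ecosystem = PURL_TYPE_TO_OSV_ECOSYSTEM.get(type_)
    if ecosystem is None:
        raise ValueError("no OSV ecosystem known for purl type " + type_)
    if type_ == "maven":
        # Maven purls put the group ID in the namespace (separated by '/'),
        # while the OSV package name is assumed to be groupId:artifactId.
        if namespace is None:
            raise ValueError("Maven purl needs a group ID namespace: " + purl)
        pkg_name = namespace + ":" + name
    elif namespace:
        pkg_name = namespace + "/" + name   # e.g. Go module paths, npm scopes
    else:
        pkg_name = name
    body = {"package": {"name": pkg_name, "ecosystem": ecosystem}}
    if purl_version or version:
        body["version"] = purl_version or version
    return body
```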
That is correct. But if PURL is supported in the API query, then it can be easily integrated with other open source tools like OWASP Dependency-Track and nexB VulnerableCode.
We support PURL API requests now:
But @VinodAnandan pointed out that we don't support package URLs with versions in them, e.g. "pkg:maven/org.apache.struts:[email protected]". Re-opening to consider this feature.
First, thank you for implementing PURL support! 🚀 In addition to the missing version though, the PURL syntax isn't quite right yet either (for Maven packages). PURL is defined as:
For the
Currently, the following does not yield any results:
$ curl -X POST -d '{"package": {"purl": "pkg:maven/org.apache.struts/struts2-core"}, "version": "2.0.14"}' https://api.osv.dev/v1/query
PURL uses '/' as a separator between group ID and artifact ID. Part of #64.
Thanks for pointing that out @nscuro. I have a PR out and this should be fixed shortly. Querying by PURLs that have versions in them will also come shortly.
Thank you @oliverchang !!
Support for identifying packages with a package URL would be nice, and it would make integration with other toolchains easy.
https://github.com/package-url/purl-spec