Python purl URLs seem incorrect, some examples don't work (#627)
Comments
@unchris do you see
@unchris thanks for sharing more details on your side. @jovel & co. Dependency Graph detects the package
(Unassigning myself, do not have cycles atm, might be able to pick up later this week)
@unchris Upon further investigation I realized that the version must be specified if we want to get a PURL back from the API. I created a sample PR here: future-funk/bug-free-adventure#1
As you can see, the returned PURL is properly scoped to Without a version number it's impossible to know if a set of vulnerabilities applies. I would recommend including the Please re-open if I missed anything!
@febuiles Thanks for this, when I use a version number in the The original PR that I used did also submit the As for what's missed: basically just doc and test changes I'd guess? The code search in my initial comment shows a number of places where the PURL is showing Thanks again for your help!
Ooof, thanks for this callout, I misinterpreted the original comment. I've merged this PR to fix this issue.
If you can reproduce this in a public repo I'd be happy to take a look into it.
No need - it looks like among the many variations I tested, every one of them had a mistake:
When I use Thanks again for all your help!
Across this repo, the examples for Python PURLs use `pkg:pip`, but the purl-spec says it should be `pkg:pypi`. Here's a code search showing all the instances of this.
I've been trying to use this action in a new workflow to deny, for example, `pycrypto`, which is one of the examples in the `action.yml` among other places:

I've tried a number of variants but none of them blocks pycrypto. After adding debug logging though, I found this is because the `pycrypto` purl is blank in the run:

Here's one it gets right:

Even weirder is what it comes up with for `python` itself:

This is in a `pyproject.toml`-based project using `poetry`. Here's the dependency section for completeness:

(The weird set of dependencies was chosen specifically to trigger warnings; this project exists to test GitHub Advanced Security and related tooling like this dependency review action 😂)