PURLs not resolving properly when enriching a CycloneDX SBOM with ecosyste.ms #34
Comments
ninjamast3r added a commit to ninjamast3r/parlay that referenced this issue on Jul 27, 2023

garethr pushed a commit that referenced this issue on Aug 13, 2023

garethr pushed a commit that referenced this issue on Aug 18, 2023
Thanks for reporting and helping to fix, just to say this is available now in the latest 0.2.0 release 🙇 Enriched version of the sample you provided:

```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64",
  "version": 1,
  "components": [
    {
      "type": "library",
      "supplier": {"name": "Masterminds"},
      "author": "Masterminds",
      "name": "github.com/Masterminds/semver",
      "version": "v1.5.0",
      "description": "Package semver provides the ability to work with Semantic Versions (http://semver.org) in Go.\n\nSpecifically it provides the ability to:\n\nTo parse a semantic version use the `NewVersion` function. For example,\n\nIf there is an error the version wasn't parseable. The version object has methods\nto get the parts of the version, compare it to other versions, convert the\nversion back into a string, and get the original string. For more details\nplease see the documentation at https://godoc.org/github.com/Masterminds/semver.\n\nA set of versions can be sorted using the `sort` package from the standard library.\nFor example,\n\nChecking a version against version constraints is one of the most featureful\nparts of the package.\n\nThere are two elements to the comparisons. First, a comparison string is a list\nof comma separated and comparisons. These are then separated by || separated or\ncomparisons. For example, `\"\u003e= 1.2, \u003c 3.0.0 || \u003e= 4.2.3\"` is looking for a\ncomparison that's greater than or equal to 1.2 and less than 3.0.0 or is\ngreater than or equal to 4.2.3.\n\nThe basic comparisons are:\n\nThere are multiple methods to handle ranges and the first is hyphens ranges.\nThese look like:\n\nThe `x`, `X`, and `*` characters can be used as a wildcard character. This works\nfor all comparison operators. When used on the `=` operator it falls\nback to the pack level comparison (see tilde below). For example,\n\nTilde Range Comparisons (Patch)\n\nThe tilde (`~`) comparison operator is for patch level ranges when a minor\nversion is specified and major level changes when the minor number is missing.\nFor example,\n\nCaret Range Comparisons (Major)\n\nThe caret (`^`) comparison operator is for major level changes. This is useful\nwhen comparisons of API versions as a major change is API breaking. For example,",
      "licenses": [{"expression": "MIT"}],
      "purl": "pkg:golang/github.com/Masterminds/semver@v1.5.0",
      "externalReferences": [
        {"url": "https://github.com/masterminds/semver", "type": "website"},
        {"url": "https://pkg.go.dev/github.com/masterminds/semver", "type": "distribution"},
        {"url": "https://github.com/masterminds/semver", "type": "vcs"},
        {"url": "https://pkg.go.dev/github.com/masterminds/semver#section-documentation", "type": "documentation"}
      ],
      "properties": [
        {"name": "ecosystems:first_release_published_at", "value": "2016-06-30T14:46:44Z"},
        {"name": "ecosystems:latest_release_published_at", "value": "2019-09-11T18:23:18Z"},
        {"name": "ecosystems:topic", "value": "caret"},
        {"name": "ecosystems:topic", "value": "comparison"},
        {"name": "ecosystems:topic", "value": "constraints"},
        {"name": "ecosystems:topic", "value": "go"},
        {"name": "ecosystems:topic", "value": "golang"},
        {"name": "ecosystems:topic", "value": "semantic-versions"},
        {"name": "ecosystems:topic", "value": "semver"},
        {"name": "ecosystems:topic", "value": "tilde"}
      ]
    }
  ]
}
```
I have a minimal CycloneDX 1.4 SBOM that I'm trying to enrich:

If I run it through parlay I get exactly what I put in:

The issue occurs in this function, which tries to split the namespace and name. Because of how packageurl formats from strings as it does here, this causes the `purl.Namespace != ""` condition to be hit, making the purl actually requested from the sbom `pkg:golang/github.com/Masterminds:semver@v1.5.0`, which fails to resolve. If I force the purl to `pkg:golang/github.com/Masterminds/semver@v1.5.0` enrichment works properly.
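As an added illustration of the namespace/name split described in the report (this is not parlay's or packageurl-go's own code), the following Go snippet uses a constructed stand-in for `packageurl.FromString`, then builds the lookup key both the buggy way (`:` between namespace and name) and the corrected way (`/`), so the round-trip failure can be checked offline for any purl, with or without a namespace:

```go
package main

import (
	"fmt"
	"strings"
)

// PURL holds the purl parts that matter for an ecosyste.ms lookup.
type PURL struct{ Type, Namespace, Name, Version string }

// Parse splits "pkg:type/namespace/name@version" like packageurl-go does: the
// last path segment is the name, everything before it is the namespace. This
// is a constructed stand-in for packageurl.FromString (no qualifier/subpath support).
func Parse(s string) (PURL, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return PURL{}, fmt.Errorf("not a purl: %q", s)
	}
	rest := strings.TrimPrefix(s, "pkg:")
	var p PURL
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version, rest = rest[i+1:], rest[:i]
	}
	segs := strings.Split(strings.Trim(rest, "/"), "/")
	if len(segs) < 2 {
		return PURL{}, fmt.Errorf("purl needs a type and a name: %q", s)
	}
	p.Type, p.Name = segs[0], segs[len(segs)-1]
	p.Namespace = strings.Join(segs[1:len(segs)-1], "/")
	return p, nil
}

// BuggyLookupKey reproduces the bug from the issue: with a namespace present,
// namespace and name are glued back together with ':' instead of '/'.
func BuggyLookupKey(p PURL) string {
	if p.Namespace != "" {
		return fmt.Sprintf("pkg:%s/%s:%s@%s", p.Type, p.Namespace, p.Name, p.Version)
	}
	return fmt.Sprintf("pkg:%s/%s@%s", p.Type, p.Name, p.Version)
}

// FixedLookupKey rebuilds the path with '/', so the key round-trips to the original purl.
func FixedLookupKey(p PURL) string {
	path := strings.TrimPrefix(p.Namespace+"/"+p.Name, "/")
	return fmt.Sprintf("pkg:%s/%s@%s", p.Type, path, p.Version)
}

func main() {
	p, _ := Parse("pkg:golang/github.com/Masterminds/semver@v1.5.0")
	fmt.Println(BuggyLookupKey(p), FixedLookupKey(p))
}
```

A quick regression check for an enricher is `FixedLookupKey(p) == original` for every component purl in the SBOM before the request leaves the process.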