Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistency in packageurl-go for docker and OCI PURLs #635

Closed
pxp928 opened this issue Mar 27, 2023 · 1 comment · Fixed by #1444
Closed

Inconsistency in packageurl-go for docker and OCI PURLs #635

pxp928 opened this issue Mar 27, 2023 · 1 comment · Fixed by #1444

Comments

@pxp928
Copy link
Collaborator

pxp928 commented Mar 27, 2023
edited
Loading

Docker and OCI PURLs are potentially not well specified due to the namespace indicating it may contain a registry but the use of repository_url in the examples. In addition, the versions used in the examples use tags and potentially indicate truncated hashes.

There is an issue converting the purl into a graphQL package node and the package node back to a purl.

See purl_test.go for examples of these inconsistencies in the unit tests as well as comments

There is also an issue of url path escapes:
Example Purl: pkg:generic/openssl@1.1.10g?download_url=https:%2F%2Fopenssl.org%2Fsource%2Fopenssl-1.1.0g.tar.gz&checksum=sha256:de4d501267da

Need to determine how this affects OCI certifier and potentially deps.dev queries?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump github.com/google/osv-scanner from 1.4.1 to 1.4.2 guacsec/guac
1 participant
@pxp928