
PURL output isn't correctly separating namespace and name for NPM (maybe more) #131

Open
brphelps opened this issue Jun 21, 2022 · 0 comments
Labels
detector:pip The pip detector status:ready Ready to start implementation type:bug Bug fix of existing functionality

Comments

@brphelps

An example of the ScanManifest.json contents for an NPM package:

```json
"component": {
  "name": "@types/prop-types",
  "version": "15.7.4",
  "hash": null,
  "author": null,
  "type": "Npm",
  "id": "@types/prop-types 15.7.4 - Npm",
  "packageUrl": {
    "Scheme": "pkg",
    "Type": "npm",
    "Namespace": null,
    "Name": "@types/prop-types",
    "Version": "15.7.4",
    "Qualifiers": null,
    "Subpath": null
  }
},
```

It looks like the tool is not aligning with the PURL spec definition of how namespaces should be decomposed in NPM packages (defined as the scope component).

It appears this would be relatively simple code in the NpmComponent -- Instead of passing along NPM's concept of name into the name property and ignoring whitespace, a simple split (taking the last segment as the name and the former X segments, escaped and joined with /) could provide the Namespace.

It also seems possible other ecosystems are not correctly utilizing namespace in PURL, but I haven't looked much into it.
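The scope-to-namespace split the issue describes, as an added example that is not part of the project's code: it takes the npm name from the manifest above, moves the scope (with its leading `@`) into the PURL namespace, and percent-encodes each path segment separately so `@types/prop-types` renders as `pkg:npm/%40types/prop-types@15.7.4`. `split_npm_name`, `build_purl` and `npm_purl` are names chosen here, not Component Detection APIs.

```python
from typing import Optional, Tuple
from urllib.parse import quote


def split_npm_name(npm_name: str) -> Tuple[Optional[str], str]:
    """Decompose an npm package name into (namespace, name) per the PURL spec.

    For npm the namespace is the scope, '@' included; unscoped packages
    have no namespace at all.
    """
    if npm_name.startswith("@") and "/" in npm_name:
        scope, name = npm_name.split("/", 1)
        return scope, name
    return None, npm_name


def _encode_segment(segment: str) -> str:
    # Each namespace/name segment is percent-encoded on its own, so '@'
    # becomes %40 and cannot be confused with the version separator, while
    # the '/' between namespace and name stays a literal path separator.
    return quote(segment, safe="")


def build_purl(ptype: str, namespace: Optional[str], name: str,
               version: Optional[str] = None) -> str:
    """Assemble pkg:<type>/<namespace>/<name>@<version> from its parts."""
    parts = [ptype]
    if namespace:
        parts.extend(_encode_segment(s) for s in namespace.split("/"))
    parts.append(_encode_segment(name))
    purl = "pkg:" + "/".join(parts)
    if version:
        purl += "@" + _encode_segment(version)
    return purl


def npm_purl(npm_name: str, version: Optional[str] = None) -> str:
    """PURL for an npm package, with the scope carried as the namespace."""
    namespace, name = split_npm_name(npm_name)
    return build_purl("npm", namespace, name, version)


def npm_purl_unsplit(npm_name: str, version: Optional[str] = None) -> str:
    """What the manifest above currently implies: whole name, no namespace.

    The '/' inside the scoped name is then encoded as %2F, producing a
    single mangled name segment instead of namespace + name.
    """
    return build_purl("npm", None, npm_name, version)
```

Running `npm_purl_unsplit("@types/prop-types", "15.7.4")` shows the mangled form, `pkg:npm/%40types%2Fprop-types@15.7.4`, next to the spec-conforming one from `npm_purl`.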

@cobya cobya added type:bug Bug fix of existing functionality detector:pip The pip detector status:ready Ready to start implementation labels Jun 27, 2022