Replace qualifier with optional namespace for local packages #612
Comments
There was a lot of discussion around this in the PR that implemented this a while ago. https://cyclonedx.slack.com/archives/CVA0G10FN/p1698795100019359 I'm happy to reopen the discussion but I'm probably not the correct person to hold it as I lost track. We should bring the conclusion back here.
I am new to purl and sbom, so it is possible that I am not understanding this correctly.
From: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
If I have a local package, the current output is like this:
pkg:cargo/<name_of_package>@<version>?download_url=file%3A%2F%2F.
The file://. is kind of useless and is not actually a download URL. These packages are proprietary and not available for direct download. Therefore, I propose the following:
pkg:cargo/<optional_namespace>/<name_of_package>@<version>
subpath remains untouched. I have implemented this by providing a CLI override argument --local-namespace=, which replaces source=None with Some(NormalizedString::new(format!("local+{}", namespace))); in the cargo metadata output and parses it accordingly in purl.rs.
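As an added illustration (not part of the original post and not the project's code), this Rust sketch contrasts the current purl for a source-less package with the proposed namespaced form. The function names, the sample namespace `acme/internal tools`, the segment validation and the choice to emit no namespace when no override is given are assumptions.

```rust
// Added illustration: every name below is hypothetical, not the project's code.

/// Percent-encode a purl component, keeping only unreserved characters.
fn encode(s: &str) -> String {
    s.bytes()
        .map(|b| match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
            _ => format!("%{:02X}", b),
        })
        .collect()
}

/// Mirrors the override step in the post: a missing source becomes "local+<namespace>".
fn apply_override(source: Option<String>, local_namespace: Option<&str>) -> Option<String> {
    match (source, local_namespace) {
        (None, Some(ns)) => Some(format!("local+{}", ns)),
        (source, _) => source,
    }
}

/// Current output for a package without a source, as quoted in the issue.
fn purl_current(name: &str, version: &str) -> String {
    format!("pkg:cargo/{}@{}?download_url={}", encode(name), encode(version), encode("file://."))
}

/// Proposed output: the "local+" source is parsed back into a purl namespace.
fn purl_proposed(name: &str, version: &str, source: Option<&str>) -> Result<String, String> {
    let mut purl = String::from("pkg:cargo/");
    if let Some(ns) = source.and_then(|s| s.strip_prefix("local+")) {
        for segment in ns.split('/') {
            // Empty, "." and ".." segments would yield an ambiguous or malformed path.
            if segment.is_empty() || segment == "." || segment == ".." {
                return Err(format!("invalid namespace segment in {:?}", ns));
            }
            purl.push_str(&encode(segment));
            purl.push('/');
        }
    }
    purl.push_str(&format!("{}@{}", encode(name), encode(version)));
    Ok(purl)
}

fn main() {
    let source = apply_override(None, Some("acme/internal tools")); // constructed sample
    println!("{}", purl_current("my-crate", "0.1.0"));
    println!("{:?}", purl_proposed("my-crate", "0.1.0", source.as_deref()));
}
```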