Replace qualifier with optional namespace for local packages #612
Comments
|
There was a lot of discussion around this in the PR that implemented this a while ago. https://cyclonedx.slack.com/archives/CVA0G10FN/p1698795100019359 I'm happy to reopen the discussion but I'm probably not the correct person to hold it as I lost track. We should bring the conclusion back here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am new to purl and sbom, so it is possible that I am not understanding this correctly.
From: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
If I have a local package, the current output is like this:
pkg:cargo/<name_of_package>@<version>?download_url=file%3A%2F%2F.The file://. is kindof useless and is not actually a download url. These packages are proprietary and not available for direct download. Therefor, I propose the following:
pkg:cargo/<optional_namespace>/<name_of_package>@<version>subpath remains untouched.I have implemented by providing an cli override argument --local-namespace=, which replaces source=None with Some(NormalizedString::new(format!("local+{}", namespace))); in the cargo metadata output and parses it accordingly in purl.rs.
The text was updated successfully, but these errors were encountered: