purl-spec
Default maven repository
The default maven repository got changed as per this issue.
While working on a PR, I noticed that the Remote Repository reported by maven was https://repo1.maven.org/maven2/.
Am I correct in assuming that this repository MUST get added to the purl as repository_url as per the current specification?
Some examples:
pkg:maven/com.github.javaparser/[email protected]?type=jar&repository_url=https%3A%2F%2Frepo1.maven.org%2Fmaven2%2F
pkg:maven/org.codehaus.groovy/[email protected]?type=jar&repository_url=https%3A%2F%2Frepo1.maven.org%2Fmaven2%2F
pkg:maven/org.codehaus.groovy/[email protected]?type=jar&repository_url=https%3A%2F%2Frepo1.maven.org%2Fmaven2%2F
A similar thing happened with Python in #250. It makes a mess because these repository URLs are supposed to be equivalent, but how are you supposed to know when building or comparing PURLs?
The consumer of purls could maintain a database of aliases and perform the matching. I think the spec could have less opinion. For example, purl doesn't have to assume any default repository and allow tools to always form the full values including the repository url.
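The two comments above raise the practical problem: a purl that names the repository explicitly and one that relies on the type's default can refer to the same artifact, and a consumer comparing them needs an alias table to notice. The following is an added example written for this thread, not code from the purl-spec project or from any of the commenters. It parses a purl, resolves the repository through an assumed default and an assumed alias table (the alias set, the default repository per type, and the artifact versions are all constructed for illustration, not values taken from the specification), and compares two purls on the normalized result.

```python
"""Compare purls whose repository_url qualifiers name the same repository
under different aliases, or omit it and rely on the type's default.

Constructed example for this discussion; not code from purl-spec. The alias
table, default repository and sample versions are assumptions, not spec values.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: both hosts are treated as one Maven Central repository and the
# right-hand side is the canonical form used for comparison.
MAVEN_CENTRAL = "https://repo.maven.apache.org/maven2"
REPO_ALIASES = {
    "maven": {
        "https://repo1.maven.org/maven2": MAVEN_CENTRAL,
        "https://repo.maven.apache.org/maven2": MAVEN_CENTRAL,
    },
}
# Assumption: the repository implied when no repository_url qualifier is given.
DEFAULT_REPO = {"maven": MAVEN_CENTRAL}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        # parse_qsl percent-decodes values, so an encoded repository_url comes
        # back as a plain URL; qualifier keys are case-insensitive.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if value:  # an empty qualifier carries no information
                qualifiers[key.lower()] = value
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = rest.split("/")
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def normalize_repo_url(url):
    """Lower-case scheme and host and drop trailing slashes, so
    https://repo1.maven.org/maven2/ and https://repo1.maven.org/maven2 compare equal."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return url.strip().rstrip("/").lower()
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))


def canonical_repo(ptype, qualifiers):
    """Resolve the repository a purl refers to: explicit qualifier, else the
    type's default; then collapse known aliases to one canonical URL."""
    url = qualifiers.get("repository_url") or DEFAULT_REPO.get(ptype)
    if url is None:
        return None
    url = normalize_repo_url(url)
    return REPO_ALIASES.get(ptype, {}).get(url, url)


def comparison_key(purl):
    """Everything that must match for two purls to name the same artifact."""
    p = parse_purl(purl)
    quals = dict(p["qualifiers"])
    repo = canonical_repo(p["type"], quals)
    if repo is not None:
        quals["repository_url"] = repo
    return (p["type"], p["namespace"], p["name"], p["version"],
            tuple(sorted(quals.items())), p["subpath"])


def same_package(purl_a, purl_b):
    return comparison_key(purl_a) == comparison_key(purl_b)


# Constructed sample purls; the version 3.0.9 is made up for the example.
EXPLICIT = ("pkg:maven/org.codehaus.groovy/groovy@3.0.9?type=jar"
            "&repository_url=https%3A%2F%2Frepo1.maven.org%2Fmaven2%2F")
IMPLICIT = "pkg:maven/org.codehaus.groovy/groovy@3.0.9?type=jar"
MIRROR = ("pkg:maven/org.codehaus.groovy/groovy@3.0.9?type=jar"
          "&repository_url=https%3A%2F%2Fmirror.example%2Fmaven2")

if __name__ == "__main__":
    print(same_package(EXPLICIT, IMPLICIT))  # alias of the default repository
    print(same_package(EXPLICIT, MIRROR))    # a genuinely different repository
```

Note that the alias table is the consumer's opinion, exactly as the last comment suggests: if the spec stopped implying a default repository, `DEFAULT_REPO` would go away and every producer would have to emit `repository_url`, but the alias problem between repo1.maven.org and repo.maven.apache.org would remain on the consumer's side.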