
Investigate if custom registries should result in purls with a different type from "cargo"

Open amy-keibler opened this issue 3 years ago • 1 comments

From #226's:

  1. Is the purl standardized for Rust somewhere in the spec? What should the purl be for crates not distributed via crates.io?

The purl specification does not indicate a required type specific to Rust, beyond

type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.

Investigate what other CycloneDX tools are doing, particularly if they support private repositories. Rust supports private registries and indicates at a per-dependency level what registry it comes from, so we should be able to access this information if we want to use that as the purl's type for a dependency component and the [package]'s publish list for the package's component.

amy-keibler, Aug 21 '22 03:08

There is a dedicated qualifier for this:

repository_url is an extra URL for an alternative, non-default package repository or registry.

Source: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs

This is what is used in #523.

Shnatsel, Nov 03 '23 00:11
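An added example (not code from cyclonedx-rust-cargo or from either commenter) of the approach described in the thread: keep the `cargo` type and attach the purl `repository_url` qualifier only when a dependency's Cargo `source` points at a registry other than crates.io. It assumes the `source` strings Cargo writes for crates.io (git and sparse index), that the qualifier value is the index URL with Cargo's `registry+`/`sparse+` prefix removed, and that `:` and `/` stay unencoded in qualifier values as in the purl spec's own examples; an SBOM consumer that matches advisories by purl needs this distinction so a private-registry crate is not confused with a same-named crates.io crate.

```rust
// Added example, not code from cyclonedx-rust-cargo: derive a purl for a
// Cargo dependency and attach the purl `repository_url` qualifier only when
// the dependency's Cargo source is a registry other than crates.io.

/// Source strings Cargo records for crates.io (git index and sparse index).
const CRATES_IO_SOURCES: [&str; 2] = [
    "registry+https://github.com/rust-lang/crates.io-index",
    "sparse+https://index.crates.io/",
];

/// Percent-encode `s`, keeping RFC 3986 unreserved characters plus any in
/// `keep` (assumption: purl qualifier values leave ':' and '/' unencoded).
fn purl_encode(s: &str, keep: &[char]) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        let c = b as char;
        if c.is_ascii_alphanumeric() || "-._~".contains(c) || keep.contains(&c) {
            out.push(c);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// If `source` names a registry other than crates.io, return its index URL
/// with Cargo's `registry+` / `sparse+` prefix removed. Git and path sources
/// yield `None`, so they receive no registry qualifier.
fn custom_registry_url(source: &str) -> Option<&str> {
    if CRATES_IO_SOURCES.contains(&source) {
        return None;
    }
    source.strip_prefix("registry+").or_else(|| source.strip_prefix("sparse+"))
}

/// Build `pkg:cargo/<name>@<version>[?repository_url=<url>]`.
/// `source` is the dependency's `source` field from `cargo metadata`;
/// `None` means a path dependency.
fn cargo_purl(name: &str, version: &str, source: Option<&str>) -> String {
    let mut purl = format!("pkg:cargo/{}@{}", purl_encode(name, &[]), purl_encode(version, &[]));
    if let Some(url) = source.and_then(custom_registry_url) {
        purl.push_str("?repository_url=");
        purl.push_str(&purl_encode(url, &[':', '/']));
    }
    purl
}

fn main() {
    // Constructed inputs: one crates.io dependency, one from a private registry.
    println!("{}", cargo_purl("serde", "1.0.188", Some(CRATES_IO_SOURCES[0])));
    println!("{}", cargo_purl("internal-auth", "0.3.1", Some("registry+https://crates.example.internal/index")));
}
```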