Construction of an Inferred URL for a Package is dropping the plus sign

[DennisClark]

Adding the Package available at https://github.com/facebook/sapling/archive/refs/tags/0.2.20240718-145624+f4e9df48.tar.gz to DejaCode is generally successful, but there is a problem with the Inferred URL:

Package URL: pkg:github/facebook/[email protected]%20f4e9df48 Filename: sapling-0.2.20240718-145624-f4e9df48.tar.gz Download URL: https://github.com/facebook/sapling/archive/refs/tags/0.2.20240718-145624+f4e9df48.tar.gz Inferred URL: https://github.com/facebook/sapling/tree/0.2.20240718-145624 f4e9df48

Note that the Inferred URL has a gap (space) where there ought to be a + (plus) sign. If you click on it in the DejaCode user UI you get a 404. If you copy the whole thing, and edit it to restore the + then you get the intended repo page.

[OmkarPh]

In this draft PR - https://github.com/package-url/packageurl-python/pull/174, for now I've updated only the purl2url for github

Similar to this, golang pypi cargo etc also use version (which has potential spaces) from the purl_data to form inferred URL, If @tdruez is not working on the issue already, i can update those too

[OmkarPh]

Also, if we try to add package using purl - pkg:github/facebook/[email protected]%20f4e9df48 it resolves to incorrect download URL with a space instead of +

I've fixed this too in the PR

[DennisClark]

@OmkarPh thanks for working on this; we'll try to get it reviewed soon.