guac icon indicating copy to clipboard operation
guac copied to clipboard

Published 20 hours ago verified publisher icon guacsec

[feature] Implement collector for ClearlyDefined

Open funnelfiasco opened this issue 1 year ago • 5 comments

Implementing a portion of #1014, let's implement a GUAC collector for license data from ClearlyDefined as described in https://docs.google.com/document/d/1NmLlU5wuP2X9CK7QCWZkkOciNn1QFLKQCFCW9CEI8HQ/edit#heading=h.q8v64s9nqno

This will allow GUAC users to include license-related information, which can be helpful for spotting compliance risks.

funnelfiasco avatar Jun 12 '24 20:06 funnelfiasco

Thanks @funnelfiasco, I'll be sharing this initiative with the ClearlyDefined community!

nickvidal avatar Jun 13 '24 12:06 nickvidal

I have started work on this issue. Thanks to @nickvidal and the community for providing guidance on how to map between purl and coordinates used by clearlyDefined.

Examples below illustrate coordinates for each of the following purl type supported.  In general, the following holds true:
purl Type = type coordinate
purl namespace = namespace coordinate
purl name = name coordinate
purl version = revision coordinate

There are some exceptions however, which are provided in the notes below.  

cocoapods https://cdn.cocoapods.org/.
-> pod (coordinate)
e.g. pod/cocoapods/-/SoftButton/0.1.0
	
cargo https://crates.io/.
-> crate (coordinate)
e.g. crate/cratesio/-/bitflags/1.0.4

composer https://packagist.org.
-> composer (coordinate)
e.g. composer/packagist/symfony/polyfill-mbstring/1.11.0

conda https://repo.anaconda.com.
-> conda (coordinate)
e.g. conda/conda-forge/linux-aarch64/numpy/1.16.6-py36hdc1b780_0
notes:
channel -> provider coordinate
	3 providers: anaconda-main, anaconda-r, conda-forge
subdir -> namespace coordinate
version-build -> revision coordinate
e.g.
pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2
-> conda/anaconda-main/linux-64/absl-py0.4.1-py36h06a4308_0

deb
-> deb (coordinate)
e.g. deb/debian/-/mini-httpd/1.30-0.2_arm64
notes:
1.
version_architecture -> revision coordinate
2.
source package:
debsrc/debian/-/mini-httpd/1.30-0.2


gem https://rubygems.org.
-> gem (coordinate)
e.g. gem/rubygems/-/sorbet/0.5.11226

github https://github.com.
-> git/github (coordinate type/provider)
e.g. git/github/ratatui-org/ratatui/bcf43688ec4a13825307aef88f3cdcd007b32641

golang for Go packages:
-> go (coordinate)
e.g. go/golang/rsc.io/quote/v1.3.0
name is url encoded.

maven https://repo.maven.apache.org/maven2.
-> maven (coordinate)
three providers: mavencentral, mavengoogle and gradleplugin
e.g. 
maven/mavencentral/org.apache.httpcomponents/httpcore/4.3
maven/mavengoogle/android.arch.lifecycle/common/1.0.1
maven/gradleplugin/io.github.lognet/grpc-spring-boot-starter-gradle-plugin/4.6.0
note:
source component:
sourcearchive/mavencentral/org.apache.httpcomponents/httpcore/4.3

npm 
-> npm (coordinate)
e.g. npm/npmjs/-/redis/0.1.0
namespace is used for scope

nuget: https://www.nuget.org.
-> nuget (coordinate)
e.g. nuget/nuget/-/xunit.core/2.4.1

pypi https://pypi.org
-> pypi (coordinate)
e.g. pypi/pypi/-/backports.ssl_match_hostname/3.7.0.1

pxp928 avatar Jul 08 '24 13:07 pxp928

Thank you @pxp928 and @qtomlinson!

nickvidal avatar Jul 10 '24 15:07 nickvidal

e.g. pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2 -> conda/anaconda-main/linux-64/absl-py0.4.1-py36h06a4308_0

correction: -> conda/anaconda-main/linux-64/absl-py/0.4.1-py36h06a4308_0

qtomlinson avatar Jul 10 '24 15:07 qtomlinson

I've published the coordinates and purl type mapping to our documentation:

https://docs.clearlydefined.io/docs/resources/coordinates

nickvidal avatar Jul 11 '24 16:07 nickvidal