packageurl-python
Python implementation of the package url spec. This project is sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, the Google Summer of Code, nexB and other generous sponsors...
I don't have a Proof of Concept yet, but to me it seems that the following pieces of code:

```python
"https?://registry.npmjs.*/.*",
"https?://(www\\.)?npmjs.*/package.*",
"https?://.+python.+org/(packages|project)/.*",
nuget_www_pattern = r"^https?://.*nuget.org/(api/v2/)?packages?/(?P.+)/(?P.+)$"
@purl_router.route("https?://.*sourceforge.net/projects?/.*")
```

could accidentally...
In this [code blob](https://github.com/package-url/packageurl-python/blob/0d3336804ce6dac59975c8c170d4015149442a93/src/packageurl/__init__.py#L141-L173), seems PyPI purls have `_` replaced with `-` in the name field. This is likely to align with the purlspec: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#pypi However, the wording here gives...
The from_string() method does not parse purls with dependencies specified properly. Steps to recreate:

- Parse: `pkg:npm/@promster/[email protected]([email protected])([email protected])`
- Will return: `{'type': 'npm', 'namespace': '@promster', 'name': '[email protected]([email protected])(typescript', 'version': '4.9.4)', 'qualifiers': None,...
The PURL test suite contains an invalid PURL `pkg:swift/github.com/Alamofire/@5.4.3` which is supposed to fail parsing because it has no name. packageurl-python parses the PURL as having namespace `github.com` and name...
This should include RHEL, Fedora, SUSE, CentOS and Rocky Linux/CIQ

-----

> @pombredanne http://dl.rockylinux.org/vault/centos/8.5.2111/AppStream/x86_64/kickstart/Packages/dejavu-lgc-sans-fonts-2.35-7.el8.noarch.rpm yields this PURL: pkg:generic/dejavu-lgc-sans-fonts-2.35-7.el8.noarch.rpm It should instead return a proper RPM PURL.

> @tdruez ``` from...
To make sharing purls easy, I've deployed https://purl.fyi/; appending the purl to this domain redirects to the relevant package homepage. E.g.: https://purl.fyi/pkg:pypi/[email protected] The support for purls is not heavy and...
This is for #118
purl_to_lookups in django/utils.py returns the purl fields that have values. It would be nice to have an option for it to return all purl fields, even if the field was...
```python
>>> from packageurl.contrib import purl2url
>>> purl2url.get_repo_url("pkg:golang/xorm.io/[email protected]")
>>> purl2url.get_download_url("pkg:golang/xorm.io/[email protected]")
>>> purl2url.get_repo_url("pkg:golang/gopkg.in/[email protected]")
>>> purl2url.get_download_url("pkg:golang/gopkg.in/[email protected]")
>>> purl2url.get_repo_url("pkg:alpine/[email protected]?arch=x86_64&upstream=zlib&distro=alpine-3.14.3")
>>> purl2url.get_download_url("pkg:alpine/[email protected]?arch=x86_64&upstream=zlib&distro=alpine-3.14.3")
```

get_repo_url and get_download_url give no result for the PURLs above. Why?
A very basic implementation for golang support. Supports most of the golang purls that I tested with, but not perfect.