packageurl-python
Python implementation of the package url spec. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, the Google Summer of Code, nexB and other generous sponsors...
This PR adds the oci purl type to the url2purl functionality, allowing resolution of URLs such as **oci://localhost:5000/helm-charts/mychart**.
This is a fix for https://github.com/package-url/packageurl-python/issues/155
* Added the known_purl_type based on the spec
* Added code to validate the package type
* Corrected test data as `pkg:rubygems` and `pkg:alpine`...
See also:
- https://github.com/aboutcode-org/dejacode/issues/153
@mprpic reported some possible inconsistencies between the latest spec and this library. Some examples:
```
Out[4]: PackageURL(type='maven', namespace='org.apache.commons', name='io', version='1.3.4', qualifiers={'repository_url': 'https://example.repo.io/commons'}, subpath=None)
In [5]: p.to_string()
Out[5]: 'pkg:maven/org.apache.commons/io@1.3.4?repository_url=https://example.repo.io/commons'
```
......
Fixes https://github.com/aboutcode-org/dejacode/issues/181
Hi there! While packaging packageurl-python for Debian, I am getting this warning:
```
dh clean --buildsystem=pybuild
   dh_auto_clean -O--buildsystem=pybuild
I: pybuild base:311: python3.13 setup.py clean
/usr/lib/python3/dist-packages/setuptools/dist.py:493: SetuptoolsDeprecationWarning: Invalid dash-separated options
!!
```
...
According to the types, double colons (::) are valid for CPAN purls; however, the parsing method in `from_string` does not handle that properly. It throws a 'URL Authority component' error.
This is problematic:
```
>>> P.from_string("pkg:pypi/foo:[email protected]")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/tmp/purl/venv/lib/python3.10/site-packages/packageurl/__init__.py", line 508, in from_string
    raise ValueError(msg)
ValueError: Invalid purl 'pkg:pypi/foo:[email protected]' cannot contain...
```
See https://github.com/supplyshield/supplyshield/blob/7bc6e77e3ea830931fd6eac041a6100b10ca3d19/libinv/blast_radius/cdx.py#L38
```
def minify_package_url(package):
    return package.split("/")[-1].replace("?type=jar", "")
```
This is a maven PURL derived from a tool TBD that adds an extraneous "?type=jar", which is the default for maven...