feat: add language qualifier for multi-language package managers

Open cpendery opened this issue 2 years ago • 5 comments

📝 Description

This adds a language qualifier to the purls for package managers where the packages can be written in multiple different source codes, in order to allow for the identification of the package's language.

Related to:

  • https://github.com/anchore/syft/pull/1083
  • https://github.com/anchore/syft/pull/1081
  • https://github.com/anchore/syft/pull/1073

cpendery avatar Jul 02 '22 16:07 cpendery

@stevespringett for input

bureado avatar Jul 06 '22 01:07 bureado

Also see #168 appearing to introduce arbitrary qualifiers for conan.

bureado avatar Jul 06 '22 16:07 bureado

Can there ever be a package which contains source code written in two or more languages?

Yes. Occurs in Maven Central where a project may have a combination of Java, Scala, and Kotlin source languages. These projects will also have XML or Groovy depending on the build system used (Maven uses XML, Gradle uses Groovy). Maven projects can also include "resources" which will typically consist of key/value properties, XML and JSON configuration, but technically, any language can be included there. Any application that has a dependency on Mozilla Rhino, for example, would also typically include JavaScript in one or more of the dependencies as well. Same thing for any of the other libraries that allow the execution of non-native languages on the JVM.

Will also occur with npm where both JavaScript and TypeScript are used. npm also allows arbitrary scripts to run when installing by default. These scripts could be Bash, PowerShell, etc., which would be yet another language.

stevespringett avatar Jul 06 '22 17:07 stevespringett

One additional point on Maven, which may well be true for others as well: if the Maven type is war (web archive), then you can expect either Java, Scala, or Kotlin source languages for the backend, and HTML, CSS, and JavaScript for the frontend, all in a single package.

stevespringett avatar Jul 06 '22 18:07 stevespringett

  1. Looks like there's a fixed set of languages suggested for these package managers, is there an authoritative source for those? (For futureproofing purposes)

I don't know of any fixed set for these package managers, so it may be better to have a naming convention for these fields so the spec doesn't need to change if support for a new language gets added. I think lowercased snake case, where characters should not require HTML encoding (thinking of cpp vs c%2b%2b), which seems to follow purl-spec convention. This would yield: objective_c, c, cpp, elixir, swift, erlang.

cpendery avatar Jul 06 '22 18:07 cpendery
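A small illustration of the convention proposed in the comment above (lowercase snake_case values that never need percent-encoding, added as a `language` qualifier), written as an added example that is not part of this thread or of the purl-spec project. The alias table, the `needs_encoding` check and the sample purls are constructed for the example and are not taken from the spec.

```python
import re
from urllib.parse import quote

# Convention from the thread: lowercase snake_case, restricted to characters
# that never need percent-encoding inside a purl qualifier value.
LANGUAGE_VALUE_RE = re.compile(r"^[a-z][a-z0-9_]*$")

# Constructed alias table (not from the purl spec). Names whose punctuation
# carries meaning ("C++", "C#") cannot be derived mechanically, since
# stripping the symbols would collapse them onto plain "c".
LANGUAGE_ALIASES = {
    "c++": "cpp",
    "c#": "csharp",
    "f#": "fsharp",
    "objective-c": "objective_c",
}


def normalize_language(name: str) -> str:
    """Map a human spelling such as 'Objective-C' to a convention value."""
    key = name.strip().lower()
    if key in LANGUAGE_ALIASES:
        return LANGUAGE_ALIASES[key]
    value = re.sub(r"[^a-z0-9]+", "_", key).strip("_")
    if not LANGUAGE_VALUE_RE.match(value):
        raise ValueError(f"cannot derive a language qualifier from {name!r}")
    return value


def needs_encoding(value: str) -> bool:
    """True when percent-encoding would alter the value (the c%2b%2b case)."""
    return quote(value, safe="") != value


def with_language_qualifier(purl: str, language: str) -> str:
    """Add or replace the language qualifier on a purl string.

    Qualifier keys are lowercased and emitted sorted by key, as the purl
    spec requires; an existing '#subpath' is preserved untouched.
    """
    base, _, subpath = purl.partition("#")
    core, _, query = base.partition("?")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, val = pair.partition("=")
        qualifiers[key.lower()] = val
    qualifiers["language"] = normalize_language(language)
    query = "&".join(f"{k}={v}" for k, v in sorted(qualifiers.items()))
    return core + "?" + query + ("#" + subpath if subpath else "")
```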