Invalid purls
I've found a number of records where the purls are not properly formatted.
PYSEC-2021-872 is one example. The purl in that record is pkg:pypi:distributed which is not valid (second colon should be a slash).
Here's the purl spec for reference: https://github.com/package-url/purl-spec
I have also noticed an issue regarding Debian purls: if you add `distro` to the purl, from what I've seen it is ignored. Also, `arch=source` is problematic, as it automatically disqualifies querying by a specific architecture, i.e. x86.
Example:

```json
{
  "package": {
    "purl": "pkg:deb/debian/imagemagick@8:6.9.10.23+dfsg-2.1+deb10u1?distro=debian-8"
  }
}
```

will ignore the distro query and return the vulnerabilities,
and querying

```json
{
  "package": {
    "purl": "pkg:deb/debian/imagemagick@8:6.9.10.23+dfsg-2.1+deb10u1?arch=amd64"
  }
}
```

will result in an empty object; querying with `arch=any` also yields an empty result.
This is the purl returned by OSV.
purl spec for reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
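An added example, not code from OSV or from either commenter, of checking purls against the spec's own "how to parse a purl string" steps: a stdlib-only parser that rejects the `pkg:pypi:distributed` form from the original report (a `:` where the `/` after the type must be) and shows that the Debian purls above carry their `distro` / `arch` qualifiers intact. The record list is constructed for the example, and `parse_purl` / `purl_errors` are names chosen here, not an OSV API.

```python
"""Minimal purl parser following the package-url spec's parsing steps
(https://github.com/package-url/purl-spec). Added example; not OSV code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Type component: letters, digits, '.', '+', '-' and must start with a letter.
# A ':' in here is exactly the PYSEC-2021-872 mistake (pkg:pypi:distributed).
PURL_TYPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.+-]*$")


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Parse a purl or raise ValueError naming the first spec violation."""
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"missing 'pkg:' scheme: {purl!r}")
    # Subpath: split once from the right on '#'.
    subpath = None
    if "#" in rest:
        rest, subpath = rest.rsplit("#", 1)
        subpath = unquote(subpath.strip("/"))
    # Qualifiers: split once from the right on '?', then key=value pairs on '&'.
    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, qstring = rest.rsplit("?", 1)
        for pair in qstring.split("&"):
            if not pair:
                continue
            key, eq, value = pair.partition("=")
            if not eq or not key:
                raise ValueError(f"malformed qualifier {pair!r} in {purl!r}")
            if value:  # spec: qualifiers with an empty value are dropped
                qualifiers[key.lower()] = unquote(value)
    # Type: strip leading '/', then split once from the left on '/'.
    rest = rest.lstrip("/")
    ptype, sep, rest = rest.partition("/")
    if not sep:
        raise ValueError(f"no '/' after the type (separator must be '/', not ':'): {purl!r}")
    if not PURL_TYPE_RE.match(ptype):
        raise ValueError(f"invalid type {ptype!r} in {purl!r}")
    # Version: split once from the right on '@'. A deb epoch such as '8:' stays intact.
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    # Remaining path: last segment is the name, anything before it is the namespace.
    parts = [unquote(p) for p in rest.strip("/").split("/") if p]
    if not parts:
        raise ValueError(f"missing name: {purl!r}")
    name = parts[-1]
    namespace = "/".join(parts[:-1]) or None
    return Purl(ptype.lower(), namespace, name, version, qualifiers, subpath)


def purl_errors(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (record id, purl, error) for every record whose purl fails to parse."""
    bad = []
    for rec in records:
        try:
            parse_purl(rec["purl"])
        except ValueError as exc:
            bad.append((rec["id"], rec["purl"], str(exc)))
    return bad


# Constructed sample: the malformed PYSEC-2021-872 purl from this thread beside
# two well-formed ones (EXAMPLE-OK-* ids are made up for the example).
SAMPLE_RECORDS = [
    {"id": "PYSEC-2021-872", "purl": "pkg:pypi:distributed"},
    {"id": "EXAMPLE-OK-1", "purl": "pkg:pypi/distributed"},
    {"id": "EXAMPLE-OK-2",
     "purl": "pkg:deb/debian/imagemagick@8:6.9.10.23+dfsg-2.1+deb10u1?distro=debian-8"},
]

if __name__ == "__main__":
    for rec_id, purl, err in purl_errors(SAMPLE_RECORDS):
        print(f"{rec_id}: {err}")
    deb = parse_purl(SAMPLE_RECORDS[2]["purl"])
    print(deb.type, deb.namespace, deb.name, deb.version, deb.qualifiers)
```

Whether OSV honours `distro` or `arch` when matching is a server-side question this cannot settle; the parser only confirms that such a purl is well-formed and that the qualifier is present to be acted on, which is what you would check first before reporting that a query ignores it.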
@satanshiro I'll fork your comment out into a separate issue because it's a different data source with likely very different solutions to the original issue raised here.
@gitgitwhat, were your observations limited to the Python ecosystem, or broader?
This issue has not had any activity for 60 days and will be automatically closed in two weeks.
Automatically closing stale issue.