Invalid purls

Open gitgitwhat opened this issue 2 years ago • 3 comments

I've found a number of records where the purls are not properly formatted.

PYSEC-2021-872 is one example. The purl in that record is pkg:pypi:distributed which is not valid (second colon should be a slash).

Here's the purl spec for reference: https://github.com/package-url/purl-spec

gitgitwhat avatar Apr 19 '23 13:04 gitgitwhat

I have also noticed an issue regarding Debian purls. If you add distro to the purl, then from what I've seen it is ignored. Also, arch=source is problematic, as it automatically disqualifies querying by a specific architecture, i.e. x86.

Example: "package": { "purl": "pkg:deb/debian/imagemagick@8:6.9.10.23+dfsg-2.1+deb10u1?distro=debian-8" } will ignore the distro query and return the vulnerabilities, and querying "package": { "purl": "pkg:deb/debian/imagemagick@8:6.9.10.23+dfsg-2.1+deb10u1?arch=amd64" } will result in an empty object. Querying with arch=any also yields an empty result.

This is the purl returned by OSV [image]. purl spec for reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

satanshiro avatar May 23 '23 11:05 satanshiro
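As an added example (not code from the osv.dev project or from either commenter), the Python below is a small purl parser that follows the purl-spec grammar and flags the malformed record quoted in the first comment, and that also surfaces the distro and arch qualifiers on the Debian purls in the comment above. The OSV-style record layout, the EXAMPLE-0001/0002 ids and the ecosystem-to-type mapping are constructed for the example; the only real identifier is PYSEC-2021-872 and its purl from the issue.

```python
"""Minimal Package URL (purl) parser and OSV-style record checker.

Added example, not code from the osv.dev project. The grammar follows
https://github.com/package-url/purl-spec:
    pkg:type/namespace/name@version?qualifiers#subpath
Sample records below are constructed; only PYSEC-2021-872 and its purl
come from the issue.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Parse a purl string, raising ValueError on structural errors."""
    if not purl.lower().startswith("pkg:"):
        raise ValueError(f"missing 'pkg:' scheme: {purl!r}")
    rest = purl[4:].lstrip("/")  # the spec tolerates pkg://type/...

    # Subpath and qualifiers are split off the right end first, so that
    # '@', ':' or '/' inside them cannot confuse the components to the left.
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
        subpath = unquote(subpath).strip("/") or None
    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, qstring = rest.split("?", 1)
        for pair in filter(None, qstring.split("&")):
            key, sep, value = pair.partition("=")
            if not sep or not key or not value:
                raise ValueError(f"malformed qualifier {pair!r} in {purl!r}")
            qualifiers[key.lower()] = unquote(value)

    # The type ends at the first '/'. A purl with no '/' after the scheme,
    # such as pkg:pypi:distributed, has no name component at all.
    if "/" not in rest:
        raise ValueError(f"no '/' after type (expected pkg:type/name): {purl!r}")
    ptype, rest = rest.split("/", 1)
    ptype = ptype.lower()
    if not ptype or not ptype[0].isalpha() or not all(c.isalnum() or c in ".+-" for c in ptype):
        raise ValueError(f"invalid type {ptype!r} in {purl!r}")

    # Version follows the last '@'. Splitting on '@' rather than ':' keeps
    # a Debian epoch such as "8:" inside the version string.
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)

    segments = [unquote(s) for s in rest.strip("/").split("/") if s]
    if not segments:
        raise ValueError(f"empty name in {purl!r}")
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    if ptype == "pypi":  # type-specific normalisation from PURL-TYPES.rst
        name = name.lower().replace("_", "-")
    return Purl(ptype, name, namespace, version, qualifiers, subpath)


# Partial OSV ecosystem -> purl type mapping, assumed for this example.
ECOSYSTEM_TO_PURL_TYPE = {"PyPI": "pypi", "Debian": "deb", "npm": "npm"}


def check_record(record: dict) -> List[str]:
    """Return the purl problems found in one OSV-style record (empty if none)."""
    problems: List[str] = []
    for affected in record.get("affected", []):
        pkg = affected.get("package", {})
        purl = pkg.get("purl")
        if purl is None:
            continue
        try:
            parsed = parse_purl(purl)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        expected = ECOSYSTEM_TO_PURL_TYPE.get(pkg.get("ecosystem"))
        if expected and parsed.type != expected:
            problems.append(
                f"purl type {parsed.type!r} does not match ecosystem {pkg['ecosystem']!r}")
    return problems


def find_invalid_purls(records: List[dict]) -> Dict[str, List[str]]:
    """Map record id -> problems, only for records that have any."""
    result: Dict[str, List[str]] = {}
    for record in records:
        problems = check_record(record)
        if problems:
            result[record["id"]] = problems
    return result


SAMPLE_RECORDS = [
    {   # from the issue: the second ':' should be a '/'
        "id": "PYSEC-2021-872",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "distributed",
                                  "purl": "pkg:pypi:distributed"}}],
    },
    {   # constructed: well-formed pypi purl, name normalised on parse
        "id": "EXAMPLE-0001",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "distributed",
                                  "purl": "pkg:pypi/Distributed@2021.10.0"}}],
    },
    {   # constructed: purl type disagrees with the ecosystem field
        "id": "EXAMPLE-0002",
        "affected": [{"package": {"ecosystem": "Debian", "name": "imagemagick",
                                  "purl": "pkg:npm/imagemagick@6.9.10"}}],
    },
]

if __name__ == "__main__":
    for rec_id, problems in find_invalid_purls(SAMPLE_RECORDS).items():
        print(rec_id, problems)
    print(parse_purl("pkg:deb/debian/imagemagick@8:6.9.10.23+dfsg-2.1+deb10u1?distro=debian-8"))
```

Running the checker over an exported set of OSV records is a cheap way to catch the class of defect reported here before a record is published; the Debian parse shows that distro and arch arrive as ordinary qualifiers, so a query service that ignores them is making a policy choice rather than hitting a parsing limit.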

@satanshiro I'll fork your comment out into a separate issue because it's a different data source with likely very different solutions to the original issue raised here.

andrewpollock avatar May 24 '23 02:05 andrewpollock

@gitgitwhat were your observations limited to the Python ecosystem, or broader?

andrewpollock avatar May 24 '23 02:05 andrewpollock

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 24 '24 18:07 github-actions[bot]

Automatically closing stale issue

github-actions[bot] avatar Aug 07 '24 20:08 github-actions[bot]