Propose a PURL specification for vcpkg to use in GitHub dependency graph submission API #32732
Replies: 2 comments
-
The current situation is slightly worse than you describe it. vcpkg currently submits a github PURL, but it is an invalid github PURL. E.g. it will submit something like this:
But the format for github PURLs is (https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#github):
There is just no way to describe the information that vcpkg wants to encode in a valid github PURL. This invalid PURL results in the SBOM generated by GitHub converting the PURL into an unknown PURL
Which is even less useful.
-
I've started a draft of this at package-url/purl-spec#245. I'll update here when I move it out of draft state.
-
The GitHub dependency graph submission API accepts a JSON formatted object as input. Part of that input is a `package_url` string that follows the package URL specification. Currently, a generic GitHub package URL specification is being used, which is not sufficient to provide useful information to users of vcpkg.
There are 7 components of a package URL (purl) and brief descriptions of what they are meant to convey:
pkg
These components are stitched together to form a purl, like this
scheme:type/namespace/name@version?qualifiers#subpath
A purl for vcpkg should be able to encode the full complexity of vcpkg ports, including:
It should optionally be able to encode:
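As an added example (not code from vcpkg or from the purl-spec project), the following parser splits a purl into the seven components listed above, following the spec's parsing order, and then applies the extra constraint of the github type: the namespace must carry the user or organization and the name the repository, so a purl that omits the owner cannot be a valid github purl. The `zlib` purl in the test is a constructed placeholder, not what vcpkg actually emits.

```python
"""Parse a package URL into its seven components and apply the extra
constraints of the github purl type (namespace = user/org, name = repo).
Added example, not code from vcpkg or from the purl-spec project."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Purl:
    scheme: str
    type: str
    namespace: str | None
    name: str
    version: str | None
    qualifiers: dict = field(default_factory=dict)
    subpath: str | None = None


def _rsplit_once(s: str, sep: str):
    """Split once from the right; return (s, None) when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, None)


def parse_purl(text: str) -> Purl:
    """Spec parsing order: '#', then '?', then 'pkg:', type, '@', then '/'."""
    rest, subpath = _rsplit_once(text.strip(), "#")
    rest, query = _rsplit_once(rest, "?")
    scheme, sep, rest = rest.partition(":")
    if sep != ":" or scheme.lower() != "pkg":
        raise ValueError("a purl must start with the 'pkg:' scheme")
    ptype, sep, rest = rest.lstrip("/").partition("/")
    if sep != "/" or not ptype:
        raise ValueError("a purl needs a type followed by '/'")
    rest, version = _rsplit_once(rest, "@")
    segments = [unquote(s) for s in rest.strip("/").split("/") if s]
    if not segments:
        raise ValueError("a purl needs a name")
    name, namespace = segments[-1], "/".join(segments[:-1]) or None
    qualifiers = {}
    for pair in (query or "").split("&"):
        key, _, value = pair.partition("=")
        if key and value:  # the spec drops qualifiers with an empty value
            qualifiers[key.lower()] = unquote(value)
    if subpath is not None:  # drop empty, '.' and '..' path segments
        parts = [unquote(p) for p in subpath.split("/") if p not in ("", ".", "..")]
        subpath = "/".join(parts) or None
    return Purl(scheme.lower(), ptype.lower(), namespace, name,
                unquote(version) if version is not None else None, qualifiers, subpath)


def github_purl_problem(p: Purl) -> str | None:
    """Return why p is not a valid github purl, or None when it is valid."""
    if p.type != "github":
        return "type is not github"
    if not p.namespace:
        return "github purl needs the user or organization as namespace"
    return None
```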