pax_global_header00006660000000000000000000000064151655024370014522gustar00rootroot0000000000000052 comment=bb5e2665d407ee011b0aefa7b3cd615caf0b9ee9 anchore-packageurl-go-a0c3c17/000077500000000000000000000000001516550243700162635ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/.binny.yaml000066400000000000000000000006471516550243700203530ustar00rootroot00000000000000# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases) cooldown: 7d # other binary versions inherited from .binny.yaml file in the anchore/go-make repo (version pinned in .make). # If you need to override a tool version, please do so by adding an entry here and go-make will # account for the local definition over the go-make shared definitions. tools: [] anchore-packageurl-go-a0c3c17/.bouncer.yaml000066400000000000000000000003631516550243700206640ustar00rootroot00000000000000permit: - BSD.* - CC0.* - MIT.* - Apache.* - MPL.* - ISC - WTFPL - Unlicense ignore-packages: # crypto/internal/boring is released under the openSSL license as a part of the Golang Standard Libary - crypto/internal/boring anchore-packageurl-go-a0c3c17/.chronicle.yaml000066400000000000000000000002651516550243700211760ustar00rootroot00000000000000# no matter the change, stay v0 for now enforce-v0: true # since github release pages already have titles that are the tag, we don't need to repeat that in the changelog title: "" anchore-packageurl-go-a0c3c17/.github/000077500000000000000000000000001516550243700176235ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/.github/dependabot.yml000066400000000000000000000027551516550243700224640ustar00rootroot00000000000000# Dependabot configuration # # Grouping behavior (see inline comments for details): # - Minor + patch updates: grouped into a single PR per ecosystem # - Major version bumps: individual PR per dependency # - Security updates: individual PR per dependency # # Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes. # Security updates are identified separately via GitHub's Advisory Database and # can be any version bump (patch, minor, or major) that fixes a known CVE. version: 2 updates: - package-ecosystem: gomod directories: - "/" - "/.make" cooldown: default-days: 7 schedule: interval: "weekly" day: "friday" open-pull-requests-limit: 10 labels: - "dependencies" groups: go-minor-patch: applies-to: version-updates # security updates get individual PRs patterns: - "*" update-types: # major omitted, gets individual PRs - "minor" - "patch" - package-ecosystem: "github-actions" directories: - "/" - "/.github/actions/*" cooldown: default-days: 7 schedule: interval: "weekly" day: "friday" open-pull-requests-limit: 10 labels: - "dependencies" groups: actions-minor-patch: applies-to: version-updates # security updates get individual PRs patterns: - "*" update-types: # major omitted, gets individual PRs - "minor" - "patch" anchore-packageurl-go-a0c3c17/.github/workflows/000077500000000000000000000000001516550243700216605ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/.github/workflows/codeql.yaml000066400000000000000000000026251516550243700240200ustar00rootroot00000000000000name: "CodeQL" on: push: branches: [ "master" ] pull_request: branches: [ "master" ] schedule: - cron: '38 11 * * 3' jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest permissions: security-events: write packages: read actions: read contents: read strategy: fail-fast: false matrix: include: - language: actions build-mode: none - language: go build-mode: manual steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Go if: matrix.language == 'go' uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod - name: Initialize CodeQL uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Build (Go) if: matrix.build-mode == 'manual' shell: bash run: go build ./... - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: category: "/language:${{matrix.language}}" anchore-packageurl-go-a0c3c17/.github/workflows/release.yaml000066400000000000000000000036671516550243700242000ustar00rootroot00000000000000name: "Release" permissions: contents: read # there should never be two releases in progress at the same time concurrency: group: release cancel-in-progress: false on: workflow_dispatch: inputs: version: description: tag the latest commit on main with the given version (prefixed with v) required: true jobs: version-available: uses: anchore/workflows/.github/workflows/check-version-available.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0 with: version: ${{ github.event.inputs.version }} check-gate: permissions: checks: read # required for getting the status of specific check names uses: anchore/workflows/.github/workflows/check-gate.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0 with: # these are checks that should be run on pull-request and merges to main. # we do NOT want to kick off a release if these have not been verified on main. # Please see the validations.yaml workflow for the names that should be used here. checks: '["Static analysis", "Unit tests"]' release: needs: [check-gate, version-available] environment: release # contains secrets needed for release runs-on: ubuntu-24.04 permissions: contents: write # needed for creating github release objects steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: fetch-depth: 0 # we need the full history to reason about changelogs and tags persist-credentials: true # needed for pushing a tag # setup checkout, go, go-make, binny, and cache go modules - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0 - name: Create release env: GITHUB_TOKEN: ${{ github.token }} DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} RELEASE_VERSION: ${{ github.event.inputs.version }} run: make ci-release anchore-packageurl-go-a0c3c17/.github/workflows/validate-github-actions.yaml000066400000000000000000000013021516550243700272470ustar00rootroot00000000000000name: "Validate GitHub Actions" on: workflow_dispatch: pull_request: push: branches: - master paths: - '.github/workflows/**' - '.github/actions/**' permissions: contents: read jobs: zizmor: name: "Lint" runs-on: ubuntu-latest permissions: contents: read security-events: write # for uploading SARIF results steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run zizmor" uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 with: advanced-security: true inputs: .github anchore-packageurl-go-a0c3c17/.github/workflows/validations.yaml000066400000000000000000000023221516550243700250600ustar00rootroot00000000000000name: "Validations" on: workflow_dispatch: push: branches: - master pull_request: permissions: contents: read jobs: Static-Analysis: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Static analysis" runs-on: ubuntu-24.04 steps: # setup checkout, go, go-make, binny, and cache go modules - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0 - name: Run static analysis run: make static-analysis Unit-Test: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Unit tests" runs-on: ubuntu-24.04 steps: # setup checkout, go, go-make, binny, and cache go modules - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0 - name: Download test data run: curl -L https://raw.githubusercontent.com/package-url/purl-spec/1951d217bde29590a73f075db4ab71cc00011459/test-suite-data.json -o testdata/test-suite-data.json - name: Run unit tests run: make unit - name: Fuzz tests run: make fuzz anchore-packageurl-go-a0c3c17/.github/zizmor.yml000066400000000000000000000002751516550243700217040ustar00rootroot00000000000000rules: unpinned-uses: ignore: # Allow unpinned uses of trusted internal anchore/workflows actions - oss-project-board-add.yaml - remove-awaiting-response-label.yaml anchore-packageurl-go-a0c3c17/.gitignore000066400000000000000000000010671516550243700202570ustar00rootroot00000000000000# local development go.work go.work.sum mise.toml /specs/ # IDEs .idea/ .vscode/ .history/ # tools and aux data .tool .tmp .task # release info /CHANGELOG.md /VERSION # archives and fixtures /test/results /dist /snapshot .server/ *.fingerprint *.tar *.jar *.war *.ear *.jpi *.hpi *.zip *.log .images .tmp/ coverage.txt bin/ # Binaries for programs and plugins *.exe *.exe~ *.dll *.so *.dylib # Test binary, build with `go test -c` *.test # Output of the go coverage tool, specifically when used with LiteIDE *.out # macOS Finder metadata .DS_STORE *.profile anchore-packageurl-go-a0c3c17/.golangci.yaml000066400000000000000000000055711516550243700210200ustar00rootroot00000000000000version: "2" run: tests: false linters: default: none enable: - asciicheck - bodyclose - copyloopvar - dogsled - dupl - errcheck - funlen - gocognit - goconst - gocritic - gocyclo - goprintffuncname - gosec - govet - ineffassign - misspell - nakedret - nolintlint - revive - staticcheck - unconvert - unparam - unused - whitespace settings: funlen: lines: 100 statements: 60 gocognit: min-complexity: 40 gocritic: enabled-checks: - deferInLoop gosec: excludes: - G115 exclusions: generated: lax presets: - comments - common-false-positives - legacy - std-error-handling paths: - third_party$ - builtin$ - examples$ # do not enable... # - deadcode # The owner seems to have abandoned the linter. Replaced by "unused". # - depguard # We don't have a configuration for this yet # - goprintffuncname # does not catch all cases and there are exceptions # - nakedret # does not catch all cases and should not fail a build # - gochecknoglobals # - gochecknoinits # this is too aggressive # - rowserrcheck disabled per generics https://github.com/golangci/golangci-lint/issues/2649 # - godot # - godox # - goerr113 # - goimports # we're using gosimports now instead to account for extra whitespaces (see https://github.com/golang/go/issues/20818) # - golint # deprecated # - gomnd # this is too aggressive # - interfacer # this is a good idea, but is no longer supported and is prone to false positives # - lll # without a way to specify per-line exception cases, this is not usable # - maligned # this is an excellent linter, but tricky to optimize and we are not sensitive to memory layout optimizations # - nestif # - prealloc # following this rule isn't consistently a good idea, as it sometimes forces unnecessary allocations that result in less idiomatic code # - rowserrcheck # not in a repo with sql, so this is not useful # - scopelint # deprecated # - structcheck # The owner seems to have abandoned the linter. Replaced by "unused". # - testpackage # - varcheck # The owner seems to have abandoned the linter. Replaced by "unused". # - wsl # this doens't have an auto-fixer yet and is pretty noisy (https://github.com/bombsimon/wsl/issues/90) issues: max-same-issues: 25 uniq-by-line: false # TODO: enable this when we have coverage on docstring comments # # The list of ids of default excludes to include or disable. # include: # - EXC0002 # disable excluding of issues about comments from golint formatters: enable: - gofmt - goimports exclusions: generated: lax paths: - third_party$ - builtin$ - examples$ anchore-packageurl-go-a0c3c17/.make/000077500000000000000000000000001516550243700172565ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/.make/go.mod000066400000000000000000000003771516550243700203730ustar00rootroot00000000000000module make go 1.26.2 require github.com/anchore/go-make v0.1.0 require ( github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect github.com/goccy/go-yaml v1.19.2 // indirect golang.org/x/mod v0.34.0 // indirect golang.org/x/sys v0.42.0 // indirect ) anchore-packageurl-go-a0c3c17/.make/go.sum000066400000000000000000000014771516550243700204220ustar00rootroot00000000000000github.com/anchore/go-make v0.1.0 h1:w/DTKznE1s0u5H1ahAnLaHRbCyNuOn5sJd0UltKWCIA= github.com/anchore/go-make v0.1.0/go.mod h1:JafD2Md95wih7aGmA12yVoReZW3mOgIuwHbw5aOcIOQ= github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs= github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= anchore-packageurl-go-a0c3c17/.make/main.go000066400000000000000000000011061516550243700205270ustar00rootroot00000000000000package main import ( "os" . "github.com/anchore/go-make" "github.com/anchore/go-make/run" "github.com/anchore/go-make/tasks/golint" "github.com/anchore/go-make/tasks/gotest" "github.com/anchore/go-make/tasks/release" ) func main() { Makefile( gotest.Tasks(), golint.Tasks(), release.ChangelogTask(), release.TagAndCreateGHRelease(), // custom fuzz testing task Task{ Name: "fuzz", Description: "run fuzz tests", Run: func() { Run("go test -fuzztime=1m -fuzz .", run.Stdout(os.Stdout), run.Stderr(os.Stderr)) }, }.RunOn("test"), ) } anchore-packageurl-go-a0c3c17/LICENSE000066400000000000000000000020371516550243700172720ustar00rootroot00000000000000Copyright (c) the purl authors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. anchore-packageurl-go-a0c3c17/Makefile000066400000000000000000000000561516550243700177240ustar00rootroot00000000000000.PHONY: * .DEFAULT: %: @go run -C .make . $@ anchore-packageurl-go-a0c3c17/README.md000066400000000000000000000047141516550243700175500ustar00rootroot00000000000000# packageurl-go [![build](https://github.com/package-url/packageurl-go/workflows/test/badge.svg)](https://github.com/package-url/packageurl-go/actions?query=workflow%3Atest) [![Coverage Status](https://coveralls.io/repos/github/package-url/packageurl-go/badge.svg)](https://coveralls.io/github/package-url/packageurl-go) [![PkgGoDev](https://pkg.go.dev/badge/github.com/package-url/packageurl-go)](https://pkg.go.dev/github.com/package-url/packageurl-go) [![Go Report Card](https://goreportcard.com/badge/github.com/package-url/packageurl-go)](https://goreportcard.com/report/github.com/package-url/packageurl-go) Go implementation of the package url spec. ## Install ``` go get -u github.com/package-url/packageurl-go ``` ## Versioning The versions will follow the spec. So if the spec is released at ``1.0``. Then all versions in the ``1.x.y`` will follow the ``1.x`` spec. ## Usage ### Create from parts ```go package main import ( "fmt" "github.com/package-url/packageurl-go" ) func main() { instance := packageurl.NewPackageURL("test", "ok", "name", "version", nil, "") fmt.Printf("%s", instance.ToString()) } ``` ### Parse from string ```go package main import ( "fmt" "github.com/package-url/packageurl-go" ) func main() { instance, err := packageurl.FromString("test:ok/name@version") if err != nil { panic(err) } fmt.Printf("%#v", instance) } ``` ## Test Testing using the normal ``go test`` command. Using ``make test`` will pull the test fixtures shared between all package-url projects and then execute the tests. ``` curl -Ls https://raw.githubusercontent.com/package-url/purl-spec/master/test-suite-data.json -o testdata/test-suite-data.json go test -v -cover ./... === RUN TestFromStringExamples --- PASS: TestFromStringExamples (0.00s) === RUN TestToStringExamples --- PASS: TestToStringExamples (0.00s) === RUN TestStringer --- PASS: TestStringer (0.00s) === RUN TestQualifiersMapConversion --- PASS: TestQualifiersMapConversion (0.00s) PASS github.com/package-url/packageurl-go coverage: 90.7% of statements ok github.com/package-url/packageurl-go 0.004s coverage: 90.7% of statements ``` ## Fuzzing Fuzzing is done with standard [Go fuzzing](https://go.dev/doc/fuzz/), introduced in Go 1.18. Fuzz tests check for inputs that cause `FromString` to panic. Using `make fuzz` will run fuzz tests for one minute. To run fuzz tests longer: ``` go test -fuzztime=60m -fuzz . ``` Or omit `-fuzztime` entirely to run indefinitely. anchore-packageurl-go-a0c3c17/VERSION000066400000000000000000000000061516550243700173270ustar00rootroot000000000000000.0.0 anchore-packageurl-go-a0c3c17/fuzz_test.go000066400000000000000000000023651516550243700206550ustar00rootroot00000000000000/* Copyright (c) the purl authors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ package packageurl import ( "fmt" "testing" ) func FuzzFromString(f *testing.F) { f.Fuzz(func(t *testing.T, s string) { // Test that parsing doesn't panic. _, _ = FromString(s) fmt.Print(s) }) } anchore-packageurl-go-a0c3c17/go.mod000066400000000000000000000000631516550243700173700ustar00rootroot00000000000000module github.com/anchore/packageurl-go go 1.25.0 anchore-packageurl-go-a0c3c17/go.sum000066400000000000000000000000001516550243700174040ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/packageurl.go000066400000000000000000000461361516550243700207420ustar00rootroot00000000000000/* Copyright (c) the purl authors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ // Package packageurl implements the package-url spec package packageurl import ( "errors" "fmt" "net/url" "path" "regexp" "sort" "strings" ) var ( // QualifierKeyPattern describes a valid qualifier key: // // - The key must be composed only of ASCII letters and numbers, '.', // '-' and '_' (period, dash and underscore). // - A key cannot start with a number. QualifierKeyPattern = regexp.MustCompile(`^[A-Za-z\.\-_][0-9A-Za-z\.\-_]*$`) // TypePattern describes a valid type: // // - The type must be composed only of ASCII letters and numbers, '.', // '+' and '-' (period, plus and dash). // - A type cannot start with a number. TypePattern = regexp.MustCompile(`^[A-Za-z\.\-\+][0-9A-Za-z\.\-\+]*$`) ) // These are the known purl types as defined in the spec. Some of these require // special treatment during parsing. // https://github.com/package-url/purl-spec#known-purl-types var ( // TypeAlpm is a pkg:alpm purl. TypeAlpm = "alpm" // TypeApk is a pkg:apk purl. TypeApk = "apk" TypeAlpine = "apk" // note: distinct from upstream (alias for apk) // TypeBitbucket is a pkg:bitbucket purl. TypeBitbucket = "bitbucket" // TypeBitnami is a pkg:bitnami purl. TypeBitnami = "bitnami" // TypeCargo is a pkg:cargo purl. TypeCargo = "cargo" // TypeCocoapods is a pkg:cocoapods purl. TypeCocoapods = "cocoapods" // TypeComposer is a pkg:composer purl. TypeComposer = "composer" // TypeConan is a pkg:conan purl. TypeConan = "conan" // TypeConda is a pkg:conda purl. TypeConda = "conda" // TypeCran is a pkg:cran purl. TypeCran = "cran" // TypeDebian is a pkg:deb purl. TypeDebian = "deb" // TypeDocker is a pkg:docker purl. TypeDocker = "docker" // TypeGem is a pkg:gem purl. TypeGem = "gem" // TypeGeneric is a pkg:generic purl. TypeGeneric = "generic" // TypeGithub is a pkg:github purl. TypeGithub = "github" // TypeGolang is a pkg:golang purl. TypeGolang = "golang" // TypeHackage is a pkg:hackage purl. TypeHackage = "hackage" // TypeHex is a pkg:hex purl. TypeHex = "hex" // TypeHuggingface is pkg:huggingface purl. TypeHuggingface = "huggingface" // TypeLuaRocks is a pkg:luarocks purl. TypeLuaRocks = "luarocks" // TypeMLFlow is pkg:mlflow purl. TypeMLFlow = "mlflow" // TypeMaven is a pkg:maven purl. TypeMaven = "maven" // TypeNPM is a pkg:npm purl. TypeNPM = "npm" // TypeNuget is a pkg:nuget purl. TypeNuget = "nuget" // TypeOCI is a pkg:oci purl. TypeOCI = "oci" // TypePub is a pkg:pub purl. TypePub = "pub" // TypePyPi is a pkg:pypi purl. TypePyPi = "pypi" // TypeQpkg is a pkg:qpkg purl. TypeQpkg = "qpkg" // TypeRPM is a pkg:rpm purl. TypeRPM = "rpm" // TypeSWID is pkg:swid purl TypeSWID = "swid" // TypeSwift is pkg:swift purl. TypeSwift = "swift" // KnownTypes is a map of types that are officially supported by the spec. // See https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#known-purl-types KnownTypes = map[string]struct{}{ TypeAlpm: {}, TypeApk: {}, TypeAlpine: {}, // note: distinct from upstream (alias for apk) TypeBitbucket: {}, TypeBitnami: {}, TypeCargo: {}, TypeCocoapods: {}, TypeComposer: {}, TypeConan: {}, TypeConda: {}, TypeCran: {}, TypeDebian: {}, TypeDocker: {}, TypeGem: {}, TypeGeneric: {}, TypeGithub: {}, TypeGolang: {}, TypeHackage: {}, TypeHex: {}, TypeHuggingface: {}, TypeLuaRocks: {}, TypeMaven: {}, TypeMLFlow: {}, TypeNPM: {}, TypeNuget: {}, TypeOCI: {}, TypePub: {}, TypePyPi: {}, TypeQpkg: {}, TypeRPM: {}, TypeSWID: {}, TypeSwift: {}, } TypeApache = "apache" TypeAndroid = "android" TypeAtom = "atom" TypeBower = "bower" TypeBrew = "brew" TypeBuildroot = "buildroot" TypeCarthage = "carthage" TypeChef = "chef" TypeChocolatey = "chocolatey" TypeClojars = "clojars" TypeCoreos = "coreos" TypeCpan = "cpan" TypeCtan = "ctan" TypeCrystal = "crystal" TypeDrupal = "drupal" TypeDtype = "dtype" TypeDub = "dub" TypeElm = "elm" TypeEclipse = "eclipse" TypeGitea = "gitea" TypeGitlab = "gitlab" TypeGradle = "gradle" TypeGuix = "guix" TypeHaxe = "haxe" TypeHelm = "helm" TypeJulia = "julia" TypeMelpa = "melpa" TypeMeteor = "meteor" TypeNim = "nim" TypeNix = "nix" TypeOpam = "opam" TypeOpenwrt = "openwrt" TypeOsgi = "osgi" TypeOTP = "otp" // note: distinct from upstream TypeP2 = "p2" TypePear = "pear" TypePecl = "pecl" TypePERL6 = "perl6" TypePlatformio = "platformio" TypeEbuild = "ebuild" TypePuppet = "puppet" TypeSourceforge = "sourceforge" TypeSublime = "sublime" TypeTerraform = "terraform" TypeVagrant = "vagrant" TypeVim = "vim" TypeWORDPRESS = "wordpress" TypeYocto = "yocto" // CandidateTypes is a map of types that are not yet officially supported by the spec, // but are being considered for inclusion. // See https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define CandidateTypes = map[string]struct{}{ TypeApache: {}, TypeAndroid: {}, TypeAtom: {}, TypeBower: {}, TypeBrew: {}, TypeBuildroot: {}, TypeCarthage: {}, TypeChef: {}, TypeChocolatey: {}, TypeClojars: {}, TypeCoreos: {}, TypeCpan: {}, TypeCtan: {}, TypeCrystal: {}, TypeDrupal: {}, TypeDtype: {}, TypeDub: {}, TypeElm: {}, TypeEclipse: {}, TypeGitea: {}, TypeGitlab: {}, TypeGradle: {}, TypeGuix: {}, TypeHaxe: {}, TypeHelm: {}, TypeJulia: {}, TypeMelpa: {}, TypeMeteor: {}, TypeNim: {}, TypeNix: {}, TypeOpam: {}, TypeOpenwrt: {}, TypeOsgi: {}, TypeOTP: {}, TypeP2: {}, TypePear: {}, TypePecl: {}, TypePERL6: {}, TypePlatformio: {}, TypeEbuild: {}, TypePuppet: {}, TypeSourceforge: {}, TypeSublime: {}, TypeTerraform: {}, TypeVagrant: {}, TypeVim: {}, TypeWORDPRESS: {}, TypeYocto: {}, } ) // Qualifier represents a single key=value qualifier in the package url type Qualifier struct { Key string Value string } func (q Qualifier) String() string { // A value must be a percent-encoded string return fmt.Sprintf("%s=%s", escape(q.Key), escape(q.Value)) } // Qualifiers is a slice of key=value pairs, with order preserved as it appears // in the package URL. type Qualifiers []Qualifier // urlQuery returns a raw URL query with all the qualifiers as keys + values. func (q Qualifiers) urlQuery() string { if len(q) == 0 { return "" } var buf strings.Builder keys := make([]string, 0, len(q)) values := make(map[string][]string) for _, item := range q { keys = append(keys, item.Key) values[item.Key] = append(values[item.Key], item.Value) } sort.Strings(keys) for _, k := range keys { vs := values[k] keyEscaped := escape(k) for _, v := range vs { if buf.Len() > 0 { buf.WriteByte('&') } buf.WriteString(keyEscaped) buf.WriteByte('=') buf.WriteString(escape(v)) } } return buf.String() } // QualifiersFromMap constructs a Qualifiers slice from a string map. To get a // deterministic qualifier order (despite maps not providing any iteration order // guarantees) the returned Qualifiers are sorted in increasing order of key. func QualifiersFromMap(mm map[string]string) Qualifiers { q := Qualifiers{} for k, v := range mm { q = append(q, Qualifier{Key: k, Value: v}) } // sort for deterministic qualifier order sort.Slice(q, func(i int, j int) bool { return q[i].Key < q[j].Key }) return q } // Map converts a Qualifiers struct to a string map. func (q Qualifiers) Map() map[string]string { m := make(map[string]string) for i := 0; i < len(q); i++ { k := q[i].Key v := q[i].Value m[k] = v } return m } func (q Qualifiers) String() string { var kvPairs []string for _, q := range q { kvPairs = append(kvPairs, q.String()) } return strings.Join(kvPairs, "&") } func (q *Qualifiers) Normalize() error { qs := *q normedQQ := make(Qualifiers, 0, len(qs)) for _, q := range qs { if q.Key == "" { return fmt.Errorf("key is missing from qualifier: %v", q) } if q.Value == "" { // Empty values are equivalent to the key being omitted from the PackageURL. continue } key := strings.ToLower(q.Key) if !validQualifierKey(key) { return fmt.Errorf("invalid qualifier key: %q", key) } normedQQ = append(normedQQ, Qualifier{key, q.Value}) } sort.Slice(normedQQ, func(i, j int) bool { return normedQQ[i].Key < normedQQ[j].Key }) for i := 1; i < len(normedQQ); i++ { if normedQQ[i-1].Key == normedQQ[i].Key { return fmt.Errorf("duplicate qualifier key: %q", normedQQ[i].Key) } } *q = normedQQ return nil } // PackageURL is the struct representation of the parts that make a package url type PackageURL struct { Type string Namespace string Name string Version string Qualifiers Qualifiers Subpath string } // NewPackageURL creates a new PackageURL struct instance based on input func NewPackageURL(purlType, namespace, name, version string, qualifiers Qualifiers, subpath string) *PackageURL { return &PackageURL{ Type: purlType, Namespace: namespace, Name: name, Version: version, Qualifiers: qualifiers, Subpath: subpath, } } // ToString returns the human-readable instance of the PackageURL structure. // This is the literal purl as defined by the spec. func (p *PackageURL) ToString() string { u := &url.URL{ Scheme: "pkg", RawQuery: p.Qualifiers.urlQuery(), Fragment: p.Subpath, } paths := []string{p.Type} // we need to escape each segment by itself, so that we don't escape "/" in the namespace. for _, segment := range strings.Split(p.Namespace, "/") { if segment == "" { continue } paths = append(paths, escape(segment)) } nameWithVersion := escape(p.Name) if p.Version != "" { nameWithVersion += "@" + escape(p.Version) } paths = append(paths, nameWithVersion) u.Opaque = strings.Join(paths, "/") return u.String() } func (p PackageURL) String() string { return p.ToString() } // FromString parses a valid package url string into a PackageURL structure func FromString(purl string) (PackageURL, error) { u, err := url.Parse(strings.TrimSpace(purl)) if err != nil { return PackageURL{}, fmt.Errorf("failed to parse as URL: %w", err) } if u.Scheme != "pkg" { return PackageURL{}, fmt.Errorf("purl scheme is not \"pkg\": %q", u.Scheme) } p := u.Opaque // if a purl starts with pkg:/ or even pkg://, we need to fall back to host + path. if p == "" { p = strings.TrimPrefix(path.Join(u.Host, u.Path), "/") } typ, p, ok := strings.Cut(p, "/") if !ok { return PackageURL{}, fmt.Errorf("purl is missing type or name") } typ = strings.ToLower(typ) qualifiers, err := parseQualifiers(u.RawQuery) if err != nil { return PackageURL{}, fmt.Errorf("invalid qualifiers: %w", err) } namespace, name, version, err := separateNamespaceNameVersion(p) if err != nil { return PackageURL{}, err } pURL := PackageURL{ Qualifiers: qualifiers, Type: typ, Namespace: namespace, Name: name, Version: version, Subpath: u.Fragment, } err = pURL.Normalize() return pURL, err } // Normalize converts p to its canonical form, returning an error if p is invalid. func (p *PackageURL) Normalize() error { typ := strings.ToLower(p.Type) if !validType(typ) { return fmt.Errorf("invalid type %q", typ) } namespace := strings.Trim(p.Namespace, "/") if err := p.Qualifiers.Normalize(); err != nil { return fmt.Errorf("invalid qualifiers: %v", err) } if p.Name == "" { return errors.New("purl is missing name") } subpath := strings.Trim(p.Subpath, "/") segs := strings.Split(p.Subpath, "/") for i, s := range segs { if (s == "." || s == "..") && i != 0 { return fmt.Errorf("invalid Package URL subpath: %q", p.Subpath) } } *p = PackageURL{ Type: typ, Namespace: typeAdjustNamespace(typ, namespace), Name: typeAdjustName(typ, p.Name, p.Qualifiers), Version: typeAdjustVersion(typ, p.Version), Qualifiers: p.Qualifiers, Subpath: subpath, } return validCustomRules(*p) } // escape the given string in a purl-compatible way // Source: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#character-encoding func escape(s string) string { // for compatibility with other implementations and the purl-spec, we want to escape all // characters, which is what "QueryEscape" does. The issue with QueryEscape is that it encodes // " " (space) as "+", which is valid in a query, but invalid in a path (see // https://stackoverflow.com/questions/2678551/when-should-space-be-encoded-to-plus-or-20) for // context). // To work around that, we replace the "+" signs with the path-compatible "%20". return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") } func separateNamespaceNameVersion(path string) (ns, name, version string, err error) { name = path if namespaceSep := strings.LastIndex(name, "/"); namespaceSep != -1 { ns, name = name[:namespaceSep], name[namespaceSep+1:] ns, err = url.PathUnescape(ns) if err != nil { return "", "", "", fmt.Errorf("error unescaping namespace: %w", err) } } if versionSep := strings.LastIndex(name, "@"); versionSep != -1 { name, version = name[:versionSep], name[versionSep+1:] version, err = url.PathUnescape(version) if err != nil { return "", "", "", fmt.Errorf("error unescaping version: %w", err) } } name, err = url.PathUnescape(name) if err != nil { return "", "", "", fmt.Errorf("error unescaping name: %w", err) } if name == "" { return "", "", "", fmt.Errorf("purl is missing name") } return ns, name, version, nil } func parseQualifiers(rawQuery string) (Qualifiers, error) { // we need to parse the qualifiers ourselves and cannot rely on the `url.Query` type because // that uses a map, meaning it's unordered. We want to keep the order of the qualifiers, so this // function re-implements the `url.parseQuery` function based on our `Qualifier` type. Most of // the code here is taken from `url.parseQuery`. q := Qualifiers{} for rawQuery != "" { var key string key, rawQuery, _ = strings.Cut(rawQuery, "&") if strings.Contains(key, ";") { return nil, fmt.Errorf("invalid semicolon separator in query") } if key == "" { continue } key, value, _ := strings.Cut(key, "=") key, err := url.PathUnescape(key) if err != nil { return nil, fmt.Errorf("error unescaping qualifier key %q", key) } if !validQualifierKey(key) { return nil, fmt.Errorf("invalid qualifier key: '%s'", key) } value, err = url.PathUnescape(value) if err != nil { return nil, fmt.Errorf("error unescaping qualifier value %q", value) } q = append(q, Qualifier{ Key: strings.ToLower(key), Value: value, }) } return q, nil } // Make any purl type-specific adjustments to the parsed namespace. // See https://github.com/package-url/purl-spec#known-purl-types func typeAdjustNamespace(purlType, ns string) string { switch purlType { case TypeAlpm, TypeApk, TypeBitbucket, TypeComposer, TypeDebian, TypeGithub, TypeGolang, TypeNPM, TypeRPM, TypeQpkg: return strings.ToLower(ns) } return ns } // Make any purl type-specific adjustments to the parsed name. // See https://github.com/package-url/purl-spec#known-purl-types func typeAdjustName(purlType, name string, qualifiers Qualifiers) string { quals := qualifiers.Map() switch purlType { case TypeAlpm, TypeApk, TypeBitbucket, TypeBitnami, TypeComposer, TypeDebian, TypeGithub, TypeGolang, TypeNPM: return strings.ToLower(name) case TypePyPi: return strings.ToLower(strings.ReplaceAll(name, "_", "-")) case TypeMLFlow: return adjustMlflowName(name, quals) } return name } // Make any purl type-specific adjustments to the parsed version. // See https://github.com/package-url/purl-spec#known-purl-types func typeAdjustVersion(purlType, version string) string { if purlType == TypeHuggingface { return strings.ToLower(version) } return version } // https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#mlflow func adjustMlflowName(name string, qualifiers map[string]string) string { repo, ok := qualifiers["repository_url"] if !ok { // No repository qualifier given, keep as-is return name } switch { case strings.Contains(repo, "azureml"): // Azure ML is case-sensitive and must be kept as-is return name case strings.Contains(repo, "databricks"): // Databricks is case-insensitive and must be lowercased return strings.ToLower(name) default: // Unknown repository type, keep as-is return name } } // validQualifierKey validates a qualifierKey against our QualifierKeyPattern. func validQualifierKey(key string) bool { return QualifierKeyPattern.MatchString(key) } // validType validates a type against our TypePattern. func validType(typ string) bool { return TypePattern.MatchString(typ) } // validCustomRules evaluates additional rules for each package url type, as specified in the package-url specification. // On success, it returns nil. On failure, a descriptive error will be returned. func validCustomRules(p PackageURL) error { q := p.Qualifiers.Map() switch p.Type { case TypeConan: if p.Namespace != "" { if val, ok := q["channel"]; ok { if val == "" { return errors.New("the qualifier channel must be not empty if namespace is present") } } else { return errors.New("channel qualifier does not exist") } } else { if val, ok := q["channel"]; ok { if val != "" { return errors.New("namespace is required if channel is non empty") } } } case TypeSwift: if p.Namespace == "" { return errors.New("namespace is required") } if p.Version == "" { return errors.New("version is required") } case TypeCran: if p.Version == "" { return errors.New("version is required") } } return nil } anchore-packageurl-go-a0c3c17/packageurl_test.go000066400000000000000000000477131516550243700220030ustar00rootroot00000000000000/* Copyright (c) the purl authors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ package packageurl_test import ( "encoding/json" "fmt" "os" "reflect" "regexp" "sort" "strings" "testing" "github.com/anchore/packageurl-go" ) type TestFixture struct { Description string `json:"description"` Purl string `json:"purl"` CanonicalPurl string `json:"canonical_purl"` PackageType string `json:"type"` Namespace string `json:"namespace"` Name string `json:"name"` Version string `json:"version"` QualifierMap OrderedMap `json:"qualifiers"` Subpath string `json:"subpath"` IsInvalid bool `json:"is_invalid"` } // OrderedMap is used to store the TestFixture.QualifierMap, to ensure that the // declaration order of qualifiers is preserved. type OrderedMap struct { OrderedKeys []string Map map[string]string } // qualifiersMapPattern is used to parse the TestFixture "qualifiers" field to // ensure that it's a json object. var qualifiersMapPattern = regexp.MustCompile(`(?ms)^\{.*\}$`) // UnmarshalJSON unmarshals the qualifiers field for a TestFixture. The // qualifiers field is given as a json object such as: // // "qualifiers": {"arch": "i386", "distro": "fedora-25"} // // This function performs in-order parsing of these values into an OrderedMap to // preserve items in order of declaration. Note that parsing as a // map[string]string won't preserve element order. func (m *OrderedMap) UnmarshalJSON(bytes []byte) error { data := string(bytes) switch data { case "null": m.OrderedKeys = []string{} m.Map = make(map[string]string) return nil default: // ensure that the data is a json object "{...}" if !qualifiersMapPattern.MatchString(data) { return fmt.Errorf("qualifiers parse error: not a json object: %s", data) } // find out the order in which map keys occur dec := json.NewDecoder(strings.NewReader(data)) // consume opening '{' _, _ = dec.Token() for dec.More() { t, _ := dec.Token() switch token := t.(type) { case json.Delim: if token != '}' { return fmt.Errorf("qualifiers parse error: expected delimiter '}', got: %v", token) } // closed json object -> we're done case string: // this token is a dictionary key m.OrderedKeys = append(m.OrderedKeys, token) // consume the value (the token following the colon after the key) _, _ = dec.Token() } } // now that we know the key order, just fill the OrderedMap.Map field if err := json.Unmarshal(bytes, &m.Map); err != nil { return err } return nil } } // Qualifiers converts the TestFixture.QualifierMap field to an object of type // packageurl.Qualifiers. func (t TestFixture) Qualifiers() packageurl.Qualifiers { q := packageurl.Qualifiers{} for _, key := range t.QualifierMap.OrderedKeys { q = append(q, packageurl.Qualifier{Key: key, Value: t.QualifierMap.Map[key]}) } return q } // TestFromStringExamples verifies that parsing example strings produce expected // results. func TestFromStringExamples(t *testing.T) { // Read the json file data, err := os.ReadFile("testdata/test-suite-data.json") if err != nil { t.Fatal(err) } // Load the json file contents into a structure testData := []TestFixture{} err = json.Unmarshal(data, &testData) if err != nil { t.Fatal(err) } // Use FromString on each item in the test set for _, tc := range testData { if tc.Description == "cpan module name like distribution name" || tc.Description == "cpan distribution name like module name" { // we're not sure if this validation conflicts with the upstream PURL-SPECIFICATION // skipping these tests for now continue } // Should parse without issue p, err := packageurl.FromString(tc.Purl) if tc.IsInvalid == false { if err != nil { t.Logf("%s failed: %s", tc.Description, err) t.Fail() } // verify parsing if p.Type != tc.PackageType { t.Logf("%s: incorrect package type: wanted: '%s', got '%s'", tc.Description, tc.PackageType, p.Type) t.Fail() } if p.Namespace != tc.Namespace { t.Logf("%s: incorrect namespace: wanted: '%s', got '%s'", tc.Description, tc.Namespace, p.Namespace) t.Fail() } if p.Name != tc.Name { t.Logf("%s: incorrect name: wanted: '%s', got '%s'", tc.Description, tc.Name, p.Name) t.Fail() } if p.Version != tc.Version { t.Logf("%s: incorrect version: wanted: '%s', got '%s'", tc.Description, tc.Version, p.Version) t.Fail() } want := tc.Qualifiers() sort.Slice(want, func(i, j int) bool { return want[i].Key < want[j].Key }) got := p.Qualifiers sort.Slice(got, func(i, j int) bool { return got[i].Key < got[j].Key }) if !reflect.DeepEqual(want, got) { t.Logf("%s: incorrect qualifiers: wanted: '%#v', got '%#v'", tc.Description, want, p.Qualifiers) t.Fail() } if p.Subpath != tc.Subpath { t.Logf("%s: incorrect subpath: wanted: '%s', got '%s'", tc.Description, tc.Subpath, p.Subpath) t.Fail() } } else { // Invalid cases if err == nil { t.Logf("%s did not fail and returned %#v", tc.Description, p) t.Fail() } } } } // TestToStringExamples verifies that the resulting package urls created match // the expected format. func TestToStringExamples(t *testing.T) { // Read the json file data, err := os.ReadFile("testdata/test-suite-data.json") if err != nil { t.Fatal(err) } // Load the json file contents into a structure var testData []TestFixture err = json.Unmarshal(data, &testData) if err != nil { t.Fatal(err) } // Use ToString on each item for _, tc := range testData { // Skip invalid items if tc.IsInvalid == true { continue } instance := packageurl.NewPackageURL( tc.PackageType, tc.Namespace, tc.Name, tc.Version, // Use QualifiersFromMap so that the qualifiers have a defined order, which is needed for string comparisons packageurl.QualifiersFromMap(tc.Qualifiers().Map()), tc.Subpath) result := instance.ToString() // NOTE: We create a purl with ToString and then load into a PackageURL // because qualifiers may not be in any order. By reparsing back // we can ensure the data transfers between string and instance form. canonical, _ := packageurl.FromString(tc.CanonicalPurl) toTest, _ := packageurl.FromString(result) // If the two results don't equal then the ToString failed if !reflect.DeepEqual(toTest, canonical) { t.Logf("%s failed: %s != %s", tc.Description, result, tc.CanonicalPurl) t.Fail() } } } // TestStringer verifies that the Stringer implementation produces results // equivalent with the ToString method. func TestStringer(t *testing.T) { // Read the json file data, err := os.ReadFile("testdata/test-suite-data.json") if err != nil { t.Fatal(err) } // Load the json file contents into a structure var testData []TestFixture err = json.Unmarshal(data, &testData) if err != nil { t.Fatal(err) } // Use ToString on each item for _, tc := range testData { // Skip invalid items if tc.IsInvalid == true { continue } purlPtr := packageurl.NewPackageURL( tc.PackageType, tc.Namespace, tc.Name, tc.Version, tc.Qualifiers(), tc.Subpath) purlValue := *purlPtr // Verify that the Stringer implementation returns a result // equivalent to ToString(). if purlPtr.ToString() != purlPtr.String() { t.Logf("%s failed: Stringer implementation differs from ToString: %s != %s", tc.Description, purlPtr.String(), purlPtr.ToString()) t.Fail() } // Verify that the %s format modifier works for values. fmtStr := purlValue.String() if fmtStr != purlPtr.String() { t.Logf("%s failed: %%s format modifier does not work on values: %s != %s", tc.Description, fmtStr, purlPtr.ToString()) t.Fail() } } } // Verify correct conversion of Qualifiers to a string map and vice versa. func TestQualifiersMapConversion(t *testing.T) { tests := []struct { kvMap map[string]string qualifiers packageurl.Qualifiers }{ { kvMap: map[string]string{}, qualifiers: packageurl.Qualifiers{}, }, { kvMap: map[string]string{"arch": "amd64"}, qualifiers: packageurl.Qualifiers{ packageurl.Qualifier{Key: "arch", Value: "amd64"}, }, }, { kvMap: map[string]string{"arch": "amd64", "os": "linux"}, qualifiers: packageurl.Qualifiers{ packageurl.Qualifier{Key: "arch", Value: "amd64"}, packageurl.Qualifier{Key: "os", Value: "linux"}, }, }, } for _, test := range tests { // map -> Qualifiers got := packageurl.QualifiersFromMap(test.kvMap) if !reflect.DeepEqual(got, test.qualifiers) { t.Logf("map -> qualifiers conversion failed: got: %#v, wanted: %#v", got, test.qualifiers) t.Fail() } // Qualifiers -> map mp := test.qualifiers.Map() if !reflect.DeepEqual(mp, test.kvMap) { t.Logf("qualifiers -> map conversion failed: got: %#v, wanted: %#v", mp, test.kvMap) t.Fail() } } } func TestNameEscaping(t *testing.T) { testCases := map[string]string{ "abc": "pkg:deb/abc", // from the spec: // - The ``name`` is prefixed by a '/' separator when the ``namespace`` is not empty // - This '/' is not part of the ``name`` // - A ``name`` must be a percent-encoded string // If a `name` element contains a `/`, it MUST BE escaped. "ab/c": "pkg:deb/ab%2Fc", // from the spec: // the ':' scheme and type separator does not need to and must NOT be encoded. It is unambiguous unencoded everywhere // note: while the above is correct for the scheme/type separator, ':' in names should be encoded "TODO: ": "pkg:deb/TODO%3A%20%3CProduct%20name%3E", } for name, output := range testCases { t.Run(name, func(t *testing.T) { p := &packageurl.PackageURL{Type: "deb", Name: name} if s := p.ToString(); s != output { t.Fatalf("wrong escape. expected=%q, got=%q", output, s) } }) } } func TestQualifierMissingEqual(t *testing.T) { input := "pkg:npm/test-pkg?key" want := packageurl.PackageURL{ Type: "npm", Name: "test-pkg", Qualifiers: packageurl.Qualifiers{}, } got, err := packageurl.FromString(input) if err != nil { t.Fatalf("FromString(%s): unexpected error: %v", input, err) } if !reflect.DeepEqual(want, got) { t.Fatalf("FromString(%s): want %q got %q", input, want, got) } } func TestNormalize(t *testing.T) { testCases := []struct { name string input packageurl.PackageURL want packageurl.PackageURL wantErr bool }{{ name: "type is case insensitive", input: packageurl.PackageURL{ Type: "NpM", Name: "pkg", }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{}, }, }, { name: "type is manditory", input: packageurl.PackageURL{ Name: "pkg", }, wantErr: true, }, { name: "leading and traling / on namespace are trimmed", input: packageurl.PackageURL{ Type: "npm", Namespace: "/namespace/org/", Name: "pkg", }, want: packageurl.PackageURL{ Type: "npm", Namespace: "namespace/org", Name: "pkg", Qualifiers: packageurl.Qualifiers{}, }, }, { name: "qualifiers with empty values are removed", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "k1", Value: "v1", }, { Key: "k2", Value: "", }, { Key: "k3", Value: "v3", }}, }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "k1", Value: "v1", }, { Key: "k3", Value: "v3", }}, }, }, { name: "qualifiers are sorted by key", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "k3", Value: "v3", }, { Key: "k2", Value: "v2", }, { Key: "k1", Value: "v1", }}, }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "k1", Value: "v1", }, { Key: "k2", Value: "v2", }, { Key: "k3", Value: "v3", }}, }, }, { name: "duplicate keys are invalid", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "k1", Value: "v1", }, { Key: "k1", Value: "v2", }}, }, wantErr: true, }, { name: "keys are made lower case", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "KeY", Value: "v1", }}, }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{{ Key: "key", Value: "v1", }}, }, }, { name: "name is required", input: packageurl.PackageURL{ Type: "npm", }, wantErr: true, }, { name: "leading and traling / on subpath are trimmed", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Subpath: "/sub/path/", }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{}, Subpath: "sub/path", }, }, { name: "'.' is an invalid subpath segment", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Subpath: "/sub/./path/", }, wantErr: true, }, { name: "'..' is an invalid subpath segment", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Subpath: "/sub/../path/", }, wantErr: true, }, { name: "'./' is a valid subpath prefix", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Subpath: "./sub/path", }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{}, Subpath: "./sub/path", }, }, { name: "'../' is a valid subpath prefix", input: packageurl.PackageURL{ Type: "npm", Name: "pkg", Subpath: "../sub/path", }, want: packageurl.PackageURL{ Type: "npm", Name: "pkg", Qualifiers: packageurl.Qualifiers{}, Subpath: "../sub/path", }, }, { name: "known type namespace adjustments", input: packageurl.PackageURL{ Type: "npm", Namespace: "NaMeSpAcE", Name: "pkg", }, want: packageurl.PackageURL{ Type: "npm", Namespace: "namespace", Name: "pkg", Qualifiers: packageurl.Qualifiers{}, }, }, { name: "known type name adjustments", input: packageurl.PackageURL{ Type: "npm", Name: "nAmE", }, want: packageurl.PackageURL{ Type: "npm", Name: "name", Qualifiers: packageurl.Qualifiers{}, }, }, { name: "known type version adjustments", input: packageurl.PackageURL{ Type: "huggingface", Name: "name", Version: "VeRsIoN", }, want: packageurl.PackageURL{ Type: "huggingface", Name: "name", Version: "version", Qualifiers: packageurl.Qualifiers{}, }, }} for _, testCase := range testCases { t.Run(testCase.name, func(t *testing.T) { got := testCase.input err := got.Normalize() if err != nil && testCase.wantErr { return } if err != nil && !testCase.wantErr { t.Fatalf("Normalize(%s): unexpected error: %v", testCase.name, err) } if testCase.wantErr { t.Fatalf("Normalize(%s): want error, got none", testCase.name) } if !reflect.DeepEqual(testCase.want, got) { t.Fatalf("Normalize(%s):\nwant %#v\ngot %#v", testCase.name, testCase.want, got) } }) } } // TestEncoding verifies that a string representation parsed by FromString // and returned by ToString will have URL encoding set where required: // https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#rules-for-each-purl-component // Note that this is not covered by test suite data verification since its // unencoded purls are marked as invalid, despite being accepted as input here. func TestEncoding(t *testing.T) { testCases := []struct { name string input string expected string }{ { name: "input without need for encoding is unchanged", input: "pkg:type/name/space/name@version?key=value#sub/path", expected: "pkg:type/name/space/name@version?key=value#sub/path", }, { name: "unencoded namespace segment is encoded", input: "pkg:type/name/spac e/name@version?key=value#sub/path", expected: "pkg:type/name/spac%20e/name@version?key=value#sub/path", }, { name: "explicit characters are encoded", input: "pkg:type/%3F%40%23space/name@version?key=value#sub/path", expected: "pkg:type/%3F%40%23space/name@version?key=value#sub/path", }, { name: "characters are unencoded where allowed", input: "pkg:type/%3E%41%22space/name@version?key=value!#sub/path", expected: "pkg:type/%3EA%22space/name@version?key=value%21#sub/path", }, { name: "equals within version should be encoded", input: "pkg:type/space/name@ver=sion?key=value", expected: "pkg:type/space/name@ver%3Dsion?key=value", }, { name: "pre-encoded namespace segment is unchanged", input: "pkg:type/name/spac%20e/name@version?key=value#sub/path", expected: "pkg:type/name/spac%20e/name@version?key=value#sub/path", }, { name: "unencoded name is encoded is encoded", input: "pkg:type/name/space/nam e@version?key=value#sub/path", expected: "pkg:type/name/space/nam%20e@version?key=value#sub/path", }, { name: "pre-encoded name is unchanged", input: "pkg:type/name/space/nam%20e@version?key=value#sub/path", expected: "pkg:type/name/space/nam%20e@version?key=value#sub/path", }, { name: "unencoded version is encoded", input: "pkg:type/name/space/name@versio n?key=value#sub/path", expected: "pkg:type/name/space/name@versio%20n?key=value#sub/path", }, { name: "pre-encoded version is unchanged", input: "pkg:type/name/space/name@versio%20n%2Bbeta?key=value#sub/path", expected: "pkg:type/name/space/name@versio%20n%2Bbeta?key=value#sub/path", }, { name: "unencoded qualifier value is encoded", input: "pkg:type/name/space/name@version?key=valu e#sub/path", expected: "pkg:type/name/space/name@version?key=valu%20e#sub/path", }, { name: "pre-encoded qualifier value is unchanged", input: "pkg:type/name/space/name@version?key=valu%20e#sub/path", expected: "pkg:type/name/space/name@version?key=valu%20e#sub/path", }, { name: "unencoded subpath segment is encoded", input: "pkg:type/name/space/name@version?key=value#sub/pat h", expected: "pkg:type/name/space/name@version?key=value#sub/pat%20h", }, { name: "pre-encoded subpath segment is unchanged", input: "pkg:type/name/space/name@version?key=value#sub/pat%20h", expected: "pkg:type/name/space/name@version?key=value#sub/pat%20h", }, { name: "newline whitespace", input: " \tpkg:type/name/space/name@5.2.0\r\n", expected: "pkg:type/name/space/name@5.2.0", }, { name: "plus character not encoded to space", input: "pkg:type/name@1.0?param=some+thing+with+plus", expected: "pkg:type/name@1.0?param=some%2Bthing%2Bwith%2Bplus", }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { got, err := packageurl.FromString(tc.input) if err != nil { t.Fatal(err) } gotStr := got.ToString() if tc.expected != gotStr { t.Fatalf("expected %s to parse as %s but got %s", tc.input, tc.expected, gotStr) } }) } } anchore-packageurl-go-a0c3c17/testdata/000077500000000000000000000000001516550243700200745ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/testdata/.gitkeep000066400000000000000000000000001516550243700215130ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/testdata/fuzz/000077500000000000000000000000001516550243700210725ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/testdata/fuzz/FuzzFromString/000077500000000000000000000000001516550243700240435ustar00rootroot00000000000000771e938e4458e983a736261a702e27c7a414fd660a15b63034f290b146d2f217000066400000000000000000000000341516550243700337670ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/testdata/fuzz/FuzzFromStringgo test fuzz v1 string("0") d0a861fe9b7c443af2b649e08753442111b630dd29fcd570543db3f9351158aa000066400000000000000000000000351516550243700343360ustar00rootroot00000000000000anchore-packageurl-go-a0c3c17/testdata/fuzz/FuzzFromStringgo test fuzz v1 string("?A") anchore-packageurl-go-a0c3c17/testdata/test-suite-data.json000066400000000000000000000506641516550243700240170ustar00rootroot00000000000000[ { "description": "valid maven purl", "purl": "pkg:maven/org.apache.commons/io@1.3.4", "canonical_purl": "pkg:maven/org.apache.commons/io@1.3.4", "type": "maven", "namespace": "org.apache.commons", "name": "io", "version": "1.3.4", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "basic valid maven purl without version", "purl": "pkg:maven/org.apache.commons/io", "canonical_purl": "pkg:maven/org.apache.commons/io", "type": "maven", "namespace": "org.apache.commons", "name": "io", "version": null, "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "valid go purl without version and with subpath", "purl": "pkg:GOLANG/google.golang.org/genproto#/googleapis/api/annotations/", "canonical_purl": "pkg:golang/google.golang.org/genproto#googleapis/api/annotations", "type": "golang", "namespace": "google.golang.org", "name": "genproto", "version": null, "qualifiers": null, "subpath": "googleapis/api/annotations", "is_invalid": false }, { "description": "valid go purl with version and subpath", "purl": "pkg:GOLANG/google.golang.org/genproto@abcdedf#/googleapis/api/annotations/", "canonical_purl": "pkg:golang/google.golang.org/genproto@abcdedf#googleapis/api/annotations", "type": "golang", "namespace": "google.golang.org", "name": "genproto", "version": "abcdedf", "qualifiers": null, "subpath": "googleapis/api/annotations", "is_invalid": false }, { "description": "bitbucket namespace and name should be lowercased", "purl": "pkg:bitbucket/birKenfeld/pyGments-main@244fd47e07d1014f0aed9c", "canonical_purl": "pkg:bitbucket/birkenfeld/pygments-main@244fd47e07d1014f0aed9c", "type": "bitbucket", "namespace": "birkenfeld", "name": "pygments-main", "version": "244fd47e07d1014f0aed9c", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "github namespace and name should be lowercased", "purl": "pkg:github/Package-url/purl-Spec@244fd47e07d1004f0aed9c", "canonical_purl": "pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c", "type": "github", "namespace": "package-url", "name": "purl-spec", "version": "244fd47e07d1004f0aed9c", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "debian can use qualifiers", "purl": "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie", "canonical_purl": "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie", "type": "deb", "namespace": "debian", "name": "curl", "version": "7.50.3-1", "qualifiers": {"arch": "i386", "distro": "jessie"}, "subpath": null, "is_invalid": false }, { "description": "docker uses qualifiers and hash image id as versions", "purl": "pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io", "canonical_purl": "pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io", "type": "docker", "namespace": "customer", "name": "dockerimage", "version": "sha256:244fd47e07d1004f0aed9c", "qualifiers": {"repository_url": "gcr.io"}, "subpath": null, "is_invalid": false }, { "description": "Java gem can use a qualifier", "purl": "pkg:gem/jruby-launcher@1.1.2?Platform=java", "canonical_purl": "pkg:gem/jruby-launcher@1.1.2?platform=java", "type": "gem", "namespace": null, "name": "jruby-launcher", "version": "1.1.2", "qualifiers": {"platform": "java"}, "subpath": null, "is_invalid": false }, { "description": "maven often uses qualifiers", "purl": "pkg:Maven/org.apache.xmlgraphics/batik-anim@1.9.1?classifier=sources&repositorY_url=repo.spring.io/release", "canonical_purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?classifier=sources&repository_url=repo.spring.io/release", "type": "maven", "namespace": "org.apache.xmlgraphics", "name": "batik-anim", "version": "1.9.1", "qualifiers": {"classifier": "sources", "repository_url": "repo.spring.io/release"}, "subpath": null, "is_invalid": false }, { "description": "maven pom reference", "purl": "pkg:Maven/org.apache.xmlgraphics/batik-anim@1.9.1?extension=pom&repositorY_url=repo.spring.io/release", "canonical_purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?extension=pom&repository_url=repo.spring.io/release", "type": "maven", "namespace": "org.apache.xmlgraphics", "name": "batik-anim", "version": "1.9.1", "qualifiers": {"extension": "pom", "repository_url": "repo.spring.io/release"}, "subpath": null, "is_invalid": false }, { "description": "maven can come with a type qualifier", "purl": "pkg:Maven/net.sf.jacob-project/jacob@1.14.3?classifier=x86&type=dll", "canonical_purl": "pkg:maven/net.sf.jacob-project/jacob@1.14.3?classifier=x86&type=dll", "type": "maven", "namespace": "net.sf.jacob-project", "name": "jacob", "version": "1.14.3", "qualifiers": {"classifier": "x86", "type": "dll"}, "subpath": null, "is_invalid": false }, { "description": "npm can be scoped", "purl": "pkg:npm/%40angular/animation@12.3.1", "canonical_purl": "pkg:npm/%40angular/animation@12.3.1", "type": "npm", "namespace": "@angular", "name": "animation", "version": "12.3.1", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "nuget names are case sensitive", "purl": "pkg:Nuget/EnterpriseLibrary.Common@6.0.1304", "canonical_purl": "pkg:nuget/EnterpriseLibrary.Common@6.0.1304", "type": "nuget", "namespace": null, "name": "EnterpriseLibrary.Common", "version": "6.0.1304", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "pypi names have special rules and not case sensitive", "purl": "pkg:PYPI/Django_package@1.11.1.dev1", "canonical_purl": "pkg:pypi/django-package@1.11.1.dev1", "type": "pypi", "namespace": null, "name": "django-package", "version": "1.11.1.dev1", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "rpm often use qualifiers", "purl": "pkg:Rpm/fedora/curl@7.50.3-1.fc25?Arch=i386&Distro=fedora-25", "canonical_purl": "pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25", "type": "rpm", "namespace": "fedora", "name": "curl", "version": "7.50.3-1.fc25", "qualifiers": {"arch": "i386", "distro": "fedora-25"}, "subpath": null, "is_invalid": false }, { "description": "a scheme is always required", "purl": "EnterpriseLibrary.Common@6.0.1304", "canonical_purl": "EnterpriseLibrary.Common@6.0.1304", "type": null, "namespace": null, "name": "EnterpriseLibrary.Common", "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "a type is always required", "purl": "pkg:EnterpriseLibrary.Common@6.0.1304", "canonical_purl": "pkg:EnterpriseLibrary.Common@6.0.1304", "type": null, "namespace": null, "name": "EnterpriseLibrary.Common", "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "a name is required", "purl": "pkg:maven/@1.3.4", "canonical_purl": "pkg:maven/@1.3.4", "type": "maven", "namespace": null, "name": null, "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "slash / after scheme is not significant", "purl": "pkg:/maven/org.apache.commons/io", "canonical_purl": "pkg:maven/org.apache.commons/io", "type": "maven", "namespace": "org.apache.commons", "name": "io", "version": null, "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "double slash // after scheme is not significant", "purl": "pkg://maven/org.apache.commons/io", "canonical_purl": "pkg:maven/org.apache.commons/io", "type": "maven", "namespace": "org.apache.commons", "name": "io", "version": null, "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "slash /// after type is not significant", "purl": "pkg:///maven/org.apache.commons/io", "canonical_purl": "pkg:maven/org.apache.commons/io", "type": "maven", "namespace": "org.apache.commons", "name": "io", "version": null, "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "valid maven purl with case sensitive namespace and name", "purl": "pkg:maven/HTTPClient/HTTPClient@0.3-3", "canonical_purl": "pkg:maven/HTTPClient/HTTPClient@0.3-3", "type": "maven", "namespace": "HTTPClient", "name": "HTTPClient", "version": "0.3-3", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "valid maven purl containing a space in the version and qualifier", "purl": "pkg:maven/mygroup/myartifact@1.0.0%20Final?mykey=my%20value", "canonical_purl": "pkg:maven/mygroup/myartifact@1.0.0%20Final?mykey=my%20value", "type": "maven", "namespace": "mygroup", "name": "myartifact", "version": "1.0.0 Final", "qualifiers": {"mykey": "my value"}, "subpath": null, "is_invalid": false }, { "description": "checks for invalid qualifier keys", "purl": "pkg:npm/myartifact@1.0.0?in%20production=true", "canonical_purl": null, "type": "npm", "namespace": null, "name": "myartifact", "version": "1.0.0", "qualifiers": {"in production": "true"}, "subpath": null, "is_invalid": true }, { "description": "valid conan purl", "purl": "pkg:conan/cctz@2.3", "canonical_purl": "pkg:conan/cctz@2.3", "type": "conan", "namespace": null, "name": "cctz", "version": "2.3", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "valid conan purl with namespace and qualifier channel", "purl": "pkg:conan/bincrafters/cctz@2.3?channel=stable", "canonical_purl": "pkg:conan/bincrafters/cctz@2.3?channel=stable", "type": "conan", "namespace": "bincrafters", "name": "cctz", "version": "2.3", "qualifiers": {"channel": "stable"}, "subpath": null, "is_invalid": false }, { "description": "invalid conan purl only namespace", "purl": "pkg:conan/bincrafters/cctz@2.3", "canonical_purl": "pkg:conan/bincrafters/cctz@2.3", "type": "conan", "namespace": "bincrafters", "name": "cctz", "version": "2.3", "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "invalid conan purl only channel qualifier", "purl": "pkg:conan/cctz@2.3?channel=stable", "canonical_purl": "pkg:conan/cctz@2.3?channel=stable", "type": "conan", "namespace": null, "name": "cctz", "version": "2.3", "qualifiers": {"channel": "stable"}, "subpath": null, "is_invalid": true }, { "description": "valid conda purl with qualifiers", "purl": "pkg:conda/absl-py@0.4.1?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2", "canonical_purl": "pkg:conda/absl-py@0.4.1?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2", "type": "conda", "namespace": null, "name": "absl-py", "version": "0.4.1", "qualifiers": {"build": "py36h06a4308_0", "channel": "main", "subdir": "linux-64", "type": "tar.bz2"}, "subpath": null, "is_invalid": false }, { "description": "valid cran purl", "purl": "pkg:cran/A3@0.9.1", "canonical_purl": "pkg:cran/A3@0.9.1", "type": "cran", "namespace": null, "name": "A3", "version": "0.9.1", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "invalid cran purl without name", "purl": "pkg:cran/@0.9.1", "canonical_purl": "pkg:cran/@0.9.1", "type": "cran", "namespace": null, "name": null, "version": "0.9.1", "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "invalid cran purl without version", "purl": "pkg:cran/A3", "canonical_purl": "pkg:cran/A3", "type": "cran", "namespace": null, "name": "A3", "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "valid swift purl", "purl": "pkg:swift/github.com/Alamofire/Alamofire@5.4.3", "canonical_purl": "pkg:swift/github.com/Alamofire/Alamofire@5.4.3", "type": "swift", "namespace": "github.com/Alamofire", "name": "Alamofire", "version": "5.4.3", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "invalid swift purl without namespace", "purl": "pkg:swift/Alamofire@5.4.3", "canonical_purl": "pkg:swift/Alamofire@5.4.3", "type": "swift", "namespace": null, "name": "Alamofire", "version": "5.4.3", "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "invalid swift purl without name", "purl": "pkg:swift/github.com/Alamofire/@5.4.3", "canonical_purl": "pkg:swift/github.com/Alamofire/@5.4.3", "type": "swift", "namespace": "github.com/Alamofire", "name": null, "version": "5.4.3", "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "invalid swift purl without version", "purl": "pkg:swift/github.com/Alamofire/Alamofire", "canonical_purl": "pkg:swift/github.com/Alamofire/Alamofire", "type": "swift", "namespace": "github.com/Alamofire", "name": "Alamofire", "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "valid hackage purl", "purl": "pkg:hackage/AC-HalfInteger@1.2.1", "canonical_purl": "pkg:hackage/AC-HalfInteger@1.2.1", "type": "hackage", "namespace": null, "name": "AC-HalfInteger", "version": "1.2.1", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "name and version are always required", "purl": "pkg:hackage", "canonical_purl": "pkg:hackage", "type": "hackage", "namespace": null, "name": null, "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "minimal Hugging Face model", "purl": "pkg:huggingface/distilbert-base-uncased@043235d6088ecd3dd5fb5ca3592b6913fd516027", "canonical_purl": "pkg:huggingface/distilbert-base-uncased@043235d6088ecd3dd5fb5ca3592b6913fd516027", "type": "huggingface", "namespace": null, "name": "distilbert-base-uncased", "version": "043235d6088ecd3dd5fb5ca3592b6913fd516027", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "Hugging Face model with staging endpoint", "purl": "pkg:huggingface/microsoft/deberta-v3-base@559062ad13d311b87b2c455e67dcd5f1c8f65111?repository_url=https://hub-ci.huggingface.co", "canonical_purl": "pkg:huggingface/microsoft/deberta-v3-base@559062ad13d311b87b2c455e67dcd5f1c8f65111?repository_url=https://hub-ci.huggingface.co", "type": "huggingface", "namespace": "microsoft", "name": "deberta-v3-base", "version": "559062ad13d311b87b2c455e67dcd5f1c8f65111", "qualifiers": {"repository_url": "https://hub-ci.huggingface.co"}, "subpath": null, "is_invalid": false }, { "description": "Hugging Face model with various cases", "purl": "pkg:huggingface/EleutherAI/gpt-neo-1.3B@797174552AE47F449AB70B684CABCB6603E5E85E", "canonical_purl": "pkg:huggingface/EleutherAI/gpt-neo-1.3B@797174552ae47f449ab70b684cabcb6603e5e85e", "type": "huggingface", "namespace": "EleutherAI", "name": "gpt-neo-1.3B", "version": "797174552ae47f449ab70b684cabcb6603e5e85e", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "MLflow model tracked in Azure Databricks (case insensitive)", "purl": "pkg:mlflow/CreditFraud@3?repository_url=https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow", "canonical_purl": "pkg:mlflow/creditfraud@3?repository_url=https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow", "type": "mlflow", "namespace": null, "name": "creditfraud", "version": "3", "qualifiers": {"repository_url": "https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow"}, "subpath": null, "is_invalid": false }, { "description": "MLflow model tracked in Azure ML (case sensitive)", "purl": "pkg:mlflow/CreditFraud@3?repository_url=https://westus2.api.azureml.ms/mlflow/v1.0/subscriptions/a50f2011-fab8-4164-af23-c62881ef8c95/resourceGroups/TestResourceGroup/providers/Microsoft.MachineLearningServices/workspaces/TestWorkspace", "canonical_purl": "pkg:mlflow/CreditFraud@3?repository_url=https://westus2.api.azureml.ms/mlflow/v1.0/subscriptions/a50f2011-fab8-4164-af23-c62881ef8c95/resourceGroups/TestResourceGroup/providers/Microsoft.MachineLearningServices/workspaces/TestWorkspace", "type": "mlflow", "namespace": null, "name": "CreditFraud", "version": "3", "qualifiers": {"repository_url": "https://westus2.api.azureml.ms/mlflow/v1.0/subscriptions/a50f2011-fab8-4164-af23-c62881ef8c95/resourceGroups/TestResourceGroup/providers/Microsoft.MachineLearningServices/workspaces/TestWorkspace"}, "subpath": null, "is_invalid": false }, { "description": "MLflow model with unique identifiers", "purl": "pkg:mlflow/trafficsigns@10?model_uuid=36233173b22f4c89b451f1228d700d49&run_id=410a3121-2709-4f88-98dd-dba0ef056b0a&repository_url=https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow", "canonical_purl": "pkg:mlflow/trafficsigns@10?model_uuid=36233173b22f4c89b451f1228d700d49&repository_url=https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow&run_id=410a3121-2709-4f88-98dd-dba0ef056b0a", "type": "mlflow", "namespace": null, "name": "trafficsigns", "version": "10", "qualifiers": {"model_uuid": "36233173b22f4c89b451f1228d700d49", "run_id": "410a3121-2709-4f88-98dd-dba0ef056b0a", "repository_url": "https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow"}, "subpath": null, "is_invalid": false }, { "description": "composer names are not case sensitive", "purl": "pkg:composer/Laravel/Laravel@5.5.0", "canonical_purl": "pkg:composer/laravel/laravel@5.5.0", "type": "composer", "namespace": "laravel", "name": "laravel", "version": "5.5.0", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "cpan distribution name are case sensitive", "purl": "pkg:cpan/DROLSKY/DateTime@1.55", "canonical_purl": "pkg:cpan/DROLSKY/DateTime@1.55", "type": "cpan", "namespace": "DROLSKY", "name": "DateTime", "version": "1.55", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "cpan module name are case sensitive", "purl": "pkg:cpan/URI::PackageURL@2.11", "canonical_purl": "pkg:cpan/URI::PackageURL@2.11", "type": "cpan", "namespace": null, "name": "URI::PackageURL", "version": "2.11", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "cpan module name like distribution name", "purl": "pkg:cpan/Perl-Version@1.013", "canonical_purl": "pkg:cpan/Perl-Version@1.013", "type": "cpan", "namespace": null, "name": "Perl-Version", "version": "1.013", "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "cpan distribution name like module name", "purl": "pkg:cpan/GDT/URI::PackageURL@2.11", "canonical_purl": "pkg:cpan/GDT/URI::PackageURL", "type": "cpan", "namespace": "GDT", "name": "URI::PackageURL", "version": null, "qualifiers": null, "subpath": null, "is_invalid": true }, { "description": "cpan valid module name", "purl": "pkg:cpan/DateTime@1.55", "canonical_purl": "pkg:cpan/DateTime@1.55", "type": "cpan", "namespace": null, "name": "DateTime", "version": "1.55", "qualifiers": null, "subpath": null, "is_invalid": false }, { "description": "cpan valid module name without version", "purl": "pkg:cpan/URI", "canonical_purl": "pkg:cpan/URI", "type": "cpan", "namespace": null, "name": "URI", "version": null, "qualifiers": null, "subpath": null, "is_invalid": false } ]