Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use package URLs for packages #32

Closed
pombredanne opened this issue May 17, 2018 · 7 comments · Fixed by #114
Closed

Use package URLs for packages #32

pombredanne opened this issue May 17, 2018 · 7 comments · Fixed by #114
Assignees
@haikoschol
Labels
Priority: high
Milestone
Kickoff and baseline

Comments

@pombredanne
Copy link
Collaborator

See https://github.com/package-url
@pombredanne pombredanne mentioned this issue Feb 26, 2019
Closed
@lohani2280
Copy link
Contributor

lohani2280 commented Feb 26, 2019
edited
Loading

@pombredanne Can you please elaborate this issue a bit more?

@pombredanne
Copy link
Collaborator Author

Sure, the first step would be to understand the spec at https://github.com/package-url/purl-spec then contemplate how this could be integrated in the code here

@lohani2280
Copy link
Contributor

@pombredanne I am on it. Will get back very soon.

@lohani2280
Copy link
Contributor

lohani2280 commented Feb 28, 2019
edited
Loading

@pombredanne I have gone through the spec at https://github.com/package-url/purl-spec and developed a basic understanding about package URLs.
So for this task I think we should create a new endpoint and pass the package URLs as a string. On the server side we can use the purl parser to parse the purl string into its component and then use the name and version of the package extracted from the purl string to query cve-search api and get the response.
Please correct me if I am wrong somewhere. Also, would be glad to know your suggestions over this.

@pombredanne
Copy link
Collaborator Author

@lohani2280 actually the 1st step would likely to deal with the data models and structure and use a package url throughout for proper. The package url package has a contrib module with a django model mixin that should be good for starters. The update to the API would come rather naturally from that and should be accepting a purl and return vulnerabilities.

@lohani2280
Copy link
Contributor

lohani2280 commented Mar 4, 2019
edited
Loading

@pombredanne Currently requesting the server with package name/version returns the vulnerabilities associated with that package. Present way of requesting the server is-
/api/packages/?name=mimetex&version=1.50-1.1

By Use package URLs for packages do you want to incorporate changes such that the user request the server with purl and not through package name/version and the server returns back vulnerabilities?. Thus, the final way of requesting the server would be-
/api/packages/?purl=pkg:pypi/django@1.11.1

@pombredanne
Copy link
Collaborator Author

@lohani2280 yes, once purls are added to the models and used throughout, then the API should use these as opposed to name version (and we could also later accept too the set of discrete purl fields too)

@haikoschol haikoschol added this to the Kickoff and baseline milestone Sep 17, 2019
@haikoschol haikoschol self-assigned this Sep 27, 2019
@haikoschol haikoschol mentioned this issue Oct 1, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@haikoschol haikoschol

Labels
Priority: high
Projects
None yet
Milestone
Kickoff and baseline
Development

Successfully merging a pull request may close this issue.

Use Package URL for packages haikoschol/vulnerablecode
3 participants
@haikoschol @pombredanne @lohani2280