Add golang purl service #316
Conversation
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
| ], | ||
| responses={200: GoLangPurlResponseSerializer()}, | ||
| ) | ||
| class GolangPurlViewSet(viewsets.ViewSet): |
There was a problem hiding this comment.
Need some docsting. Being more explicit about the fact that the endpoint accepts a standard Go import string and returns the corresponding PackageURL will be helpful.
packagedb/tests/test_api.py
Outdated
| class ToGolangPurlTestCase(TestCase): | ||
|
|
||
| def test_to_golang_purl(self): | ||
| response = self.client.get("/api/to_purl/go", data={"go_package": "github.com/gorilla/mux@v1.7.3"}, follow=True) |
There was a problem hiding this comment.
AFAIK, github.com/gorilla/mux@v1.7.3 is not a valid import statement.
Does Go allow specifying a particular package version using an @ symbol in an import statement?
There was a problem hiding this comment.
Good catch, not a go import https://github.com/moby/moby/blob/6c10086976d07d4746e03dcfd188972a2f07e1c9/vendor.mod#L51 but *.mod files does have version representation like this? should I change the code in packageurl-python to accept this kind of inputs as well ?
There was a problem hiding this comment.
should I change the code in packageurl-python to accept this kind of inputs as well ?
Update the code to also accept this would make sense. With proper documentation.
There was a problem hiding this comment.
BTW, see also https://stackoverflow.com/questions/24855081/how-do-i-import-a-specific-version-of-a-package-using-go-get and in particular the reference to http://labix.org/gopkg.in
There was a problem hiding this comment.
Good catch, not a go import https://github.com/moby/moby/blob/6c10086976d07d4746e03dcfd188972a2f07e1c9/vendor.mod#L51 but
*.modfiles does have version representation like this? should I change the code in packageurl-python to accept this kind of inputs as well ?
IMO it makes sense to support getting PURLs from both Go import and Go Manifest.
However, I'm not sure if we want to support obtaining PURLs from Go dependency management commands like...
go get github.com/gorilla/mux@v1.7.3There was a problem hiding this comment.
@keshav-space so should we throw an error when we encounter any package like this ? when there is "@" in package, we should error out ?
There was a problem hiding this comment.
I have added a PR here https://github.com/package-url/packageurl-python/pull/148/files, please have a look
There was a problem hiding this comment.
@keshav-space so should we throw an error when we encounter any package like this ? when there is "@" in package, we should error out ?
If we don't support them in packageurl-python, then we should raise an error here.
There was a problem hiding this comment.
I think this is all OK and handled in the packageurl library. And we do not support the @ notation from a "go get"
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
Co-authored-by: Keshav Priyadarshi <git@keshav.space>
Co-authored-by: Keshav Priyadarshi <git@keshav.space>
Fixes: #259
Added a
/api/to_purl/goendpoint to get a golang purl from a go import string or a package string in go.mod file