Feature: map the current Dependencydiff package naming convention (GitHub) to OSV #2078
Labels
kind/enhancement
New feature or request
Comments
aidenwang9867
changed the title
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
In v0 of the API/CLI Dependencydiff (PR #2046/PR #2077), the formats (convention) of dependency fields like the package
ecosystem(GH usespypifor python pkgs whereas OSV usespip) follow the GitHub naming convention. Examples:[ { "changeType": "added", "packageUrl": "pkg:golang/github.com/google/go-github/v35@35.2.0", "sourceRepository": null, "manifestPath": "go.mod", "ecosystem": "gomod", "version": "35.2.0", "name": "github.com/google/go-github/v35", }, { "changeType": "updated", "packageUrl": "pkg:golang/gocloud.dev@0.23.0", "sourceRepository": "https://github.com/google/go-cloud", "manifestPath": "go.mod", "ecosystem": "gomod", "version": "0.23.0", "name": "gocloud.dev", }, ]Describe the solution you'd like
By @laurentsimon: since we may use a different Dependency-diff source API in the future, it would be nice not to get stuck using GH naming convention.
I can do the
ecosystemmapping using this list (near The defined ecosystems are:), by defining a static map in the scorecard code to convert the GH ecosystems to the OSV ones. I'll use a follow-up PR to do this mapping very soon.The text was updated successfully, but these errors were encountered: