VSA: under-specified resource_uri #808

Open
Tracked by #900
laurentsimon opened this issue Apr 6, 2023 · 0 comments
Comments

@laurentsimon
Contributor

The resource_uri is currently a purl, but there is no guidance on how to construct it. It would be useful to provide better guidance for it. A few things to think about:

  • public registry vs private company's software. Not all of a company's software is distributed via a public registry. It's unclear how the purl should be constructed for the latter.
  • compulsory version. Without a version, rollback attacks are possible. Version / tag is available in provenance, so we ought to make it available in the purl as well, I think.
  • monorepos. They don't have versions per se. I think their releases still adhere to some versioning scheme (semver, calver, etc.).
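As an added illustration of the "compulsory version" point (example code, not from this issue or the SLSA project), here is a verifier-side policy check: it parses the VSA's `resource_uri` as a purl with a minimal hand-written parser (not the official packageurl library) and rejects a VSA whose purl lacks a version or names a different package or version than the artifact the consumer is about to install, which is what closes the rollback window. Function names and the sample purls are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(uri: str) -> Purl:
    """Minimal package-URL parser: pkg:type/namespace/name@version?qualifiers#subpath.
    Qualifiers and subpath are dropped; only identity-bearing parts are kept."""
    if not uri.startswith("pkg:"):
        raise ValueError("resource_uri is not a purl")
    rest = uri[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0].split("?", 1)[0]
    version: Optional[str] = None
    if "@" in rest:  # version is everything after the LAST '@' (namespaces are %40-encoded)
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version) or None
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError("purl needs at least a type and a name")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return Purl(parts[0].lower(), namespace, unquote(parts[-1]), version)


def check_resource_uri(vsa_resource_uri: str, expected: str) -> tuple[bool, str]:
    """Policy for a VSA consumer (hypothetical helper for this example).
    The VSA must name exactly the artifact being installed, version included:
    a version-less resource_uri is rejected outright, because such a VSA could
    be replayed to vouch for an older, possibly vulnerable build (rollback)."""
    try:
        got, want = parse_purl(vsa_resource_uri), parse_purl(expected)
    except ValueError as err:
        return False, str(err)
    if got.version is None:
        return False, "resource_uri has no version; rollback cannot be ruled out"
    if want.version is None:
        return False, "expected artifact purl has no version"
    if (got.type, got.namespace, got.name) != (want.type, want.namespace, want.name):
        return False, "resource_uri names a different package"
    if got.version != want.version:
        return False, f"version mismatch: VSA covers {got.version}, installing {want.version}"
    return True, "ok"
```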
@kpk47 kpk47 moved this to 🆕 New in Issue triage May 25, 2023
@kpk47 kpk47 moved this from 🆕 New Issues to 📋 Backlog in Issue triage May 25, 2023
@kpk47 kpk47 moved this from 📋 Backlog to Untriaged in Issue triage Jun 26, 2023