Purl generation #1130
Comments
cc @coderpatros :) Looking at what generates the purl:
the purl_type is using the package format, which for python package is
I think some simple logic could fix this. I wonder if there's other package format types that might also need tweaking?
Thank you for your quick reaction, I will not hesitate to create an issue if I encounter others in the future.
ThiefaineM pushed a commit to ThiefaineM/tern that referenced this issue on Mar 21, 2022:
Packages downloaded with pip or pip3 are taken from the index Pypi. To be more accurate for the purl / in general, it could be better to use Pypi to describe the packages format. Here for the purl for a python component:
- https://ossindex.sonatype.org/component/pkg:pip/pip-tools
- https://ossindex.sonatype.org/component/pkg:pypi/pip-tools
The second one is recognized but not the first.
Resolves: tern-tools#1130
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
ThiefaineM pushed a commit to ThiefaineM/tern that referenced this issue on Mar 22, 2022:
Packages downloaded with pip or pip3 are taken from the index Pypi. To be more accurate for the purl / in general, it could be better to use Pypi to describe the packages format.
Resolves: tern-tools#1130
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
rnjudge pushed a commit that referenced this issue on Mar 23, 2022:
Packages downloaded with pip or pip3 are taken from the index Pypi. To be more accurate for the purl / in general, it could be better to use Pypi to describe the packages format.
Resolves: #1130
Signed-off-by: Thiéfaine Mercier <thiefaine.mercier@avisto.com>
Hello, I was using Tern on my Dockerfile where I use Python and the framework Django to generate a CycloneDX BOM. The returned purl for django is "pkg:pip/Django@3.2.3". Nevertheless, the "correct" purl to identify django seems to be "pkg:pypi/django@3.2.3" according to OSSINDEX and Package URL examples. I got the same issue on most components where the expected pypi is pip. Is this a normal behaviour or am I missing something?
Best regards.
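The mismatch described in this issue (the installer name "pip" being emitted where the ecosystem type "pypi" belongs, and "Django" not being lowercased) comes down to how a BOM generator maps what installed a package to a purl type. The following is an added example, not Tern's own code: it maps the package manager to a purl type, applies the purl spec's name canonicalisation for PyPI (lowercase, underscores to dashes), and audits an existing list of purls for the "pkg:pip/" form so a defender can spot components that registries such as OSS Index will not match. The manager-to-type table beyond the pip/pip3 entries, and the sample purl list, are constructed for illustration.

```python
"""Purl generation and auditing for SBOM components (added example, not Tern's code)."""
from typing import Optional
from urllib.parse import quote

# Map "what installed the package" to the purl type that vulnerability
# registries understand. Only the pip/pip3 -> pypi entries come from the
# issue; the remaining rows are assumed, illustrative mappings.
PURL_TYPE_BY_MANAGER = {
    "pip": "pypi",
    "pip3": "pypi",
    "pypi": "pypi",
    "npm": "npm",
    "gem": "gem",
    "apk": "apk",
    "deb": "deb",
    "rpm": "rpm",
}


def normalize_name(purl_type: str, name: str) -> str:
    """Apply the purl spec's per-type name rules.

    PyPI treats names case-insensitively and "_" the same as "-", so the
    canonical purl name is lowercase with "_" replaced by "-" (this is why
    "Django" should appear as "django").
    """
    if purl_type == "pypi":
        return name.lower().replace("_", "-")
    return name


def build_purl(manager: str, name: str, version: str = "",
               namespace: Optional[str] = None) -> str:
    """Build pkg:<type>/[<namespace>/]<name>[@<version>] from scanner data.

    Raises ValueError for an unknown manager rather than leaking the manager
    name into the purl type, which is the defect this issue reports.
    """
    try:
        purl_type = PURL_TYPE_BY_MANAGER[manager.lower()]
    except KeyError:
        raise ValueError(f"no purl type known for package manager {manager!r}")
    segments = ["pkg:" + purl_type]
    if namespace:
        # Each namespace segment is percent-encoded; "@types" becomes "%40types".
        segments.append(quote(namespace, safe=""))
    segments.append(quote(normalize_name(purl_type, name), safe=""))
    purl = "/".join(segments)
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def audit_purls(purls):
    """Return (bad_purl, suggested_purl) pairs for purls using the "pip" type.

    A component identified as pkg:pip/... will not be matched by registries
    keyed on pkg:pypi/..., so such entries silently drop out of vulnerability
    lookups. The suggestion re-derives the canonical pypi purl.
    """
    findings = []
    for purl in purls:
        if not purl.startswith("pkg:pip/"):
            continue
        rest = purl[len("pkg:pip/"):]
        name, _, version = rest.partition("@")
        findings.append((purl, build_purl("pip", name, version)))
    return findings


if __name__ == "__main__":
    # Constructed sample: one component from the issue plus two assumed ones.
    sample_bom_purls = [
        "pkg:pip/Django@3.2.3",
        "pkg:pypi/pip-tools",
        "pkg:deb/curl@7.74.0",
    ]
    print(build_purl("pip", "Django", "3.2.3"))
    for bad, good in audit_purls(sample_bom_purls):
        print(f"{bad} -> {good}")
```

The audit only rewrites the type and name, never the version, so a finding can be fixed in place in the BOM without re-scanning the image.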